
This is a guest post for Skills You Need.

How Today's Leaders Can Prevent Data Breaches


Data breaches aren’t just a problem for IT to solve; they’re a problem that deserves C-suite attention.

Following Target’s massive data breach during the 2013 holiday season, both the CIO and CEO lost their jobs. The proxy advisory firm Institutional Shareholder Services also called for the ouster of seven out of 10 board members.

Preventing data breaches isn’t a nice-to-do. It’s a must-do for people in leadership positions.

Unfortunately, too many business leaders still don’t get it. Ponemon reports that 17 percent of executives don’t know whether or not their company suffered a data breach last year.

As a leader, you need to know how to prevent breaches, get notified if they happen, and lead your company through the aftermath.

Your job might depend on it.

Preventing Breaches: The Human Factor

Breach prevention involves beefing up your company’s IT infrastructure. Security solutions, however, don’t solve your biggest problem: employees who don’t safeguard company information.

Take a look at some of the biggest ways your employees are opening the door for cyberattacks.

Stop Using Terrible, Terrible Passwords

Start by teaching your team the fundamentals of password security. Using “password,” “p@$$word,” and “123456” just won’t cut it anymore.

  • Make strong passwords. Your team can create strong passwords by combining upper and lower-case letters, numbers, and symbols, but sometimes those kinds of passwords are hard to remember. Another technique to create both strong and memorable passwords is to combine unrelated words, such as DaisyCoffeeCatUmbrella. To make it even more attack-proof, change just a couple of the letters to numbers or symbols: D@isyCoffeeC@tUmbre11@.
  • Enable multi-factor authentication (MFA). MFA requires employees to use a biometric technique, like an iris scan or thumbprint, or enter a one-time code sent via text message or generated by an app such as Google Authenticator, in addition to providing their passwords. It adds an extra layer of security to the username/password login.
  • Try a password manager. Password managers store passwords in encrypted form. Instead of typing their passwords every time, your employees simply click an icon and the manager fills in the stored password for them. They can create as many unique passwords as they want, and they’ll never have a problem remembering them.
  • Keep passwords safe. Passwords shouldn’t be shared — period. They also shouldn’t be written on sticky notes adhered to the cubicle wall or the bottom of a keyboard.
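The word-combination technique above is easy to reason about in terms of guessing effort. The following Python script is an added example, not code from the original post or from Skills You Need: it generates a DaisyCoffeeCatUmbrella-style passphrase with a cryptographic random source, estimates how many bits of guessing work different password shapes require, and rejects the throwaway passwords the post calls out. The word list, the blocklist and the 7,776-word list size used for the comparison (the size of the EFF long word list) are assumptions of this example.

```python
import math
import secrets

# Constructed blocklist of the passwords the post calls out. A real policy checks
# candidates against a large list of breached passwords, not a handful of literals.
BLOCKLIST = {"password", "p@$$word", "123456"}

# Constructed word list for this example. A real generator should draw from a large
# published list; the 7,776-entry size of the EFF long word list is assumed below.
SAMPLE_WORDS = [
    "daisy", "coffee", "cat", "umbrella", "river", "pencil", "garden", "window",
    "salt", "orbit", "maple", "ladder", "violin", "marble", "copper", "falcon",
]


def generate_passphrase(n_words, wordlist=SAMPLE_WORDS):
    """Join n_words randomly chosen, unrelated words, each capitalized."""
    # secrets.choice uses the OS CSPRNG; random.choice is not suitable for secrets.
    words = [secrets.choice(wordlist).capitalize() for _ in range(n_words)]
    return "".join(words)


def entropy_bits_words(n_words, list_size):
    """Guessing work for n words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def entropy_bits_chars(length, alphabet_size):
    """Guessing work for length characters drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def check_password_policy(candidate, min_length=12):
    """Return the reasons a candidate fails the policy; an empty list means it passes."""
    reasons = []
    if candidate.lower() in BLOCKLIST:
        reasons.append("on blocklist")
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


def compare_strength():
    """Rounded bit estimates for a few password shapes, for the reader to compare."""
    return {
        "4 words from 7776-word list": round(entropy_bits_words(4, 7776), 1),
        "8 random printable chars": round(entropy_bits_chars(8, 95), 1),
        "12 random printable chars": round(entropy_bits_chars(12, 95), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(4))
    for shape, bits in compare_strength().items():
        print(f"{shape}: {bits} bits")
    print(check_password_policy("123456"))
```

Four words from a large list land in the same range as eight fully random printable characters, while being far easier to remember. The estimates assume the words are chosen by the generator, not by the user; a phrase the user picks from memory is weaker, and swapping a few letters for digits or symbols adds only a little, because password-cracking tools try the common substitutions automatically.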

Avoid Social Engineering

Attackers persuade employees to give away their credentials by using manipulative social engineering techniques. These techniques prey on emotions to convince otherwise smart employees to make dumb decisions.

Sometimes, attackers send an email from the CEO saying that everyone should click a link and reset their passwords. When people see a message from the CEO, they react immediately, and they follow directions without hesitation. Unfortunately, the message didn’t really come from the CEO, and they’re just handing their credentials over to an attacker. The same goes for scary emails that look like they come from a bank, or humorous emails that suggest clicking on a cute cat video — a click which causes the computer to download a virus.

If you supervise leaders who have access to sensitive information, let them know that attackers often specifically target them to get their credentials. In general, no one should ever click a link in an email or text message. They should always open a new browser window and navigate to the supposed sender’s home page. Also, they should be careful about calling phone numbers left in voicemails by unknown callers. Instead, they should call the company’s main number and ask to be transferred.

Download Updates ASAP

Train your employees to install updates for their computers and mobile devices as soon as they become available. Most of the time, these updates and patches are released in response to a specific vulnerability or threat. Many employees put off the updates because they want to keep using their computers to do their work. Unfortunately, procrastination could expose your company to malware or cyberattacks.

Avoid Mixing Company and Personal Information

Many employees bring their own mobile devices to work. This practice, called BYOD (bring your own device), makes your company vulnerable in three main ways. First, your employees might download customer information or information about intellectual property onto their own devices. Even if they have the best of intentions, such as wanting to take work home over the weekend, your information is in jeopardy if their devices get lost, stolen, or shared.

Second, any malware on your employees’ devices, whether they’re laptops, mobile devices, or USB drives, can get uploaded onto your company network. Third, if your employees expose personally identifiable information governed by HIPAA or PCI, they could also expose your company to serious financial penalties and civil liabilities.

Limit Shadow IT

Many employees don’t like certain applications provided by your company. They think that the applications they prefer will help them do their jobs better. Thanks to cloud computing, it’s easy for your employees to set up software-as-a-service (SaaS) accounts without notifying IT. Experts call this “shadow IT” — accounts that are set up without IT’s knowledge.

Securing the Machines

In addition to requiring strong security measures from your employees, take steps to protect your IT infrastructure. The type of protection you need depends on the sensitivity of the information that you store.

Unfortunately, cyberattacks aren’t just limited to large enterprises; attackers are increasingly targeting small and medium-sized companies. If you’re an organization that stores high-value intellectual property, data from government agencies, or personal health information, invest in first class security.

Go beyond solutions that just provide firewalls and alerts. Choose security software with built-in threat intelligence. Threat intelligence analyzes your log data, in addition to tracking current threats in the wild, to let you know which alerts are legitimate and which are false alarms. A threat intelligence solution also helps you monitor the flow of data in and out of your network. It helps you analyze how both your employees and your third-party contractors transport and use company data.
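The triage step described above, matching alerts against known threats and against what the business knows is legitimate, can be shown in a few lines. The following Python script is an added example, not code from the original post or from any security product: it parses a handful of constructed alert lines, checks each destination against a constructed indicator list and a constructed list of known-good business services, and sorts the alerts into confirmed, false alarm and needs-review. The log format, the indicator values (placeholders in the reserved .example domain and the 203.0.113.0/24 documentation range) and the known-good list are all assumptions of this example.

```python
import re
from collections import Counter

# Constructed indicator feed (placeholder values, not real threat data).
THREAT_INDICATORS = {"login-verify.example", "203.0.113.45"}

# Constructed list of destinations the business knows are legitimate, e.g. the
# off-site backup provider that trips a generic "large outbound transfer" rule.
KNOWN_GOOD = {"backup.example"}

# Constructed alert lines in the shape a simple gateway might emit:
# <timestamp> <user> <destination> <bytes_out> <rule>
SAMPLE_ALERTS = """\
2024-05-01T09:13:44Z bob login-verify.example 2048 suspicious-login-page
2024-05-01T02:00:05Z svc-backup backup.example 9000000000 large-outbound-transfer
2024-05-01T11:42:19Z carol 203.0.113.45 512 rare-destination
2024-05-01T14:05:00Z alice files.example 450000000 large-outbound-transfer
"""

ALERT_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_alerts(text):
    """Turn raw alert lines into dicts; malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        match = ALERT_RE.match(line)
        if not match:
            continue
        ts, user, dest, nbytes, rule = match.groups()
        alerts.append({"ts": ts, "user": user, "dest": dest,
                       "bytes": int(nbytes), "rule": rule})
    return alerts


def classify(alert):
    """Indicator match wins over the known-good list, so a compromised but
    normally trusted service still surfaces as confirmed."""
    if alert["dest"] in THREAT_INDICATORS:
        return "confirmed"
    if alert["dest"] in KNOWN_GOOD:
        return "false-alarm"
    return "review"


def triage(text):
    """Parse and classify every alert, returning the enriched records in order."""
    alerts = parse_alerts(text)
    for alert in alerts:
        alert["verdict"] = classify(alert)
    return alerts


def summarize(text):
    """Count alerts per verdict, the figure a leader would actually be shown."""
    return dict(Counter(alert["verdict"] for alert in triage(text)))


if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(f'{alert["verdict"]:<11} {alert["user"]:<10} {alert["dest"]} ({alert["rule"]})')
    print(summarize(SAMPLE_ALERTS))
```

Of the four alerts, two match an indicator and are confirmed, the backup job is a false alarm, and the large transfer to an unlisted host is left for a person to review. The order of the checks in classify matters: if the known-good list were consulted first, an indicator hit on a trusted service would be hidden, which is exactly the case threat intelligence is meant to catch.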

It’s Your Problem, Too

Shareholders are increasingly holding company leaders responsible for high-profile, costly data breaches.

You need to lead by showing your employees you’re paying serious attention to data security.

About the Author

Megan Andrews is a freelance writer who is just stepping into the wonderful world of content marketing and SEO. She has a BA in English and experience in many fields, ranging from finance to health (and a few odd ones too). When not creating quality content for quality sites, Megan enjoys reading, photography, and learning new things about the amazing world around her.