Businesses of all sizes are frequently entrusted with sensitive data—such as banking info, names and addresses, and other personally identifiable information (PII). Keeping this data safe from those who would abuse it is a grave responsibility that keeps getting increasingly difficult over time.
When data leaks occur, they can be devastating to your company’s operations and reputation. The disruptions caused by a data leak as you work to investigate its cause and the extent of the damage can end up costing millions of dollars. According to Ponemon Institute research cited by IBM, the average cost of a leak is about $141 per lost/stolen record, or $3.62 million per data breach event. However, this figure may not account for lost business from customers avoiding companies that have recently experienced a major cybersecurity breach.
Considering the stakes, preventing data leakage should be a top priority for any company. But, how can you prevent data leakage at your company (or at least minimize the risk)?
Here are a few basic tips to help you mitigate your risk of data being lost or stolen:
One of the best ways to keep data from leaking is to make sure that sensitive information isn’t sitting on every single workstation, smartphone, and USB drive in the office. Sensitive data, such as the PII of your customers, should never be stored on an employee’s laptop or portable drive where it could be easily stolen in the first steps of an attack.
Keeping that data in a central, secure location (such as a heavily-defended database) that employees who have the right account privileges can access remotely over a virtual private network (VPN) can help increase security.
Why?
Because, this introduces an extra step in the process for an attacker to access/steal the data. If the data was simply on the compromised workstation, the attacker would be able to get at it right away. By keeping sensitive data a bit more isolated, you can create a multilayered cybersecurity strategy that is tougher and more time-consuming to crack. This, in turn, gives your company’s cybersecurity team a better chance of identifying, containing, and eliminating the attack before it can cause too much damage.
Here’s an everyday work scenario: Mike is a customer service rep working at his company’s customer call center who is tasked with responding to calls about customer complaints—usually regarding their orders. To complete this task, he needs to be able to look at customer accounts and order histories (and possibly the tracking numbers on those orders). However, he also happens to have near-unrestricted access to payment card data because the person who set his account privileges did so manually and forgot to limit his access.
One day, Mike opens an email on his work computer and sees a link he thinks he needs to click on because it’s an “emergency.” He ends up downloading and running a program that logs his keystrokes and sends the records off to someone else—Mike just got phished.
A couple of days later, someone logs into Mike’s employee account remotely, and steals the payment card data of nearly every customer that the company has.
While the tactic—the use of a keylogging software—mentioned in this story is a bit archaic, the point is that because the employee had access to sensitive data they didn’t strictly need, and then their own user account got compromised, the company’s customers were all exposed to risk.
The breach in this scenario could have been prevented in a number of ways. One of the best would have been to make sure that the employee didn’t have access to such sensitive information in the first place. When setting up user privileges on your business’ network, it’s important to maintain a “policy of least privilege” wherein all of the users on your network only have access to the bare minimum resources required for them to perform their job responsibilities.
Another the data breach in the “Mike” example from before could have been prevented would be if Mike had been able to recognize the phishing attempt for what it was and not click on the link that led to the malware infection.
Providing employees with some training in cybersecurity awareness so that they can recognize phishing attempts and other cyber-attack strategies can do a lot to help them avoid falling for these attacks. It can also help them to know what to do in case of an attack—improving your company’s overall ability to detect and respond to these attacks.
Some things to cover in these training sessions might include:
While things like antivirus programs and basic firewalls won’t stop a determined attacker, they can help minimize your exposure to data loss/theft by providing some basic protection at each of your security endpoints.
Keeping these security programs up to date to recognize and counter the biggest threats can help prevent your company from falling victim to basic attacks that use well-known exploits. When checking out antivirus software, consider a solution that includes file scanning for email attachments—this can help keep your employees from accidentally downloading a virus to their computers.
Sooner or later, many of the people who are working at your company will move on. They might be retiring, taking on an exciting new opportunity, or you may have to terminate them for some cause. It’s an unfortunate fact of life for every business and business owner.
However, whenever you’re terminating someone’s employment, be sure to revoke all of their access to sensitive data as soon as possible—whether they’re leaving on friendly terms or not! Exiting employees can be an enormous potential risk to the security of your business’ data. With their employment at an end, there is less motivation for the employee to strictly adhere to data security standards—especially if they’re leaving on bad terms.
By revoking a terminated employee’s access to your most sensitive data quickly, you can remove any temptation to misuse said access. Even if the employee is considered completely trustworthy, it’s important to treat every employee the same way to minimize risks.
These are just a few of the easier-to-implement tips for preventing data leakage at your company. For more help with bolstering your company’s cybersecurity posture, check out our free Back to Cybersecurity Basics guide, or contact us directly!