Even if you have implemented measures designed to provide protection and ensure information is stored safely, how can you be sure that it is truly immune from unwanted exposure?
Here are some of the tactics used by cybercriminals to extract data from businesses, and the steps that can be taken to prevent breaches from occurring.
The risks that face customer data in the modern business environment are multifaceted and innately complex, with the convenience and flexibility of storing information digitally offset by a raft of potential vulnerabilities.
Even if data is encrypted and stored behind a firewall, it can be accessed by malicious third parties simply by exploiting a lack of cybersecurity knowledge and training amongst members of staff. (For more on cybersecurity, check out Cybersecurity: How New Advances Bring New Threats - And Vice Versa.)
Phishing campaigns and fraudulent emails are especially effective as a means of stealing data, because they rely on the fallibility of human employees, rather than on attempts to subvert tricky security systems.
Further employee-related issues arise as a result of device loss, theft and general errors which can lead to unwanted leaks. While deliberate acts of data sabotage by members of staff with a chip on their shoulder are not uncommon, the most likely cause of mission-critical information going missing will be accidental.
When an employee’s personal smartphone is used to access or store customer data, it becomes a point of extreme vulnerability. This is not just because it could be lost or stolen, but because it may contain malicious apps that are not vetted or approved by the business itself.
This is just one example of how customer data can be exposed, and pinpoints the importance of taking proper precautions when embracing BYOD (bring your own device) policies.
There are various software-based options available to businesses that want to steer clear of the risks that are posed to private information in the modern era.
The first line of defence is a firewall, designed to keep legitimate traffic flowing in and out of your business network while blocking attempts at subversion made by malicious third parties.
A firewall should be enough to keep data stored in-house out of harm’s way. But if you decide to embrace cloud-powered storage solutions, you can effectively outsource the provision of data security to a dedicated provider. For small businesses in particular, this can be a cost-effective option, making up for a lack of on-site hardware resources and expertise.
Wherever you keep your customer data, ensuring it is encrypted is crucial, irrespective of the threats you face. Without encryption, information can be snatched, analysed and put to work for the bad guys, at great cost to your company.
Limit Data Sharing
Another key step, particularly important with the implementation of GDPR, is to only collect and hold customer data that is required for a legitimate, specific purpose. Decide on the data that is vital for each customer, and only give your employees access to the data required for their particular role.
Whether intentional or unintentional, your employees pose a significant threat. Employees may attempt to download customer data onto removable media or email it to a personal account. Additionally they may download phishing software onto a work computer. It’s vital that you consider such insider threats and have software or a system in place to protect against this. Safe internet and email usage is key, and it’s recommended to draw up and implement a list of authorised programs that employees can install on their work terminals.
With the above in mind, training plays a crucial role in any organisation to ensure the safety of your customer data. Employees need to understand how they can help to protect data and why certain measures are in place. Proper training is often overlooked, so make sure you regularly update your policies and communicate this internally.
But even after you have adopted solutions designed to keep your customer data safe, how can you be sure that they will actually work as advertised when an attack occurs or a device is lost?
This is where penetration testing comes into play. It is a form of ethical hacking carried out by experienced, accredited experts which will be able to test the limits of any security systems and strategies to see whether they are as tough as expected.
For example, one goal of pen testing is to ask “Can you obtain our customer information?” and then establish the answer through a variety of real-world hacking tactics.
Penetration testing can factor in everything from controlled infiltration of your business’ network infrastructure to an investigation of the levels of physical security which are present on-site.
Businesses can be assessed based on how well they respond in the event of data loss resulting from the theft of a device, how well equipped employees are to identify and avoid phishing attacks, and whether key software apps are adequately secure. (For more on penetration testing, see Penetration Testing and the Delicate Balance Between Security and Risk.)
Making assumptions about the safety and security of customer data is simply not an option in the current climate; businesses must have a high degree of certainty that the solutions they have in place are up to the task of providing protection.
It is not enough to simply take the word of a vendor about the resilience of their platform, or accept that employees are probably well-versed in cyber threats without having any training on the matter. Regular updates and rigorous testing are the only ways to make a meaningful improvement.