You may already know that the biggest data security risk for businesses of all sizes is employee negligence. People fall for simple phishing scams and leave their work phones unlocked, and we’ve all seen that file named “passwords.txt” right on someone’s desktop.
Data security training is crucial, and it can go a long way toward protecting your business. But we’re all human, and we all make mistakes. Most likely, sooner or later, an employee will unintentionally open you up to a vulnerability.
What happens then? The outcome depends on what else is protecting you.
Quality Through Quantity
Linus Pauling, the Nobel Prize-winning scientist, once observed that the best way to have a good idea is to have a lot of ideas. Likewise, the best way to have good security is to have a lot of security.
That doesn’t mean haphazardly throwing together every idea you can think of. We’re talking about layers of security. Any single safeguard can fail, but the more safeguards you have, the more likely it is that at least one will succeed.
Employees are an important layer of defense — some would say they are the most important. But employees can’t be perfect, and neither can you. So go deeper.
Back to Basics
How do you build strong layers of data security? The first and best step is to consciously make security a priority, a part of everything your business does. If safeguarding your data is just another box to check or a process you do once and then forget about it, then it’s unlikely to be much help.
Once you’re in the right mindset, what should you do next? The Federal Communications Commission offers a detailed Cyber Security Planning Guide that includes the following recommendations:
- Conduct a data inventory. A good first layer of security is simply to know what data your company has, why you have it, where it is stored, and who has access. To protect your assets, you have to understand them. This knowledge alone won’t keep intruders out, but it’s a foundation for everything that follows.
- Create a data policy. Are you holding on to old records you no longer need? Maybe your data policy should require purging obsolete data; after all, thieves can’t steal what you don’t have. Perhaps your policy should dictate where sensitive information should and should not be stored. The most important thing about a data policy is to have one and follow it. If you do, you’re already safer than many of your competitors.
- Secure your data. How? Strong passwords and two-factor authentication are an excellent start. Data encryption is even better. You can encrypt anything from a single file to a hard drive to a database, and many encryption tools are inexpensive or free. Again, the key is to have a policy for what you’re doing and make it an integrated part of your business.
- Train your employees. As said earlier, employee training probably can’t be your only line of defense, but it’s an important one. Does everyone in your company know how to spot a phishing email or a fake landing page? Do they make phone calls to verify the identity of people who want information? Do they have a plan to follow in case something does go wrong? As with a data policy, the most important thing about employee security training is simply to do it continually, with clear signals from management that security matters.
Building strong layers of security and making them work can be a daunting challenge, but it gets easier with practice — and with help. Independent audits of IT controls are an important layer of defense. If you want to learn more about how an independent assessment of IT controls adds to your defense-in-depth process, CRI’s advisors can point you in the right direction.