Data and information breaches can happen in a multitude of different ways – from network penetration to an employee clicking on a phishing email to the carelessness or plain bad luck of losing a laptop or files in any format.
Here are a few common types of breaches and steps you can take to prevent them from happening to you.
Quick note: some of these recommendations might be overkill, so use common sense for your particular needs.
Don't think only about laptops or phones. Anything on which your data lives can be lost or stolen, including paper, digital media, thumb drives, etc.
1. Physically secure your data – digital AND paper
a. In public areas/cube farms, set PCs and laptops to logout after a brief period of inactivity.
b. Put away files and portable equipment when walking away from your desk.
c. Don't leave papers, computers, phones, etc. visible in an unattended car or house (remember that 26.5 million veterans' records were stolen from a Veterans Administration employee's home).
d. Shred confidential and private paper documents before disposal.
e. Don't leave documents exposed in the output trays of printers, copiers, and fax machines (see Keep Documents From Prying Eyes With Pull Printing for more).
2. Physically secure laptops when in a public area at all times. Never leave a laptop unattended – even in your favorite coffee shop!
3. Extra security for devices (and media) used in mobile work that are used to access and work on business-critical information and/or confidential information:
b. More physical security
4. When no longer needed, delete personally identifiable information (PII) according to your retention plan. Clear PII from mobile devices and laptops when no longer needed. Be sure to digitally shred the files (securely wipe them), not just delete them.
5. Report potential breaches if required by law. The Health Insurance Portability and Accountability Act (HIPAA) requires that those affected are alerted within a set period of time. Be sure to follow the compliance laws particular to your industry.
Working With PII
Personally Identifiable Information must be securely transmitted and stored.
1. Maintain strict folder permissions and access – don't accidentally store PII in a company-wide folder.
2. Ensure PII isn't accessible via the Internet without being protected by a password.
3. PII should be encrypted during transmission.
4. For mobile work, don't use an open wireless network (like at Starbucks) when transmitting PII.
5. Don't email or use an unencrypted instant message platform to share this information.
6. Have a cover sheet for paper files containing PII. If stored in folders, keep folders closed when not actively using the file.
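The first tip above is the one most often violated by accident: a spreadsheet with Social Security or card numbers lands in a shared folder that everyone can read. The following audit script is an added example (not from the original post) that walks a directory tree, flags files that contain PII-looking strings, and reports which of them are readable beyond their owner. It builds its own constructed sample tree in a temporary directory, so it runs offline; the patterns, the minimum-length cap and the folder names are assumptions you would tune for your own data.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Simple, high-precision PII patterns (constructed for this example; tune for your data).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 'card number' matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    kinds: list   # which PII patterns matched
    mode: str     # permission bits, e.g. "0o644"
    shared: bool  # True if group or others can read the file


def pii_kinds(text: str) -> list:
    """Return the kinds of PII found in a blob of text, in a fixed order."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("ssn")
    if EMAIL_RE.search(text):
        kinds.append("email")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            kinds.append("card")
            break
    return kinds


def is_shared(mode: int) -> bool:
    """Readable by group or others: the 'company-wide folder' mistake."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_tree(root: str) -> list:
    """Walk root and return a Finding for every regular file that holds PII."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(1_000_000)  # assumption: cap the bytes scanned per file
            except OSError:
                continue
            kinds = pii_kinds(text)
            if kinds:
                mode = stat.S_IMODE(st.st_mode)
                findings.append(Finding(path, kinds, oct(mode), is_shared(mode)))
    return sorted(findings, key=lambda f: f.path)


def exposed(findings: list) -> list:
    """Paths that hold PII AND are readable beyond the owner."""
    return [f.path for f in findings if f.shared]


def build_sample_tree() -> str:
    """Constructed sample data: one shared folder, one locked-down HR folder."""
    root = tempfile.mkdtemp(prefix="pii-audit-")
    shared, private = os.path.join(root, "shared"), os.path.join(root, "hr")
    os.makedirs(shared)
    os.makedirs(private)
    samples = {
        (shared, "meeting-notes.txt", 0o644): "Agenda: Q3 roadmap, no personal data here.\n",
        (shared, "export.csv", 0o644): "name,ssn,card\nJane Doe,123-45-6789,4111 1111 1111 1111\n",
        (private, "payroll.txt", 0o600): "jane.doe@example.com owes nothing; SSN 987-65-4321\n",
    }
    for (folder, name, mode), body in samples.items():
        path = os.path.join(folder, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for f in audit_tree(build_sample_tree()):
        flag = "EXPOSED" if f.shared else "ok"
        print(f"{flag:8} {f.mode} {','.join(f.kinds):10} {f.path}")
```

Run it against a real share and review the EXPOSED lines first; the `hr/payroll.txt` file still holds PII but is reported as `ok` because only its owner can read it, which is the distinction the tip is about. Permission bits are POSIX-style, so on Windows shares you would check ACLs instead.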
A strong password is the first line of defense against losing information.
1. Hide your passwords and use strong ones – no favorite childhood pets, birthdays, or anniversary dates. And, please, for the love of all that is holy, don't use “123456.”
2. Don't share your passwords with anyone (except maybe your spouse!).
3. If you have access to highly sensitive information as well as information that is less sensitive, use different passwords for each.
4. Don't use the same passwords for work and personal accounts.
5. ALWAYS change the default password.
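The password rules above can be turned into a check that runs before a password is accepted. The script below is an added example (not from the original post): it rejects passwords that are too short, that appear on a small constructed denylist of common and vendor-default passwords, that are just a date, or that contain a personal term such as a pet's name, and it separately reports accounts that share one password. The minimum length, the denylist contents and the account names are assumptions; a real deployment would load a full breached-password list instead of the handful shown here.

```python
import hashlib
import re

MIN_LENGTH = 12  # assumption: set this to the length your policy requires

# Constructed denylist of well-known weak and default passwords (lowercase).
DENYLIST = {
    "123456", "12345678", "password", "qwerty", "letmein",
    "admin", "welcome", "changeme",
}

# Dates in MMDDYY(YY) and YYYYMMDD forms, with or without / or - separators.
DATE_PATTERNS = [
    re.compile(r"^(0?[1-9]|1[0-2])[/-]?(0?[1-9]|[12]\d|3[01])[/-]?(19|20)?\d{2}$"),
    re.compile(r"^(19|20)\d{2}[/-]?(0?[1-9]|1[0-2])[/-]?(0?[1-9]|[12]\d|3[01])$"),
]


def looks_like_date(pw: str) -> bool:
    return any(p.match(pw) for p in DATE_PATTERNS)


def password_problems(pw: str, personal_terms=()) -> list:
    """Return the policy rules a candidate password breaks (empty list = accepted).

    personal_terms: words an attacker could guess about the user (pet names,
    family names, employer), supplied by the caller.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if pw.lower() in DENYLIST:
        problems.append("common_or_default")
    if looks_like_date(pw):
        problems.append("date")
    low = pw.lower()
    for term in personal_terms:
        if term and term.lower() in low:
            problems.append("personal_term")
            break
    return problems


def fingerprint(pw: str) -> str:
    """SHA-256 of the password, used only to group equal passwords for the
    reuse report so the report never has to print the passwords themselves.
    This is not a storage format; store passwords with a slow salted hash."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def reused_across(accounts: dict) -> list:
    """accounts maps account name -> password. Returns sorted groups of
    account names that share a password, i.e. the reuse the tips forbid."""
    groups = {}
    for name, pw in accounts.items():
        groups.setdefault(fingerprint(pw), []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["123456", "07041985", "Fluffy2019!xyz", "correct horse battery staple"]:
        print(f"{candidate!r}: {password_problems(candidate, personal_terms=['fluffy']) or 'ok'}")
    vault = {"work-vpn": "Tr0ub4dor&3", "gmail": "Tr0ub4dor&3", "bank": "unique-pass-phrase-1"}
    print("reused across:", reused_across(vault))
```

The reuse check is the part people skip: run it over an exported password-manager vault (with `work-vpn` and `gmail` as constructed names here) and any group it prints is a work/personal overlap to break up.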
Patch and Update Anti-Virus and Operating Systems
Hackers are constantly looking for weaknesses in both operating systems and security software. Keep both patched with the latest updates.
1. Make sure you've got anti-malware software installed, of course!
2. If you don't trust the sender, don't click on a link or an attachment.
3. If you're working with confidential data, don't open files sent on chat or IM – that can bypass your security software.
Suspicious and Risky Software
If it doesn't feel right, don't install a program on your computer. Some carry malware that can open up a back door into your computer and network. Check with your IT department first.
I know this list isn't rocket science. But it's amazing that companies keep ignoring these recommendations, are then hacked, and then wonder “why was I hacked.” It could be because the hackers were so brilliant that they spent time and energy penetrating your security systems. More than likely, it's because you – or one of your employees – did something careless.
Don't be careless.
Follow these basic security tips and up your chances of keeping your data secure.