Implementing Preventative Measures to Minimize Data Breaches
Much has been said (here and in many other articles) about cyber security risks, and the measures LBi Software and other companies are taking to prevent system data breaches. We talk about data encryption at rest, field-level encryption, VPN tunnels, malware/virus protection, intrusion detection services, two-factor authentication, secure coding principles and more, but breaches can still happen.
More focus is needed on the most common reasons for breaches and what you, the client, can do to minimize them. Let’s face it: the chances of a hacker cracking the data encryption that most databases use are roughly equivalent to winning the Powerball lottery. It could happen – after all, we saw three lucky winners last week (though it took billions of tickets sold since the last jackpot winner) – but it just isn’t going to happen that way. That is why the Federal Government is currently pressing technology companies to assist in cracking the encryption used by the bad guys in their communications with other bad guys. Even the Fed cannot crack those codes alone.
As the client you need to make sure that not only the databases but also the data feeds that populate those databases are encrypted. Too often, flat files of unencrypted data are left in a server’s archive folder, or worse yet in the SFTP folder, or, fatally, in the FTP folder. So that large investment in a secure app and database is thwarted by operations. Are your 401k feeds encrypted? And are the prior weeks’ files purged?
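The two questions above (are the feed files encrypted, and are the prior weeks’ files purged?) can be turned into a routine check. The script below is an added example, not LBi Software code: it walks a transfer drop folder, flags any file whose content does not look encrypted (no PGP armor header and byte entropy well below that of ciphertext) and any file older than the retention window. The folder layout, the sample feed contents and the 14-day retention value are constructed assumptions for the demonstration.

```python
"""Audit a file-transfer drop folder for unencrypted feed files and files
left behind past their retention window. Added example; not LBi code."""
import math
import os
import random
import tempfile
import time
from pathlib import Path

PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext is close to 8, CSV is far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """Heuristic: armored PGP header, or high-entropy leading bytes.
    Compressed archives also score high, so treat this as a triage signal."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(PGP_ARMOR_HEADER):
        return True
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def audit_feed_dir(root: Path, retention_days: int, now=None) -> dict:
    """Return {'plaintext': [...], 'stale': [...]} with paths relative to root."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    findings = {"plaintext": [], "stale": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if not looks_encrypted(path):
            findings["plaintext"].append(rel)
        if path.stat().st_mtime < cutoff:
            findings["stale"].append(rel)
    return findings


def build_sample_dir() -> Path:
    """Constructed sample folder: a plaintext 401k feed sitting in the SFTP
    folder, its encrypted counterpart, and a three-week-old archived feed."""
    root = Path(tempfile.mkdtemp(prefix="feed_audit_"))
    (root / "sftp" / "archive").mkdir(parents=True)
    # Constructed plaintext feed; the SSNs are obviously fake placeholders.
    (root / "sftp" / "401k_feed_current.csv").write_text(
        "employee_id,name,ssn,contribution\n"
        "1001,Jane Example,000-00-0001,450.00\n"
        "1002,John Example,000-00-0002,300.00\n"
    )
    # Stand-in for PGP ciphertext: deterministic pseudo-random bytes.
    rng = random.Random(20160113)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    (root / "sftp" / "401k_feed_current.csv.gpg").write_bytes(ciphertext)
    old = root / "sftp" / "archive" / "401k_feed_prior.csv.gpg"
    old.write_bytes(ciphertext)
    three_weeks_ago = time.time() - 21 * 86400
    os.utime(old, (three_weeks_ago, three_weeks_ago))  # backdate the archive file
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for category, files in audit_feed_dir(sample, retention_days=14).items():
        print(f"{category}: {files}")
```

Run it against the real drop folders (SFTP, FTP and archive paths) on a schedule and alert on anything in either list; the entropy threshold and retention window are the knobs to tune to your own feed formats and purge policy.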
HR system providers like LBi check all the cyber security boxes — maintaining all the relevant certifications and compliances, providing the most secure industry-standard infrastructure possible, guaranteeing performance and security in writing, and backing it all up with comprehensive policy and procedure documentation.
Still, risks remain. You can take every precaution possible to prevent back door (or even side door) break-ins, but far more often than not the real weakness is in the “front door”. By this I am referring to the means and mechanisms you the client use to access your systems — your log-in procedures and your data/system access policies.
Remember that scene in Ferris Bueller’s Day Off where Ferris sneaks a peek at the secretary’s ever-changing password list hidden in her desk drawer? That’s all he needed to break into the school computer to change his grades. And unfortunately that practice (or something similar) is prevalent in many businesses today. We simply have too many systems we access via password to easily remember them all. How many online services do you use that require a password? Five, ten, more? Some require a simple 4-6 character password while others require 8 characters or more with at least one capital letter, one number, and one special character. As we all know it is unwise to use one single password for every system we access, so we are left trying to remember several — and often these systems force periodic password changes. Many of us are guilty of writing our password on a sheet of paper. By themselves, passwords simply provide false confidence in system security.
The good news is there are measures businesses can take to ensure better security through password policies and practices. Here are some items that help make your environment more secure:
- IT staff could install software on every desktop to automatically scan for malware that captures login keystrokes.
- Implement Single Sign On (SSO) technology. SSO centralizes the password storage and management system, providing one single login for all company systems. It simplifies the management of employee passwords and places full control in the hands of your highly competent IT staff. SSO can also override possible weaknesses in some systems with less secure password technology.
- Implement Two-Factor Authentication when a user/employee logs on from outside the organization. This is real protection; even if someone correctly guesses your ID and password, they will not be able to access the system.
- Have a rigid written and published password handling policy. There should be formal penalties for mishandling passwords, such as writing them down or providing them to other users. Management must strictly enforce these policies. Perhaps provide secure password saving applications to your employees similar to KeyChain.
- Institute the obvious password creation rules — no part of your name or birthday, minimum 8 characters, a mix of alphabetic, numeric and special characters, etc.
- Institute strict desktop log-off procedures, such as auto log-off after 5 minutes of inactivity.
- Provide system users with the MINIMUM data access level they need to effectively conduct their day-to-day business. Many companies configure their systems to provide more data access to workers than is actually needed.
- Fully vet any and all employees that have access to your critical systems, especially new employees, employees who are or were recently on probation, sub-contractors and part-timers, and any employee who draws any level of suspicion.
- Consider hiring a Chief Information Security Officer (or certified short-term consultant) who can thoroughly analyze your existing processes and implement improvements where recommended.
- Have strict email policies. DO NOT email data files. How many of us have emailed a spreadsheet of employee data to a colleague?
- Have strict mobile policies, so that if your phone is lost or stolen corporate data is not at risk. Policies can include having passwords on all mobile devices (phones, tablets, laptops) and giving corporate security officers the ability to remotely wipe the data on the phone (if it is lost or stolen).
- Make sure the applications you purchase or develop were developed using sound security principles like OWASP Secure Coding Principles.
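The password creation rules in the list above (minimum 8 characters, a mix of alphabetic, numeric and special characters, no part of the user’s name or birthday) are concrete enough to enforce in code at account-creation or password-change time. The checker below is an added example, not LBi code or any particular product’s policy engine; the function names, the 3-character minimum for a “part of your name”, and the sample user are assumptions made for the demonstration. It returns a list of rule violations so the caller can show the user exactly why a password was rejected.

```python
"""Password-creation rule checker for the policy items listed above.
Added example; not LBi code. Thresholds and names are assumptions."""
import string
from datetime import date

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)
NAME_FRAGMENT_MIN = 3  # assumption: what counts as a "part" of a name

# Constructed sample user for the demonstration (not a real person).
SAMPLE_FIRST, SAMPLE_LAST, SAMPLE_BIRTHDAY = "Jane", "Doe", date(1985, 1, 13)


def name_fragments(*names, min_len=NAME_FRAGMENT_MIN):
    """Every lower-cased substring of each name part with length >= min_len."""
    frags = set()
    for name in names:
        for part in name.lower().split():
            for i in range(len(part)):
                for j in range(i + min_len, len(part) + 1):
                    frags.add(part[i:j])
    return frags


def birthday_fragments(born: date):
    """Digit strings a user is likely to derive from a birthday."""
    y, m, d = f"{born.year:04d}", f"{born.month:02d}", f"{born.day:02d}"
    yy = y[2:]
    return {y, m + d, d + m, m + d + yy, d + m + yy, yy + m + d,
            y + m + d, m + d + y, d + m + y}


def check_password(password, first_name, last_name, born):
    """Return a list of violated rules (empty list means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")

    # Name check is case-insensitive; report the longest matching fragment.
    lowered = password.lower()
    for frag in sorted(name_fragments(first_name, last_name), key=len, reverse=True):
        if frag in lowered:
            problems.append(f"contains part of the user's name ({frag!r})")
            break

    # Birthday check runs over the password's digits only, so "Jan13th1985!"
    # style padding does not hide the year.
    digits = "".join(c for c in password if c.isdigit())
    for frag in sorted(birthday_fragments(born), key=len, reverse=True):
        if frag in digits:
            problems.append(f"contains part of the user's birthday ({frag})")
            break
    return problems


def run_samples():
    """Evaluate a few constructed candidates against the sample user."""
    candidates = ["Summer2020!", "janedoe1985", "Ab1!", "Doe-13011985"]
    return {pw: check_password(pw, SAMPLE_FIRST, SAMPLE_LAST, SAMPLE_BIRTHDAY)
            for pw in candidates}


if __name__ == "__main__":
    for pw, problems in run_samples().items():
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

Wire `check_password` into whatever path sets passwords (self-service reset, provisioning, SSO onboarding) and feed it the name and birthday fields the HR system already holds; the name and birthday rules are the ones a generic “8 characters with a number” check cannot enforce.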
Taking these and other internal steps, in conjunction with your system vendor’s security processes, will help provide the highest level of security possible. No system is entirely risk-free, but together with your trusted vendor, you can have full confidence that every feasible measure has been taken to guarantee data confidentiality.