Online security safeguards
Employee mistakes are considered a greater threat to data than external hackers or insiders.
Cybersecurity threats are not only growing in number, they are also becoming more sophisticated. Yet more than half of organisations worldwide do not prioritise protection efforts in their cybersecurity budgets, according to a recent study by Ernst & Young.
This is especially troubling in Southeast Asia, where cybersecurity preparedness levels are scattered along the spectrum from underdeveloped to advanced -- a fact hackers are exploiting.
To prevent the most successful types of breaches -- phishing and malware -- companies need to be more proactive in protecting the network and the valuable data it contains. IT departments can begin to ensure the safety of data by taking these five steps:
1. Ensure that cloud and application vendors follow data security best practices: The responsibility for securing information does not end when it is transferred to the cloud. It is critical to choose software and platform providers who take security seriously and have developed a comprehensive set of practices, technologies and policies to help ensure the data is secure.
This means selecting providers that have security certifications such as ISO/IEC 27001 and SOC 2, provisions for redundancy and business continuity, network security, and protection measures for data centres.
2. Offer cybersecurity training to employees: According to the latest Global Encryption Trends study, employee mistakes are considered a greater threat to data security than external hackers and malicious insiders. This underscores the urgent need to train employees in the appropriate ways to handle company information, particularly as many organisations are employing more remote workers.
Conveying simple tips, such as resetting the passwords of all other online accounts when prompted to change a password on one site, and using unique passwords for each site, can go a long way in preventing security breaches. As PwC notes, training and educating employees to "act as the first line of defence" will help to reinforce the organisation's cybersecurity efforts.
3. Ensure the security and privacy of information in the cloud: In any business, vast amounts of confidential files are sent and received each day. Cloud storage can help keep these files within a more controllable data boundary layer needed to help an organisation maintain confidentiality and security.
For example, IT departments could have online file management software that allows them to restrict documents from being shared outside the organisation. The software can also specify users who can access sensitive information based on their IP addresses or cause a file shared to the public to expire after 30 days. This level of control can be an additional layer of safety by making it unnecessary for an employee to download the document to a local device.
4. Strengthen passwords and employee credentials: Having passwords to protect access is a given, but if the passwords are easy for hackers to guess, the team's protection efforts are wasted. Tools to help IT teams generate strong passwords and also identify weak ones can help strengthen the security of online accounts and protect data from cybercriminals.
Documents shared outside the organisation can also be password protected so that files are delivered safely and equipped with an expiration date to make the password invalid after a set period.
As a standard best practice, ensure employees use passwords for cloud business products, and change them, even though the software service itself may not mandate it.
5. Make a protocol for controlling and managing passwords: Organisations should also consider an online password manager to manage all passwords effectively. Although passwords are not meant to be shared, business requirements often demand selective sharing of passwords with others. This can pose a risk if employees leave these passwords on sticky notes or in personal email, as they may have access to privileged information.
IT departments should clearly define password ownership internally and use software solutions to create audit trails when a shared password is used. Alerts should also be sent to the owner of the password or the IT department leader when the passwords of sensitive resources are accessed. At any point, IT administrators should have a clear picture of who is accessing which passwords.
Additionally, automated solutions can help employees safely share passwords with colleagues as needed. Solutions are available to help IT departments securely store passwords in a centralised vault and share them in a completely invisible manner, for example through a web interface using browser plug-ins.
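The audit trail and alerting described in step 5 can be illustrated with the following added example, which is not part of the original article or of any vendor's product. The record fields, user and resource names, and the two rules (the owner's own retrieval raises no alert; a password with no defined owner is escalated to the IT department leader) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed data: password ownership as defined internally by IT.
OWNERS = {
    "prod-db-root": {"owner": "asha", "sensitive": True},
    "payroll-portal": {"owner": "ben", "sensitive": True},
    "office-wifi": {"owner": "chen", "sensitive": False},
}
IT_LEAD = "it-lead"  # hypothetical recipient for escalations

# Constructed audit trail: one record per retrieval of a shared password.
AUDIT_TRAIL = [
    {"ts": "2024-03-01T09:12:00", "user": "dev1", "resource": "office-wifi"},
    {"ts": "2024-03-01T09:40:00", "user": "dev2", "resource": "prod-db-root"},
    {"ts": "2024-03-01T10:05:00", "user": "asha", "resource": "prod-db-root"},
    {"ts": "2024-03-01T11:30:00", "user": "dev1", "resource": "legacy-ftp"},
]

def build_alerts(trail, owners, it_lead=IT_LEAD):
    """Return (recipient, message) pairs for accesses that need review."""
    alerts = []
    for ev in trail:
        meta = owners.get(ev["resource"])
        if meta is None:
            # Ownership was never defined: escalate (assumed rule).
            msg = f"{ev['ts']} {ev['user']} used unowned password {ev['resource']}"
            alerts.append((it_lead, msg))
        elif meta["sensitive"] and ev["user"] != meta["owner"]:
            # Sensitive resource retrieved by someone other than its owner.
            msg = f"{ev['ts']} {ev['user']} used sensitive password {ev['resource']}"
            alerts.append((meta["owner"], msg))
    return alerts

def access_picture(trail):
    """Map each password to the set of users who have retrieved it."""
    picture = defaultdict(set)
    for ev in trail:
        picture[ev["resource"]].add(ev["user"])
    return dict(picture)

if __name__ == "__main__":
    for recipient, message in build_alerts(AUDIT_TRAIL, OWNERS):
        print(f"ALERT -> {recipient}: {message}")
    for resource, users in sorted(access_picture(AUDIT_TRAIL).items()):
        print(f"{resource}: {', '.join(sorted(users))}")
```

The `access_picture` view is what gives administrators the "who is accessing which passwords" overview; the unowned `legacy-ftp` record shows how a gap in ownership surfaces as soon as the password is used.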
While cyberthreats do not appear to be abating in the near future, IT administrators can be proactive in protecting valuable and sensitive company data with online, cloud-based solutions that aid in the management of enterprise passwords, monitoring of employee activity and securing of documents in a layer that is akin to being the operating system for a business.
Taking these steps will ensure companies are prepared for the barrage of breach attempts they face daily, and can quickly identify and trace attacks when they happen.
Gibu Mathew is vice-president and general manager for Asia-Pacific of Zoho Corp, an Indian software development company.