Most of us can’t imagine a world where we can’t connect digitally with employees, vendors, partners, and customers. Whether you are working remotely on a laptop or doing business on your phone, digital infrastructure is not just a convenience but a necessity.
Doing business today requires sharing and storing sensitive data so users can easily access it and do their jobs. With ease of access comes risk. Cybersecurity professionals are in a constant war to protect sensitive data without making it difficult to access for authorized users. Balancing security with productivity is about managing and mitigating risk.
Cybersecurity Awareness Month was launched by the National Cybersecurity Alliance & the U.S. Department of Homeland Security in October 2004 to bring awareness and solutions to protect our sensitive data. This year marks the 20th anniversary of its inception, and the Cybersecurity and Infrastructure Security Agency has focused this year on securing our world.
Four Ways to Protect Your Business
While a lot of the focus of Cybersecurity Awareness Month is on staying safe online, below are four ways to protect your business and its data from compromise.
- Recognize and report phishing
- Use strong passwords and multifactor authentication
- Update software
- Encrypt sensitive data
Avoid Phishing
People aren’t falling for the Nigerian email scams of old, I hope, but phishing is still a huge problem as attackers get more sophisticated. Hopefully, people are getting wiser about these scams, but you still have to be diligent. Harmful links or attachments could provide unauthorized access to information or infect your network with malicious code. This can result in data being held for ransom or just exfiltrated and sold to your competition.
Employees should be able to identify the basic signs of phishing emails, such as strange or unexpected requests, often using alarming language or urging immediate action. These messages often appear to come from your colleagues or business partners. Bad actors are improving their techniques all the time, so employees need to learn about the latest scams. Contact your training department or security team for the latest information.
A best practice is to look at the sender’s email address. If you don’t recognize it, don’t respond, and don’t click on any links or attachments. If it looks legitimate, hover over any links to make sure they go to legitimate sites. If in doubt, contact the person who sent it to verify.
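The sender and link checks described above can also be automated at a mail gateway or in a report-phishing triage queue. The following is an added example, not code from the original article; the function names, the `known_domains` allowlist, and the sample message are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)  # text that reads as a URL

class Anchors(HTMLParser):  # collects [href, visible text] for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def host_of(value):  # lower-cased hostname of a URL or bare domain, "" if unparsable
    try:
        return (urlsplit(value if "//" in value else "//" + value).hostname or "").lower()
    except ValueError:
        return ""

def within(host, domains):  # host equals a known domain or is a subdomain of one
    return any(host == d or host.endswith("." + d) for d in domains)

def review_message(from_header, html_body, known_domains):
    """Return findings for the sender address and each link in one message."""
    findings = []
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if not within(sender, known_domains):
        findings.append(f"unrecognized sender domain: {sender}")
    parser = Anchors()
    parser.feed(html_body)
    for href, text in parser.links:
        target, text = host_of(href), text.strip()
        if not within(target, known_domains):
            findings.append(f"link goes to unrecognized host: {target}")
        shown = host_of(text) if URLISH.fullmatch(text) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
    return findings

SAMPLE_FROM = '"IT Help Desk" <helpdesk@example-support.test>'  # constructed sample, reserved domains
SAMPLE_HTML = '<a href="https://example.com.account-check.test/reset">https://example.com/reset</a>'
```

Calling `review_message(SAMPLE_FROM, SAMPLE_HTML, {"example.com"})` returns three findings for the constructed message. A message with no findings is not proven safe, so verifying with the sender when in doubt still applies.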
Use Strong Passwords and Multifactor Authentication
While strong passwords aren’t a failsafe, they are one of the easiest ways to protect your business, because they stop people or programs from guessing or cracking simple passwords. Just recently, Google made an effort to eliminate using passwords for its services in favor of passkeys. Since passkeys are certificate-based and eliminate the vulnerability of storing passwords, using them can greatly improve your security. Unfortunately, most systems and sites still use passwords, so this vulnerability will remain for a while.
Using a single sign-on (SSO) system to manage identity and access improves your security, since there are fewer passwords to remember and these systems have better security built in. To prevent password theft, many companies use tools that generate random passwords for access once a user has verified themselves. This is also important for system accounts when accessing servers, routers, and security consoles.
Multifactor authentication (MFA) provides extra security by confirming identities with a second verification method, like entering a code texted to a phone or one generated by an authenticator app. Companies use this for access to a VPN and privileged systems that have sensitive data. Many computers, tablets, and phones have fingerprint scanners or other biometric controls to prevent someone from walking up to the device and accessing it with just a password.
For a lot of externally accessed systems, setting up MFA is very simple and many users can do it themselves. If you want stronger security, requiring a smart card or FIDO security key is your best option. Many systems and sites support FIDO protocols natively and using these devices is easy. For internal systems, use the strongest MFA for the most sensitive systems.
Update and Patch Software
This seems very obvious, but it’s amazing how many people and companies don’t do it. As software developers find security holes, they create patches to fix the vulnerability. Windows, macOS, Linux distributions, and mobile operating systems have automatic update processes to download and install the latest patches. Sometimes corporate policy doesn’t turn these on by default, because security teams need to vet the patches before deployment. Once vetted, they should be pushed to all affected systems. The same goes for business software, routers, firewalls, network, and security applications. Too many exploits arise from unpatched systems.
Encrypt Sensitive Data
The best way to protect your sensitive data is to automatically encrypt and assign dynamic access control to sensitive files. You can limit editing, copying, printing, screenshots, and general sharing of sensitive content with unauthorized users and systems both inside and outside your organization. This ensures that only authorized users can access your sensitive data based on security policies that validate user access continuously.
If a hacker or other bad actor exfiltrates a sensitive file by phishing, password compromise, or exploiting an unpatched system, your sensitive data is still protected. Since the file is encrypted, anyone who tries to open it without authorization gets random characters. This is also important to mitigate potential insider threats. Typically, once a user accesses sensitive data, they can share it with anyone. Encryption combined with in-use controls that limit what a user can do with the content once they open the file minimizes that risk.
Secure Your World
Using a multilayered approach to security is important. If one system fails, the others still protect your data. Don’t make it easy for hackers, criminals, or other unauthorized users to access your sensitive data and compromise your business. Use strong access controls, patch security vulnerabilities, and encrypt your sensitive data.