How to implement data security in the company
Data security should be a top priority in all businesses. It requires time, work and often financial investment. However, the effort is much cheaper and less labour-intensive than the damage mitigation that entrepreneurs have to do after a data leak. The following procedures on the technical, human and organisational level protect data against attacks from outside as well as inside.
Develop a strategy
Vague security measures do not protect effectively against data theft or loss in the long run. Data security in the company must rest on clearly defined security strategies. These should be as detailed and comprehensive as possible so that every employee and manager knows what to do. Mitigation strategies are essential in case a data leak occurs despite all security precautions. In addition, companies must keep their practices up to date; only then can they ward off new threats.
Protection against malware
Adequate protection against malware is one of the cornerstones of any data protection strategy. This includes high-quality malware scanners that regularly check the computers of a company network. They detect suspicious programmes and delete them if necessary. In addition, they block other malware from entering a system in the first place. A firewall additionally monitors the data exchange of a computer or a network.
In general, however, employees should always be careful: avoid suspicious websites and do not click on links in e-mails whose source they do not know. In addition, they should not download software from dubious manufacturers onto their computers.
Securing the WLAN network
The company's internal WLAN network should always be well encrypted. This means that the default passwords from the provider must be exchanged for a password that is not easy to guess.
Even a complex WLAN password needs an effective encryption method. Companies should opt for the sufficiently secure WPA2 method (sometimes listed as WPA2-Personal or WPA2-PSK). Some providers already offer the even more secure WPA3 encryption.
Regular firmware updates also ensure that security gaps are closed. If unusual activity occurs within a network, the router log can be checked, since it records the network activity. It is also worth activating the router's built-in firewall; modern devices are equipped with one as standard.
Optimise passwords
Computer users are often too lax when it comes to creating passwords. Given the number of tools, accounts, networks and end devices that require strong passwords, this is hardly surprising.
Nevertheless, complex passwords are an important first line of defence against data theft. They should contain at least 8 characters, consisting of letters, special characters and numbers. Dates of birth (including combinations of several dates of birth), pet names or similar are strongly discouraged.
Password managers are useful for generating random character combinations and saving them. Users then do not have to re-enter them every time. There are numerous reputable providers that companies can trust if they do not have their own password manager on their computers.
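The rules in the two paragraphs above (minimum length, character classes, no dates of birth or pet names) can be enforced mechanically. The following is an added example written for this article, not code from the original page: a policy checker that flags every violation, plus a generator of the kind a password manager uses, built on the `secrets` module. The discouraged-word list and the date formats are constructed assumptions; a real deployment would load the context words (names, pets, company terms) from its own directory.

```python
import re
import secrets
import string
from datetime import datetime

MIN_LENGTH = 8  # minimum length stated in the article

# Constructed example of context words an attacker could guess (pet names etc.).
# Assumption: in production these come from the user's own HR/directory record.
DISCOURAGED_WORDS = ("fluffy", "rex", "bella")

# Digit-only date layouts to reject: day/month/year, month/day/year, year/month/day
# in 8-digit form, and day/month/year or year/month/day in 6-digit form.
_DATE_FORMATS = {8: ("%d%m%Y", "%m%d%Y", "%Y%m%d"), 6: ("%d%m%y", "%y%m%d")}


def _contains_date(password: str) -> bool:
    """True if any run of digits contains a chunk that parses as a calendar date."""
    for run in re.findall(r"\d+", password):
        for width, fmts in _DATE_FORMATS.items():
            for start in range(0, len(run) - width + 1):
                chunk = run[start:start + width]
                for fmt in fmts:
                    try:
                        datetime.strptime(chunk, fmt)
                    except ValueError:
                        continue
                    return True
    return False


def check_password(password: str, context_words=DISCOURAGED_WORDS) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    lowered = password.lower()
    for word in context_words:
        if word in lowered:
            problems.append(f"contains discouraged word '{word}'")
    if _contains_date(password):
        problems.append("contains a calendar date")
    return problems


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Random password drawn with a CSPRNG; retried until it satisfies the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("password", "Fluffy2021!", "Pa$$word01011990", "Tr0ub4dor&3"):
        print(f"{sample!r}: {check_password(sample) or 'ok'}")
    print("generated:", generate_password())
```

The date check deliberately accepts any two-digit year, so a six-digit birthday such as 010190 is rejected whichever century it belongs to; that costs a few false positives on random digit runs, which is the right trade-off for a policy check.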
Personal devices
Within a company, there should also be strict security regulations for personal end devices and data carriers such as laptops, tablets or smartphones. These policies include clear guidelines on topics such as data deletion, location tracking or internet monitoring.
Automatic software updates
Vulnerabilities in operating systems, software or apps cannot be avoided. However, tech companies usually react quickly to security gaps and offer updates with corresponding patches so that hackers cannot exploit them.
End users, however, must install these updates promptly. This should happen automatically and in the background so that the update does not disrupt the normal workflow.
Carry out employee security checks
Employees or former employees can pose a threat to corporate data security. Industrial espionage happens everywhere and employees or supposed business partners occasionally have malicious intentions. Companies must therefore thoroughly check the backgrounds of their applicants. Suspicious behaviour among existing staff should be closely monitored by supervisors.
Delete data thoroughly
Old or broken devices are often disposed of without the former users giving much thought to the data they contain. Even when an operating system is reinstalled or hard drives are formatted, the information is not gone forever.
Cybercriminals can recover sensitive data with easily accessible tools.
Entrepreneurs must therefore use suitable tools themselves or hire IT service providers who overwrite the relevant files several times so that they can no longer be reconstructed.
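The multi-pass overwrite the paragraph calls for looks like this in practice. The code below is an added example for this article, not a tool from the original page: it overwrites a file's blocks with random bytes for a configurable number of passes, forces each pass to disk with `fsync`, and only then unlinks the file. The sample file content in `demo()` is constructed for the demonstration.

```python
import os
import secrets
import tempfile


def overwrite_and_delete(path: str, passes: int = 3, chunk_size: int = 1 << 16) -> int:
    """Overwrite `path` in place `passes` times with random data, then remove it.

    Returns the total number of bytes written. Note (assumption stated here, not
    from the article): in-place overwriting only reaches the original blocks on
    media without wear-levelling or copy-on-write; SSDs and CoW filesystems need
    a device-level secure erase or full-disk encryption with key destruction.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:          # r+b keeps the same inode/blocks
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))   # CSPRNG output, not a fixed pattern
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())          # make sure the pass hit the disk, not a cache
    os.remove(path)
    return written


def demo() -> tuple:
    """Create a constructed sample file, wipe it, and report (bytes written, still exists)."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"customer record 0001\n" * 100)  # 2100 bytes of constructed data
    written = overwrite_and_delete(path, passes=3)
    return written, os.path.exists(path)


if __name__ == "__main__":
    print("bytes written, file still present:", demo())
```

Opening the file with `r+b` rather than `wb` matters: truncating and rewriting could let the filesystem allocate fresh blocks and leave the old ones untouched, whereas rewriting in place targets the blocks that held the sensitive content.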
Use cloud service providers
Corporate data can also be secured with cloud service providers. These providers must ensure an effective security concept, if only to remain competitive and able to do business. They can devote the time and manpower to data security that is often not available to a small and medium-sized enterprise.
But beware: the company that contracts the cloud service remains responsible for customer data and the like. It shares at least part of the responsibility if there is a data leak at the cloud provider and customer data is stolen.
Incidentally, good old tape has been experiencing an unexpected revival as a mass-storage medium since 2016. But can an air gap in backups really only be achieved with tapes? See the fact check for the answer.
Train employees
Regular training on the topic of data security is essential. The measures must become second nature across the company, from management down to the lowest employee level; only then will they be effective.
On the one hand, the staff must understand these strategies on an intellectual level and have the skills to implement them. In order to measure the extent to which employees are aware of the scope of their own security responsibilities and act accordingly, IT-Seal GmbH has developed the Employee Security Index. On the other hand, an awareness or a corporate culture should emerge that emphasises the importance of a data security concept: it is about the well-being of the customers, the company and ultimately each individual employee.
Secure authentication procedures
Two- or multi-factor authentication should become the standard in every company. Here, logging in, for example to a network, is not done via user name and password alone: additional authentication factors are required.
These can be, for example, an ATM card or a code that the user receives via a smartphone app or via SMS. Biometric features in the form of a scan of the iris, the face or voice recognition for authentication can also be set up. This whitepaper explains what is important when selecting the second factor and how the interaction with Customer Identity & Access Management works.
A study by LastPass/IDG also shows interesting insights into identity and access strategies of IT decision-makers in the "new normal" of remote work.
Back-up copies
Regular backups make it possible to recover more quickly from data that has been stolen, lost, destroyed or taken hostage by ransomware. However, entrepreneurs should be aware that a backup does not stop data thieves from passing on or publishing the stolen information.
Introduce a four-eyes (or more) principle
Even within a company, data security works best when it is strict. This means that not every individual may have access to sensitive data. Companies can stipulate that, for example, two people with two different passwords are needed to access a certain data set. This prevents a single employee from misusing important data.
Regulate access rights
Each user of a corporate network should only be given the permissions for the data resources needed for their respective work. With time-limited authorisations, nobody retains access to a system once the work that required it is finished.
Shops and companies also often receive visitors, work with external staff and freelancers, or enter into business partnerships. For all these cases there should be safeguards in place so that temporary employment or visits do not become a security risk.
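The four-eyes principle above and the least-privilege, time-limited access rights in this section can be expressed in one small authorisation model. The following is an added example written for this article, not code from the original page: every grant names a user, one resource and an expiry; resources listed under dual control are only released when two distinct people who each hold a valid grant request access together; every decision is logged. The resource names, users and durations are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str          # the dataset or system this permission covers
    expires_at: datetime   # every grant is time-limited; no open-ended rights


@dataclass
class AccessPolicy:
    grants: list = field(default_factory=list)
    # Resources that need two distinct authorised people (four-eyes principle).
    dual_control: set = field(default_factory=set)
    decisions: list = field(default_factory=list)   # audit trail of every request

    def grant(self, user: str, resource: str, valid_for: timedelta, now=None) -> Grant:
        """Grant `user` access to `resource` for `valid_for` starting at `now`."""
        now = now or datetime.now(timezone.utc)
        g = Grant(user, resource, now + valid_for)
        self.grants.append(g)
        return g

    def revoke_user(self, user: str) -> int:
        """Drop every grant of a departing employee or visitor; returns how many."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.user != user]
        return before - len(self.grants)

    def _holders(self, resource: str, now: datetime) -> set:
        """Users with an unexpired grant on `resource` (expired grants simply stop counting)."""
        return {g.user for g in self.grants if g.resource == resource and g.expires_at > now}

    def authorise(self, requesters: set, resource: str, now=None) -> tuple:
        """Decide whether the people in `requesters` may open `resource` together."""
        now = now or datetime.now(timezone.utc)
        holders = self._holders(resource, now)
        missing = set(requesters) - holders
        if missing:
            verdict = (False, f"no valid grant for {sorted(missing)} on {resource}")
        elif resource in self.dual_control and len(requesters) < 2:
            verdict = (False, f"{resource} requires two distinct authorised people")
        else:
            verdict = (True, "ok")
        self.decisions.append((now.isoformat(), sorted(requesters), resource, verdict[1]))
        return verdict


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)   # constructed start of a shift
    policy = AccessPolicy(dual_control={"payroll"})
    policy.grant("alice", "payroll", timedelta(hours=8), now=t0)
    policy.grant("bob", "payroll", timedelta(hours=8), now=t0)
    policy.grant("carol", "wiki", timedelta(days=1), now=t0)
    print(policy.authorise({"alice", "bob"}, "payroll", now=t0 + timedelta(hours=1)))
    print(policy.authorise({"alice"}, "payroll", now=t0 + timedelta(hours=1)))
    print(policy.authorise({"alice", "bob"}, "payroll", now=t0 + timedelta(hours=9)))
    for entry in policy.decisions:
        print(entry)
```

The expiry is checked at request time rather than by a clean-up job, so a grant that nobody remembered to revoke still stops working on its own; `revoke_user` covers the case of an employee or freelancer leaving before their grants run out.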
Observation and logging of data traffic
Anyone who monitors, logs and regularly evaluates the data traffic of a network can detect suspicious activities more quickly.
Periodic audits
Security technologies and data security measures should be reviewed regularly. There are many solutions on the market worth comparing, including software from Safetica Technologies, Thales or Matrix42. With a solution tailored to the company's needs, gaps can be identified and closed before cybercriminals exploit them. For best practices on how companies can implement data loss prevention (DLP) tools, see this whitepaper.