The amount of data we create is increasing rapidly. According to IBM, every day we generate 2.5 quintillion bytes, so much that 90 percent of the data in the world today has been created in the last two years alone.
But with more data, comes more risk. Organisations depend on data to make critical business decisions and investments.
Data is the new oil, and hackers are constantly looking for new, and better, ways to steal or manipulate this vital business asset for their own purposes. Despite the advances the cyber security industry is making in developing data protection tools, the sophistication of hackers is increasing at a similar pace.
It’s now not a matter of if, but when a business becomes the victim of a hack. So, what can be done to avoid becoming an easy victim of a data breach, and keep data safe?
1. Study your data
The first step a business must take before implementing any cyber security strategy is to conduct a data sweep. This helps a business understand what data it has collected or produced and where the most sensitive and most valuable parts sit. Businesses need to know what data they have before they can even think about how to protect it.
2. Go beyond compliance and regulation
Businesses need to understand, and be compliant with, the existing legal policies and regulations concerning data security. In particular, e-Privacy legislation and the upcoming General Data Protection Regulation dictate the cyber security requirements of European organisations. However, these regulations are simply the minimum benchmark for data protection, and do not guarantee that a compliant business is ‘un-hackable’.
3. Implement two-factor authentication
The next step for an organisation should be to focus on adopting strong two-factor authentication. This helps verify the identity of individuals who have access to sensitive data, and ensures only the right people have access to the right kinds of data. Two-factor authentication requires an individual to present something they possess – like a code delivered to their smartphone – and something they know, rather than relying on a single method of protection in isolation.
4. Encrypt all sensitive data
Although two-factor authentication helps control access to data, encryption ensures that sensitive data cannot be used if it is accessed by unauthorised personnel.
Encrypting data renders it useless if it is stolen. It is for this reason that businesses must understand where their most valuable data is stored before this step can occur. Whether the data is stored on your own servers, in a public cloud, or in a hybrid environment, encryption must always be used to protect it.
5. Store your keys securely
Encryption keys are created when data is encrypted, and are necessary to unlock and access the encrypted data. Once an encryption strategy is in place, attention must be given to ensuring that these keys are securely stored. Encryption is only as good as the key management strategy employed, and organisations must ensure keys are kept in secure locations, for example in dedicated external hardware separate from the data itself, to prevent them from being compromised.
6. Back up all crucial business data
However, these steps only protect the business’ data from malicious attacks. There are dozens of unforeseen circumstances that can damage the consistency of the data a business stores, such as fire, smoke or water damage.
While events such as flooding are hard to predict or prevent, the damage can be mitigated by regularly creating backups of the data on all computers, preventing the worst outcome: losing vital data for good. The backed-up data should then be stored offsite or in the cloud, and protected with two-factor authentication and encryption, to keep it secure.
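A backup only mitigates the loss if it can actually be restored, so a backup routine should record what it copied and check the copy before it is trusted. The following is an added example, not code from the article: it archives a directory, records a SHA-256 manifest of every file plus a hash of the archive itself, then proves the backup by restoring it elsewhere and comparing. The sample files and paths are constructed in a temporary directory; the `demo` function also corrupts the archive to show that the verification catches it.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` into `archive` and return the manifest that must be
    stored with the offsite copy: per-file hashes plus the archive hash."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return {"files": manifest, "archive_sha256": sha256_file(archive)}


def verify_backup(archive: Path, expected: dict, restore_to: Path) -> bool:
    """Prove the backup: the archive must be byte-identical to what was
    recorded, and a test restore must reproduce every file hash."""
    if sha256_file(archive) != expected["archive_sha256"]:
        return False  # archive damaged or tampered with since creation
    restore_to.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # Refuse entries that would escape the restore directory.
            tar.extractall(restore_to, filter="data")
        except TypeError:  # Python builds without the extraction filter
            tar.extractall(restore_to)
    return build_manifest(restore_to) == expected["files"]


def demo() -> bool:
    """Round trip on constructed sample data; returns True when a good backup
    verifies and a corrupted one is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "reports").mkdir(parents=True)
        # Constructed sample files standing in for business data.
        (src / "reports" / "q1.csv").write_text("customer,amount\nacme,100\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        archive = tmp / "backup.tar.gz"
        manifest = create_backup(src, archive)
        good = verify_backup(archive, manifest, tmp / "restore")

        # Simulate storage damage: flip the last byte of the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[:-1] + bytes([data[-1] ^ 0xFF]))
        corrupted_rejected = not verify_backup(archive, manifest, tmp / "restore2")
        return good and corrupted_rejected


if __name__ == "__main__":
    print("backup round trip ok:", demo())
```

The manifest should travel with the offsite or cloud copy, and the archive should be encrypted before it leaves the premises, as the step above requires; the hashes are computed over the plaintext files so a restore can still be verified after decryption.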
7. Update devices with latest patches
Vendors are constantly patching their software as bugs and vulnerabilities emerge, to prevent hackers from exploiting them. Currently, businesses are not doing enough to implement patches in a timely and consistent manner, or are using software which no longer receives regular patches. For example, research by BitSight found Windows XP or Vista was still running on 20 percent of the 35,000 systems examined, despite Microsoft discontinuing security patches for both.
8. Education will go a long way
Businesses should develop trust by educating their employees and customers on the steps they should take to keep data secure, remain safe and protect their own personal data.
Recent figures from the UK’s Information Commissioner’s Office found that human error accounted for almost two-thirds (62 percent) of the incidents involving data loss. By educating their staff, businesses can help reduce these instances. In addition to this, some consumers remain unaware that not all security measures offered by businesses are automatically deployed, and must be activated by them, such as two-factor authentication on many social media sites.
9. Employ an ethical hacker
Once a business has begun implementing a cyber security strategy, it can test its defences by hiring an ethical hacker. Ethical hackers use the same methods and techniques as malicious hackers to test and bypass a system's defences. They then document any vulnerabilities found, and provide advice to businesses on how to fix them. Like cyber criminals, ethical hackers understand that the real value a business stores is its data, and can help provide guidance on how best to protect it.
10. Make security a boardroom level discussion
Data is as important to a business as its finances, and should be effectively protected.
To ensure that an organisation takes its cyber security seriously, it must be treated with importance at the highest levels of the business.
Employing a CISO or other high-ranking executive to take responsibility for cybersecurity matters, and to sit on the board with the CEO and CFO, is an important step towards implementing the above measures. Regardless of whether a business does this, in the event of a data breach it is the C-level that has ultimate responsibility for the security of data. In some instances, CEOs have had to resign following a data breach, showing the serious consequences that can occur when a breach happens.
Protecting against data breaches is vital to foster customer trust and loyalty for an organisation. While these steps won’t guarantee a business is 100 per cent unhackable, the importance of an adequate cyber security strategy cannot be overstated, with recent research revealing that almost seven in ten consumers will take their business elsewhere in the event of a data breach.
Organisations must approach data protection with the assumption that they will be breached. Only once a business has followed these steps can they be confident that they have adequate processes in place to be doing everything they can to protect their data.
It is no longer a question of if, but when, a business will suffer a data breach. With under a year until GDPR comes into effect, businesses need to follow these steps now to avoid facing severe fines, damaged reputations and a loss of customers in the event of a data breach.