Data Threats Change, but Security Essentials Don’t
There’s little doubt information security is among the most serious — and most sensitive — issues facing online businesses. Ask those whose secrets were exposed during the notorious Ashley Madison security breach how lax security can change a person’s life. Ask Hillary Clinton’s 2016 presidential campaign about the potential repercussions of flawed security protocols.
New threats to data arise almost daily, and old threats become more sophisticated. Nevertheless, the fundamentals of data protection remain constant: Know what information you have, solicit and keep only what you need, promptly dispose of material no longer relevant and create an incident response plan.
The U.S. Federal Trade Commission is tasked with overseeing commercial data security and prosecuting companies whose sensitive consumer files escape due to negligence. The agency’s free booklet, Start with Security: A Guide for Business, lists 10 points all businesses should consider when designing security protocols.
Factor in security from the start, in every area of your business. Make conscious decisions about the type of information you collect, how long you keep it and who can access it.
Control access to data — not only by outsiders, but also within the company. Private information should be available to employees only on a need-to-know basis.
Insist on complex and unique passwords and store them securely. Despite warnings and a plethora of horror stories about how using the same password in multiple places can create utter chaos, users continue to make the mistake. Consider auto-generating passwords or two-factor authentication. In addition, thwart brute-force attacks by limiting the number of login attempts before locking an account. Ensure authentication protocols cannot be bypassed.
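As an added illustration of the "store them securely" and "limit login attempts" advice above (example code written for this page, not taken from the FTC guide or the article), the sketch below stores only a salted PBKDF2-HMAC-SHA256 digest, compares it in constant time, and locks an account after a fixed number of consecutive failures. The iteration count, the five-attempt limit and the 15-minute lockout are assumptions to be tuned for your environment.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware's cost budget
MAX_ATTEMPTS = 5             # assumption: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60    # assumption: 15-minute lockout window


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes          # the plaintext password is never stored
    failures: int = 0      # consecutive failed attempts
    locked_until: float = 0.0


class AuthStore:
    def __init__(self) -> None:
        self.accounts = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username: str, password: str, now: float = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown users
            return "denied"
        if now < acct.locked_until:
            return "locked"  # no password check while locked
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"
```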
Store and transmit sensitive information securely. Use strong encryption to guard against accidental exposure of sensitive files.
Segment your network. Keep sensitive data on an entirely separate server that has been hardened against known — and even postulated — threats. Monitor access to the data repository.
Limit remote access and ensure endpoint security. A network is only as secure as the weakest node.
Implement security from the ground up in new products and services. Weak code is a primary vector for attack. Before a product is released, test for common vulnerabilities and verify privacy features work.
Ensure service providers practice impeccable security. Financial processors and mailing services should be well vetted and willing to guarantee compliance with industry regulations in writing.
Frequently evaluate and update policies, procedures and software. The recent WannaCry assault on government systems worldwide exploited unpatched software. Stay informed about current and rising threats — and don’t forget about old ones. Redesigned bugs have returned from the dead to wreak havoc anew, often with even more catastrophic results.
Establish alert and response protocols. If the worst happens, know what to do. Figure out when and how the breach occurred and take immediate action to contain the damage. If consumer data was stolen, notify consumers as soon as possible.