You’ve heard the horror stories and read the headlines about ID theft and data ‘breaches’, but it isn’t just cybercriminals who threaten your data.

If you can cover these four bases then you are well on the way to getting a good night’s sleep!

1. Your website isn’t the same as your data – so different layers of security will be necessary

Your TV set displays what you’ve asked it to find from available broadcasters, and it’s much the same arrangement between your website and its backend databases.

Say you have customers logging on to your online shop, or accessing details at your bank or service company – each time they do this they experience a glossy, all-singing, all-dancing website interface. Beneath all that, they are proxy users of a software application, and it’s the application that interrogates the database(s) to look up and reveal sensitive information such as credit card details and passwords.

This is an extremely important concept to understand, because there are so many highly publicised threats out there to distract the attention of business people.

Take DDoS (Distributed Denial of Service) attacks for example, where hackers overwhelm a website with millions of requests per second in a bid to take it offline and prevent trading. The attack itself is not designed to compromise or steal data, and the protection measures are quite different to those that surround the database itself.

However, cybercriminals like to muddy the waters by blending tactics to get at valuable data such as using DDoS to create a distraction while inserting malware (malicious software) elsewhere.

Action: Have certified ‘penetration tests’ periodically conducted by experienced professionals who try all the tricks in the book to damage and exploit your data under safe conditions.

2. Remember that anyone to whom you grant privileged admin access, holds the future of your business in their hands

Don’t panic, but it’s a fact that most instances of data theft and malicious attack come from ‘insiders’. And what easier way for a rogue employee to siphon away your intellectual property than giving them the keys to the safe?

This risk is further exacerbated by privileged admin users whose access rights you’ve neglected to revoke, even after they’ve left your employment. Ensuring a documented process for admin rights management, and tiering levels of admin restrictions so that the most sensitive data is the most tightly controlled, are essential elements of a data security strategy.
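The two controls described above (revoking access when people leave, and tighter limits on the most sensitive tier) can be turned into a routine audit. The following Python script is an added illustration, not Helastel’s code or any product of theirs; the account records, the tier names and the idle-day thresholds are constructed assumptions, and a real run would pull the account list from your directory and the leaver list from HR.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    """One privileged account as exported from a directory (constructed shape)."""
    username: str
    tier: str             # "tier0" is the most sensitive, "tier2" the least
    last_login: date
    employee_active: bool  # False once HR has recorded the person as a leaver


# Assumed policy: the more sensitive the tier, the sooner an unused account
# must be reviewed. These numbers are illustrative, not a standard.
TIER_MAX_IDLE_DAYS = {"tier0": 14, "tier1": 30, "tier2": 90}


def audit_privileged_accounts(accounts, today):
    """Return (username, reason) pairs for accounts that need action.

    Two findings are raised:
      - leaver-still-privileged: the person has left but the account remains
      - idle-...: the account has not been used within its tier's limit
    """
    findings = []
    for acct in accounts:
        if acct.tier not in TIER_MAX_IDLE_DAYS:
            findings.append((acct.username, f"unknown-tier-{acct.tier}"))
            continue
        if not acct.employee_active:
            # Offboarding gap: the single most important finding, so it is
            # reported even if the account was used recently.
            findings.append((acct.username, "leaver-still-privileged"))
            continue
        idle_days = (today - acct.last_login).days
        limit = TIER_MAX_IDLE_DAYS[acct.tier]
        if idle_days > limit:
            findings.append(
                (acct.username, f"idle-{idle_days}d-exceeds-{acct.tier}-limit-{limit}d")
            )
    return findings


# Constructed sample data: four admin accounts on a fictional system.
SAMPLE_ACCOUNTS = [
    Account("alice", "tier0", date(2024, 5, 25), True),   # used a week ago: fine
    Account("bob", "tier1", date(2024, 3, 1), True),      # unused for 92 days
    Account("carol", "tier0", date(2024, 5, 30), False),  # left, still has access
    Account("dave", "tier2", date(2024, 4, 1), True),     # 61 days idle, within limit
]


def run_audit(today=date(2024, 6, 1)):
    """Run the audit over the constructed sample and return the findings."""
    return audit_privileged_accounts(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for username, reason in run_audit():
        print(f"{username}: {reason}")
```

Running it lists bob (idle well beyond the tier1 limit) and carol (a leaver who still holds tier0 access); alice and dave pass. The point of keeping the thresholds in a single table is that the "most sensitive data is most tightly controlled" rule becomes a reviewable configuration rather than a habit.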

Sometimes the damage caused by privileged insiders is unwitting: for example, accidentally deleting records, or leaving their desk for 30 seconds without locking their PC first. Privileged user credentials are a primary target for cybercriminals too, and many is the time when a given user’s details are exploited maliciously without their knowledge.

Action: Commit to meeting a data security compliance standard applicable to your business, such as Cyber Essentials, ISO 27001 and/or PCI DSS (Payment Card Industry Data Security Standard). Such standards ensure watertight security processes as well as stipulating the security infrastructure relevant to your needs.

3. Remember that you want data backup to be really boring rather than really exciting

Spare a thought for the poor devils who live and breathe the mind-numbingly boring technology paradigm that is data backup. The only time backup ever gets exciting is when someone forgets to do it, someone loses the backups or the entire process fails.

Having a good approach to backing up your data needn’t be risky, time-consuming or resource intensive. Unlike not backing up your data, which is all three of those things and worse…

Action: Ensure 24/7 proactive monitoring and backups of your systems so that any issues that might arise have an extremely limited impact.
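"Boring" backups are ones that are checked automatically every day, so that a missed run, an empty file or a corrupted archive is noticed before anyone needs a restore. The script below is an added example and is not Helastel’s code; the backup contents, their timestamps and the 24-hour freshness limit are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

# Assumed policy: a backup older than this is reported as stale.
MAX_BACKUP_AGE = timedelta(hours=24)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(name: str, data: bytes, taken_at: datetime) -> dict:
    """Record what a backup looked like when it was written.

    The hash is computed at backup time so that later checks can tell a
    silently corrupted or truncated copy from the original.
    """
    return {"name": name, "taken_at": taken_at,
            "size": len(data), "sha256": sha256_hex(data)}


def check_backup(manifest: dict, stored_data: bytes, now: datetime) -> list:
    """Return a list of alert strings; an empty list means the backup is healthy."""
    alerts = []
    age = now - manifest["taken_at"]
    if age > MAX_BACKUP_AGE:
        alerts.append(f"stale: last backup is {age.total_seconds() / 3600:.0f}h old")
    if manifest["size"] == 0:
        alerts.append("empty: backup file contains no data")
    if len(stored_data) != manifest["size"]:
        alerts.append("size mismatch: stored copy differs from manifest")
    if sha256_hex(stored_data) != manifest["sha256"]:
        alerts.append("integrity: checksum does not match manifest")
    return alerts


# Constructed sample: three backup sets on a fictional server.
NOW = datetime(2024, 6, 1, 9, 0)

ORDERS_DATA = b"order_id,customer,total\n1,acme,120.00\n2,globex,45.50\n"
ORDERS_MANIFEST = make_manifest("orders", ORDERS_DATA, NOW - timedelta(hours=6))

CUSTOMERS_DATA = b"customer,email\nacme,ops@example.test\n"
CUSTOMERS_MANIFEST = make_manifest("customers", CUSTOMERS_DATA, NOW - timedelta(days=3))

INVOICES_DATA = b"invoice,amount\n1001,99.00\n"
INVOICES_MANIFEST = make_manifest("invoices", INVOICES_DATA, NOW - timedelta(hours=2))
# Simulate a copy that was damaged after the manifest was written.
INVOICES_STORED = INVOICES_DATA[:-4] + b"XXXX"


def run_checks(now: datetime = NOW) -> dict:
    """Check every sample backup and return {name: [alerts]}."""
    stored = {
        "orders": (ORDERS_MANIFEST, ORDERS_DATA),
        "customers": (CUSTOMERS_MANIFEST, CUSTOMERS_DATA),
        "invoices": (INVOICES_MANIFEST, INVOICES_STORED),
    }
    return {name: check_backup(m, data, now) for name, (m, data) in stored.items()}


if __name__ == "__main__":
    for name, alerts in run_checks().items():
        status = "OK" if not alerts else "; ".join(alerts)
        print(f"{name}: {status}")
```

The orders backup passes, the customers backup is reported as stale (three days without a run), and the invoices backup fails its checksum even though it is fresh, which is the case a simple "did the job run?" monitor would miss. Wiring the result into whatever alerting you already use is what turns the backup process from exciting back into boring.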

4. Iron out the creases in your code

Like any product of human invention, software is imperfect. Without the right care and attention, those imperfections can have disastrous implications for your data security.

Buying commercial ‘off-the-shelf’ software is no guarantee against software ‘bugs’ that inevitably arise during the software development process. In the ensuing race to find these high-profile vulnerabilities, malware authors seek to exploit them before software manufacturers can patch them.

Having your own bespoke software created for your specific requirements can provide peace of mind, especially if strict coding practices are followed. However, risks cannot be completely eliminated and using bespoke software doesn’t make you ‘off limits’ to hackers.

Action: When commissioning bespoke software for your business, insist upon secure coding practices, including code review, to mitigate security vulnerabilities during the development process. If using commercially available software, ensure all relevant patches are implemented immediately upon release.

Keeping your data safe means guarding against accidental harm or loss, as well as preventing malicious attack from partners, employees and ex-employees who may have an axe to grind.

While that might sound like the recipe for sleepless nights, following these simple steps will mean you are doing the basics to keep your clients’ and customers’ data safe. Sweet dreams!

Helastel are software specialists who offer a commitment to achieving your security and compliance requirements side-by-side with highly qualified specialists in cybersecurity and intellectual property law.