Sophos security consultant Carole Theriault has some tips for companies who want to better protect their data. Over to you Carole...
Sophos recently surveyed almost 1200 people about how their companies deal with data protection.
The results of the survey, presented at a data security summit hosted by Sophos and data security law firm Field Fisher Waterhouse, showed that 36% of respondents were concerned about the additional complexity that could come with data protection legislation, and 16% were worried about the possible associated costs of compliance.
The study also showed that 50% of respondents felt that the laws were not robust enough, while a whopping 87% said that organisations should be forced to publically disclose data breaches (something that many firms could find embarrassing, of course).
So, why do companies care so much about protecting their data? As I see it, there are two principal reasons, both of which lead to financial losses.
First, the kicking a company's reputation takes if a data breach is plastered all over the papers can be seriously painful.
Remember when retail giant TJX (parent company of TK Maxx/TJ Maxx) had details of at least 45.6 million credit cards stolen by hackers? The knock-on effect, of course, hammered at the company's reputation.
The second reason has to do with complying with legislation.
There are an increasing number of laws being passed which puts the onus on the companies to better safeguard their data. The UK's Information Commissioner's office (ICO) was empowered in April this year to impose fines of up to £500,000 (US $763,000) on companies found to have breached its data protection principles.
At the moment, legislation varies from region to region, which makes it difficult for security companies to offer up specific and concrete advice to everyone.
So, you basically need a data protection legal expert to assist you, so you know what you need to do in your specific geography. However, we can give you some general guidelines. These are designed both to make the job of a hacker much more difficult, and to help you protect against accidental data loss.
Ten top tips for protecting sensitive data in your organisation from theft or loss
- Encrypt all confidential info. Keeping sensitive information inaccessible from prying eyes.
- Use hard-to-guess passwords. Enforcing good password usage is key to stopping hackers crack into your systems.
- Keep security software up to date. New malware is being released all the time and spreads at alarming rates. Updating your software automatically is key to defending against the latest threats and vulnerabilities.
- Danger USB! Unauthorised use of USB storage devices could lead to data being lost from your company. Control usage with security software.
- Knowledge is power. Find out what your local legislative requirements and review your security strategy to ensure you are compliant. They will be able to advise on what type of technologies, processes, and policies are required by law.
- Prepare for disaster. Create a plan of action to follow if a severe data breach takes place. Swift reaction can make a huge difference to legal ramifications and corporate reputation.
- Education is key. Find an engaging way to explain to staff the value of data and talk through the technologies, policies and best practice. Have employees be part of the army safeguarding sensitive data rather than keeping them in the dark.
- Encourage - rather than punish - employees who report potential data loss or breaches. The information can help you mitigate against costly risks.
- Don't lock it all down. Employees today need a lot of online freedom to be efficient and effective. Locking everything down will only encourage employees to find nefarious workarounds. Talk to them, find out what they want, and figure out a way to give it them in the safest way possible.
- Back seat bungles. It's all too easy to leave a laptop or smartphone, containing sensitive information in a taxi or a public place. Data should always be encrypted, but also use a remote wipe facility if devices are lost.