Another story sweeps through the news about a data breach of credit card information, as retailer Target reports that 40 million credit card accounts have been affected. The company will say little about how the breach happened. For now, they say only that the “data on the magnetic strip” of the credit card was compromised.
It’s easy to think that things like this just happen to retail giants like Target, but this is not necessarily the case. “We see breaches across all sizes of companies,” says Mike Donovan, Global Focus Group Leader for Beazley Breach Response, headquartered in London. While only the breaches at big companies make the news, this is a problem for companies of all sizes.
Even if you don’t store credit card data, give some thought to the other important assets that could be compromised in your business: banking information, intellectual property, and company financial or confidential employee data. If any of this information is compromised, it can cause problems ranging from bad PR and loss of customer confidence, to lawsuits, to losing competitive advantage.
You could assume that Target has ample resources to bring to bear to address this problem. The risk may be the same for smaller organizations, but the resources available to resolve the problem are not.
Here is a list of key things that any business can do to protect important data:
- Require complex passwords that need to be changed at least every 90 days. This is a simple, low-cost approach that many companies neglect. Follow these rules:
  - At least 8 characters
  - Contains both upper and lower case letters
  - Contains special characters such as *, &, #
  - Contains numbers
  - Does not use proper names or dictionary words

  The servers that your employees log into should provide the ability to set rules to enforce the creation of strong passwords.
- Encrypt the files that are stored on your servers. Data breaches can happen when external hackers gain unauthorized access to your servers. Should this happen, having the data encrypted provides another layer of security. However, data breaches often happen internally, facilitated by an employee who has full access to the servers. Encrypting the data protects against internal breaches as well.
- A firewall is not enough. It is important to be able to eliminate open ports in the firewall so that hackers cannot find a way through. Putting some type of reverse proxy in your DMZ will enable you to close inbound ports in your firewall.
- Secure your transfers. This, again, is a simple thing to implement, but it can get overlooked. Any data transferred by plain FTP or email is not secure. Use SFTP or another protocol running through SSL to encrypt the data while it is being transferred.
- Monitor server activity and have automated events set up to stop an attack before it happens. Often, a true data breach will be preceded by unusual events. IP addresses and users involved in suspicious activity should be instantly banned, and then further examined. Hackers can come in through a variety of IP addresses, so banning isn’t enough. Human evaluation is still a key component of a complete security policy.
- Keep your software updated. Software companies are continually releasing new versions that are higher performance and more secure. Not keeping software updated increases your risk of a data breach.
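The password rules in the first item above, as an added example written for this page (it is not code from the article or from any product it mentions): a small Python check that reports which of the five rules a candidate password fails, plus a helper for the 90-day rotation rule. The forbidden-word list is a constructed stand-in for a real dictionary and proper-name list.

```python
import re
from datetime import date, timedelta

# Policy values taken from the article's list. These are plain constants,
# not the configuration of any particular server or product.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
SPECIAL_CHARS = set("*&#!@$%^()-_=+[]{};:,.?/\\|~`'\"<>")

# Constructed stand-in for a dictionary / proper-name list; a real deployment
# would load a full word list instead of these five entries.
FORBIDDEN_WORDS = {"password", "welcome", "target", "summer", "michael"}


def policy_violations(password: str) -> list:
    """Return the list of rules the password fails (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("needs both upper and lower case letters")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("needs a special character such as *, &, #")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    # Strip digits and symbols first so "Password#1" is still caught as "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    for word in sorted(FORBIDDEN_WORDS):
        if len(word) >= 4 and word in core:
            problems.append(f"contains dictionary word or name '{word}'")
            break
    return problems


def password_expired(last_changed_iso: str, today_iso: str = None) -> bool:
    """True when the password is older than the MAX_AGE_DAYS rotation window.

    Dates are ISO strings (YYYY-MM-DD); today defaults to the current date.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed candidates: one weak, one compliant, one built on a name.
    for candidate in ["target2013", "Wint3r!Fjord", "Michael#1"]:
        print(candidate, "->", policy_violations(candidate) or "OK")
    print("expired:", password_expired("2013-01-01", "2013-12-20"))
```

The substring check on the letters-only form of the password is what makes the "no dictionary words" rule meaningful in practice; a check that only compares whole strings is trivially defeated by appending a digit.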
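The monitoring item above, as an added example written for this page rather than taken from it: it parses constructed OpenSSH-style auth log lines, bans any source IP with five failed logins inside a ten-minute window, and separately flags accounts that are being tried from several different IPs, which is the case a per-IP ban alone misses. The log lines, the thresholds and the function names are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log (not from any real host).
SAMPLE_LOG = """\
Dec 19 02:14:01 web1 sshd[4411]: Failed password for invalid user admin from 198.51.100.7 port 51322 ssh2
Dec 19 02:14:03 web1 sshd[4411]: Failed password for invalid user admin from 198.51.100.7 port 51324 ssh2
Dec 19 02:14:05 web1 sshd[4412]: Failed password for root from 198.51.100.7 port 51330 ssh2
Dec 19 02:14:06 web1 sshd[4413]: Failed password for root from 198.51.100.7 port 51331 ssh2
Dec 19 02:14:08 web1 sshd[4414]: Failed password for root from 198.51.100.7 port 51335 ssh2
Dec 19 02:14:09 web1 sshd[4415]: Failed password for jsmith from 203.0.113.21 port 40211 ssh2
Dec 19 02:14:11 web1 sshd[4416]: Failed password for jsmith from 203.0.113.22 port 40212 ssh2
Dec 19 02:14:13 web1 sshd[4417]: Failed password for jsmith from 203.0.113.23 port 40213 ssh2
Dec 19 02:14:15 web1 sshd[4418]: Failed password for jsmith from 203.0.113.24 port 40214 ssh2
Dec 19 02:14:20 web1 sshd[4419]: Accepted password for jsmith from 203.0.113.24 port 40215 ssh2
Dec 19 02:30:00 web1 sshd[4420]: Failed password for bob from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Assumed thresholds; tune them to the real login volume of the host.
FAIL_THRESHOLD = 5               # failures from one IP inside WINDOW -> automatic ban
WINDOW = timedelta(minutes=10)
USER_THRESHOLD = 3               # one account attacked from this many IPs -> human review


def parse(log_text, year=2013):
    """Turn matching log lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; syslog lines carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def analyse(log_text):
    """Return (ips_to_ban, users_to_review) for the given log text."""
    failures_by_ip = defaultdict(list)
    ips_by_user = defaultdict(set)
    for ts, result, user, ip in parse(log_text):
        if result != "Failed":
            continue
        failures_by_ip[ip].append(ts)
        ips_by_user[user].add(ip)

    ban = set()
    for ip, times in failures_by_ip.items():
        times.sort()
        start = 0
        # Sliding window: any WINDOW-long span holding FAIL_THRESHOLD failures trips the ban.
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                ban.add(ip)
                break

    # Distributed guessing: many IPs, each below the ban threshold, against one account.
    review = {u for u, ips in ips_by_user.items() if len(ips) >= USER_THRESHOLD}
    return ban, review


if __name__ == "__main__":
    ban, review = analyse(SAMPLE_LOG)
    print("ban IPs:", sorted(ban))
    print("accounts needing human review:", sorted(review))
```

In the sample, 198.51.100.7 trips the automatic ban, while the four 203.0.113.x addresses each fail only once and would never be banned individually; the per-account view is what surfaces jsmith for a human to look at, which is the article's point that banning alone is not enough.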
You may not be thinking about or prioritizing these things, but consider that it’s far easier to be proactive than to have to clean up a major legal and PR mess on the back end. For more information about proactively protecting your company’s data, please visit www.webdrive.com/products/cornerstone.