Matthias Pfau is cofounder of Tuta, a secure email service and an innovation leader in encrypted communication and collaboration.

Nearly every week, tech news sites report data breaches at companies of all sizes. The causes vary: misconfigured networks and cloud services, vulnerabilities in third-party tools and software, malicious actors out to damage your company's image and reputation, and even advanced persistent threats engaged in corporate espionage.

Fortunately, you can take some quick-to-implement steps right now to strengthen your organization’s security posture without breaking the bank. By following these guidelines, you can greatly improve the overall level of security not only for your data but also for the personally identifiable information of your customers and clients.

Preventing Privilege Creep

You wouldn't let unknown, unvetted people work alongside your team, and you shouldn't store sensitive data in a way that lets anyone beyond those who need it reach it either.

In a small business, that means not giving every employee access to the whole file share but granting access by immediate need. If you run a small medical practice, nobody in accounting, and no external company, needs standing access to patient records. Where such access is occasionally required, grant it for that specific task and revoke it afterwards rather than leaving it open.

The same holds in larger enterprise environments. Restricting access to sensitive data to the people who need it shrinks your attack surface: a compromised account or a careless insider can only reach what that account was granted. This protects not only your customers but also your organization's reputation, by avoiding a potentially embarrassing security incident.
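To make the need-to-know rule concrete, here is an added example (not code from the article or from Tuta) of a deny-by-default access policy in Go: standing permissions hang off roles, one-off access is a temporary grant recorded with a reason and an expiry, and expired grants are purged so the exception list does not itself become privilege creep. The clinic roles, user names and resource names are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Permission names one action on one resource, e.g. {"patient_records", "read"}.
type Permission struct {
	Resource string
	Action   string
}

// Grant is a time-boxed exception for one user, recorded with a reason so it can be audited.
type Grant struct {
	User    string
	Perm    Permission
	Reason  string
	Expires time.Time
}

// Policy is deny-by-default: an access is allowed only by a role or an unexpired grant.
type Policy struct {
	roles  map[string]map[Permission]bool
	grants []Grant
}

func NewPolicy() *Policy {
	return &Policy{roles: map[string]map[Permission]bool{}}
}

// AllowRole attaches a standing permission to a role (the "need" in need-to-know).
func (p *Policy) AllowRole(role string, perm Permission) {
	if p.roles[role] == nil {
		p.roles[role] = map[Permission]bool{}
	}
	p.roles[role][perm] = true
}

// GrantTemporary opens access for one user, for one task, until the TTL runs out.
func (p *Policy) GrantTemporary(user string, perm Permission, reason string, now time.Time, ttl time.Duration) {
	p.grants = append(p.grants, Grant{User: user, Perm: perm, Reason: reason, Expires: now.Add(ttl)})
}

// Allowed evaluates a request and returns the decision plus the reason, for the audit log.
func (p *Policy) Allowed(user string, roles []string, perm Permission, now time.Time) (bool, string) {
	for _, r := range roles {
		if p.roles[r][perm] { // reading a nil inner map just yields false
			return true, "role " + r
		}
	}
	for _, g := range p.grants {
		if g.User == user && g.Perm == perm && now.Before(g.Expires) {
			return true, "temporary grant: " + g.Reason
		}
	}
	return false, "no role or grant covers " + perm.Action + " on " + perm.Resource
}

// Purge drops expired grants and returns how many were removed.
func (p *Policy) Purge(now time.Time) int {
	kept := p.grants[:0]
	removed := 0
	for _, g := range p.grants {
		if now.Before(g.Expires) {
			kept = append(kept, g)
		} else {
			removed++
		}
	}
	p.grants = kept
	return removed
}

// ClinicPolicy builds the small-practice case from the text: clinicians work on charts,
// accounting works on billing and nothing else. Constructed sample, not a real configuration.
func ClinicPolicy() *Policy {
	p := NewPolicy()
	p.AllowRole("clinician", Permission{"patient_records", "read"})
	p.AllowRole("clinician", Permission{"patient_records", "write"})
	p.AllowRole("accounting", Permission{"billing", "read"})
	p.AllowRole("accounting", Permission{"billing", "write"})
	return p
}

func main() {
	now := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	p := ClinicPolicy()
	chart := Permission{"patient_records", "read"}
	fmt.Println(p.Allowed("bob", []string{"accounting"}, chart, now)) // denied: no standing access
	p.GrantTemporary("bob", chart, "ticket 4711: insurer audit of chart 123", now, 2*time.Hour)
	fmt.Println(p.Allowed("bob", []string{"accounting"}, chart, now.Add(time.Hour)))   // allowed while live
	fmt.Println(p.Allowed("bob", []string{"accounting"}, chart, now.Add(3*time.Hour))) // denied again
	fmt.Println("purged:", p.Purge(now.Add(3*time.Hour)))
}
```

The reason string returned by Allowed is the part worth keeping: write it to the audit log on every decision, and review the temporary grants periodically so that "just for this week" does not quietly become permanent.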

Use Strong, Unique Login Credentials Through A Password Manager

Using a password manager across your corporate environment lets your IT team and your non-technical employees alike use strong, unique passwords without falling into the habits that otherwise undermine security: the infamous sticky note under the keyboard, the same password reused on every site, or devices left on the password they shipped with. Attackers aim for the low-hanging fruit, and a default password is the lowest there is. NIST's Digital Identity Guidelines (SP 800-63B) are an excellent reference: they favor length and a check against known-breached passwords over arbitrary complexity and forced-rotation rules.

Attackers' automated scanners try these weak settings first: factory default logins on routers and network storage devices, and leaked or reused passwords against user accounts. With a password manager, nobody has to memorize or invent passwords strong enough to resist that. One click produces a long random credential, stores it, and, where a team genuinely has to share an account, shares it through the manager instead of over chat or email.
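What a password manager does behind its generate button, and what SP 800-63B asks a verifier to check, as an added example in Go (not the article's or Tuta's code): uniform random draws from the operating system's CSPRNG, a minimum-length rule with no composition rules, a breached-password blocklist, and a check for factory default logins. The blocklist and the default-credential pairs are short constructed samples, not real breach data or any specific product's defaults.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// alphabet is the character set the generator draws from: letters, digits and printable
// ASCII punctuation minus quote, backslash, backtick and space, which tend to break
// copy-paste into device web UIs. 90 symbols in total.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,-./:;<=>?@[]^_{|}~"

// GeneratePassword draws each character uniformly at random from alphabet using the
// OS CSPRNG. rand.Int avoids the modulo bias of a naive `randomByte % len(alphabet)`.
func GeneratePassword(length int) (string, error) {
	if length < 1 {
		return "", fmt.Errorf("length must be at least 1, got %d", length)
	}
	var sb strings.Builder
	n := big.NewInt(int64(len(alphabet)))
	for i := 0; i < length; i++ {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// EntropyBits is the size of the search space an attacker faces: length * log2(|alphabet|).
func EntropyBits(length int) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

// blocklist stands in for the corpus of breached and common passwords that SP 800-63B says
// new passwords must be screened against. Constructed sample; use a full breach list in practice.
var blocklist = map[string]bool{
	"password": true, "password1": true, "123456": true, "12345678": true,
	"qwerty123": true, "letmein": true, "welcome1": true, "changeme": true,
}

// defaultCredentials are factory logins of the kind shipped on routers and NAS boxes.
// Constructed sample pairs, not taken from any specific product.
var defaultCredentials = [][2]string{
	{"admin", "admin"}, {"admin", "password"}, {"root", "root"}, {"admin", ""},
}

// CheckPassword applies the SP 800-63B rules: at least 8 characters, no composition rules,
// and rejection of anything on the breach blocklist or identical to the username.
func CheckPassword(username, password string) (bool, string) {
	if len(password) < 8 {
		return false, "shorter than 8 characters"
	}
	norm := strings.ToLower(strings.TrimSpace(password))
	if blocklist[norm] {
		return false, "appears on the breached/common-password list"
	}
	if norm == strings.ToLower(username) {
		return false, "identical to the username"
	}
	return true, "ok"
}

// IsDefaultCredential reports whether a username/password pair is a known factory login,
// the first thing an automated scanner tries against a freshly installed device.
func IsDefaultCredential(username, password string) bool {
	for _, c := range defaultCredentials {
		if strings.EqualFold(c[0], username) && c[1] == password {
			return true
		}
	}
	return false
}

func main() {
	pw, err := GeneratePassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated: %s (%.0f bits)\n", pw, EntropyBits(20))
	for _, cand := range []string{pw, "Password1", "admin"} {
		ok, why := CheckPassword("admin", cand)
		fmt.Printf("%-24q accepted=%t (%s) default=%t\n", cand, ok, why, IsDefaultCredential("admin", cand))
	}
}
```

Twenty characters from this alphabet give roughly 130 bits of entropy, far beyond what any online or offline guessing attack can cover; the blocklist and default-credential checks are what catch the passwords people pick when no generator is involved.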

Anti-Phishing Training

One of the main ways attackers go after an organization is phishing: email dressed up to look like a legitimate message from a colleague, a vendor or a well-known brand. Messages aimed at public-facing departments often carry attachments that smuggle in code which can wreak havoc on your company, or links to a fake login page that harvests credentials.

Even with top-of-the-line security technology in place, one convincing phishing campaign can hand the attackers the keys to the castle. Teaching your employees how to detect, avoid and, just as importantly, report phishing attempts is paramount to improving your security.

Ransomware rides in on many of these attacks: an unwitting employee opens the attachment, the payload runs, and your files are locked while the data is exfiltrated so the attackers can also sell or leak it in seedy online marketplaces. An employee who recognizes the lure can stop the attack in its tracks before any damage is done, and one who reports it promptly gives IT the chance to pull the same message from every other inbox.

Anti-phishing training for your team members is a proactive step against this whole class of attack. Beyond the technical controls your IT department or managed IT provider can roll out, your employees are an important line of defense. When we treat them as the valuable security assets they are, our companies become safer places and our customers' data benefits too.
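Training teaches people to spot these cues; the same cues can be checked mechanically at the mail gateway or in a triage script. The Go below is an added example, not the article's or Tuta's code, that flags a display name claiming a brand the sender domain does not belong to, homoglyph lookalike domains, a Reply-To that points somewhere else, and executable attachments disguised as documents. The brand list, extension list and sample messages are constructed for illustration, and the Message struct is a stand-in for a real MIME parser.

```go
package main

import (
	"fmt"
	"net/mail"
	"path"
	"strings"
)

// Message holds the few header fields and attachment names a triage script inspects.
// Constructed stand-in, not a full MIME parser.
type Message struct {
	From        string
	ReplyTo     string
	Attachments []string
}

// trustedBrands maps a brand word to the domain mail from that brand should come from.
// Constructed sample list.
var trustedBrands = map[string]string{
	"microsoft": "microsoft.com", "paypal": "paypal.com", "docusign": "docusign.com",
}

// riskyExt are attachment types that run code or macros when opened.
var riskyExt = map[string]bool{
	".exe": true, ".scr": true, ".js": true, ".vbs": true, ".hta": true,
	".lnk": true, ".docm": true, ".xlsm": true, ".iso": true,
}

// homoglyphs undoes common substitutions so "rnicrosoft" and "paypa1" read as the brand.
var homoglyphs = strings.NewReplacer("rn", "m", "vv", "w", "1", "l", "0", "o", "5", "s")

func parse(addr string) (name, domain string, err error) {
	a, err := mail.ParseAddress(addr)
	if err != nil {
		return "", "", err
	}
	at := strings.LastIndex(a.Address, "@")
	return strings.ToLower(a.Name), strings.ToLower(a.Address[at+1:]), nil
}

func isBrandDomain(domain, brandDomain string) bool {
	return domain == brandDomain || strings.HasSuffix(domain, "."+brandDomain)
}

// Triage returns one human-readable finding per red flag; an empty slice means nothing stood out.
func Triage(m Message) []string {
	var findings []string
	name, dom, err := parse(m.From)
	if err != nil {
		return []string{"From header does not parse: " + err.Error()}
	}
	for brand, brandDom := range trustedBrands {
		if isBrandDomain(dom, brandDom) {
			continue // genuinely the brand's own domain or a subdomain of it
		}
		if strings.Contains(name, brand) {
			findings = append(findings, fmt.Sprintf("display name claims %q but sender domain is %s", brand, dom))
		}
		if strings.Contains(homoglyphs.Replace(dom), brand) {
			findings = append(findings, fmt.Sprintf("sender domain %s looks like %s", dom, brandDom))
		}
	}
	if m.ReplyTo != "" {
		if _, rdom, err := parse(m.ReplyTo); err == nil && rdom != dom {
			findings = append(findings, "Reply-To goes to "+rdom+", not the sender's "+dom)
		}
	}
	for _, att := range m.Attachments {
		lower := strings.ToLower(att)
		ext := path.Ext(lower)
		if !riskyExt[ext] {
			continue
		}
		if inner := path.Ext(strings.TrimSuffix(lower, ext)); inner != "" {
			findings = append(findings, fmt.Sprintf("attachment %s is a %s disguised as %s", att, ext, inner))
		} else {
			findings = append(findings, fmt.Sprintf("attachment %s is an executable or macro type (%s)", att, ext))
		}
	}
	return findings
}

func main() {
	// Constructed sample message; the domain and attachment are invented.
	phish := Message{
		From:        `"Microsoft Support" <help@rnicrosoft-login.com>`,
		ReplyTo:     `<billing@mail-relay.example.net>`,
		Attachments: []string{"Invoice_2024.pdf.exe"},
	}
	for _, f := range Triage(phish) {
		fmt.Println("-", f)
	}
}
```

None of these checks is proof of phishing on its own; a legitimate newsletter often uses a different Reply-To, for example. Their value is that several of them firing together is exactly the pattern a trained employee is told to look for, and a script can raise that flag before the message reaches the inbox.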

Encryption Whenever Possible

Intruders cannot exploit data they cannot read. Use software that encrypts data at rest and in transit, preferably with algorithms chosen to be quantum-safe, so that it stays protected against today's attackers and against future ones who record traffic now in the hope of decrypting it later. An intruder who gets onto your local network can then see encrypted files and traffic but cannot make sense of them. The caveat is that this holds only as long as the keys stay out of reach: encryption protects stored and transmitted data, not data that is open on a machine the attacker already controls.

If you rely on cloud services for email or storage, choose ones that offer end-to-end encryption. Your data is encrypted on your own office computers before it leaves them, and the service stores only ciphertext it cannot decrypt. In this kind of zero-knowledge architecture, no one but you can read your business's or your customers' information, because no other party ever holds your encryption keys; if the provider's servers are breached, what leaks is illegible noise to the onlookers. The flip side is that the provider cannot recover what it cannot read, so keep your recovery key or passphrase somewhere safe.
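The zero-knowledge split described above, as an added example in Go (not the article's or Tuta's code): the client generates its key locally and seals each record with AES-256-GCM before upload, and the server only stores and returns blobs and, as the CanRead check shows, finds nothing useful in them. The symmetric AES-256 part shown here is the part that already holds up against known quantum attacks; exchanging keys between users, which is where post-quantum algorithms come in, is not shown. A random key stands in for one derived from the user's passphrase, and the record label and contents are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Client is the user's side. Its key is generated locally and never leaves the machine;
// a real product would derive it from the user's passphrase or unlock it from a local keystore.
type Client struct {
	Name string
	key  []byte
}

func NewClient(name string) (*Client, error) {
	key := make([]byte, 32) // 256-bit AES key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Client{Name: name, key: key}, nil
}

func (c *Client) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM before it is handed to the
// server. The record label is bound as associated data, so a blob copied under a different
// label fails to open. Output layout: nonce || ciphertext || tag.
func (c *Client) Seal(label string, plaintext []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. Any change to the blob, the label or the key makes it return an error
// rather than garbage, which is what "authenticated" encryption buys you.
func (c *Client) Open(label string, blob []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// Server is the zero-knowledge half: it stores and returns blobs by label and holds no keys.
type Server struct{ store map[string][]byte }

func NewServer() *Server { return &Server{store: map[string][]byte{}} }

func (s *Server) Put(label string, blob []byte) { s.store[label] = append([]byte(nil), blob...) }

func (s *Server) Get(label string) ([]byte, bool) {
	blob, ok := s.store[label]
	return blob, ok
}

// CanRead models what a breach of the server, or a sniffer on the LAN, would get: a byte
// search through the stored blob. With end-to-end encryption it never finds the plaintext.
func (s *Server) CanRead(label string, needle []byte) bool {
	blob, ok := s.store[label]
	return ok && bytes.Contains(blob, needle)
}

func main() {
	alice, _ := NewClient("alice")
	srv := NewServer()
	record := []byte("Patient 123: lab results attached") // constructed sample record
	blob, err := alice.Seal("charts/123", record)
	if err != nil {
		panic(err)
	}
	srv.Put("charts/123", blob)
	fmt.Println("server can read plaintext:", srv.CanRead("charts/123", []byte("Patient 123")))
	stored, _ := srv.Get("charts/123")
	pt, err := alice.Open("charts/123", stored)
	fmt.Printf("owner decrypts: %q (err=%v)\n", pt, err)
	mallory, _ := NewClient("mallory")
	_, err = mallory.Open("charts/123", stored)
	fmt.Println("other client decrypts:", err == nil)
}
```

The server code contains no key material at all, which is the property to look for when a provider claims zero knowledge: if the server can decrypt for convenience features such as search or password reset, it can also decrypt for an intruder.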

By taking advantage of these easy steps and best practices, you can bring your organization to a much higher security posture without sacrificing simplicity or ease of use.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
