HOW TO PROTECT YOUR DATA


Academic year: 2021



INTRODUCTION

Every day in the news, we hear about data breaches.

Are you concerned your sensitive business, customer and supplier data is not protected?

Do you have a secret sauce that keeps your business alive?

Want to learn more? We are here to help!

RESOURCES NEEDED:

• Data Owner
• Device Management
• Sound Business Practices
• Cyber Safe Practices
• Backups
• Off-site Storage
• Gold Standard in Data Protection
• Encryption
• Recovery Testing

STEP-BY-STEP INSTRUCTIONS:

1. Data Owner – All data needs someone in your organization to determine how valuable the data is that you want to protect. In the cybersecurity business, we call that person a data owner.

The data owner could be the inventor who created your secret sauce, your CEO who devised your unique business strategy, or the customers who depend on your services.

Not all data needs protection. The data owner can be called upon to determine which data to protect, how sensitive it is, who can access and use it, and the severity/criticality of the data if it is lost or stolen.

It’s easy to say that your payroll is critical for paying your employees, but the age of your equipment and its maintenance schedule may not be as important until you need to replace it or ask the manufacturer to repair it, if it is under warranty. The data owner for your business can help you decide how “critical” the various data elements are that you want to protect.


2. Device Management – Data protection can include protecting the data by preventing access to the device (via passwords or other authentication methods) even when it is stored on a laptop or memory device. Ensure that any critical data stored on a removable device (memory stick, disk, hard drive, laptop, tape) is password protected. These devices and the data that resides on them can be easily stolen and/or compromised. If the device is password protected, it will be harder to gain access to the data stored on it.

 

3. Sound Business Practices – Simple business practices can help protect your data. Your employees are often your best defense in protecting your data. They know the ins and outs of your business: when deliveries are made, who the suppliers are, who your critical customers are, profit and loss data, and many more unique business facts. Don’t let that information get leaked, stolen or posted on social media. Have you included them in your data protection strategy?

Here is a set of sound business practices that you can easily implement in your business:

• Advise employees to routinely save their work. It sounds simple, but hours of work could be lost if they don’t think to stop and save.
• Never open email attachments by habit or click on links unless it is a secure site and you know where the email originated.
• Never allow employees to use memory sticks or disks from someone outside the company unless someone has scanned them for viruses first.
• Keep your business operations private and instruct your employees about what they can and cannot post on social media. Keep these issues private: facts about deliveries, which of your employees will be at work the next day, or what happened at work. If such issues are posted on social media, your adversaries can use that information to compromise your operations.
• Advise your employees to keep their passwords safe and secure and use our guide on how to create secure passwords.

 

4. Cyber Safe Practices – Data protection is also about protecting the devices you use to store, manage and track your data. Here are some simple tips to prevent data loss.

• Hardware and software inventory life cycle status – Do you know if your equipment is still supported by the manufacturer? Have you downloaded the latest updates? Is your business running applications that are no longer supported by the vendor? It’s

software to run your business. This is one of those often overlooked cyber safe practices that not only protect your data but keep you one step ahead of the hacker or criminal. Often these bad actors are looking for hardware and software that has not been kept up to date with the latest patches and downloads – an unprotected system – which makes you an easy target.

• Conduct regular maintenance and run virus scans, and learn how to run a utility that can diagnose your system for problems. These utilities can prevent little problems from becoming big problems, and will keep you in business.

 

“Hackers have honed their abilities to perform automated, opportunistic attacks that constantly scan the Internet looking for unprotected systems. So even if the victim doesn’t have valuable data to steal, its network could be hijacked and become an unwitting proxy through which new attacks are routed.” Read more: http://www.itproportal.com/2015/07/04/small-businesses-next-target-heavyweight-hackers/#ixzz3f1r1ojRB    

 

5. Backups – Before you make changes to critical data, always make a duplicate. Even if you just made a backup yesterday, make another and label it. If you or your employees create a backup on a removable drive, have the drive or memory device password protected.

 

6. Off-site Storage – This is something you have probably never thought of, but what happens if there is a fire at your facility and your only backup was on-site and was lost in the fire? Keep a copy of your critical data offsite. If you use a managed service provider to store your data and applications, ensure that they provide you the ability to recover your data if it is compromised at their site. Know what is in the fine print before you sign the agreement. If they don’t provide a guarantee, find another provider. Another option: one service provider may not be enough, and you might need another provider in another region of the country to ensure your data is backed up, based upon your needs for recovery.

 

7. Gold Standard in Data Protection – Before we talk about encrypting your data, let’s consider some tips for the ultimate in data protection.

Safe deposit boxes are used to house your most precious valuables – wills, birth and death certificates, bonds, jewelry, etc. Storing them in a fireproof, tamper-proof vault ensures that these valuables are not lost, stolen or damaged. Only you have the key; the bank can’t even unlock it for you. What is the correlation to today’s digital environment? A lot!

   


If you have data that is so sensitive that it would cause irreparable damage to your business, store it off-line: use a stand-alone machine or a stand-alone system that is password protected (possibly with two-factor authentication – we will explain that in another how-to guide) and has controlled physical access. Don’t store this sensitive data on a laptop, tablet or mobile device connected to the Internet or on a device that is easily stolen and/or compromised.

Does it sound odd for a cybersecurity company to recommend such an antiquated approach? Not really! If you don’t have the ability to hire a full-time cybersecurity professional who is able to design a secure network infrastructure, your best bet is to store the information off-line.

Lastly, don’t share your most confidential data with all of your employees. In the cybersecurity business we call that “Need-To-Know”. Only share sensitive information with employees who have a need to know. Keep your secrets safe!

 

8. Encryption – Encryption is important to protect data during transit or at rest. Not all data needs encryption; in fact, some important transmissions between your devices and the Internet wouldn’t work if they were encrypted. Your wireless devices are constantly sending signals (transmissions) to your Internet service provider, telling it that they are ready to receive a signal or command. If everything were encrypted, we wouldn’t be able to enjoy many of the conveniences we do today at the speed we demand and expect.

Step one is to decide what needs to be encrypted – ask the data owner. If you are a merchant who depends on on-line credit card transactions, consider complying with PCI Security Standards (another NCSS how-to guide). Even if you don’t need to comply with these standards (you conduct less than 6 million credit card transactions per year), you might want to consider complying so that your customers can trust you with their sensitive payment card information. Many of the tips in our guides provide you with the tools needed to be PCI compliant. Encryption techniques are embedded in the majority of PCI compliance provisions.

Encryption at rest involves encrypting data when it is stored on your computer, at an offsite location like a managed security provider, or with your business partners. If you are holding sensitive data, how and where you store this information is critical to protecting it. Read the fine print and ask your service provider if they are storing your data in encrypted format and what controls are in place for accessing it. Ask before you buy; don’t assume that your data will be encrypted or protected with your provider. There are many free and low cost services that provide on-line storage – but

9. Recovery Testing – OK, you’ve made it this far. You believe everything is safe, you have a backup copy of your data at an offsite location and then, poof, something happens at your main site and you need to recover your systems and data. But you never tested your recovery procedures! You have no idea how to restore your critical data from the offsite location, and you have no idea when the data was last backed up! Not a good place to be in.

We recommend you develop a restoration plan and test the plan. The restoration plan should have a number of features (another how-to guide), but as a minimum, you should know how often your data is backed up, the step-by-step procedures on what systems to bring up first, how to conduct testing and then how to copy your restored data back to your primary site operations.
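One way to run the restore test described in step 9, shown as an added example that is not part of the original guide: record a manifest (timestamp plus a SHA-256 hash per file) when the backup is taken, then check a test restore against it before copying anything back to the primary site. The function names, the sample files and the 7-day age limit are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large backups do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root, taken_at=None):
    """At backup time: record when it was taken and a hash of every file."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"taken_at": time.time() if taken_at is None else taken_at, "files": files}

def verify_restore(manifest, restored_root, max_age_days, now=None):
    """After a test restore: report backup age, missing files, altered files."""
    age_days = ((time.time() if now is None else now) - manifest["taken_at"]) / 86400
    missing, altered = [], []
    for rel, expected in manifest["files"].items():
        target = Path(restored_root) / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            altered.append(rel)
    return {"age_days": round(age_days, 1), "stale": age_days > max_age_days,
            "missing": sorted(missing), "altered": sorted(altered)}

def demo():
    """Constructed sample: a 'primary site' folder and a damaged test restore."""
    with tempfile.TemporaryDirectory() as tmp:
        primary, restored = Path(tmp, "primary"), Path(tmp, "restored")
        (primary / "payroll").mkdir(parents=True)
        (primary / "payroll" / "june.csv").write_text("id,amount\n1,100\n")
        (primary / "customers.csv").write_text("name\nExample Co\n")
        (primary / "recipe.txt").write_text("secret sauce\n")
        now = time.time()
        manifest = build_manifest(primary, taken_at=now - 10 * 86400)  # 10 days old
        shutil.copytree(primary, restored)                  # stands in for the restore
        (restored / "customers.csv").write_text("name\n")   # simulated corruption
        (restored / "recipe.txt").unlink()                  # simulated lost file
        return verify_restore(manifest, restored, max_age_days=7, now=now)  # assumed limit

print(demo())
```

Store the manifest separately from the backup itself, so that damage to the backup media cannot also change the hashes it is checked against.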

   
