HOW TO PROTECT YOUR DATA
INTRODUCTION
Every day in the news, we hear about data breaches.
Are you concerned your sensitive business, customer and supplier data is not protected?
Do you have a secret sauce that keeps your business alive?
Want to learn more? We are here to help!
RESOURCES NEEDED:
• Data Owner
• Device Management
• Sound Business Practices
• Cyber Safe Practices
• Backups
• Off-site Storage
• Gold Standard in Data Protection
• Encryption
• Recovery Testing

STEP-BY-STEP INSTRUCTIONS:
1. Data Owner – Every piece of data you want to protect needs someone in your organization to determine how valuable it is. In the cybersecurity business, we call that person a data owner.
The data owner could be the inventor who created your secret sauce, your CEO who devised your unique business strategy, or the customers who depend on your services.
Not all data needs protection. The data owner can be called upon to determine which data to protect, how sensitive it is, who can access and use it, and how severe the impact would be if it were lost or stolen.
It’s easy to say that your payroll is critical for paying your employees, but the age of your equipment and its maintenance schedule may not seem as important, until you need to replace it or ask the manufacturer to repair it under warranty. The data owner for your business can help you decide how “critical” the various data elements you want to protect really are.
2. Device Management – Data protection includes preventing access to the device itself (via passwords or other authentication methods), especially when the data is stored on a laptop or memory device. Ensure that any critical data stored on a removable device (memory stick, disk, hard drive, laptop, tape) is password protected. These devices and the data that resides on them can easily be stolen and/or compromised. If the device is password protected, it will be harder to gain access to the data stored on it.
3. Sound Business Practices – Simple business practices can help protect your data. Your employees are often your best defense in protecting your data. They know the ins and outs of your business: when deliveries are made, who the suppliers are, who your critical customers are, profit and loss data, and many more unique business facts. Don’t let that information get leaked, stolen or posted on social media. Have you included them in your data protection strategy?
Here is a set of sound business practices that you can easily implement in your business:
• Advise employees to routinely save their work. It sounds simple, but hours of work could be lost if they don’t think to stop and save.
• Never open email attachments or click on links by habit; only do so when it is a secure site and you know where the email originated.
• Never allow employees to use memory sticks or disks from someone outside the company unless someone has scanned them first for viruses.
• Keep your business operations private and instruct your employees about what they can and cannot post on social media. Keep these matters private: facts about deliveries, which of your employees will be at work the next day, or what happened at work. If such matters are posted on social media, your adversaries can use that information to compromise your operations.
• Advise your employees to keep their passwords safe and secure, and use our guide on how to create secure passwords.
4. Cyber Safe Practices – Data protection is also about protecting the devices you use to store, manage and track your data. Here are some simple tips to prevent data loss.
• Hardware and software inventory life cycle status – do you know if your equipment is still supported by the manufacturer? Have you downloaded the latest updates? Is your business running applications that are no longer supported by the vendor? It’s
software to run your business. This is one of those often overlooked cyber safe practices that not only protects your data but keeps you one step ahead of the hacker or criminal. Often these bad actors are looking for hardware and software that has not been kept up to date with the latest patches and downloads – an unprotected system – which makes you an easy target.
• Conduct regular maintenance and run virus scans, and learn how to run a system utility that can diagnose your system for problems. These utilities can prevent little problems from becoming big problems, and will keep you in business.
“Hackers have honed their abilities to perform automated, opportunistic attacks that constantly scan the Internet looking for unprotected systems. So even if the victim doesn’t have valuable data to steal, its network could be hijacked and become an unwitting proxy through which new attacks are routed.” Read more: http://www.itproportal.com/2015/07/04/small-businesses-next-target-heavyweight-hackers/#ixzz3f1r1ojRB
5. Backups – Before you make changes to critical data, always make a duplicate. Even if you just made a backup yesterday, make another and label it. If you or your employees create a backup on a removable drive, have the drive or memory device password protected.
6. Off-site Storage – Something you probably never thought of: what happens if there is a fire at your facility and your only backup was on-site and was lost in the fire? Keep a copy of your critical data offsite. If you use a managed service provider to store your data and applications, ensure that they provide you the ability to recover your data if it is compromised at their site. Know what is in the fine print before you sign the agreement. If they don’t provide a guarantee, find another provider. Another option: one service provider may not be enough; you might need another provider in another region of the country to ensure your data is backed up, based upon your needs for recovery.
7. Gold Standard in Data Protection – Before we talk about encrypting your data, let’s consider some tips for the ultimate in data protection.
Safe deposit boxes are used to house your most precious valuables – wills, birth and death certificates, bonds, jewelry, etc. Storing them in a fireproof, tamper-proof vault ensures that these valuables are not lost, stolen or damaged. Only you have the key – the bank can’t even unlock it for you. What is the correlation to today’s digital environment? A lot!
If you have data that is so sensitive that losing it would cause irreparable damage to your business, store it offline – use a stand-alone machine or stand-alone system that is password protected (possibly with two-factor authentication – we will explain that in another how-to guide) and has controlled physical access. Don’t store this sensitive data on a laptop, tablet or mobile device connected to the Internet, or on a device that is easily stolen and/or compromised.
Sounds odd for a cybersecurity company to recommend such an antiquated approach? Not really! If you don’t have the ability to hire a full-time cybersecurity professional able to design a secure network infrastructure, your best bet is to store the information offline.
Lastly, don’t share your most confidential data with all of your employees. In the cybersecurity business we call that “Need-To-Know”. Only share sensitive information with those employees who have a need to know. Keep your secrets safe!
8. Encryption – Encryption is important to protect data in transit or at rest. Not all data needs encryption; in fact, some important transmissions between your devices and the Internet wouldn’t work if they were encrypted. Your wireless devices are constantly sending signals (transmissions) to your Internet service provider, telling it they are ready to receive a signal or command. If everything were encrypted, we wouldn’t be able to enjoy many of the conveniences we do today at the speed we demand and expect.
Step one is to decide what needs to be encrypted – ask the data owner. If you are a merchant who depends on online credit card transactions, consider complying with the PCI Security Standards (another NCSS how-to guide). Even if you don’t need to comply with these standards (you conduct fewer than 6 million credit card transactions per year), you might want to consider complying anyway, since it shows your customers they can trust you with their sensitive payment card information. Many of the tips in our guides provide you with the tools needed to be PCI compliant. Encryption techniques are embedded in the majority of PCI compliance provisions.
Encryption at rest involves encrypting data when it is stored on your computer, at an offsite location like a managed security provider, or with your business partners. If you are holding sensitive data, how and where you store this information is critical to protecting it. Read the fine print and ask your service provider whether they store your data in encrypted form and what controls are in place for accessing it. Ask before you buy; don’t assume that your data will be encrypted or protected by your provider. There are many free and low-cost services that provide online storage – but
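The safe deposit box idea from step 7 carries over directly to encryption at rest: if you encrypt a file yourself before handing it to a storage provider, only you hold the key, and the provider stores bytes it cannot read. The following Go program is an added example written for this guide; it is not code from NCSS or from any provider. It uses AES-256-GCM from the Go standard library, generates a random key (how and where you keep that key, separate from the data, is assumed to be handled elsewhere), and binds a label such as the file name to the ciphertext so that a blob renamed or swapped in storage is rejected. Any change to the stored bytes, a wrong key or a wrong label causes decryption to fail rather than return corrupted data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit AES key. This is the equivalent of
// the safe deposit box key: keep it separate from the encrypted files and
// never give it to the storage provider. (Key storage is outside this example.)
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts plaintext with AES-256-GCM before it leaves your premises.
// label (for example the file name) is bound to the ciphertext as additional
// authenticated data, so a blob renamed or swapped in storage will not decrypt
// under another name. Output layout: nonce || ciphertext || authentication tag.
func SealRecord(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record; never reuse one with the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenRecord reverses SealRecord. A wrong key, a wrong label, or any change to
// the stored bytes fails authentication and returns an error instead of garbage.
func OpenRecord(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob is too short to be valid")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, label)
}

// newGCM builds the AEAD and enforces the AES-256 key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; in practice this would be a file's contents.
	record := []byte("customer 1042, card ending 4242, renewal 2027-12")
	label := []byte("customers.csv")
	blob, _ := SealRecord(key, record, label)
	fmt.Printf("provider stores %d opaque bytes\n", len(blob))
	blob[len(blob)-1] ^= 0x01 // simulate corruption or tampering in storage
	if _, err := OpenRecord(key, blob, label); err != nil {
		fmt.Println("altered blob rejected:", err)
	}
}
```

The random 96-bit nonce is the standard choice for GCM; it is safe as long as one key is not used for an enormous number of records (on the order of billions), at which point a fresh key should be generated.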
9. Recovery Testing – OK, you’ve made it this far: you believe everything is safe, you have a backup copy of your data at an offsite location, and then, poof – something happens at your main site and you need to recover your systems and data. But you never tested your recovery procedures! You have no idea how to restore your critical data from the offsite location, and you have no idea when the data was last backed up! Not a good place to be in.
We recommend you develop a restoration plan and test the plan. The restoration plan should have a number of features (another how-to guide), but as a minimum you should know how often your data is backed up, the step-by-step procedures for which systems to bring up first, how to conduct testing, and then how to copy your restored data back to your primary site operations.
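Steps 5 and 9 together describe one procedure: take a labelled backup before changing critical data, and prove you can restore it. The Go program below is an added example written for this guide, not NCSS code or a product; it assumes the backup directory lies outside the directory being backed up, and the paths used in main (./business-data, ./backups, ./restore-test) are constructed placeholders for the reader to replace. Backup copies every file into a directory named after the label and writes a manifest.json recording when the copy was taken and a SHA-256 digest of each file, which answers the "when was it last backed up" question. RestoreAndVerify is the recovery test: it restores into a scratch directory and fails on the first file that is missing or does not match its digest, so a silently corrupted or altered backup is caught before you depend on it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"time"
)

// Manifest is written beside every backup: the label, when the copy was taken,
// and a SHA-256 digest per file so a later restore can be checked, not assumed.
type Manifest struct {
	Label   string            `json:"label"`
	TakenAt time.Time         `json:"taken_at"`
	Hashes  map[string]string `json:"hashes"` // slash-separated relative path -> hex digest
}

// copyFile copies src to dst (creating parent directories, owner-only
// permissions so shared storage is not world-readable) and returns the
// SHA-256 of the bytes copied.
func copyFile(src, dst string) (string, error) {
	data, err := os.ReadFile(src) // whole-file read; stream instead for very large files
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), os.WriteFile(dst, data, 0o600)
}

// Backup copies every regular file under srcDir into <backupRoot>/<label>/data
// and writes <backupRoot>/<label>/manifest.json. backupRoot must lie outside
// srcDir. It returns the backup directory.
func Backup(srcDir, backupRoot, label string) (string, error) {
	dest := filepath.Join(backupRoot, label)
	m := Manifest{Label: label, TakenAt: time.Now().UTC(), Hashes: map[string]string{}}
	walk := func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, err := filepath.Rel(srcDir, path)
		if err != nil {
			return err
		}
		sum, err := copyFile(path, filepath.Join(dest, "data", rel))
		if err != nil {
			return err
		}
		m.Hashes[filepath.ToSlash(rel)] = sum
		return nil
	}
	if err := filepath.WalkDir(srcDir, walk); err != nil {
		return "", err
	}
	raw, err := json.MarshalIndent(m, "", "  ")
	if err != nil {
		return "", err
	}
	return dest, os.WriteFile(filepath.Join(dest, "manifest.json"), raw, 0o600)
}

// RestoreAndVerify is the recovery test: it restores the backup into restoreDir
// and compares each restored file with the manifest. It returns the number of
// verified files and an error on the first missing or altered file.
func RestoreAndVerify(backupDir, restoreDir string) (int, error) {
	raw, err := os.ReadFile(filepath.Join(backupDir, "manifest.json"))
	if err != nil {
		return 0, err
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return 0, err
	}
	verified := 0
	for rel, want := range m.Hashes {
		src := filepath.Join(backupDir, "data", filepath.FromSlash(rel))
		got, err := copyFile(src, filepath.Join(restoreDir, filepath.FromSlash(rel)))
		if err != nil {
			return verified, fmt.Errorf("restore %s: %w", rel, err)
		}
		if got != want {
			return verified, fmt.Errorf("restore %s: checksum mismatch, backup altered or corrupt", rel)
		}
		verified++
	}
	return verified, nil
}

func main() {
	// Constructed placeholder paths: point these at your own directories.
	dir, err := Backup("./business-data", "./backups", "before-price-update")
	if err != nil {
		panic(err)
	}
	n, err := RestoreAndVerify(dir, "./restore-test")
	fmt.Println("verified files:", n, "error:", err)
}
```

Run the restore test on a schedule, not only when a backup is first created: the manifest stays the same, so a later run that starts failing tells you the backup medium itself has degraded or been altered since the copy was taken.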