Companies of all sizes are seriously thinking about the impact of cyberattacks. Virtually no business can operate effectively without relying on information networks to create, store, manage and communicate data between employees, customers and business partners. But network access and online file storage can create significant risks as well. Business managers across the enterprise, including information technology, financial accounting, risk management, operations and human resources all have a stake in the cybersecurity game.
While we hear about data breaches in the news, there’s no single reason that cybercriminals seek to penetrate a company’s network. According to data from the research firm Statista, the main financial consequences of cyberattacks in 2015 related to business disruption, information loss, revenue loss and equipment damage. Cyber attackers might be looking for trade secrets and confidential documents, collecting financial and customer data that can be sold in the black market, freezing file access in return for ransom (usually in bitcoin), or launching nuisance attacks that bring your public and back office web applications to a screeching halt.
Security threats are not slowing down. A PwC survey reports that there were 38 percent more security incidents in 2015 than in the year prior. So it’s important to ask yourself: Is your company really prepared?
Two ways to make sure your documents stay vulnerable
Frankly, most companies aren’t prepared well enough to keep their documents safe, even if they think appropriate measures have been taken to keep files secure. Here are two common document security practices that may look good on paper but keep your business at risk:
- You don’t have or enforce password policies. Requiring authentication into your systems usually isn’t a problem. Most networks and software applications allow your staff to enter a username and password. The problem that exposes you to risk is poor password integrity. In 2015, many people were still creating very weak passwords such as “123456,” “password” (or “passw0rd”), “qwerty,” and even “letmein.” These easily guessable passwords make it a cinch for cybercriminals to gain entry into a network.
- You keep files “safely” on SharePoint. Or do you? Sure, Microsoft® SharePoint gives you an environment to store files, but its security capabilities are often burdensome or simply inappropriate for many organizations. For example, SharePoint’s group security requires each group to be manually configured, and individual permissions must be continually updated and moved from group to group as employees’ roles and responsibilities change. Maintenance is costly and difficult, and many users still end up with access to files that they probably shouldn’t be able to view and download.
Strong governance is key to strong security
Your ability to reduce risk is directly related to your ability to control your IT environment and keep important documents safe from unauthorized users both inside and outside your company. The first step to responsible governance is recognizing that your business faces risks and focusing attention on ways to make your staff and software more resilient to security threats.
Evaluate the security protocols that are available within your software to keep files safe. The features of all new and existing software applications should be reviewed, especially those that help you house and manage critical business documents. As was mentioned earlier, many insider and external threats focus on getting access to corporate documents that can provide valuable business intelligence. Basic protections within the software should include:
- Role-based user permissions. The more flexibility you have over user permissions, the better. Ideally, you should be able to assign specific permissions to each user of the software, including which software features they can access, which tasks they can perform, and which folders they can reference. As a user’s responsibilities change (such as a change of position or a termination), it should be as easy as possible to edit, delete and customize that user’s individual permissions. For example, an employee’s access to documents should be restricted by default, but if that employee is promoted to a management-level position, access to directories and documents of higher sensitivity should be granted in a controlled way, and revoked again if the role changes back.
- Multi-layer encryption. Generally, there are two opportunities to encrypt files so that their data cannot be read by anyone who is not authorized. The first is “client-side encryption,” where the sender’s own device encrypts the file before it is transmitted over the network. This prevents service providers, third parties and criminals who may be intercepting the traffic from reading the contents of the file. The second is “server-side encryption,” which keeps files private at rest on the server where they are stored over time.
Establish a point person for optimal security
To keep your user profiles and files secure, you need to make sure that someone in the organization has the responsibility to consistently and regularly maintain them. By appointing a security manager with knowledge of software capabilities and your security policies, you will have more accountability over the integrity of your user base. Don’t confuse a human security manager with automation; while many systems claim to feature application-specific “security managers,” your goal is to have a real person whose priority it is to minimize your security risks and create the safest environment for document storage across applications and networks.
If you have a larger and more complex business and you haven’t established a security organization, you might want to consider hiring a Certified Information Security Manager (CISM). CISM certification is sponsored by ISACA, an independent, nonprofit, global association that advocates for IT governance and guidance, and helps companies to:
- Identify critical issues and customize company-specific practices to support the governance of information and related technologies.
- Bring credibility to the enterprise for which they are employed.
- Take a comprehensive view of information systems security management and their relationship to organizational success.
- Demonstrate to enterprise customers their commitment to compliance, security and integrity; ultimately contributing to the attraction and retention of customers.
- Ensure that there is improved alignment between the organization’s information security program and its broader goals and objectives.
- Provide the enterprise with a certification for information security management that is recognized by multinational clients and enterprises, lending credibility to the enterprise. (Source: ISACA)
Monitor your IT assets for security purposes
Cleaning up after a data breach is time-consuming and expensive. Therefore, it’s best to try and prevent security issues from happening by identifying vulnerabilities in advance. And when a crisis does hit, you’ll have a better ability to examine your IT software and determine how a breach might have occurred.
One of the best ways to do this is to maximize the use of log files. Software applications typically have application logging. These logs contain information about how the software was used, such as:
- Added or deleted users
- User login histories
- Changes in permissions
- Invalid password attempts
- Data/file access, modifications and exports
- System start-ups and shut-downs
- Connectivity issues
- Error messages
By collecting log information like this, you can perform routine security audits. For example, your security manager might spot a large number of invalid password attempts or user lockouts, which could mean that someone is trying to crack passwords using automated “brute-force” attacks. Or, you might find that an excessive number of confidential files have been downloaded by a user, which could signal unauthorized access or an insider security threat. (Security Magazine reported that insider threats are responsible for 43 percent of data losses.)
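The two audit checks just described, automated as an added example (not code from the original article or any particular product): it parses a constructed application log and flags accounts with a burst of failed logins (the brute-force pattern) and accounts downloading many confidential files in a short window (the insider pattern). The log format, event names, field names and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (invented for this example); assumed format: "<ISO time> <EVENT> key=value ...".
SAMPLE_LOG = """\
2015-06-01T09:00:01 LOGIN_FAILED user=jsmith
2015-06-01T09:00:02 LOGIN_FAILED user=jsmith
2015-06-01T09:00:04 LOGIN_FAILED user=jsmith
2015-06-01T09:00:05 LOGIN_FAILED user=jsmith
2015-06-01T09:00:07 LOGIN_FAILED user=jsmith
2015-06-01T09:15:00 LOGIN_FAILED user=mlee
2015-06-01T09:15:20 LOGIN_OK user=mlee
2015-06-01T09:20:00 FILE_DOWNLOAD user=mlee file=/finance/q2.xlsx class=confidential
2015-06-01T09:20:30 FILE_DOWNLOAD user=mlee file=/finance/payroll.xlsx class=confidential
2015-06-01T09:21:00 FILE_DOWNLOAD user=mlee file=/hr/reviews.docx class=confidential
2015-06-01T10:00:00 FILE_DOWNLOAD user=akhan file=/marketing/logo.png class=public
2015-06-01T10:05:00 FILE_DOWNLOAD user=akhan file=/finance/budget.xlsx class=confidential
"""

def parse_line(line):
    """Split one log line into (timestamp, event, fields-dict)."""
    ts, event, *pairs = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in pairs)

def max_events_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_users(log_text, predicate, threshold, window=timedelta(minutes=5)):
    """Users whose events matching `predicate` reach `threshold` inside one `window`."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        ts, event, fields = parse_line(line)
        if predicate(event, fields):
            per_user[fields["user"]].append(ts)
    return sorted(u for u, ts in per_user.items() if max_events_in_window(ts, window) >= threshold)

def suspected_brute_force(log_text, threshold=5):
    """Accounts with `threshold` or more failed logins in five minutes (brute-force pattern)."""
    return flag_users(log_text, lambda e, f: e == "LOGIN_FAILED", threshold)

def suspected_bulk_download(log_text, threshold=3):
    """Accounts pulling `threshold` or more confidential files in five minutes (insider pattern)."""
    return flag_users(log_text, lambda e, f: e == "FILE_DOWNLOAD" and f.get("class") == "confidential", threshold)
```

Running `suspected_brute_force(SAMPLE_LOG)` flags only `jsmith` (a single failure by `mlee` is normal), while `suspected_bulk_download(SAMPLE_LOG)` flags only `mlee`; `akhan` stays clear because public files are not counted.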
There are plenty of reasons to suggest that online or network-based document storage is safer than paper, in terms of theft, loss, tampering, and administrative or versioning errors. But purposeful and accidental events can affect file security and the safety of business information. By becoming familiar with fundamental security practices, you can start putting measures in place that reduce risk and give your business more control over software users and IT environments.