The cybersecurity challenge is evolving, but there are a number of simple tips for a CISO to meet that challenge, as explained by Rob Allen, European director of marketing and technical services, Kingston Technology.
The last year may have meant significant changes to the workplace, but the need to prioritise business IT security has not gone anywhere. Instead, with more employees working from home, the breadth of potential security risks has only widened. With the rapid change to working environments, there’s less control over where, when and how your team handles the organisation’s data.
Even before this situation, teams were already moving away from strictly fixed office roles. Business travel, mobile, freelance and coffee shop working all led to colleagues being spread out geographically, taking their devices and access to company data with them. And because we’re all human, those devices can and have been accidentally lost or stolen.
In recent years, the potential penalties from failing to protect data have increased dramatically. Around a decade ago in the UK, headline news stories on data security were mostly focused on laptops being left in taxis or trains, leading to the loss of customer or client information.
Now you also need to consider that GDPR legislation, which is intended to prevent misuse of EU citizens’ personal information, could lead to stiff penalties and significant fines – a maximum fine of €20 million or 4% of annual global turnover, per incident – if it is not observed. And although we may have left the EU, GDPR still applies to companies in the UK that continue to trade within Europe.
Besides financial penalties, the next obvious risk of lax data security is with the loss of confidential data that may impact your organisation’s operations. Leaks of trade secrets, financial information or unannounced plans could do serious harm to your business.
And lastly, data security is about reputation too. Suffering a breach due to poor security practices or mishandling data is bad PR for any company. Customers will be more likely to come to you if they think you can be trusted with their data.
Regardless of whether or not you’ve already suffered from serious data loss, it’s therefore simply good practice to make sure you’re handling data in a secure manner.
It’s not enough, though, to rely on the company’s best security expert – typically the CISO – to design a single top-down policy and expect it to solve these problems in one fell swoop. Nor is privacy a matter for the compliance department alone.
Doing so is a sign your organisation is not taking these issues seriously enough. And this thinking trickles down from senior management to staff at lower levels, who probably will also not take security seriously. The result is that you’re more likely to suffer a breach or loss of data.
For any CISO, the first (and potentially most difficult) stage of improving data security is by working to change the company mindset. Security is a combined collective and individual effort, and cannot be the sole responsibility of a single person.
A change of culture is key, and the incentives are better business practice as well as the avoidance of financially crippling costs or fines should these problems lead to a serious data loss incident.
Encryption is the main line of defence against data loss. If data is securely encrypted and the device it’s kept on is lost or physically accessed by a third party, they should not be able to read that data.
You should be able to trust the strength of that encryption. That’s why standards such as FIPS 140-2 (Federal Information Processing Standard 140-2) are commonly quoted: it is a tried and tested US standard for cryptographic modules that certifies an encrypted device meets well-defined security requirements.
On Windows computers this can be activated by just enabling a simple option. However, full disk encryption handled in software by the computer itself results in a performance loss, as every file needs to be decrypted by the host processor when it is read and encrypted whenever it is written.
A better solution is to opt for storage devices with built-in hardware-based encryption. In self-encrypting SSDs the drive’s own controller handles this transparently to the host computer: you enable the same option as you would for software full disk encryption, but performance is drastically improved, with negligible waiting times.
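Enabling the option is only half the job; a CISO will also want to verify what was actually applied on each machine. The following PowerShell audit is an added example, not code from the original article or from Kingston. It assumes the BitLocker PowerShell module is available (Windows Pro/Enterprise editions) and that the session is elevated; it reports, per fixed volume, whether encryption is complete, whether protection is switched on, and whether the work is done in software (XTS-AES on the host CPU) or by the drive itself.

```powershell
# Added example (not from the original article): audit BitLocker state on every
# volume and show whether encryption is software-based or handled by the drive.
# Assumes: BitLocker module present, elevated PowerShell session.
function Get-EncryptionAudit {
    Get-BitLockerVolume | ForEach-Object {
        $v = $_
        # EncryptionMethod is 'Hardware' when BitLocker has handed the work to a
        # self-encrypting drive; XtsAes128/XtsAes256 means the host CPU does it.
        $mode = switch ("$($v.EncryptionMethod)") {
            'Hardware' { 'drive controller (self-encrypting drive)' }
            'None'     { 'not encrypted' }
            default    { "software ($($v.EncryptionMethod))" }
        }
        [pscustomobject]@{
            Volume        = $v.MountPoint
            Status        = "$($v.VolumeStatus)"       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            Protection    = "$($v.ProtectionStatus)"   # 'Off' on an encrypted volume means protection is suspended
            Mode          = $mode
            Percent       = $v.EncryptionPercentage
            KeyProtectors = ($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) -join ', '
        }
    }
}

# Print the full picture, then single out anything that needs attention:
# a volume that is not fully encrypted, or one whose protection is off.
$audit = Get-EncryptionAudit
$audit | Format-Table -AutoSize

$findings = $audit | Where-Object { $_.Status -ne 'FullyEncrypted' -or $_.Protection -ne 'On' }
if ($findings) {
    Write-Warning 'Volumes that do not meet the encryption policy:'
    $findings | Format-Table -AutoSize
}
```

A volume that shows `FullyEncrypted` but `Protection = Off` is the case worth explaining to staff: the data is encrypted, yet BitLocker has been suspended, so the drive contents are readable without a PIN or TPM check until protection is resumed. Running this report centrally (for example through your endpoint management tooling) turns the "just enable the option" advice into something you can actually measure.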
Moving data between home and the office usually relies on removable USB storage. Opting for the cheapest off-the-shelf USB storage that you might use at home saves a small amount of cash, but it’s better practice to opt for a storage device with built-in encryption.
With removable storage, hardware encryption and decryption are handled by a dedicated chip on the drive itself. It can happen invisibly, so the user does not have to remember to turn it on.
If you opt for a solution that requires you to install software and enter a password to access the drive, beware of keyloggers and other malware that capture keyboard input. Some devices rely solely on a virtual keyboard in order to mitigate this risk.
Avoid sloppy data handling practices
It’s all too easy to take shortcuts, especially when deadlines need to be met. But it’s these shortcuts that lead to data handling mistakes. Bad practice such as using personal email accounts for work purposes, reusing passwords or bypassing security measures are significant risk vectors.
Educating staff about these practices and why they should be avoided is a crucial first step towards helping colleagues to start considering data security.
Take no chances with data collection
GDPR requires companies to collect data only with consent for a stated purpose. Be careful that you’re adhering to this, and data is not being collected (even unintentionally) if the user has not agreed to it.
Develop a secure working culture
Lastly, you should consider the overall working culture and whether it values security enough. Colleagues need to be able to highlight when their organisation is making security mistakes, rather than ignoring them and sweeping them under the carpet.