Simple ways of implementing and maintaining data security in your company
The move towards remote working and the digitalisation of work infrastructures have increased the demands on security teams, as risks and threats have grown. IBM research has shown that data breach costs rose from USD 2.2m to USD 3.6m in 17 years, the highest average total cost in the report's history. Much of that cost came from breaches where remote work was a factor, showing the growing need for companies to adjust their security and take a more holistic understanding of and approach to cybersecurity.
For this, training is crucial, as people are often the weakest link in security. Companies therefore need to ensure all employees are well trained on cybersecurity and its best practices. Not only that, but the information needs to be conveyed to workers simply and continually, as most people tend to dismiss complicated subjects or underestimate the threats.
A seminal paper entitled "Why Johnny Can't Encrypt" conducted a study of PGP 5.0 and concluded that most users could not successfully send or receive encrypted email, even though the product's user interface seemed "reasonable." To make matters worse, many test users acted in ways that compromised the security of the sensitive email they were asked to send and receive. The study concluded that, to ensure a product is both usable and secure, a distinct notion of "usability for security" is needed.
The first step to implementing data security in a company is, naturally, to ensure that senior IT management approaches cybersecurity as an organisation-wide risk issue. With that in mind, the first line of defence against many attacks is simply to educate employees about the dangers of clicking on links. So workers should be trained, often, on phishing and data-sharing practices, keeping software updated, using unique and strong passwords, and enabling two-factor authentication, for starters.
Despite training and educational talks and videos, many people will only learn once they make a mistake, and by then the lesson comes too late. A newer practice among security teams is to send employees simulated phishing emails containing "fake malware". When clicked, the links lead them to a page explaining their mistake and educating them on the possible consequences and the dangers of what they did.
Teaching staff not to click on suspicious links, and effectively teaching them what suspicious links look like, is crucial. The other entry gate for data hackers is weak and leaked passwords. But, unlike in exciting Hollywood thrillers, most hackers won't develop a brand new intelligent "algorithm" to steal data; they will simply log in.
Because of this, adding authentication factors such as something you have (like a physical key or an authenticator app) or something you are (such as your face or fingerprint) adds a crucial extra layer of security. A simple, effective cybersecurity best practice is for organisations to enforce different passwords on different websites. A valuable tool here is a reputable password manager, which will create complex, strong passwords and store them in an encrypted file.
Coupled with two-step authentication wherever it is offered, these are valuable tools and practices that all companies should adopt (and should have adopted already).