Today, security is a hot topic not just for the IT industry but for almost everyone. From personal mail accounts to data encryption, everyone has something valuable to protect. When we ‘protect’ something, we build a physical and/or virtual system that keeps out unauthorized viewers and users. When that system fails to stop an intruder, a security compromise happens.
In more technical terms, a security compromise (breach, violation) is an incident that results in unauthorized access to data, applications, services, networks and/or devices, often by bypassing their security mechanisms. In a security compromise, confidential data is exposed to unauthorized people, which is likely to have an adverse effect on the organization’s reputation, legal standing and, of course, revenue. In other words, it is essential for an organization to avoid security compromises. But how? First, you need to take a closer look at the different types of security compromise.
Security Compromise or Data Compromise?
These terms are often used interchangeably, but it is worth bearing in mind that they are in fact two different things. Most of the time the difference is one of order: a security breach happens first, when an unauthorized user gains access to the system, and a data breach follows when that user views, alters or copies the data. There is one exception: a company may accidentally expose data on its own, and that counts as a data breach too.
Cybercriminals often use malicious software to gain access to protected networks. Viruses, spyware and other types of malware usually find their way into your system through e-mails or downloads.
To avoid harm from such attacks, you need strong anti-virus software or a firewall. Additionally, educating your employees not to open suspicious e-mails and not to download content from untrusted sources will go a long way.
No executive likes to think that a member of their team would expose sensitive information, yet according to PWC’s 2014 survey up to 28% of enterprise data security incidents come from inside. Insider malice must therefore be considered alongside external threats.
But how can we prevent it? First, remember that most malicious insider attacks happen in the 30 days before and after an employee’s last day. That is why you must be strict and punctual about removing a former or soon-to-be-former employee’s access to your company’s e-mail servers, VPN and other resources. Moreover, be alert to the warning signs your employees give off.
To prevent unintentional breaches from inside, you can block access to USB ports. This prevents both intentional theft and unintentional leaks.
And finally, as a principle, never ever give an employee more access rights than they need to do their job properly.
Passwords are the oldest and most widely used authentication method. Yet it takes somewhere around ten minutes to crack a six-character password that’s all lowercase letters. If you capitalize some of them, it will take 10 hours. If you sprinkle in some symbols and numbers, you will create a monster that will withstand at least 18 days.
Long story short, change all passwords regularly and make them as complex as possible.
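As an added illustration (not code from the original article), the following Python models the figures above: it counts the character classes a password uses, computes the resulting brute-force keyspace, and scales the article’s ten-minute figure for six lowercase letters by the ratio of keyspaces. It assumes a constant guess rate with no wordlist shortcuts and a symbol pool of the 32 characters in `string.punctuation`; it also extends the argument to password length, which the article does not discuss.

```python
import string
from datetime import timedelta

# Character pools a brute-force attacker has to cover. string.punctuation holds
# 32 symbols, so all four classes together give 94 characters (assumed pool sizes).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Calibration point taken from the article: six all-lowercase characters take
# about ten minutes. Everything else is scaled from that by keyspace ratio, which
# assumes an attacker with a fixed guess rate who must try the whole space.
BASELINE_KEYSPACE = 26 ** 6
BASELINE_SECONDS = 10 * 60


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password (printable ASCII assumed)."""
    return {name for name, pool in CLASSES.items() if any(c in pool for c in password)}


def keyspace(password: str) -> int:
    """Number of candidates an attacker must consider for this length and mix of classes."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def crack_seconds(password: str) -> float:
    """Worst-case brute-force time, scaled from the article's ten-minute baseline."""
    return BASELINE_SECONDS * keyspace(password) / BASELINE_KEYSPACE


def describe(password: str) -> str:
    """Human-readable estimate, e.g. '6 chars, 2 classes, keyspace 2^34, ~10:40:00'."""
    ks = keyspace(password)
    eta = timedelta(seconds=round(crack_seconds(password)))
    return (f"{len(password)} chars, {len(classes_used(password))} classes, "
            f"keyspace 2^{ks.bit_length() - 1}, ~{eta}")


if __name__ == "__main__":
    # The three cases the article walks through, plus a longer lowercase-only
    # password to show that length grows the keyspace faster than extra classes do.
    for pw in ("abcdef", "aBcDef", "aB3!ef", "abcdefghij"):
        print(f"{pw:12} {describe(pw)}")
```

With these pool sizes the mixed-case case lands on the article’s 10 hours exactly, while the symbols-and-digits case comes out at roughly 15.5 days rather than 18, because the article does not say how many symbols it counted.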
A social engineer works their way into an organization by taking advantage of the natural desire to help others. For instance, they convince an employee that they have lost access to their account. This can take the form of a call to the help desk or an e-mail to customer services. An employee can fall prey to this attack and give out information that can then be used to reach the company’s sensitive data.
To avoid this ‘phishing’ scheme, take some common-sense precautions that require the caller or phisher to prove their identity. Adding such steps to the protocol is very easy to do, yet it prevents some serious breaches.
Every day hackers come up with new ways to break in, so you need to stay informed and up to date. Always update your software to the latest versions. Keep your staff and, if necessary, your customers informed. Monitor online accounts. Look for a service that can help you keep track of your information.