Are Your Employees Keeping Your Data Safe? Don’t count on it!

Let’s illustrate with this true story…

A man was making his way to his local jobcentre when he spotted something glistening in the morning sun. Full of curiosity, he went to investigate and discovered it was a USB stick. Being a frugal man, he popped the device into his pocket, thinking he would be able to put it to good use later. When he returned home, he connected the USB stick to his laptop, but before reformatting the device he decided to check out its contents (we mentioned earlier he was a curious soul). As he sniffed around, he realized with amazement that the device contained high-level security information for Heathrow Airport: 174 folders containing maps detailing CCTV camera locations, labyrinthine tunnels snaking below the building and even the exact route the Queen takes when she uses the airport.

Understandably worried, the man quickly ejected the device and brought it to… the Daily Mirror (go figure, it surely had nothing to do with the money The Mirror and other tabloid newspapers were offering for information of this type). The news caused a huge uproar and led to BAA (then owner of Heathrow, now Heathrow Airport Holdings Ltd) overhauling the way company data was handled (and so they should! Can you imagine what could have happened if that information had gotten into the hands of unscrupulous types? “The exact route the Queen takes when using the airport” – makes you shudder…)

No one knows how this sensitive information found its way to a street in London; however, all signs point to the USB drive being dropped accidentally by a hapless employee. This story hammers home a vital point: whether you’re an international airport hosting more than 70 million travellers each year or a small business with 5 employees, your biggest security risk isn’t hackers based in outer Mongolia but your employees!

So how do you keep your data safe? Well, the EU General Data Protection Regulation (GDPR) sets out some guidelines regarding protecting sensitive information, but here are some of our top tips:

1. Identify your important data

Before you even start thinking about how you protect your company data, do some housekeeping. First, identify the information you need to protect (“crown jewels” such as financial information or trade secrets, employee records, customer data / payment info). Once you know what needs to be protected, you will then need to know how this information is collected (or created), how it is stored (servers, cloud, mobile devices, emails) and also how it moves (e.g. email, Wi-Fi, a portable device such as a USB stick).

2. Now Protect It!

  • Encrypt your data. That way, if it is accidentally lost, it will mean nothing to anyone who finds it.
  • Use strong passwords to protect your most sensitive information.
  • Will you know when your important data is leaking, or being accessed or taken? There are intelligent tools that can give you this information.
  • Is cardholder information handled exclusively by a secure payment portal?
  • How is your important data backed up?
  • Is it necessary for all your users to be able to download data from the office? Consider disabling USB ports and blocking any other portable devices. If you have a company intranet, disable the ability to download files so work can only be done within the shared area.

3. Control, Control, Control

  • Limit access to the data you need to protect to those who need it, and terminate their access when they no longer need it.
  • What physical security do you have in place?
  • Do you know at all times who should have access or has had access to the data you need to protect?

4. Limit 3rd Party Access

It is not necessary to give 3rd parties full access to your systems. A well-segmented network will allow for limited access to only certain parts. Never give 3rd parties access to your systems indefinitely. Encourage them to agree set times to carry out their work. After this time, disable their access.
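
One way to check that time-limited access is actually being enforced is to review an access register on a schedule. The following is an added example, not part of the original article; the register format, account names, systems and dates are all constructed for illustration.

```python
from datetime import datetime

# Constructed access register; names, systems and dates are illustrative only.
GRANTS = [
    {"who": "hvac-vendor", "third_party": True, "system": "building-mgmt",
     "enabled": True, "expires": "2024-03-01T18:00:00+00:00",
     "last_used": "2024-03-04T09:12:00+00:00"},
    {"who": "web-agency", "third_party": True, "system": "cms",
     "enabled": True, "expires": None,
     "last_used": "2024-02-20T11:00:00+00:00"},
    {"who": "payroll-bureau", "third_party": True, "system": "hr-records",
     "enabled": False, "expires": "2024-02-15T17:00:00+00:00",
     "last_used": "2024-02-15T16:30:00+00:00"},
    {"who": "j.smith", "third_party": False, "system": "finance-share",
     "enabled": True, "expires": None,
     "last_used": "2024-03-04T08:00:00+00:00"},
]


def review_grants(grants, now):
    """Return (who, system, finding) tuples for grants that break the time-limit rule."""
    findings = []
    for g in grants:
        expires = datetime.fromisoformat(g["expires"]) if g["expires"] else None
        last_used = datetime.fromisoformat(g["last_used"]) if g["last_used"] else None
        if g["third_party"] and expires is None:
            # A 3rd party with open-ended access: the case the tip says to avoid.
            findings.append((g["who"], g["system"], "no end date set"))
            continue
        if expires is None:
            continue  # staff access without an end date is out of scope here
        if g["enabled"] and expires <= now:
            findings.append((g["who"], g["system"], "still enabled after end date"))
        if last_used and last_used > expires:
            findings.append((g["who"], g["system"], "used after end date"))
    return findings


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-05T09:00:00+00:00")
    for who, system, finding in review_grants(GRANTS, now):
        print(f"{who:15} {system:15} {finding}")
```

A "used after end date" finding means the agreed window passed and the account was still able to log in, so it should be treated as something to investigate rather than just tidied up.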

5. Reusing or disposing of old kit? Make sure it is wiped properly

6. Educate your staff

Hackers continuously find new ways to access information, which is why creating a culture of consistent awareness of threats is so important.

One team meeting about cyber security is not enough to guarantee that employees understand how to keep data secure. Cyber-attacks come in many different forms and are always evolving, so everyone needs to be kept up to date on what to look out for.
