According to the 2017 Ponemon Cost of Data Breach Study, affected organizations pay more than $3.6 million, on average, in direct and indirect costs attributable to data breaches. That works out to a $141 average cost per record — down significantly from 2016, but still quite dear for smaller organizations with limited resources.
Data security is all about probabilities. It’s simply not possible to eliminate your exposure to the ever-evolving cyber-threat landscape. There are simply too many unknown unknowns.
But it is possible to significantly reduce your risk of sustaining a breach that results in data loss, and to mitigate the severity of such a breach.
These nine simple tips can help — though there’s no substitute for aligning with a cybersecurity expert.
1. Get an SSL Certificate for Your Website
An SSL certificate is a vital measure of protection for your customers and website visitors. Beyond the actual, demonstrable data security boost your certificate provides, it’s a critical indicator of your commitment to keeping your customers’ information safe. Many people simply aren’t comfortable patronizing organizations without SSL certificates — and that’s a completely defensible position.
2. Use a Secure, User-Friendly Payment Gateway
If you plan to accept online payments through a third-party payment gateway, choose a vendor that takes financial security seriously. And look beyond industry-standard PCI DSS compliance to the value-added features that improve the customer experience in good times and bad. First among those are friendly UX and comprehensive customer service. Look for vendors that blend the DIY aspects of a knowledge base with the convenience of live chat, like this Talus Payments support environment.
3. Use Two-Factor Authentication
Any accounts or programs that require employee sign-ins should utilize two-factor authentication, period. Two-factor authentication — for instance, traditional passwords plus SMS verification — isn’t foolproof, but it can significantly reduce unauthorized sign-ins when used properly.
4. Implement Strict Usage and Transport Protocols for Physical Storage Media
While physical storage media are crucial data backup aids, they’re also vulnerable to loss and theft. If you haven’t already done so, draw up and publicize standards and processes around the usage, removal, and transportation of any physical storage media — external hard drives, thumb drives, and so on.
5. Deploy a Comprehensive Monitoring Framework
Who’s watching the watchers?
In the modern cyber-threat environment, the answer should always be: other watchers, who in turn have watchers watching them.
In all seriousness, the security of your company’s (and customers’) data supersedes any expectation of employee privacy. Work with your internal IT team and external consultants as necessary to incorporate airtight insider threat monitoring and anomaly detection practices into your security architecture.
6. Silo Sensitive Information
Comprehensive monitoring isn’t enough to address insider threats, nor accidental or intentional data loss or theft by company or third-party actors. Siloing — essentially, allowing access to information on a need-to-know basis — is just as important. You want your employees to have access to just enough information and permissions to fulfill their defined roles effectively. No more, no less.
7. Use Secure Colocation Facilities
If your company utilizes an offsite server farm or colocation facility, make sure it’s appropriately secure. Best practices dictate redundant protection against human and natural threats: biometric access, after-hours motion detectors, shatter- and bulletproof glass, digital locks, fire- and water-resistance, solid construction capable of withstanding hurricane-force winds, and on and on. Your company’s colocation facility should be among the sturdiest, most secure commercial buildings in town — and, if not, it’s time to find another option.
8. Develop a Redundant, Comprehensive Backup Strategy
One backup isn’t enough. The current standard is 3-2-1 (or 2 plus 1) backup. That means at least three complete copies of your backed-up data: two on different devices in the same physical location, such as your office; and one in a secure cloud storage medium or on a physical media somewhere well away from the other two copies. Make and keep a backup schedule — or, better yet, automate the process entirely.
9. Never Access Sensitive Cloud Services on Insecure Networks
Last, but not least: Don’t ever access company data in the cloud over an insecure wireless network, regardless of any other security measures in place. That’s a recipe for a breach. If you absolutely must log in on an unfamiliar server, use a VPN to encrypt your traffic.
Never Rest, Never Settle
In early 2016, CIO listed what it believed would be the nine biggest cyber-threats to emerge during the following two years. As the calendar turns into 2018, it’s amazing how dated its analysis feels.
This isn’t a knock on CIO, merely an acknowledgement that the threat landscape is incredibly difficult to predict.
It’s also an implicit reminder that, when it comes to digital security, your organization can’t let down its guard for a moment. The threats are too real, and the stakes too high, to settle.