In my forthcoming book, Swiped, partially excerpted below, I examine some enterprise-level, cybersecurity best practices. These are the questions organizations need to ask themselves if they want to protect the data they are sitting on. Some of the considerations:
- Does the organization use a standards-based security architecture that is integrated into all technology processes? In plain language, sending personal information via attachment on an email is a “technology process.” This would include both the way data is stored (is it encrypted) and where it is stored (is it online or offline), etc.
- Does the organization provide employee security awareness? Employees are often the hacker’s first point of attack (think spearphishing, easily deciphered passwords, mindlessly misplaced smartphones and laptops, and improperly secured devices that access your secure systems). Comprehensive training is a must.
- Security must be layered. Like very tall, electrified fences and deadbolts on your doors, multiple layers of security can slow down cyberthieves as well as limit what they can access and pilfer in a single attack. Adopt a “minimum necessary access” policy. Allow users (and their devices) only what they need to perform their required tasks. Update access rights in response to personnel or system changes. Never permit multiple employees (or department members) to share a password. Assign each a discrete password, and never let them share passwords.
- Your system must be segregated. Segregate financial, security, customer and employee data storage systems from each other as well as from the data used for routine operations management.
- Bring Your Own Device? If you allow it, set stringent protocols, including security programs and other precautions.
- Have a smart file retention and destruction policy. Limit your legal liability and breach exposures by developing appropriate retention requirements for both hard copy and electronic files, and employing secure destruction practices for electronic data and physical files (think shredding), and any hardware that either you are no longer required to keep or has become obsolete.
In a world where Cyber War has replaced the Cold War and breaches have become the third certainty in life, it is incumbent upon every organization to be on high alert and to build security into their very culture from the mailroom to the boardroom. Just as companies have warned consumers away from clicking on links, they should avoid asking for any sensitive documents to be attached to any email.
Adam Levin is chairman and founder of CyberScout and Credit.com, where this post originally appeared.