Don’t ignore the human element when protecting your organisation from a data disaster

Imagine parking your car in a rough neighborhood because you couldn't find any other spots.

Without thinking, you leave your laptop and wallet sitting in plain view. When you return to the vehicle, all the windows have been smashed in, and your valuables are nowhere to be found.

The feeling you get from this potentially preventable financial loss is a small hint of what executives at The Home Depot and Target probably felt during the recent security breaches.

The Home Depot breach has cost the company an estimated $62 million (£40 million) so far, and Target's breach cost approximately $148 million (£97 million).

There have been countless smaller breaches this year that didn’t snag quite as many headlines, and many of those security issues forced small businesses to close because they buckled under the financial burden.

According to a recent report, it now takes an organisation about 31 days and hundreds of thousands of dollars to recover from a breach. Companies are often slapped with fines and lawsuits in addition to being forced to cover fraudulent charges.

Plus, those that fail to meet payment card industry security standards can get billed for banks’ costs of replacing credit and debit cards.

These expenses, along with the company’s tarnished reputation, may be impossible to recover from. While you might love Target or The Home Depot, you may now think twice about paying with a credit card at one of those stores, and customers affected by the breaches may never return.

While these consequences can be financially devastating for any business, the expense to secure data is tiny in comparison. While software is one of your best defenses, protecting customer information begins with your employees.

Here are three things you should focus on to avoid a similar data disaster at your company:

1. Regularly Communicate Privacy Policies

Not all data breaches originating from employees are the result of malicious intentions. Quite often, a lack of awareness is to blame.

Of course, your organisation needs to have clear privacy policies outlining how to handle customers’ personal information, but you also need to make sure you’re communicating those policies to employees on a regular basis.

Don’t just email out a PDF once a year or stuff a printout in new employees’ training binders. Hold regular info sessions for all employees who handle any type of personal information, create posters to hang around the office, or print out cheat sheets reminding employees of security dos and don’ts.

2. Separate Data Security and Access

Although employees need access to data and networks to do their jobs, many breaches are the result of weak security or employee negligence.

To minimize these risks, separate employees who have access to the information from those who control the security around the data. Data users should not be able to give access to others, while security officers who control which employees have access to which data should not be allowed to access it.

Failing to separate the roles of security officers and data users can make it easier for thieves to steal customer information. Users with access to administrator accounts can simply copy data files to another server, bypassing the database’s own security controls entirely.

If a data thief or malware steals an admin’s credentials, hackers can easily copy data from servers. The more employees your security officer gives admin access to, the easier it might be for thieves to steal your company’s data.

3. Implement the Right Software

In addition to educating employees and separating your data security officers from data users, implement software that can encrypt the data files and limit access to users or software processes that absolutely require it.

Disallow admin-level access to the data files, and make sure the person who controls the policies is not the admin. Review audit logs continuously, and take action on disallowed access attempts that could identify efforts to steal data.
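As an added example (not the author’s or AlertBoot’s code), the following Python sketch enforces the split between security officers and data users described in point 2 and keeps the audit trail of denied attempts that point 3 asks you to review; the principals, dataset name and threshold are constructed for the illustration.

```python
"""Separation-of-duties access control with an audit trail.

Added illustration, not the author's or AlertBoot's code. All principals,
dataset names and the threshold below are constructed for the example.
"""
from datetime import datetime, timezone


class AccessControl:
    """Security officers manage the ACL but can never read data;
    data users can read what they are granted but can never grant."""

    def __init__(self, security_officers):
        self.security_officers = set(security_officers)
        self.acl = {}        # dataset -> set of principals allowed to read
        self.audit_log = []  # every decision, allowed or denied

    def _record(self, actor, action, target, allowed):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "target": target, "allowed": allowed,
        })
        return allowed

    def grant(self, actor, user, dataset):
        # Only a security officer may grant, and never to another officer:
        # an officer on an ACL would collapse the separation of roles.
        allowed = (actor in self.security_officers
                   and user not in self.security_officers)
        if allowed:
            self.acl.setdefault(dataset, set()).add(user)
        return self._record(actor, "grant", f"{user}->{dataset}", allowed)

    def read(self, actor, dataset):
        # Officers are never on an ACL, so this denies them automatically.
        allowed = actor in self.acl.get(dataset, set())
        return self._record(actor, "read", dataset, allowed)

    def repeat_offenders(self, threshold=3):
        # "Take action on disallowed access attempts": surface principals
        # whose denied attempts reach the threshold for follow-up.
        counts = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                counts[entry["actor"]] = counts.get(entry["actor"], 0) + 1
        return {who: n for who, n in counts.items() if n >= threshold}
```

In a real deployment the ACL and log would live outside the process (and the log on a write-once store), but the invariant is the point: no principal is ever both a grantor and a reader.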

Failing to bolster your organisation’s security from all fronts is like leaving your car unlocked with the keys in the ignition. It’s just asking for trouble.

But a combination of the right software, policies, and education can reduce the risk of data theft and protect your organisation from financial ruin.

Tim Maliyil is the CEO and data security architect for AlertBoot, which protects customers from data breaches by deploying managed full-disk encryption, email encryption and mobile security services for PCs, smartphones, and tablets.