As WannaCry and Petya made clear, high profile ransomware attacks are on the rise. In fact, in 2015 there were roughly 1,000 attacks a day, but by 2016 the FBI reports that number skyrocketed to 4,000 a day.
As the data possessed by organisations becomes increasingly valuable, these attacks, alongside data breaches and theft, are only going to grow in frequency. Organisations depend on data to make critical business decisions and investments. It’s the modern day oil, and means hackers are constantly looking for ways to leverage this data for their own benefit. But what can businesses do to avoid becoming a hacker’s easy target, and how should they keep their data safe?
Top tips for businesses looking to protect their data:
1. Understand your data
Before implementing any cybersecurity strategy, businesses must first conduct a data sweep. This helps them understand what data they have collected or produced and where the most sensitive and valuable parts sit. If businesses don’t know what data they possess and produce, they can’t even begin to start protecting it.
2. Understand the risks related to data
Once a business understands the data it has and produces, it then must understand the risks associated with it. It’s vital to understand that there is no truly foolproof defence against a cyber-attack. However, the focus should be on understanding the best practices that are out there to mitigate these breaches. It’s about focusing on the need to protect the data at its source, rather than preventing a breach entirely.
3. Comply with all regulation
There are a number of regulations which dictate the cybersecurity requirements of European organisations – in particular, e-Privacy legislation, Payment Card Industry Data Security Standard compliance and the upcoming General Data Protection Regulation (GDPR). Businesses need to understand, and be compliant with, these policies. However, this is simply the minimum benchmark for data protection, and does not guarantee that a compliant business is ‘un-hackable’.
4. All sensitive data must be encrypted
While it is crucial that businesses restrict who can access sensitive data, it is encryption that ensures this data cannot be used in the event it is accessed by unauthorised personnel. Therefore, businesses must understand where their most valuable data is stored before this step can occur. Regardless of where it is stored – on their own servers, in a public cloud, or a hybrid environment – encryption must always be used to protect data.
5. Securely store your keys
When data is encrypted, an encryption key is created. These keys are necessary to unlock and access encrypted data. Consequently, businesses must ensure that these keys are securely stored. Encryption is only as good as the key management strategy employed, and companies must keep their keys in secure locations, such as external hardware away from the data itself, to prevent them from being compromised.
6. Introduce two-factor authentication
Next, businesses should adopt strong two-factor authentication, to help ensure only authorised employees have access to the data they need to use. Two-factor authentication involves an individual having something they possess – like a message on their smartphone – and something they know, rather than relying on just one protection such as a password, which can be easily hacked.
7. Business data must be backed up
However, these previous steps only protect a business’s data from attempts to steal it. When it comes to ransomware specifically, the best way to mitigate the potential damage is to back up all critical business data. As ransomware locks an organisation out of its files and applications, having them regularly backed up would mean it could return to normal operations quickly. The backed-up data should be stored either in the cloud or offsite, and kept secure with two-factor authentication and encryption. Backing up data will also protect its integrity from unforeseeable events such as fire or water damage.
8. Always install latest patches
Hardware and software are constantly being patched by their vendors, as bugs and vulnerabilities emerge, to prevent hackers from exploiting them. Many businesses do not do enough to install patches in a timely and consistent manner, or are using software which no longer receives regular patches. Figures from Net Applications, for example, show that one in 10 organisations still use Windows XP, despite patches for it having been discontinued. It is imperative that businesses install patches as they become available, to avoid becoming easy targets for hackers.
9. Ensure all unneeded ports are closed
One of the ways in which the different components of malware communicate is through open ports on the network. In order to mitigate this, it’s important to close the ports that are not being used, to limit the malware’s ability to communicate.
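One way to check this tip on a Linux host is to compare the sockets actually listening on the network against an allowlist of the ports the business expects. The script below is an added example, not part of the original article: it parses the output format of `ss -Hltn` (listening TCP sockets, numeric, no header), ignores loopback-only services, and reports anything else that is not on the allowlist. The sample output and the allowlist are constructed for illustration.

```python
# Constructed sample of `ss -Hltn` output, not a capture from a real host.
# Fields: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
LISTEN 0      50           0.0.0.0:445       0.0.0.0:*
LISTEN 0      128             [::]:3389         [::]:*
"""

# Addresses that only the local machine can reach.
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed allowlist: the ports this (hypothetical) server is meant to expose.
ALLOWED_PORTS = {22, 443}


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line in `ss -Hltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition handles IPv6 literals such as [::]:3389 as well as 0.0.0.0:22
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def unexpected_listeners(ss_output, allowed_ports):
    """Flag network-reachable listeners whose port is not on the allowlist.

    Loopback-bound services are skipped: they are not exposed to other hosts,
    so they are not a channel for malware on the network to reach this machine.
    """
    return [(addr, port) for addr, port in parse_listeners(ss_output)
            if addr not in LOOPBACK and port not in allowed_ports]


if __name__ == "__main__":
    # On a live host, replace SAMPLE_SS_OUTPUT with the output of `ss -Hltn`.
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT, ALLOWED_PORTS):
        print(f"unexpected listener: {addr}:{port}")
```

Anything the script reports should either be added to the allowlist with a documented reason or have its service stopped and its port closed at the firewall.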
10. Education builds trust
Educating both customers and employees on the steps necessary to keep data secure, remain safe and protect their personal data themselves will build trust in the business. By educating all staff about their responsibility for keeping data safe, businesses can help reduce the number of breaches. Additionally, not all security measures offered by businesses are automatically deployed, such as two-factor authentication on many social media sites, and must be activated by users. Educating the users of these sites will help keep them secure.
11. Bring in an ethical hacker
Once businesses implement a cybersecurity strategy, they can assess their defences by bringing in or hiring an ethical hacker. Ethical hackers use the same techniques as malicious hackers in order to test and bypass a system’s defences. They then record any weaknesses found, and give advice on how to fix them. Like cybercriminals, ethical hackers understand the value of a business’s data, and can provide guidance on how best to protect it.
12. Ask for help
Businesses shouldn’t be afraid to ask for assistance if they feel their company doesn’t have the expertise or resources to manage their security needs. Partnering with a third party, like a cloud service provider, can take that strain off and allow them to focus on running the business.
13. Security needs to be a boardroom discussion
To ensure that cybersecurity is taken seriously, organisations must treat it with importance at the highest levels of their business. A crucial step to help implement these measures is to employ a CISO or other high-ranking executive to take responsibility for cybersecurity matters. This individual would sit on the board with the CEO and CFO. Regardless of whether a business does this, it is the C-level that has ultimate responsibility in the event of a data breach. CEOs have had to resign following a data breach, showing the serious consequences that can follow if a breach happens.
By constantly evaluating their cybersecurity and repeating these steps for all new data acquired, businesses are helping to protect themselves against ransomware attacks and data breaches.
While these steps won’t guarantee businesses are 100 per cent unhackable, the importance of an adequate cybersecurity strategy cannot be overstated, with recent research revealing that almost seven in ten consumers will take their business elsewhere in the event of a data breach. These steps will help make businesses unattractive or unviable targets for attackers, and mean that even in the event of a breach they won’t be able to use, steal or hold their data for ransom. With new data regulation, such as GDPR, coming into effect next year, businesses need to follow these steps now. Under GDPR, businesses face severe fines, damaged reputations and a loss of customers in the event attackers compromise their data. So time is running out for businesses to get serious about protecting their data.
Jason Hart, CTO of Data Protection, Gemalto
Image source: Shutterstock/Nicescene