Set the tone at the top. Data protection legislation goes further than simply asking the IT department to implement “appropriate measures”, it also adds many new technical requirements to an organisations data and the systems that contain the data. It expects a commitment to invest time and money, it requires ‘board level’ focus to manage risk and a shift in culture. In truth, data protection is as much behavioural as it is technological.
Expecting that systems, process and policies will provide enough security is simply put, naive. Regardless of systems implemented no one is safe from an attack or data breach.
The first step to better security in the organisation is employee awareness. Employees are the greatest asset when it comes to data security, and, not surprisingly, the greatest liability. Making employees think of cybersecurity and the role they play in the securing the data of the organisation is imperative.
Much like taking measures to secure your premises from intruders (burglars) with fences, bars, alarms and more; organisations are now expected to take similar measures to protect their digital assets; having an aware workforce puts more eyes and ears in the game. Emphasise data ethics, if it isn’t yours why take it?
Run awareness refresher sessions, make sure any and all changes to policy are well communicated and acknowledged. Call in guest speakers to chat with employees. Make awareness a key step when on boarding new staff.
The second key step is to draft data security policies. New systems, processes and procedures that are not under-pinned by solid policy-making, understood and supported by all concerned will remain weak, at best.
These policies must cover key issues such as:
Data Backup and Recovery
Setting up off-site storage
Document data management procedures
Test recovery frequently
Keep anti-virus, ransomware and malware protection software up-to-date
Run regular scans to confirm the validity of the protection software
Password management
Set down a password policy that combats:
Re-using passwords
Sharing passwords
Drive a minimum password length of eight (8) alpha-numeric with one ‘character’
Implement two-factor authentication wherever possible
Build a tightly secured network
Audit for default admin logins and passwords
Ensure, as minimum, SSL security is in place for web sites
Use strong encryption on all firewalls
Manage and monitor the use of external storage devices such as USB keys
Have a strong and clear approach to BYOD (bring your own device)
Keep operating systems and applications up-to-date
Never decline or postpone for too long an update from the OS or Application vendor
Once an OS, Application or Browser has reached end of life make every effort to get it out of the organisation
Limit the use of local admin rights
Regularly audit laptops for obsolete, no longer used user accounts – get rid of them
Thirdly, engage with third-party specialist cybersecurity and data protection experts. Cybersecurity and counter measures a fast-moving target, expecting in-house IT shops to keep up is a nearly impossible ask. Larger companies may setup a dedicated team of experts organisational cybersecurity as their focus, it will still be a difficult job for them to keep up. Setting up strategic partnerships with experts.
Third party specialists can help with understanding legislation in the context of the organisation, carry out audits and vulnerability assessments, assist with simulations (specifically data recovery), construct communication campaigns in the event of a breach and lastly, give Board Members the comfort that the measures being taken to secure the company data are not just adequate but tried and tested.