BreachExchange mailing list archives

Why Your Employees Are the Single Biggest Threat to Your Company's Data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 16 Apr 2014 18:46:35 -0600

http://www.inc.com/will-yakowicz/how-to-prepare-your-company-for-a-data-breach.html

When the Heartbleed security bug was revealed last week, IT departments
across almost every industry scurried to secure their infrastructure.
Frighteningly, the bug, which potentially exposed customer data for more
than two years, is undetectable.

Heartbleed and cyberattacks like the one on Target have made businesses more
aware of the necessity of having sufficient defenses in place to protect trade
secrets, customer information, and financial data. Even so, says Heather
Bearfield, a cybersecurity and risk management consultant at professional
services firm Marcum, companies still have a long way to go.

"When we speak with CEOs, CFOs, and CIOs, we see a huge investment, tens of
thousands of dollars, to make sure their financial statements are in place.
But with IT, they think they aren't a target, their infrastructure is
sufficient, and they don't need to invest in security," Bearfield says.
"Those are the organizations that will get hit hard. As we've seen, a
breach can bring a company to its knees. You're going to see a huge shift
as companies realize how important it is to support their IT department."

Below, read Bearfield's tips to prevent a data breach and save your company
a lot of money in the long term.

Educate your employees.

Believe it or not, your employees are the weakest link in your digital
defenses. "Human error is the highest risk to your company. Clicking bad
links, stolen laptops, lost thumb drives and company phones--there are so
many ways company data can be breached," Bearfield says. "Just raising
employee awareness can do a lot to better protect your company."

During company consultations, Bearfield will simulate phishing attacks to
show how easily your network can be compromised. A recent Verizon report
finds there's a 100 percent chance that at least one out of 10 people who
are sent a malicious email will click a link in it (a phenomenon it calls
the "inevitable click"). She also warns that hackers are leveraging current
events to entice clicks--everything from the Olympics this past winter to
the Malaysian airlines search. Make sure your employees know the danger one
click can cause.

Don't be stubborn about passwords.

Bearfield says many companies refuse what should be a simple security
tactic to implement. "We still see so much pushback from the C-suite and
sales teams on the necessity to change all passwords every 90 days. They
feel like they can't remember new passwords, can't come up with a new
secure one with frequency, and think the process will trip them up in their
workflow," she says. "It sounds so easy, but this is actually a big
issue--password security is the first layer of defense but people feel like
it's impossible for them. We also suggest case-sensitive, special
characters, and lockout after a certain number of attempts."

Encrypt before you ship.

Encrypting your email messages is another easy way to shore up sensitive
information. "For some reason, people often see this as a negative thing
[that implies their network isn't secure]. To encrypt an email, all you
need to do is enter a username and password, which is maybe five to 10
seconds of your time," she says. "We have automatic encryption software
that will encrypt a message if you write a string of numbers [in the body],
write the word 'secure,' or other keywords." During one consultation,
Bearfield says she showed a CEO how easy it was to access his email by
asking him how his daughter enjoyed life after getting her braces off. "All
it takes is one message before you realize how important encryption is,"
she says.
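As an added example, not from the article and not Marcum's software, here is a minimal version of the keyword-triggered rule Bearfield describes: an outbound message is flagged for encryption when its subject or body contains a trigger word or a run of digits. The keyword list and the nine-digit minimum are assumptions, as is the sample mail below.

```python
import re
from dataclasses import dataclass, field

# Assumed policy values: the article only says "a string of numbers" and
# "the word 'secure'"; the list and the minimum run length are ours.
TRIGGER_KEYWORDS = ("secure", "confidential")
MIN_DIGITS = 9  # account/ID-style numbers; shorter runs (phone extensions) are ignored

# Nine or more digits, allowing a single space or dash between digits (1234-5678-9012).
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){%d,}" % (MIN_DIGITS - 1))
# Whole-word, case-insensitive match so "[SECURE]" in a subject also triggers.
_KEYWORD = re.compile(
    r"\b(?:%s)\b" % "|".join(map(re.escape, TRIGGER_KEYWORDS)), re.IGNORECASE
)


@dataclass
class Decision:
    encrypt: bool
    reasons: list[str] = field(default_factory=list)


def should_encrypt(subject: str, body: str) -> Decision:
    """Decide whether an outbound message matches an encryption trigger, and why."""
    reasons = []
    for part, text in (("subject", subject), ("body", body)):
        if _KEYWORD.search(text):
            reasons.append(f"keyword in {part}")
        if _DIGIT_RUN.search(text):
            reasons.append(f"digit run in {part}")
    return Decision(bool(reasons), reasons)


if __name__ == "__main__":
    # Constructed sample messages, not real mail.
    samples = [
        ("Q2 numbers", "Account 1234-5678-9012 is attached, call 555-1234 with questions."),
        ("[SECURE] contract draft", "See the attachment."),
        ("Braces", "How is your daughter doing now that her braces are off?"),
    ]
    for subject, body in samples:
        d = should_encrypt(subject, body)
        print(f"{subject!r}: encrypt={d.encrypt} {d.reasons}")
```

A trigger like this is only as good as the sender's habits: the braces message from the anecdote matches nothing, which is exactly the gap employee awareness has to cover.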

Dedicate more resources to IT.

IT spending is one of the most forward-thinking investments you can make in
your business. "Many organizations do not dedicate resources to their IT
departments. Without proper investment, these IT departments are constantly
putting out fires and don't have the time or ability to address other
important concerns," Bearfield says. "They can't keep up with patching,
which can leave vulnerabilities exposed for weeks, or months, if not
longer."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 