Protecting your organisation from data theft
Rhys Williams, July 19, 2013
The issue of cyber security and the potential damage that can be suffered by a company as a result of data theft regularly makes front page news.
Cyber attacks target people, processes and technology, and organisations wishing to implement the most effective defences must focus on all three areas. As a result, having appropriate policies in place, implementing regular training sessions and recognising major risk areas are key roles for HR management.
The most vulnerable element of most companies' cyber defence is their employees. Human error and human greed are responsible for significantly more cyber losses than failed firewalls.
In order to properly protect itself, every business first needs to identify the data that is most important to it. For example, it could be intellectual property, sales data or customer data. It might even be employee data. Determining what is important to your business makes it easier to protect.
There are then a number of basic steps that any organisation can implement in order to increase the effectiveness of its data security programme. For example, common reasons for cyber breaches (such as a failure to follow designated processes, poor password selection or a lack of understanding of the risks) can all be countered through the introduction of regular and targeted training sessions on cyber security. All staff should be trained on the company's security management policy, setting out how members of staff are required to use the company's systems in the most secure manner.
Many people are still unaware of the risks posed by phishing, where hackers attempt to acquire information such as usernames and passwords by masquerading as a trustworthy entity in an electronic communication. The classic example is an email, apparently sent by a colleague, inviting the recipient to click through to an apparently-legitimate website that is infected with malware.
Staff need to be trained to recognise the different types of scams used by hackers, as well as how to behave in cyberspace, with awareness of what sites they are not permitted to access from work PCs or what information they should never let enter the public domain, and so on.
Another aspect to consider is user privileges. It is common for companies, especially those that have grown in size quickly, to have excessive user privileges with too many members of staff having access to confidential data and/or systems that are not required for them to do their jobs properly.
Introducing account management processes that limit the employees who can access specific data and/or systems can result in a dramatic improvement in data loss management.
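The account management process described above comes down to comparing what each person can reach against what their job actually requires. The following is an added example, not code from the article or its author, of a periodic access review that does exactly that: it flags accounts holding entitlements beyond their role, accounts with a role nobody has defined, and active accounts that have gone dormant. The role-to-entitlement mapping, the account records and the 90-day dormancy threshold are all constructed for illustration.

```python
"""Access review helper: flag accounts whose entitlements exceed their role.

Added illustration (not from the original article). Role definitions,
account records, data-set names and thresholds are constructed examples.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Hypothetical role-to-entitlement mapping: the data sets and systems each
# role needs to do its job. Anything beyond this is excess privilege.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "sales": {"crm", "sales-reports"},
    "engineering": {"source-repo", "ci"},
    "finance": {"ledger", "payroll"},
    "hr": {"employee-records", "payroll"},
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set[str]
    last_login: date
    active: bool = True


@dataclass
class Finding:
    user: str
    kind: str    # "excess", "unknown-role" or "dormant"
    detail: str


def review(accounts: list[Account], as_of: date, dormant_days: int = 90) -> list[Finding]:
    """Return every deviation from least privilege found in the account list."""
    findings: list[Finding] = []
    for acct in accounts:
        allowed = ROLE_ENTITLEMENTS.get(acct.role)
        if allowed is None:
            # A role with no definition cannot be justified, so treat it as
            # granting nothing and report the gap in the role catalogue.
            findings.append(Finding(acct.user, "unknown-role", acct.role))
            allowed = set()
        excess = sorted(acct.entitlements - allowed)
        if excess:
            findings.append(Finding(acct.user, "excess", ", ".join(excess)))
        idle = (as_of - acct.last_login).days
        if acct.active and idle > dormant_days:
            findings.append(Finding(acct.user, "dormant", f"{idle} days since last login"))
    return findings


def revocation_plan(accounts: list[Account]) -> dict[str, list[str]]:
    """Map each user to the entitlements that should be removed."""
    plan: dict[str, list[str]] = {}
    for acct in accounts:
        excess = sorted(acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set()))
        if excess:
            plan[acct.user] = excess
    return plan


# Constructed sample accounts, as an export from a directory might look.
SAMPLE_ACCOUNTS = [
    Account("alice", "sales", {"crm", "sales-reports"}, date(2013, 7, 15)),
    # bob moved from finance to sales but kept his old entitlements.
    Account("bob", "sales", {"crm", "sales-reports", "ledger", "payroll"}, date(2013, 7, 10)),
    # carol is still active but has not logged in since March.
    Account("carol", "engineering", {"source-repo", "ci"}, date(2013, 3, 1)),
    # dave was set up with a role nobody has defined in the catalogue.
    Account("dave", "contractor", {"crm"}, date(2013, 7, 18)),
]
REVIEW_DATE = date(2013, 7, 19)   # constructed review date


def sample_review() -> list[Finding]:
    return review(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.user:<8}{f.kind:<14}{f.detail}")
    print("revoke:", revocation_plan(SAMPLE_ACCOUNTS))
```

Running the review on a schedule and feeding the revocation plan into a ticketing or identity-management workflow turns "limit who can access what" from a one-off clean-up into the ongoing compliance check the article calls for later. Unknown roles are reported separately because they usually signal that the role catalogue, not the account, is what needs fixing.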
Evolving technologies bring new challenges and these must also be addressed in staff policies. For example, a home and mobile working policy is important, particularly if your business permits the use of BYOD (Bring Your Own Device). Any member of staff who connects his or her own device to your IT systems must clearly understand their responsibilities. Equally, key to the success of any policy is ongoing monitoring of compliance. Plan and implement regular checks to ensure compliance with the policy.
Ultimately, however, there is no 'one size fits all' answer to the issue of cyber security. It is up to each individual company to determine its own risk appetite and to implement policies and training accordingly.
Rhys Williams is a partner in the commercial technology team at Taylor Vinters