Technology is more prolific in the world of business than ever before, allowing (among other things) employees to work wherever they choose with full access to company files. But with this increased freedom comes greater risk that sensitive company data will fall into the wrong hands.
HR magazine spoke to Denise Hudson Lawson, enterprise learning architect EMEA at online IT learning provider Pluralsight, and Dale Meredith, ethical hacker and author of Pluralsight security training courses, to discuss their five top tips for keeping your data safe.
1. Train your staff in data security
“The weakest link in any company when it comes to security is the end user,” Meredith told HR magazine. “It’s so easy to socially engineer someone to give up information such as their password, or to trick them into clicking on an unsafe link in an email. A user could unwittingly give someone access to your network resources, which could include your customer database or financial information. In this way your weakest link is also your first line of defence.”
Prevention is better than cure, so make sure your employees know how to handle data safely and test them regularly. You could, for example, call a staff member pretending to be from the IT department and ask for their login details. You will know their training has been successful if they ask for proof of your identity before handing over their sensitive information.
2. Think carefully about passwords
A password is one of the simplest ways to ensure your data is not available to unauthorised viewers, but it is important to ensure the password is strong enough to resist an attempt to crack it.
“One of the mistakes we see often is the use of weak passwords,” explained Meredith. “Passwords are supposed to be complex, but they are also supposed to be memorable. We define a weak password as anything less than 14 characters – but what end user do you know who wants such a long password?”
Another problem is the content of the passwords. Meredith has found that people tend to have passwords based on their hobbies and interests. “The fact that we share so much on social networks allows someone to look at a profile on Facebook or Twitter and learn stuff about you. They can then use the things they’ve learnt to guess your password.”
3. Avoid downloading from unknown sources
Pirating files is not only illegal, it could also be putting your data at risk.
Meredith warned that employees downloading files from unknown sources could result in compromising the computer’s security. “People don’t understand why that stuff is up ‘for free’,” he said. “An attacker can take that download and put a trojan inside it.” A trojan is a malicious computer program that might seem useful but could actually make the machine susceptible to harm or infiltration. “When you install the application you downloaded the Trojan can bypass your antivirus, install itself, and give the hacker a connection to your computer."
4. Take care with mobile devices
With the rise of BYOD (bring your own device) more people are accessing company information from their personal phones and tablets. Employees should take care when installing apps or using Wi-Fi to ensure data is only accessible to the people permitted to see it.
Meredith warned that mobile device users should check what data they are willingly giving out. “We’re putting so much information on our phones; like bank details, important numbers, contacts, and birth dates,” explained Meredith. “When you download a game look at the permissions you’re sacrificing when you install it. Typically it will show a screen that says what the application wants access to. Some stupid little game should not need access to your contacts.”
Using an insecure Wi-Fi connection can also make a breach possible. “The biggest issue with BYOD is the connections we’re making,” Meredith added. “We’re connecting to the Wi-Fi at Starbucks, Mercedes has just launched a car with built-in Wi-Fi, I tether [turn a smartphone into a mobile Wi-Fi hotspot] off my phone all the time. Do I trust the employees of my mobile company who may be able to look at the data passing through? Are all of the connections you make secure?”
5. Work with IT on HR policies
With such high stakes, it is important to ensure employees understand the gravity of data security. Provide information in your employee handbooks, and put policies in place for when things go wrong.
Hudson Lawson said that working with other departments to draw up suitable policies is key. “I suggest all HR professionals build a very good relationship with their IT and networking teams, and together come up with policies that can be written into employee contracts. Then when an employee joins the company they have all the information ready to hand,” she said.
“If there is an internal security breach that is something to do with employee behaviour then having a strong policy in place could help with disciplinary processes. Everyone hates talking about internal disciplinary actions, but when there’s sensitive corporate data at risk then it’s something that needs to be considered.”