Since 2016 we have seen a major reform of data protection regulation with the introduction of the General Data Protection Regulation (GDPR). Yet even after its implementation, huge incidents such as Facebook’s PII leak in September have occurred, illustrating how important it is for businesses to protect their data with sound IT policies and infrastructure.
2017 saw a 20% increase in major data breaches, and 39.4% of those breaches were reported within the business sector. Any organisation may be subject to security threats, which come in a variety of forms: sophisticated attackers, insufficient device protection, or simple user error. Fortunately, protection against the full range of threats is available.
How am I at risk?
An organisation could be at risk in several different ways, most of which can naturally be split into external and internal.
An external risk to company data might be a hacker or password cracker, or a phishing email. Even using a company device while connected to a public Wi-Fi hotspot, or using social media apps on it, can put your data at risk of being seen by unwanted eyes.
At the same time, internal security risks are more common than some may think; lack of knowledge around data security among users is just as big a risk as scams and infiltration. So, we will go through some of the most common risks to an organisation’s security and talk about some of the practices and products that you can employ to safeguard your organisation against a range of security breaches.
1: User Error
Many security risks can be eliminated simply by users taking care. Probably the biggest example of user error is weak, simplistic passwords. A mid-range 2018 PC can attempt 10 million combinations per second, so when setting a password it is important to maximise the number of possible combinations by using a range of upper- and lower-case letters, numbers and symbols.
The trouble is that, as of 2017, the two most common passwords in the English-speaking world were “Password” and “123456”, each of which would take less than 2 minutes to crack using a computer from 1996.
In fact, if your password is less than 7 characters long and uses only a mixture of upper- and lower-case letters and numbers, with no symbols, it could be cracked in a maximum of 66 days and a minimum of 56 seconds. It’s also best not to use a password like “qwerty”, or one containing common words like “football”.
Good practice for a business is as simple as implementing minimum complexity requirements for passwords and educating employees. Require them to use a diverse combination of characters in their passwords and to update important passwords at least 2 to 3 times a year. There are 94 numbers, symbols and lower- or upper-case letters on a keyboard available for use in your password. In an 8-character password, that makes 7.2 quadrillion possible combinations! Even a supercomputer capable of attempting one billion combinations a second would take up to 3 months to crack it…
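To make the arithmetic and the policy in this section concrete, here is an added example in Python (not code from the original post): it checks a candidate against a minimum-complexity policy of the kind recommended above and estimates the brute-force keyspace at the post's stated guess rates. The character-class sizes (26 + 26 + 10 + 32 = 94) match the post's 94-symbol keyboard; the small blocklist (the passwords named above) and the policy thresholds (8 characters, 3 character classes) are assumptions for illustration. Computed exactly, 94^8 is just over 6.09 quadrillion, the same order of magnitude as the 7.2 quadrillion quoted above, and at one billion guesses a second that is roughly 71 days, consistent with "up to 3 months".

```python
"""Password policy check and brute-force keyspace estimate.

Added example (not from the original post): implements a minimum-complexity
policy of the kind the post recommends, plus the keyspace arithmetic behind
its figures. Thresholds and the blocklist are assumptions for illustration.
"""
from __future__ import annotations

import string

# Character classes on a standard keyboard: 26 + 26 + 10 + 32 = 94 symbols,
# the figure the post quotes (string.punctuation holds the 32 ASCII symbols).
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}

# Constructed blocklist of the passwords named in the post; a real deployment
# would load a much larger list of known-breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "football"}


def classes_used(password: str) -> set[str]:
    """Names of the character classes the password draws from."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, given the classes used.

    A digits-only password forces a search over 10 symbols per position,
    not 94, which is why mixing classes matters as much as length.
    """
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def crack_time_seconds(space: int, guesses_per_second: float) -> float:
    """Worst case: the attacker tries every candidate in the space."""
    return space / guesses_per_second


def meets_policy(password: str, min_length: int = 8,
                 min_classes: int = 3) -> tuple[bool, list[str]]:
    """Check a password against a simple complexity policy (assumed thresholds).

    Returns (passes, reasons) so the caller can explain a rejection.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < min_classes:
        reasons.append(f"uses fewer than {min_classes} character classes")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password blocklist")
    return (not reasons, reasons)


def report(password: str, guesses_per_second: float = 1e7) -> dict:
    """Summarise one candidate: policy result plus brute-force estimate.

    The default rate is the 10 million guesses per second the post attributes
    to a mid-range 2018 PC.
    """
    space = keyspace(charset_size(password), len(password))
    ok, reasons = meets_policy(password)
    return {
        "password": password,
        "passes_policy": ok,
        "reasons": reasons,
        "keyspace": space,
        "days_to_exhaust": crack_time_seconds(space, guesses_per_second) / 86400,
    }


if __name__ == "__main__":
    for candidate in ["123456", "Password", "football1", "Wr3n!Harbour-42"]:
        r = report(candidate)
        status = "ok" if r["passes_policy"] else "FAIL"
        print(f"{r['password']:16} policy={status:4} keyspace={r['keyspace']:.2e} "
              f"days={r['days_to_exhaust']:.4g} {'; '.join(r['reasons'])}")
    # The post's headline figure: 8 characters drawn from all 94 keyboard symbols.
    full = keyspace(94, 8)
    print(f"94^8 = {full:,} ({full / 1e9 / 86400:.1f} days at 1e9 guesses/s)")
```

The keyspace figures are an upper bound: they assume an attacker has to try every combination. Real password attacks start from lists of leaked and common passwords, which is why "Password" fails the blocklist check here even though its raw keyspace looks respectable, and why the blocklist rule should be treated as the more important of the two.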
2: Cyber Attacks
It’s safe to say that we all have an email address, and we’ve probably all received an email that doesn’t seem quite right, whether it has sent you a link to a direct debit or is simply addressed to “User” or “Valued Customer” (if that really is your name, we apologise).
While some scams can be easy to detect, the rise of AI means illicit emails are becoming more sophisticated. A Japanese AI program co-authored a short novel that passed the first round of the Nikkei Hoshi Shinichi Literary Award ceremony in 2016, and in the same year it was predicted that 20 percent of business content could be written by machines by 2018.
These more sophisticated, harder-to-detect emails may carry attachments containing ransomware designed to steal your personal data and then threaten to publish it, or to permanently block access to it, unless you pay a ransom. This is where Office 365 can help, with its own AI-powered technology. In the time it takes you to click a web link, Office 365 Advanced Threat Protection (ATP) can scan it to assess whether it is part of a phishing scheme and present you with a warning if the link turns out to be malicious. Office 365 ATP applies the same assessment to email attachments: by opening an attachment in a virtual test environment, ATP can analyse its behaviour and assess its intent. Emails with unsafe attachments are automatically blocked from delivery.
Another tool for added email security is Azure Information Protection. Azure can apply enterprise-grade encryption to emails and documents so that only authorised personnel are able to open them. This system also comes with a handy set of controls for email labels, so you know the difference between a legitimate corporate email and an illicit one.
3: Device Security
Christmas is nearing, which means so are Christmas parties. At some point you’re likely to commandeer the aux cable and bring up your favourite festive tune on your device. Or maybe you’re getting a new tablet or phone, and you give it to your kids to have a play on. There’s no harm in it, so long as you’ve safeguarded against more than losing your device on the dance floor or having someone ‘accidentally’ spend £50 on Candy Crush.
EE found that around 10 million devices a year are lost with company data on them! Often in this scenario a device can be remotely wiped to eliminate the risk of corporate data falling into the wrong hands. But what if, like many employees, you have both corporate and personal data on your device? Cross-contamination is just one of the complications that can arise with Bring Your Own Device (BYOD) practices.
The biggest risk surrounding devices is having apps with different levels of security and trust on the same device. The clearest example is social media apps such as Facebook and Twitter, which everyone uses and which are essential marketing tools for businesses, but which are inherently less secure than dedicated business apps. Take, for example, the incident in which the PII of 30 million Facebook users was leaked. Using Facebook or Twitter on a company device may give an attacker a route into that device.
This is another area in which Microsoft Azure can eliminate risks. Azure’s security researchers are constantly collecting data on attack patterns and trends to update the Azure Security Centre. It also provides evolving threat detection capabilities, identification of security vulnerabilities in your organisation, and help applying controls to address those risks. Moreover, to raise device security, Azure can work in conjunction with Microsoft Intune, using app protection policies to ensure that data from apps with different levels of trust and security does not become mixed. A good example of this is stopping data from corporate apps being saved to local device storage.
4: Sharing Company Data
While it’s commonly believed that security breaches mostly involve external cyber infiltration, researchers have found that 42% of security breaches are internal, and of those breaches, 65% are completely accidental. Therefore, employing good practices around data sharing across the organisation is a big first step in securing company data. This can be as easy as setting up organisation-wide policies to protect sensitive information.
A number of template policies are provided in Office 365’s Data Loss Prevention (DLP) service and can help users detect personally identifiable information (PII), such as credit card details or social security numbers, that may be at risk. There are DLP policy templates for all of the following:
- Gramm-Leach-Bliley Act (GLBA)
- Payment Card Industry Data Security Standard (PCI-DSS)
- United States Personally Identifiable Information (U.S. PII)
- United States Health Insurance Act (HIPAA)
Templates can also be modified to change certain rules or even add new ones, and policies can be built from scratch, tailored to a business’s needs.
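As an added illustration of what a DLP policy template actually detects (example code written for this post, not Office 365 DLP’s own implementation): the scan below runs over a constructed email, finds a payment card number validated with the Luhn checksum and a U.S. Social Security Number matched by format, masks them for reporting, and maps the number of matches to an action. The sample message, the SSN format rules used to reduce false positives, and the notify/block thresholds in `policy_action` are assumptions for illustration.

```python
"""Minimal data-loss-prevention (DLP) content scan for PII.

Added example, not Office 365 DLP's own implementation: shows the kind of
detection a PCI-DSS or U.S. PII policy template performs (payment card numbers
validated with the Luhn checksum, U.S. Social Security Numbers by format) and
masks every match so findings can be logged without re-exposing the data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# U.S. SSN layout AAA-GG-SSSS; area 000, 666 and 900-999, group 00 and serial
# 0000 are never issued, so excluding them cuts false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample message (not real data) used by the demo below.
SAMPLE_EMAIL = """\
Hi Sam, please charge card 4111 1111 1111 1111 for the order, expiry 12/26.
Order reference 1234 5678 9012 3456 looks like a card number but is not one.
My SSN is 123-45-6789 for the W-4 form. Thanks!
"""


@dataclass
class Finding:
    kind: str      # "credit_card" or "ssn"
    masked: str    # digits with all but the last four replaced by '*'
    position: int  # character offset of the match in the scanned text


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812), which every real payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            n *= 2
            if n > 9:         # 10..18: subtract 9 (same as summing the two digits)
                n -= 9
        total += n
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, as a DLP report would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[Finding]:
    """Return every PII match in the text, masked and ordered by position."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # The regex only narrows candidates; the checksum rejects look-alikes
        # such as order references, which is what keeps false positives down.
        if luhn_valid(digits):
            findings.append(Finding("credit_card", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(m.group().replace("-", "")), m.start()))
    return sorted(findings, key=lambda f: f.position)


def policy_action(findings: list[Finding], block_at: int = 10) -> str:
    """Constructed policy rule (thresholds are assumptions, not the product's):
    allow clean content, notify the user on a low volume of matches, block
    sharing when the volume is high."""
    if not findings:
        return "allow"
    return "block" if len(findings) >= block_at else "notify"


if __name__ == "__main__":
    hits = scan(SAMPLE_EMAIL)
    for h in hits:
        print(f"{h.kind:12} {h.masked:>16} at offset {h.position}")
    print("action:", policy_action(hits))
```

Running it reports the card as `************1111` and the SSN as `*****6789`, skips the order reference that fails the Luhn check, and returns the action `notify`. The same two-stage pattern (a broad pattern match followed by a validation step) is what keeps a DLP policy usable: format-only matching on sixteen-digit strings would flag order numbers and tracking references all day.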
Office 365 has another tool essential for internal data protection: Azure Information Protection. Azure can apply Enterprise-grade encryption to emails and documents. It also provides users with email and document controls such as “Confidential” or “Do not copy”.
Hopefully after reading this blog you have a clearer idea of what needs to be done to keep company data secure and compliant. If you would like more information on any of the above products or policies, please do get in contact below.