Norman Begg of online security company my1login offers advice on protecting a developing business against computer hacking and accidental data loss
As a business grows, so does the threat of data security breaches, both accidental and malicious. Adding more employees, additional premises, new hardware and mobile devices into the mix all open up your business to potential dangers capable of doing serious financial and reputational damage. Don't cut corners on IT security or wait until it's too late to protect your business.
Here are my top tips for securing your sensitive business data:
Real user data should never be used for software testing or development purposes. Generatedata.com is a free-to-use site which allows you to create real-looking user data for these tasks. Also, remember to switch off test accounts and close development environments when you're finished using them, as these can be a route used by hackers to gain access to the live environment and real customer data.
If you need to store user data, be sure to use an ISO 27001 accredited server infrastructure. This ensures that it meets international baseline information security management standards of confidentiality and integrity.
Also, make sure that any customer data you store is encrypted and that encryption keys are not stored on the same server. If users have accounts with your service, ensure that their passwords are 'hashed' and 'salted' using a strong algorithm such as SHA-2.
Ensure that office hardware is physically locked down and access to it is restricted. It's easier for a thief or hacker to simply pick up and walk away with a piece of hardware than to crack their way through multiple layers of online security.
PCs and laptops should be set up to require passwords to log on, and employees should be encouraged to lock their screens when away from their desk or device. If transporting user data on USB sticks, make sure they're encrypted (using a free solution such as TrueCrypt).
Most operating systems and browsers will now auto-update, but make sure the feature is switched on for all employees' devices. Ensure that anti-virus, anti-spyware and firewall software is always up to date and that virus and spyware scans are run regularly. Keyloggers, screen-grabbers, Trojans and other malware can enable hackers to access accounts and ultimately obtain user data.
Ensure that employees are using strong, unique passwords, making it much less likely that they will be hacked. Strong passwords should have a minimum of 15 characters and include lowercase, uppercase, digits and symbols. No password should ever be used twice across different accounts. Unique passwords ensure that should one system be compromised, exposure is isolated and the business is protected from the domino effect of one hacked account leading to another.
Enforcing strong password practices is no good if employees unwittingly hand their passwords over to hackers. Train staff on how to spot phishing emails, the tell-tale signs of a spoofed website and how to avoid falling victim to social-media-based scams.
Keep track of who has access to what, from employee passcodes to suppliers you have shared login credentials with. An audit trail ensures that should an employee leave, or a contract with a supplier end, it's clear whose access needs to be revoked and which credentials need to be changed.
Ensure good practice online: always use SSL/HTTPS on websites if possible. Using SSL ensures your data is transmitted to and from the web securely and is less susceptible to man-in-the-middle attacks. Restrict the ability to download software on employee devices.
Make sure your Wi-Fi network is secure and that access to it is restricted: change your router's default login details, enable WPA2 security with a strong password, turn off broadcasting of the network name (SSID), and don't hand out the Wi-Fi password unnecessarily.