An essential component of reliable security is employee behavior. Employees are part of the success or failure of any cybersecurity effort. This article looks at several key areas related to improving organizational cybersecurity.
Operational Security and Accessibility
Improving enterprise security is about more than updating security protocols. It requires that employees follow the new protocols. A report from Shred-it found that 47% of cybersecurity incidents were related to employee error, as reported by CNBC. These incidents included the loss of devices or critical documents. Sometimes, security incidents are as simple as employees giving out their passwords or providing access to information for coworkers who shouldn't have such access. A survey from IS Decisions discovered that 48.8% of employees answered yes to the statement, "I already have shared my passwords or login details." Changing employee behavior is no small feat. However, discussing the ramifications of poor security practices with employees can positively impact their behavior.
"If they're not aware of cybersecurity before we hire them, we'll make them aware," Charlotte Gibb, co-owner of the Walnut Creek, California developer that supplies software to the hotel and hospitality industry, said to CNET. "Our customers are often targets of cyberattacks, so we must be very alert to how this might affect them. We take cybersecurity very seriously."
Secure Storage and Verification of Data Backups
The importance of the relationship between the storage of data and its security is noted in a paper produced by SNIA (Storage Networking Industry Association): "Few other elements in the IT infrastructure have a more important relationship with data than that of storage systems. They may also be the last defense against an adversary, but only if storage managers and administrators invest the time and effort to implement and activate the available storage security controls." Data security administrators must juggle what is known as the CIA triad:
- Confidentiality — access only to authorized users.
- Integrity — reliability of data.
- Availability — data is available to everyone in the organization who is authorized and needs access.
Securing data is a very dynamic task. It can't be sealed off because then it becomes useless, but it can't be open either because then it becomes vulnerable. Whatever security is put in place must also allow practical access without overburdening users.
There’s a delicate balance that must remain in place between access, security, and convenience.
A startling statistic from a 2017 report by Washington, DC-based Clutch found that 58% of small businesses are unprepared for data loss. Even scarier is that 60% of SMBs that lose data will close within six months. Data backups are more than backing up data. Validating backups is a big part of any thorough backup process. Automated backup validation helps determine if there is anything wrong with a backup. However, automated backup validation can't tell you if your data is accessible. Just because it looks fine on disk and the backup didn't encounter any problems doesn't mean everything is OK. To determine if backed-up data is truly intact requires restoring the backup. That's a resource-intensive process that cannot be done daily. As the saying goes, fix as much as you want to lose. It doesn't mean every backup needs to be restored and checked. But periodically checking backups through restoration provides peace of mind that you can't get through automated methods.
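As an added illustration (not code from the article), the following constructed Python example shows why an automated check on the archive is not the same as a restore test: the archive's checksum verifies, yet a file that was silently truncated just before the backup job ran is only caught by restoring and comparing against a manifest captured from the live system. File names, contents and the fault are all constructed.

```python
# Added example (not from the article): automated archive validation versus a restore
# test. The sample files and the corruption are constructed inline in temporary dirs.
import hashlib
import os
import tarfile
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot_manifest(src_dir):
    """Record {relative_path: sha256} of the live data before the backup job runs."""
    return {f: sha256_file(os.path.join(src_dir, f)) for f in sorted(os.listdir(src_dir))}

def make_backup(src_dir, archive_path):
    """Write a tar.gz of src_dir and return its digest, as a backup job would log it."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname="data")
    return sha256_file(archive_path)

def validate_archive(archive_path, recorded_digest):
    """Automated validation: the archive on disk is unchanged since it was written."""
    return sha256_file(archive_path) == recorded_digest

def restore_and_verify(archive_path, manifest):
    """Restore test: extract to scratch space and compare every file to the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The 'data' filter (Python 3.12+) rejects path-traversal entries on extraction
            tar.extractall(scratch, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        restored = {f: os.path.join(scratch, "data", f) for f in manifest}
        return all(os.path.isfile(p) and sha256_file(p) == manifest[f] for f, p in restored.items())

def demo():
    """Constructed scenario: a file is truncated before the backup runs; archive check passes, restore fails."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "live")
        os.mkdir(src)
        for name, body in (("customers.csv", b"id,name\n1,Alice\n"), ("ledger.db", b"X" * 4096)):
            with open(os.path.join(src, name), "wb") as f:
                f.write(body)
        manifest = snapshot_manifest(src)
        with open(os.path.join(src, "ledger.db"), "wb") as f:
            f.write(b"X" * 100)  # silent truncation: the backup job itself sees no error
        archive = os.path.join(work, "nightly.tar.gz")
        return validate_archive(archive, make_backup(src, archive)), restore_and_verify(archive, manifest)
```

`demo()` returns `(True, False)`: the checksum check on the archive reports success while the restore test reveals that `ledger.db` no longer matches what the live system held.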
Controlling Access to Information at Various Sensitivities
Controlling access to information means granting access only to authorized persons. Within a group of authorized persons, each person may have a specific level of access, with higher levels carrying more privileges. As an example, new hires may have the lowest level of access. Contractors may have a level above new hires, and so on. Some people may only have view access, while others have read/write access. What access someone has depends largely on that person's role and their need for access to data. Software developers often need access to lots of data for testing. Developers auto-generate data for testing, but using real data can surface edge cases, providing more thorough testing. In this case, real data can be obfuscated so that personal information is not identifiable. Software developers can then run tests on this "cleansed" data that better match real-world scenarios.
In-person communication with staff about security will have more impact than an email blast. Letting staff know how bad practices can impact customers is also effective. Staff should attend regular security training. These efforts show staff that the company is serious about its security initiatives. Additionally, customers will benefit from improved security methods and practices.