To sign up for our daily email newsletter, CLICK HERE
In an increasingly digitized world, organizations large and small must carefully guard their data. This is important not just to defend against large-scale data incidents like the October 2021 release of the Pandora Papers, but to reduce the risk of smaller, more mundane incidents as well.
Unfortunately, the threat landscape grows more complex by the month. Modern organizations must contend not only with the familiar lineup of malicious actors working from afar but with disgruntled insiders and incompetent vendors. Keeping the most serious and likely threats in view requires a nimble and multi pronged approach.
This work isn’t easy, and success sadly isn’t guaranteed. But simply not trying is not an option. Here’s what your organization can do to mitigate its risk and manage digital threats as they arise.
1. Have a Systemic, Scalable Data Backup Plan
Whether it’s a large-scale event like the 2021 incident that affected dozens of firms — including Asiaciti Trust and Fidelity — or a targeted attack on your organization only, don’t allow a data incident to result in any actual data loss.
This sounds like an ambitious goal. It’s not — but it does take careful planning. The key piece is a comprehensive and scalable data backup plan that ensures the data your organization collects and produces is duplicated in near-real-time — at least twice per day. You’ll need servers and physical media to store all this information, but that’s a small cost to avoid massive disruption down the road.
2. Monitor for Insider Threats
The greatest threat to your organization’s data could come from within. Many business leaders engage in wishful thinking when it comes to insider threats, or the risk of disgruntled or malicious insiders accessing and taking data without authorization.
As the old saying goes, the best practice here is “trust but verify.” While giving your employees, contractors, and third-party users latitude to do their jobs and showing (not just telling) that you do trust them, you must implement effective access control and monitoring systems to ensure they’re not tempted to turn.
3. Keep Corporate Hardware and BYODs in Good Working Order
Older devices running outdated software are inherently less secure than newer devices running the most up-to-date versions. Your organization probably doesn’t have the budget to replace its entire inventory of corporate hardware every year, but that doesn’t mean you’re powerless to prevent security lapses. Properly maintaining computing hardware and applying the latest patches or version upgrades as soon as they become available can go a long way.
This is arguably even more important when it comes to BYODs (bring your own devices) — the personal devices that support dispersed, anytime-anywhere work. Consider implementing a formal device policy that makes your employees’ personal phones and laptops extensions of your organization’s computing footprint, and subject to the same expectations around updates and data hygiene.
4. Develop and Communicate Data Protection Policies for Your Team
Even if you don’t have a formal device policy, you can communicate basic, common-sense data protection practices to your team. These include but aren’t limited to:
- Not clicking links or visiting URLs in the bodies of suspicious emails
- Never providing sensitive information over email
- Never plugging foreign data storage devices (such as USB drives) into devices connected to your organization’s network
- Never downloading suspicious email attachments
- Never allowing unauthorized individuals to borrow or use BYODs
5. Use a Comprehensive Anti-Malware Suite and Keep It Up to Date
Use a comprehensive and reputable anti-malware suite to protect your organization’s devices from viruses and other malicious bits of code. This shouldn’t be your only line of defense, of course — you need a network firewall and sound data hygiene practices too. But it can spot and neutralize the digital threats that do break through.
6. Harden Your Databases
Last but not least, work to harden your company databases by:
- Uninstalling or disabling features you don’t use
- Fine-tuning access permissions to reduce unauthorized changes to your data
- Using automated tools to probe your databases for weak spots
- Reducing dependencies to contain the effects of flaws and ensure they don’t result in cascading failures
An Ounce of Prevention Is Worth a Pound of Cure
Prevention is usually the best medicine. Given the choice, most organizations would prefer to invest more in information security now than in the wake of a costly, reputation-damaging data incident.
That option isn’t always available, of course. Some perpetrators are more sophisticated than others. Many are skeptical that large-scale incidents of the sort that ensnared Asiaciti Trust and Alcogal can be prevented entirely; Asiaciti Trust, among others, are likely to take proactive measures. This suggests that even when an incident seems inevitable, preventive measures can and do mitigate the harm to affected organizations.
In other words, the decisions you make about digital security today can and perhaps will have significant implications down the road. Choose wisely.