Common Mistakes Businesses Make When Protecting Data
Ask any IT security expert, and they will tell you that protecting sensitive data in today’s digital world is one of the biggest challenges they face, if not the biggest.
With the wide adoption of cloud computing and the continuing trend toward mobile-friendly employee policies such as BYOD (bring your own device), there are more and more vulnerabilities that malicious parties can expose and exploit to obtain sensitive data.
To help your business watch out for these vulnerabilities, here are some of the most common mistakes businesses make in their quest to protect their data:
1. No policy to categorize data consistently and systematically
Enterprises create a lot of data, and not all of it requires the same level of protection. That is why businesses must create a data classification policy that categorizes data based on sensitivity. At the very least, it should have these three levels:
a. Restricted – the most sensitive data.
b. Confidential or private – moderately sensitive data.
c. Public – non-sensitive data.
2. Not guarding against the human element
One of the most common causes of a data breach is the users of the data themselves. With employees freely downloading data and sharing it online, they lose track of the difference between sensitive or confidential data and public data. Sometimes the lack of education about data sensitivity is the biggest security vulnerability of all.
With employees allowed to bring their own devices to work, they can load sensitive data onto their laptops or mobile devices. Once they are out of the office, they may connect to unsecured networks, and the data stored on these devices is no longer under the protection of the company’s network security controls.
Different standards of data security based on position
This is another human element that businesses usually fail to address. Some organizations succeed in educating employees on handling data, but they are not able to do the same with executives. Given the authority and power wielded by company executives, IT staff have a hard time calling them out when they put company data in danger.
Not guarding against social engineering
Another vulnerability that commonly receives no attention is social engineering. Humans, it turns out, are easier to hack than computers. A polite phone call to an unsuspecting employee can give the attacker the information they are looking for, especially if the employee is not aware that the information they gave away is sensitive.
3. Obsolete security models
This is a common occurrence with on-premises systems. Since companies have already spent a fortune on the system, they keep running it without regard for the ever-changing security landscape. The idea that what worked in the past will keep working does not apply to data and network security.
4. Incorrect implementation of encryption
Some companies implement encryption for its own sake. Mistakes that businesses commit when deploying encryption include:
- Improper key management
- Using weak encryption
- Not encrypting data before it is shared over untrusted networks
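The following Go program is an added illustration, not code from the original article, tying together the classification policy from mistake 1 and the three encryption mistakes listed above. It tags each record with one of the three classification levels, refuses to send anything above Public over an untrusted network without sealing it first, encrypts with AES-256-GCM under a fresh random nonce per message, and stores a key ID in front of each ciphertext so keys can be rotated without losing access to older data. The classification label is bound into the ciphertext as associated data, so a sealed Confidential record cannot be silently relabeled as Public. The in-memory `KeyRing`, the `PrepareForTransfer` policy and the "Restricted data never crosses an untrusted channel" rule are assumptions made for the example; in production the keys would live in a KMS or HSM rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// The three classification levels from the article's minimum policy.
type Classification byte

const (
	Public Classification = iota
	Confidential
	Restricted
)

// Record is a constructed sample unit of data tagged by the classification policy.
type Record struct {
	Class   Classification
	Payload []byte
}

// KeyRing holds versioned data-encryption keys (assumption: an in-memory stand-in
// for a KMS). Ciphertexts carry the key ID so rotation never orphans old data.
type KeyRing struct {
	current uint32
	keys    map[uint32][]byte
}

// Rotate generates a fresh 256-bit key and makes it the current one.
func (kr *KeyRing) Rotate() error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = k
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM under the current key. Layout of the output:
// keyID(4 bytes) || nonce(12 bytes) || ciphertext+tag. A fresh random nonce per
// message is essential: reusing a nonce under GCM destroys both confidentiality
// and integrity, which is one form of "weak encryption" in practice.
func (kr *KeyRing) Seal(plaintext, aad []byte) ([]byte, error) {
	kid := kr.current
	aead, err := newGCM(kr.keys[kid])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(nonce)+len(plaintext)+aead.Overhead())
	binary.BigEndian.PutUint32(out, kid)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, aad), nil
}

// Open reverses Seal, selecting the key by the embedded key ID.
func (kr *KeyRing) Open(blob, aad []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("ciphertext too short")
	}
	kid := binary.BigEndian.Uint32(blob[:4])
	key, ok := kr.keys[kid]
	if !ok {
		return nil, fmt.Errorf("unknown key id %d", kid)
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < 4+ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[4:4+ns], blob[4+ns:], aad)
}

// PrepareForTransfer applies the classification policy before a record leaves the
// company network: Public may travel in the clear, Confidential and Restricted must
// be sealed first, and Restricted is refused outright on untrusted channels
// (assumed policy for illustration). The class byte is the associated data, so the
// label travels with the ciphertext and cannot be swapped without detection.
func PrepareForTransfer(kr *KeyRing, r Record, trustedChannel bool) ([]byte, error) {
	switch r.Class {
	case Public:
		return r.Payload, nil
	case Confidential:
		return kr.Seal(r.Payload, []byte{byte(r.Class)})
	case Restricted:
		if !trustedChannel {
			return nil, errors.New("policy: restricted data may not leave over an untrusted channel")
		}
		return kr.Seal(r.Payload, []byte{byte(r.Class)})
	}
	return nil, fmt.Errorf("unknown classification %d", r.Class)
}
```

To exercise it, create a `KeyRing` with an empty `keys` map, call `Rotate` once, pass a Confidential record through `PrepareForTransfer` with `trustedChannel` false, rotate again, and confirm that `Open` with the original class byte still recovers the payload while `Open` with a different class byte fails authentication.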
5. Lack of endpoint security
Endpoints are probably cybercriminals’ favorite target. They are usually the most vulnerable part of the environment, because their software and applications, including the many plug-ins they run, are very difficult to secure. When up-to-date patches are not applied, these endpoints remain a sore spot in data security.
6. Choosing the wrong cloud vendor
Some cloud vendors have questionable policies, including less-than-adequate security controls. Some cloud providers also have data centers outside the US, where the ownership of data is blurred. In some industries, storing data outside the country also violates federal regulations such as HIPAA.
7. Unsecured printing environment
Another vulnerability that cybercriminals often target is the printing environment, because IT teams commonly neglect it. Like unsecured endpoints, printers are often destinations for sensitive data that can be useful to cybercriminals. Information can also be stolen from the physical printouts themselves: important documents are often printed and left in the output tray for an extended period, exposing the information on them for everyone to see.
8. Going for compliance instead of risk-based assessment
A lot of heavily regulated companies aim for compliance before anything else. The problem is that they make compliance the end goal and do not tailor their security measures to a risk-based assessment, which takes the business’s current vulnerabilities into consideration. As a result, they are indeed compliant, but they are not truly secure.
9. Believing that they have a secure IT infrastructure
The most glaring weakness that businesses exhibit is overconfidence. Once IT staff hold on to the belief that they are fully protected from any threat, that is when they stop being vigilant. They neglect network and system monitoring and no longer apply security patches.
Businesses have to remember that no IT infrastructure is ever fully secure. Cybercriminals are constantly evolving and finding ways around the current security measures. Once you get complacent, that is the moment you are most vulnerable.