I'm sorry if this ruins some romanticized vision you have of hackers, but most of the time they are using the same old tricks over and over again. They get away with this, of course, because people fail to do the most basic things to protect against data loss.
The vast majority of data loss which companies experience come from common areas. They're not elaborate hacks involving pages and pages of source code and black hooded characters. They are ordinary people making mistakes, and ordinary people taking advantage of those mistakes. Let's look at those common errors so you do not make them as well.
Data loss companies experience
Spyware: Beware your click
Everyone in your company, from the CEO down to the person working the cash register, is capable of clicking on spyware which can ruin your data privacy. Spyware is a type of program which downloads itself onto your computer. It does so without your knowledge and proceeds to steal your:
- Customer information
It usually does so by logging all of your keyed information. The most important thing that you can do is to make sure that your staff know that they should not click on links unless they trust them. This goes double for when you are prompted to download something.
Second, every single machine which your company owns and uses needs to have some sort of spyware prevention software. One much is updated frequently to combat the latest spyware is recommended.
Preventing device theft
Most of the time, device theft is seen as an inconvenience. While it is certainly inconvenient, it can also be a devastating moment of data loss. Think about how much your company may store on a laptop, or the type of communications on an employee cell phone. It could ruin your company.
Minimizing the risk of the device theft is as simple as:
- Forcing everyone to use lock screens on all of their devices.
- Setting up device encryption on all devices. You can opt for whole disk encryption, or encrypted folders for sensitive information.
- Online tracking tools, such as the popular Find my iPhone, can help you remotely wipe devices as soon as they are lost. They can also help you locate them later.
The weakest link in any security plan your company will come up with is people. They are going to lose things, you need to have some sort of plan for compensating for this. Having your company data already encrypted, or being able to remotely wipe it, is the simplest step to take.
Having important credentials stolen
There're many ways that company credentials can be stolen from employees. The most common way happens on unknown networks, such as when working remotely. What will commonly happen is a hacker will set up a wireless access point and use it to steal data. If they're really smart they will set it up at conferences and other events where many professionals are gathering.
Whether your employees are on your home network, or one which they don't know, make sure that they know this:
- On every unknown network which you access for work, you must use a VPN to encrypt and secure the network. This includes when you are in someone else's office, when you attend a conference, or in a hotel room.
- When using a public computer, never click on the remember password option that pops up in the browser.
- Strong passwords must be used, and they must be used wisely. This involves using a wide variety of passwords so that you are not hacked on a wide scale if one password is taken. It also involves not putting a sticky note on the side of your computer with your password on it.
Once credentials are stolen hackers can use them to access your systems freely. Prevent them from getting the information in the first place by protecting your most vital credentials.
Careless document handling
We have all seen a bad sitcom where a bit of careless document handling has led to hilarity. It's funny in the sitcom, but it's not so funny when you:
- Forward emails to the wrong people by accident
- Put private data on a public server or publish it in a public place
- Fail to delete old documents properly
Pretty much every sitcom that has ever existed has done at least one of these things. Your team cannot make the same mistakes. Be sure to cover it with them periodically, and certainly bring it up with them directly when they transgress one of these issues.
Your computer is like anything else, when you get comfortable with that you want to stay as it is. I personally used OS X 10.8 (Mountain Lion) for much longer than I actually should have. This was a bad decision on my end as older programs tend to stop getting updated.
When operating systems, software, and apps stop getting updated their security also stops getting updates. Your first step in correcting vulnerable applications is to update to the latest operating system.
Your next step to make sure that your software and apps have latest updates. The vast majority of these updates are exclusively for solving 0 days, and patching security holes. 0 days are something that hackers commonly look for. Unfortunately, they can sometimes find them well after the 0 day has been patched because the company didn't bother to update.
Lower your data loss risks
Many of the errors you read about above are not elaborate hacks. For the most part, they are human errors that hackers take advantage of. To lessen your risks make sure that you:
- Educate your team about spyware prevention, and have spyware programs on all of your machines.
- Taking steps to minimize the risk from device theft.
- Be aware of the risks of credential theft.
- Use proper document and information handling techniques.
- Do not let any of your applications become vulnerable due to a lack of the updates.
These are data loss issues that any company can eliminate. You don't need a fancy IT team to take these five steps, you only need some common sense and the will to do it.
Marcus is a digital privacy advocate with a weekly blog post on Best VPN Provider.co every Wednesday. You can find him there with the latest news on privacy, VPNs, and general privacy and security concerns. You can also follow @BestVPNs on Twitter for the best in online security Twittering!