When the Heartbleed security bug was revealed last week, IT departments across almost every industry scurried to secure their infrastructure. Frighteningly, the bug, which potentially exposed customer data for more than two years, is undetectable.
Heartbleed and cyberattacks like Target have made businesses more aware of the necessity of having sufficient defenses in place to protect trade secrets, customer information, and financial data. Still, says Heather Bearfield, a cybersecurity and risk management consultant at professional services firm Marcum, companies still have a long way to go.
"When we speak with CEOs, CFOs, and CIOs, we see a huge investment, tens of thousands of dollars, to make sure their financial statements are in place. But with IT, they think they aren't a target, their infrastructure is sufficient, and they don't need to invest in security," Bearfield says. "Those are the organizations that will get hit hard. As we've seen, a breach can bring an company to its knees. You're going to see a huge shift as companies realize how important it is to support their IT department."
Below, read Bearfield's tips to prevent a data breach and save your company a lot of money in the long term.
Educate your employees.
Believe it or not, your employees are the weakest link in your digital defenses. "Human error is the highest risk to your company. Clicking bad links, stolen laptops, lost thumb drives and company phones--there are so many ways company data can be breached," Bearfield says. "Just raising employee awareness can do a lot to better protect your company."
During company consultations, Bearfield will simulate phishing attacks to show how easily your network can be compromised. A recent Verizon report finds there's a 100 percent chance that at least one out of 10 people who are sent a malicious email will click a link in it (a phenomenon it calls the "inevitable click"). She also warns that hackers are leveraging current events to entice clicks--everything from the Olympics this past winter to the Malaysian airlines search. Make sure your employees know the danger one click can cause.
Don't be stubborn about passwords.
Bearfield says many companies refuse what should be an simple security tactic to implement. "We still see so much pushback from the C-suite and sales teams on the necessity to change all passwords every 90 days. They feel like they can't remember new passwords, can't come up with a new secure one with frequency, and think the process will trip them up in their workflow," she says. "It sounds so easy, but this is actually a big issue--password security is the first layer of defense but people feel like it's impossible for them. We also suggest case-sensitive, special characters, and lockout after a certain number of attempts."
Encrypt before you ship.
Encrypting your email messages is another easy way to shore up sensitive information. "For some reason, people often see this as a negative thing [that implies their network isn't secure]. To encrypt an email, all you need to do is enter a username and password, which is maybe five to 10 seconds of your time," she says. "We have automatic encryption software that will encrypt a message if you write a string of numbers [in the body], write the word 'secure,' or other keywords." During one consultation, Bearfield says she showed a CEO how easy it was to access his email by asking him how his daughter enjoyed life after getting her braces off. "All it takes is one message before you realize how important encryption is," she says.
Dedicate more resources to IT.
IT spending is one of the most forward-thinking investments you can make in your business. "Many organizations do not dedicate resources to their IT departments. Without proper investment, these IT departments are constantly putting out fires and don't have the time or ability to address other important concerns," Bearfield says. "They can't keep up with patching, which can leave vulnerabilities exposed for weeks, or months, if not longer."