5 Ways to Reduce Your Risk Of A Data Breach

by John Lane - Oct 21, 2019

The advent of cloud storage in recent years has proven a significant turning point in the way small businesses conduct their affairs, branch out and flourish. Indeed, the cloud services industry is estimated to reach the whopping $555 billion revenue mark by 2020, which is no surprise considering the far-reaching benefits this form of data storage, transfer and exchange offers to small businesses like your own.

The elimination or reduction of on-site storage systems saves on troubleshooting, hardware and security costs; it also removes the risk of on-site data breaches and data loss. Cloud transfer and sharing dramatically speed up the running of your day-to-day business, improving customer support, services and, ultimately, customer satisfaction.

Yet, as is often the case, threats tend to follow the money, which is why lower costs, heightened efficiency and productivity, faster implementation, improved security and scalability will be of little to no avail without state-of-the-art cloud security that can live up to the risks of the times.

Here are a few tools you can employ, and ways in which cloud security is transforming, to help you reduce the risk of cloud data breaches as SMB cloud dependency increases over the coming years.

Conditional Access

Aimed at small and medium businesses, low on subscription costs and containing a fairly comprehensive data management suite among its many features, Microsoft 365 is an obvious choice for many SMBs.

Until June 2019, unimpeded remote access to company resources from employee devices posed a very real risk of data loss, replication and theft, because Conditional Access was a security feature available only to Azure AD Premium P1 subscribers. In response to customer feedback and demand, however, the feature has now been extended to Microsoft 365 subscription holders.

Conditional Access is enabled via the Azure AD settings in the Azure Portal, where the following controls can be implemented:

• Limit access by IP location: block access to your cloud data from countries you don’t do business with, or limit access to a certain region or country alone
• Limit access by device: for example, if your organisation only issues Android devices, deny access from Apple devices, or vice versa
• Limit or block certain applications: control users’ ability to connect to your resources through certain types of client application, such as web browsers
• Limit app usage: restrict users to certain cloud applications only
• Limit groups and individual users: restrict access for certain employees or departments by creating an access policy
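As an added illustration (not part of the original article), here is how the first and last of those controls look as a single Conditional Access policy in the JSON format accepted by the Microsoft Graph endpoint POST /identity/conditionalAccess/policies: it blocks one department group from all cloud apps unless the sign-in comes from an approved named location, while leaving an emergency-access account exempt. The group, user and named-location object IDs are placeholders you would replace with your own tenant's values.

```json
{
  "displayName": "Block finance group outside approved countries",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["<object-id-of-finance-group>"],
      "excludeUsers": ["<object-id-of-break-glass-admin>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["<named-location-id-for-approved-countries>"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
```

Conditions inside one policy are combined with AND, so a device restriction such as `"platforms": {"includePlatforms": ["all"], "excludePlatforms": ["android"]}` belongs in its own policy rather than being added here. The report-only state lets you watch the policy's effect in the sign-in logs before switching it to `enabled`.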

Use A Collaboration Tool

We are all painfully familiar with the nest of frustration and security risk that is e-mail, especially in group and collaborative situations where multiple recipients are involved.

From team members who accidentally reply outside the thread, to searching for references within the thread itself, situations where teams collaborate, chat and share information via standard e-mail tend to become confusing and unnecessarily time consuming.

The security risk is obvious: multiple inboxes in diverse locations containing links, discussions and errant threads of confidential company business are a nightmare in data governance.

Microsoft Teams, a component of Microsoft 365, is a collaboration tool designed to help you get a handle on team communications. The good news is that you needn’t abandon e-mail entirely, as, to an extent, the two can be used in conjunction.

The Microsoft Teams platform is a space where teams can collaborate, converse and share via group chat, one-on-one chat, video and audio calls, all in a secure and efficient manner. Relevant e-mails can be sent directly to the app, links shared and files uploaded; these items are organised within the team’s space, displayed for easy reference and accessible to all team members.

Stay Up-To-Date

A vital component of your data governance program should be a regular run-through of your network software inventory, with the aim of identifying and upgrading or replacing end-of-life software, such as Microsoft Server 2003 and, from 14 January 2020, Windows 7, which could in the short term be opening your systems up to very serious threats.

Assuming that your EOL software is fine to keep using because it has served you well in the past is a mistake. Not only are you likely operating less efficient systems than your competitors, you will no longer receive security updates and critical bug fixes, possibly forcing you to enlist the services of an expensive security professional when things go horribly wrong.

Incompatibility with new apps and products coming onto the market is another glaring reason to replace EOL software immediately, since it hinders your company’s continued digital optimisation, expansion and success. What’s more, failure to upgrade EOL software is likely to let your systems slide into non-compliance on the regulatory and legal front.

Last but definitely not least, few things can make hackers smile as much as EOL announcements on popular software like Microsoft Server 2003 and Windows 7…

Consider how many times the software you use receives an update in a year, then keep in mind that the majority of these updates include, in part, security fixes and bug fixes without which your organisation’s confidential data would be at risk. Each time you miss an upgrade, you lay yourself open to even more threats.

End-of-life software on your network inventory should be considered a warning beacon declaring that your data is now open to the risk of intrusion.

Conduct Vulnerability / Penetration Testing

Malicious attacks such as denial-of-service attacks, account hijacking and data theft are very real threats to small businesses in the digital age.

Vulnerability testing and penetration testing (pen testing) are terms you may have heard on the grapevine recently. They are steadily becoming go-to data governance, data management and cybersecurity tools that can give you peace of mind, because they are designed to determine how vulnerable your business’s network is as a whole.

Vulnerability and pen testing help businesses maintain compliance and maximum security efficiency, and they are especially valuable in the wake of both minor and significant network changes.

You may be wondering which of these tests is better suited to your SMB. It’s important to understand that, while both fundamentally identify the same types of potential threats to your network (i.e. vulnerabilities, security gaps and encryption flaws or weaknesses), they are executed differently and tend to bring up different results. Long story short, you should do both!

• Vulnerability scans are automated system scans which, once initiated, run to completion without user input. They can be scheduled to run regularly and, once underway, complete within minutes. Vulnerability scans simply identify vulnerabilities and weaknesses so that they can then be fixed. They don’t attack you; they merely identify, so they are quick and painless, and easy to run on a monthly or even weekly basis. They are pre-programmed, non-intrusive and should be the starting point for the ultimate security test, namely the penetration test.

• Penetration tests are invasive, systematic vulnerability tests undertaken manually by an experienced programmer or ‘hacker’. The tester uses intuition, experience and skill to attempt a break-in to your systems, penetrating where possible and weeding out false positives left over from the vulnerability scan in the process. Should your system contain weaknesses that let the tester into your network, they will proceed to exploit them, so as to determine how deep the vulnerability goes, before the necessary fixes are undertaken. Pen tests should be performed annually and certainly after every significant system change.

Develop A Security Conscious Culture

In the ever-changing digital landscape, data breaches, data loss, account hijacking and denial-of-service attacks are forever ‘just around the corner’, especially if you don’t stay well on top of your cybersecurity game. Studies indicate that, while security-conscious cultures do exist in today’s large, medium and small businesses, they are very seldom in line with the times and are generally not sustainable.

Security protocol may be covered in employee contracts and during orientation but, with an enemy that is forever invisible and forever upping its game, consistent, regular maintenance of a fighting-fit security-conscious culture is 100% essential to the safety and success of your SMB.

• Ensure that employees understand the ways in which they might inadvertently or directly breach security protocol. Penalties should apply to those who fail to follow protocol but, likewise, incentives should be offered to employees who contribute actively to security by, for example, reporting new risks they become aware of
• As new threats regularly come to light, employees should attend compulsory briefings to ensure that they are aware, up to speed and ready to adjust their security habits accordingly
• A secure development lifecycle (SDL) program should be a staple in any security-conscious company. An SDL comprises a set of security protocols that the relevant employees follow after any significant system change or upgrade within your network. Microsoft SDL is a good place to start, so be sure to check it out