When it comes to breaches, there are no big fish, small fish, or hiding spots. Almost every type of organization – including yours – has critical personally identifiable information (PII) stored. Storing PII makes you a target regardless of size, industry, or other variables, and all it takes is one employee thinking a phishing attempt is legitimate. That means everyone’s at risk.
Statistics show that data breaches are on the rise and can bring devastating, long-term financial and reputational repercussions to your organization. The 2019 Cost of a Data Breach Report, conducted by Ponemon Institute, estimates the average total cost of a data breach in the United States to be close to $4 million. And the average price for each lost data record, says the report, is around $150.
Breaches happen in so many ways, a one-size-fits-all solution doesn’t exist. Security requires a multifaceted approach to be successful. Here are four ways (plus one) your organization can beef up its data security barriers and prevent data breaches.
1. Train employees
Put all new employees through data security training and require all employees to take a refresher course at the start of every year, so the latest security guidelines are fresh in their minds.
While this type of training can be dull, it only takes a few minutes to cover the essential details. For example, employees should:
- Treat all devices (e.g., desktops, laptops, tablets, phones) as being capable of accessing the organization’s systems
- Never write down or leave a record of passwords where others can easily find them
- Be extra suspicious of emails or phone calls from unverified people requesting passwords or other sensitive information (There’s more on that last one below.)
Incorporate some up-to-date breach statistics to help convey the seriousness and pervasiveness of threats and the possible financial ramifications.
2. Simulate phishing attacks
Many security issues are the result of human error, such as clicking on a link in a malicious email.
Spear phishing attempts – i.e., highly targeted and customized phishing efforts – tend to lead to more breaches because they target specific personnel. The messages may reference a department or regular job function and can appear similar to other relevant messages in the target’s inbox on any given day.
Free or paid phishing simulators can test your employees’ ability to detect phishing emails by sending some of those types of emails yourself. Alerts and reports are provided for when someone responds to one of these messages.
Using one of these simulators, you can put your employees through active training to help them become more secure.
Remember to remind staff to double-check anytime they aren’t 100% positive that an email is legitimate. If an employee receives something that looks even a little off or out of the ordinary from a sender they know or can contact, they should run the thing by the IT team.
3. Evaluate accounts
How often does your IT team evaluate existing accounts? It can undoubtedly be a complicated process, but evaluating all of the activated accounts within your organization can go a long way in shoring up security and minimizing digital bloat.
Are there orphaned accounts floating around within your organization that former employees can still access? Are there review processes for determining and updating what different users should be able to access as their position within the organization changes?
The best time of year to evaluate accounts may be when you update everyone’s accounts from the previous year. If the time to sit down and evaluate accounts continually eludes your IT team, have them chip away at it between other processes, or have them schedule it as a larger project during less demanding months.
4. Review your user account lifecycle processes
What is the standard process for deactivating accounts when employees leave your organization or outside consultants are no longer providing services? These types of departures – whether involving immediate security concerns or not – are the most significant contributors to orphaned accounts plaguing in your systems.
Manually managing or automating account deactivation is crucial. Review and optimize your organization’s deactivation processes to determine how fast and comprehensive they are when it comes to quickly restricting accounts.
Rapid responses can prove invaluable, providing peace of mind that comes from knowing your account review process cleans everything up.
Side note: Consider implementing a secure SSO solution
Having a single point of entry for the majority of your systems and applications can make things easier for all employees. Users will only need to remember one set of credentials and administrators can protect resources behind more restrictions without reducing easy access. By limiting the point of entry to one single spot, you can protect against potential data breaches. Configurable security settings, like date and time restrictions, allow administrators to control their environment even as systems and applications are extended to the cloud.
Applications and systems containing certain sensitive information can be made inaccessible from anywhere other than specific physical locations to help prevent risks, and secure portals can maintain logs of user activity, including when and how information is accessed.
Your organization’s data is one of its most valuable resources. Protecting it doesn’t have to be complicated or expensive, but it must be done right. Strengthen your organization’s data security practices today by starting to implement some or all of these practices.