With the GDPR set to be implemented in May of 2018, now is the time to take data security seriously. The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds and more serious infringements can merit penalties of up to 4% of a company’s global revenue. According to the Kaspersky Lab Malware Report, the first quarter of 2017 saw a 250% increase in ransomware attacks. With statistics like these, there is no longer an excuse for companies to turn their back on securing their internal IT structure.
With online attacks at an all-time high, here are 6 ways to make sure that your data stays protected and you avoid hefty GDPR fines:
Avoid Public Wi-Fi
The allure of public Wi-Fi being free and readily available means that most people do not hesitate to connect at one point or another. Studies show that, surprisingly, 82% of business travellers connect to unsecured public Wi-Fi networks, and often do so on work devices.
By connecting to an unsecured network (e.g. public Wi-Fi hotspots in cafés or hotels), you are putting business-critical files, passwords, customer data and emails at serious risk of being compromised by a man-in-the-middle attack, in which the attacker positions themselves between you and the connection you believe you are talking to. Consider using a secure 4G device with sufficient encryption to ensure that online usage is not intercepted by a third party. Uni-Fi Global devices secure the Wi-Fi connection through the global standard encryption mode (WPA2-PSK), Wi-Fi access control and a verification protocol.
Use DMARC Protection
DMARC is an industry-standard protocol for protecting email: it lets a domain owner publish a policy telling receiving mail servers how to treat messages that fail the domain's authentication checks. Implementing DMARC correctly will mitigate the risk of your domains being used in phishing and fraud attacks.
To secure your domains in this regard, UK based firm OnDMARC guides individuals and organisations of all sizes to full DMARC protection in order to block attacks and increase the deliverability of authorised emails.
Be Vigilant When Sharing Passwords
It’s all too easy for different departments to store their passwords in plain text on a group-accessible platform assumed to be secure, such as Microsoft SharePoint or OneDrive. While this may not seem important, should any of these platforms be accessed maliciously, the passwords to numerous accounts could be exposed as well. It’s vital to ensure that cloud storage areas that are meant to be private (for example folders containing sensitive financial information) can’t be accessed by anyone except those who need direct access to them.
A group-wide methodology to safely sharing passwords should be implemented so that they remain secure. It should be as intuitive as possible (so non-technical users don’t shy away from it) while also using proper encryption.
Set Passwords to Reset Automatically Where Possible
Although this sounds like a no-brainer, it’s not uncommon for individuals to be resistant to change and so avoid changing their passwords on a regular basis. It is advised that all companies enforce automatic policies under which company account users are required to reset their passwords at a set interval (every three months, for example) and are prevented from reusing the same few passwords. This will somewhat mitigate users recycling passwords across all their digital accounts, a habit which increases account vulnerability.
Note that this should be in place despite any protest that may arise; while the desire to easily remember passwords is understandable, it is much more important that the company be protected against cyberattacks.
Utilise SSL Encryption
SSL encryption is necessary on all public company websites. This encrypts data being transmitted between the client and server, eliminating man-in-the-middle sniffing attempts, and also verifies to company servers that web clients are who they say they are.
Never Underestimate Physical Security Precautions
Whether it be protecting your employees, protecting your devices, or protecting your data, physical security is vital. Although a hi-vis vest tends not to raise alarm bells in an office complex, it’s important to be vigilant about letting just anyone walk into your office. If a company is not expecting external workers, delivery drivers, etc., IDs should be checked and visitors should give the name of the company contact they wish to see.
The same precautionary measures should be taken with physical company documents. It’s convenient to have passwords written down for immediate access, but this is bad practice. Paper containing passwords, addresses, and personal or company information should not be thrown away but shredded. For company devices (phones and laptops) that give access to sensitive information, physical control of the device should be maintained at all times, particularly when travelling.