5 tips to improve your company's IT security
According to a 2018 IBM study, the average cost of a data breach for a U.S. company is $7.91 million, while the average cost of a lost or stolen record that contains sensitive or confidential information is $148. Unfortunately, these figures are only rising.
Cyber attacks not only cost companies more money every year; they have also grown larger and more aggressive because cybercrime has become so profitable. Despite ongoing advances in IT security, new threats emerge just as fast as security measures evolve. Cybercriminals will keep finding new, creative ways to gain access to business data, but there are simple tactics you can implement to better protect your company.
1. Train users well
End users tend to be the weak link in security breaches, due to a lack of training. It’s vital to document your company’s IT security policies, best practices, and procedures, and make sure employees are regularly trained and informed about any changes.
Items that must be addressed include:
- Creating and managing passwords (see #2 below)
- Using two-factor authentication (see #3 below)
- Always implementing software updates
- Locking computers when not actively in use (see #5 below)
- Knowing the risks associated with USB drives
- Knowing how to spot and report phishing emails, which helps the system better filter future spam and phishing attempts
- Knowing what to do in case of a data breach and who to contact about it
These items are only the starting point. Once all company procedures are documented, hold regular training sessions to make sure end users are up to date on the latest policies and procedures. Additionally, you should train every new employee on day one.
Remember, while these things may seem like common sense, there’s a good chance they’re not as straightforward as you think.
2. Choose passwords wisely
Unfortunately, "password" and "123456" remain the two most popular passwords in use. Many of your employees may be using those passwords at this exact moment. To better protect your company’s IT security, be sure that all your users follow basic password rules like:
- Make passwords as strong as possible with a combination of upper and lowercase letters, numbers, and symbols.
- Always use a different password for each site.
- Never write a password down.
- Don’t reuse passwords from personal accounts for work.
Consider implementing a password manager, such as Google Chrome’s built-in one. Users then need to remember only one unique password and can keep the rest in a secure online vault.
3. Require two-factor or multi-factor authentication
When creating an online profile or signing into an account, users are often prompted to enter a code that they receive via text, call, or email, or to answer a personal follow-up question. This is known as two-factor (or two-step) authentication.
Passwords are the front line of defense; two-factor and multi-factor authentication add further layers of security to ensure that individual users are the only ones with access to their accounts. It is so effective that Symantec reported an 80 percent reduction in the likelihood of a data breach when it is used.
While adding an extra step may be frustrating for your company’s employees at first, over time it will become second nature. And we can all agree that a little initial frustration is nothing compared to the consequences of a security breach.
4. Store data on a cloud-based service
Many SaaS companies build their platforms on cloud-native services not just because they are the latest technological advancement but because of their security advantages.
If the responsibility of configuring firewalls and keeping operating systems updated falls on your internal teams, there is a high probability something will be overlooked. For example, the average time it takes enterprise companies to fix a vulnerability is 18 months. In contrast, when using public cloud services, your team doesn’t have to manage servers and the underlying infrastructure is constantly monitored by IT security experts.
One way to demonstrate that your IT security policies adhere to cloud data management best practices is to obtain high-level security certifications. These include the SOC (Service Organization Control) 1, 2 and 3 certifications, which are awarded only after a thorough internal audit.
5. Lock your computer (and hold those accountable who don’t)
If employees fail to lock their computers when they’re not actively using them, they could allow unwanted access to sensitive or confidential data. To curb this behavior at our company, we like to send out a harmless, company-wide email from the wrongdoer’s account, promising things like a week’s worth of free lunch for the office.
While lighthearted, this approach ensures employees won’t make the same mistake again and helps establish a no-tolerance policy for behavior that could put data at risk.
Data breaches happen everywhere on a regular basis and are only getting worse. However, by instilling the right training, processes, and practices company-wide, you can keep your organization from making the news as the latest cyber attack victim.
Stéphane Donzé is the founder and CEO of AODocs, a software company he created from the idea that the enterprise’s need for compliance and efficient processes is not contradictory with good user experience. Prior to founding AODocs, he was VP of Engineering at Exalead, a leading enterprise search company. After Exalead was acquired by Dassault Systèmes in 2010, he relocated to California from Paris as VP of Product Strategy. Stéphane has a master’s degree in software engineering from Ecole Polytechnique in France (X96). With 18 years of experience in enterprise software, he is passionate about user experience across an organization.