The digital threat landscape seems to grow darker by the day. Whether the threat is a large-scale data release like the Pandora Papers or a ransomware attack that hurts economically critical enterprises and their customers, organizations can no longer afford to downplay the risk.
It’s not possible to anticipate and prevent every possible digital incident. But sound digital security practices can make a real difference, hardening ordinary firms against even sophisticated threat actors.
Let’s examine six strategies virtually every organization can implement this year to limit their exposure to cyber risk.
Maintain Strict Corporate Compliance Protocols
Strict compliance protocols won’t prevent data incidents, but they make the aftermath much easier to deal with. That’s evident in the post-incident experiences of firms that took compliance seriously – from Asiaciti Trust’s successful response to the Pandora Papers to Capital One’s well-organized bounceback from the loss of millions of customer records.
If you don’t already have a compliance policy, set one out today. You’ll want legal professionals and regulatory experts to weigh in.
Enforce a Strong Culture of Data Hygiene
“Data hygiene” encompasses anything and everything related to data protection within an organization (and outside it too). The details are important, of course, but what’s really crucial is a cross-organizational culture of data hygiene. Your team has to work together to keep sensitive information safe, or at least as safe as it can be in a dangerous world.
Invest in Better Email Security (And Email Usage Protocols)
One important aspect of data hygiene that deserves special focus is email security. Email is a common vector for malware and other methods of data corruption and theft, yet many people don’t take message security seriously. Counter that complacency by setting out strict but easy-to-follow email usage protocols, such as:
- Not opening attachments from unknown senders.
- Marking suspicious emails as spam and forwarding them to internal security stakeholders.
- Never sending sensitive information over email.
- Changing email passwords frequently and using two-factor authentication.
Be Careful With Access Permissions
Everyone on your team needs certain permissions to do their jobs effectively. Relatively junior employees need relatively few permissions; more senior employees and those with mission-critical jobs (including security roles) need more.
But one principle knits everyone on your team together, all the way up to senior leadership: No one should have permissions they don’t need to do their jobs. If and when someone’s role changes within the organization, their permissions should change too – but change, rather than expand. They shouldn’t keep permissions they no longer need.
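The principle above (a role change replaces permissions rather than adding to them, and nobody keeps permissions their current role does not need) is easy to state and easy to get wrong in practice. The following added example, which is not code from the article, shows a minimal role model in Python: one function that reassigns a role the right way, one that shows the accumulation anti-pattern, and an audit that flags "privilege creep" by comparing what each person holds against what their current role grants. The role names, permission strings and users are constructed for illustration.

```python
"""Least-privilege role model: changing someone's role replaces their permissions,
and an audit finds anyone still holding more than their current role grants.
Added example with constructed roles and users; not taken from any real system."""

from dataclasses import dataclass, field

# Constructed role catalogue (assumption: every role maps to a fixed permission set).
ROLE_PERMISSIONS = {
    "junior_analyst": {"read:tickets"},
    "senior_analyst": {"read:tickets", "write:tickets", "read:logs"},
    "security_engineer": {"read:tickets", "read:logs", "write:firewall", "read:alerts"},
    "director": {"read:tickets", "read:reports", "approve:budget"},
}


@dataclass
class User:
    name: str
    role: str
    permissions: set = field(default_factory=set)


def assign_role(user: User, new_role: str) -> User:
    """Correct behaviour: the user's permissions become exactly the new role's set."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {new_role}")
    user.role = new_role
    user.permissions = set(ROLE_PERMISSIONS[new_role])
    return user


def accumulate_role(user: User, new_role: str) -> User:
    """Anti-pattern kept for contrast: old permissions are never revoked, only added to."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {new_role}")
    user.role = new_role
    user.permissions |= ROLE_PERMISSIONS[new_role]
    return user


def has_permission(user: User, permission: str) -> bool:
    """Authorization check against what the user actually holds."""
    return permission in user.permissions


def audit_excess(users) -> dict:
    """Return {name: sorted excess permissions} for users holding more than their role grants.

    An empty dict means every user is within the bounds of their current role."""
    excess = {}
    for u in users:
        extra = u.permissions - ROLE_PERMISSIONS.get(u.role, set())
        if extra:
            excess[u.name] = sorted(extra)
    return excess


def remediate(users) -> dict:
    """Reset every flagged user to exactly their role's permissions; returns what was removed."""
    removed = audit_excess(users)
    for u in users:
        if u.name in removed:
            assign_role(u, u.role)
    return removed


def demo() -> dict:
    """Constructed scenario: Alice moves from security engineer to director the wrong way,
    Bob moves from junior analyst to director the right way."""
    alice = User("alice", "security_engineer", set(ROLE_PERMISSIONS["security_engineer"]))
    accumulate_role(alice, "director")  # keeps write:firewall etc. she no longer needs
    bob = User("bob", "junior_analyst", set(ROLE_PERMISSIONS["junior_analyst"]))
    assign_role(bob, "director")  # permissions replaced, nothing carried over
    return audit_excess([alice, bob])


if __name__ == "__main__":
    print(demo())  # only alice is flagged, with her stale engineering permissions
```

Running the audit on a schedule (against whatever your identity provider exports) turns the "change, rather than expand" rule into something checkable rather than a statement of intent, and `remediate` shows that the fix is simply re-applying the current role.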
Implement a Regular Software Patching and Updating Program
Your company devices should always run the most up-to-date versions of their operating systems and software. This is easier to achieve than you’d think, but it does take organization and discipline.
Specifically, you need a comprehensive, organization-wide plan to apply new patches and versions as they become available, including on the “bring your own” devices (BYODs) that increasingly form the basis of modern organizations’ electronics footprints. You need an internal stakeholder to own this process, ideally a senior member of your IT team.
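Whoever owns the patching process needs a concrete list of what is out of date, across managed and bring-your-own devices alike. The added example below (not code from the article) audits a small constructed device inventory against a constructed "latest known version" table and reports every outdated package, with the version comparison done numerically so that "14.2" is correctly treated as equal to "14.2.0" rather than older than it. Device names, owners, package names and version numbers are all made up for illustration; in practice the inventory would come from your endpoint-management tool and the latest versions from vendor feeds.

```python
"""Patch-status audit over a constructed device inventory (added example, not from the article).
Reports every installed package that is behind the latest known version, including on
unmanaged (BYOD) devices, so the patch owner has an actionable list."""

import re
from dataclasses import dataclass
from typing import Dict, List, NamedTuple


@dataclass(frozen=True)
class Device:
    hostname: str
    owner: str
    managed: bool  # False for bring-your-own devices
    software: Dict[str, str]  # package name -> installed version string


class Finding(NamedTuple):
    hostname: str
    owner: str
    managed: bool
    software: str
    installed: str
    latest: str


# Assumption: latest versions would normally come from a vendor feed; constructed here.
LATEST = {"os": "14.2.1", "browser": "120.0.6", "vpn-client": "3.4.0"}

# Constructed inventory: one current device, one lagging managed device, one lagging BYOD.
INVENTORY = [
    Device("wks-01", "alice", True, {"os": "14.2.1", "browser": "120.0.6", "vpn-client": "3.4.0"}),
    Device("wks-02", "bob", True, {"os": "14.1.0", "browser": "120.0.6", "vpn-client": "3.3.9"}),
    Device("byod-carol", "carol", False, {"os": "14.2", "browser": "119.0.1"}),
]


def parse_version(v: str) -> tuple:
    """Turn '14.2.1' into (14, 2, 1); non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Both tuples are zero-padded to the same length so '14.2' == '14.2.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def audit_inventory(devices=INVENTORY, latest=LATEST) -> List[Finding]:
    """List every (device, package) pair whose installed version is behind the latest."""
    findings = []
    for d in devices:
        for name, installed in d.software.items():
            if name in latest and compare_versions(installed, latest[name]) < 0:
                findings.append(Finding(d.hostname, d.owner, d.managed, name, installed, latest[name]))
    # Unmanaged devices first: they are the ones nobody pushes updates to automatically.
    findings.sort(key=lambda f: (f.managed, f.hostname, f.software))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count outdated installs per package, a quick view of where the patch backlog is."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.software] = counts.get(f.software, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_inventory():
        tag = "managed" if f.managed else "BYOD"
        print(f"{f.hostname:12} {tag:8} {f.software:11} {f.installed:>8} -> {f.latest}")
    print(summary(audit_inventory()))
```

The output is the list the process owner should be working from: every line is a device, an owner to contact, and the version gap to close, with BYOD devices listed first because they are the ones an automated rollout will miss.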
Have Digital Forensics on Call
Diagnosing a break-in at the home or office is easy enough. You look for signs of physical compromise, like a picked lock or broken window. Often, the evidence is plain to see.
Diagnosing a digital break-in is very different. Non-experts simply don’t have the knowledge or resources to do so, and sophisticated threat actors very often cover their tracks anyway.
Sometimes, even digital security experts find themselves overmatched. Following the data incident that affected Asiaciti Trust and Il Shin, successive digital forensics investigations found no evidence of system compromise. This outcome, unfortunately, is common.
Still, digital forensics teams often do uncover such incidents’ sources. Have one on call to respond to suspected intrusions – or better yet, build an internal team of digital sleuths.
Digital Security Is Corporate Security
There was a time when digital security was a niche industry, even a curiosity. It was something that techies and futurists thought about; the “mainstream” business community had no time or patience for it. (Or maybe they just didn’t have the capacity to understand it.)
That time is long gone, of course. The experiences of global firms like Asiaciti Trust and JBS demonstrate that in an interconnected world, digital security is every bit as important as physical security.
Indeed, there’s really no meaningful difference between the two any longer. Digital security is corporate security. And organizations large and small have a duty to their stakeholders to take it seriously, even if they can’t prevent every incident that may come.