In a constantly evolving digital landscape, companies and their employees have to be on their toes to protect against data breaches and make cybersecurity one of their top priorities.
Despite the ever-present threat to the sensitive information companies maintain, local experts say there are a number of simple steps firms can take to mitigate the risk.
The human factor
The overwhelming majority of data intrusions happen because someone did something they shouldn’t have, according to Andrew Lindley, chief technology officer with Travelers Rest-based Quality Business Solutions.
QBS provides payroll and other business services to companies in every state in the country, and because it deals with some of the most sensitive data companies possess, it takes cybersecurity very seriously.
More than 80% of data breaches occur when someone within an organization clicks on a link they shouldn’t have, according to Lindley. And because such deceptive messages and the malicious links they contain are omnipresent and sent to personal and corporate devices all over the planet, employee training is crucial to reducing the risk.
“The amount of money and resources that are being applied to cybersecurity is kind of unbelievable, and even with that there are still vulnerabilities,” Lindley says. “It’s all about trying to focus on the things that will make the biggest impact.”
Because so many data breaches stem from human error, having policies, procedures and training in place can have a significant impact, says Eugene Luskin, CEO and co-founder of Sync.MD, an Anderson-based company that developed a platform that enables people to securely store and access digital health records.
Luskin and Lindley both say social engineering is one of the most widespread strategies hackers use to trick people into revealing valuable information about themselves. Innocuous-looking polls or games on social media lure people into revealing important details about themselves that can then be used to gain illicit access to sensitive data.
Luskin, who worked in data security with Microsoft for more than 20 years before launching Sync.MD, says that despite Hollywood portrayals, cracking data security is actually technically difficult and carries risks of discovery. This is why hackers look for shortcuts by getting an unwitting user to reveal useful information, and the numbers show this strategy is effective.
Training employees on data security and doing so routinely can pay huge dividends, Lindley says. For example, as part of QBS cybersecurity training the company sends employees mock phishing emails to see if they will click on suspicious links.
Through the training, the company was able to reduce the click rate from about 35% down to 6%. This highlights the training’s effectiveness but also reveals the hard reality about the world of cybersecurity: There will always be some risk.
Lindley says that due to the proliferation of connected devices and the increasing shift to remote work, new vulnerabilities are emerging.
“I would almost guarantee that home network is less secure than the (company) network they’re dialing into,” Lindley says.
Add to that the certainty that other devices like gaming consoles, cell phones and laptops are connected to the same network, and the risk factors go up substantially. Increasingly, appliances and smart devices are also connected to home networks, adding yet another series of potential vulnerabilities.
To combat these vulnerabilities, Luskin and Lindley say companies should pay attention to these areas:
- Make sure all software is up to date and security patches are installed as soon as they are released.
- As much as possible, implement a layered data-security strategy. Limit data access to only those employees who need access.
- For smaller companies who need to outsource their cybersecurity services, make sure the vendor selected has the proper certifications. (For example, SOC2 is a certification developed by the American Institute of CPAs for how to handle client data.)
Luskin says the bottom line is every company must make data security a permanent priority.
“It has to be done,” he says. “It’s better to be overprotective of your data… rather than be hacked.”
Simple steps to protect data
- Make cybersecurity a priority. Train employees to be aware of risks.
- Control data access. Give access to only those people who need it.
- Monitor web traffic. Watch for suspicious activity like an unauthorized download.
- Make sure software is up to date and security patches are installed as soon as they are available.
- Make sure employees secure computers and workstations before they leave for the day.