Over the past decade, cyber attacks have become increasingly complex. This is partly because personal information is now accessed from many dispersed sources, including social media networks, email, mobile applications, personal banking and online marketing, and there is growing awareness that critical data is at risk.
Cyber risk is the risk of financial loss or damage to an enterprise's credibility resulting from the breakdown of its systems or infrastructure. Any enterprise is exposed to such incidents and must have the resources to restore operations to normal quickly. Businesses have also come to realize that investing time and money in cyber-risk assessment not only safeguards the brand but also mitigates severe financial loss during crisis or incident recovery.
An enterprise relies on the expertise of IT consultants to guide it through security risks. I was consulted as a risk subject-matter expert, and managed a team consisting of security, operations and business to analyze an entire enterprise from a cyber attacker's perspective. I prepared a comprehensive risk assessment and identified critical data that could be affected by a cyberattack and how this data was stored (such as intellectual property, hardware, systems or laptops), established security requirements, analyzed threats and vulnerabilities, and established contingency plans to detect and prevent the effects of cyber risks and concerns.
Best practices to reduce your cyber-risk exposure
- Reassess your email management. Use more than one email account and spread your personal information across them, so that a single compromised account does not expose everything.
- Generate a robust, complex password. Although data breaches are out of your control, it is imperative to create a password that can endure attacks. Ideally, passwords should be at least 10 characters, and contain a combination of numbers, symbols, and uppercase and lowercase letters.
- Conceal your web-browsing history. To limit marketing companies' ability to track your online behavior, configure your browser to block their tracking and clear your browsing history on a routine basis.
- Back up data on a regular basis. The quickest way to back up files is to plug an external hard drive into your computer and copy the files to it. If you are connected to a network, you can also back up to a network drive on another computer. Make sure important data is always backed up first. Cloud services are a much more cost-effective solution for back-ups, and data can be restored promptly. Be aware that cloud services are potentially accessible by hackers, so if you must entrust data to cloud services, make sure it’s encrypted.
- A routine mistake in database application design is to display detailed error messages whenever a process fails. From such a message a hacker can judge whether the database is a candidate for an injection attack. To avoid this, build comprehensive test scenarios that confirm the application falls back to a safe state when a process fails, and prevent error messages containing sensitive detail from ever being displayed to users.
- A database index is a data structure that reduces a query's execution time. By measuring how long queries that use a particular index take against a dataset, a hacker can infer the structure of the database. To avoid this, do not deploy such indexes on datasets deemed proprietary and confidential; restrict them to more generic datasets.
- Implementing user permissions is a key security requirement. In the scramble to launch a database application into production, users are often assigned privileges they should not have. These are the risks hackers prey upon to gain hidden access to a database. Only the permissions essential to a person's work should be granted.
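As an added illustration (not code from the original article), the following Python snippet contrasts the verbose-error mistake described above with a hardened form: the first handler builds SQL by concatenation and echoes the raw database exception to the caller, the second uses a parameterised query, keeps the detail in the server-side log, and returns a fixed generic message. The in-memory SQLite table is constructed sample data.

```python
import logging
import sqlite3

GENERIC_ERROR = "The request could not be processed."
log = logging.getLogger("db-demo")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_verbose(conn: sqlite3.Connection, user_id: str) -> str:
    """The mistake: user input spliced into SQL and the engine's own error text
    returned to the client, revealing the engine, the syntax and the schema."""
    try:
        row = conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchone()
        return row[0] if row else "not found"
    except sqlite3.Error as exc:
        return f"Database error: {exc}"  # leaks detail an attacker can study


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> str:
    """Hardened form: bound parameter, detail logged server-side only, and a
    generic message to the client so the application fails to a safe state."""
    try:
        row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
        return row[0] if row else "not found"
    except sqlite3.Error as exc:
        log.error("query failed for user_id=%r: %s", user_id, exc)  # operators keep the detail
        return GENERIC_ERROR


if __name__ == "__main__":
    db = make_db()
    # A stray quote breaks the concatenated query and the engine error is echoed back.
    print(lookup_verbose(db, "1'"))
    # The same input is just an unmatched value for the parameterised query.
    print(lookup_safe(db, "1'"))
```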
- Implement role-based permissions and capabilities. The data that resides in a database will be queried and accessed by many users. Appropriate levels of permissions need to be established at both the file and the sharing level. At the file level, read, write, and execute permissions that are assigned need to be determined for various user roles with discretion. A temporary employee or contract employee should not inherit database administrator permissions.
- Data collaboration within the company and with third parties requires close scrutiny. Views provide simple, granular security and restrict the data a user is authorized to examine. For example, for a "customer" table a company may want to grant a salesperson access to customer details such as name and address but withhold the credit card number. A view can be created that includes only the data the salesperson needs, and access is granted solely on that view.
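As an added example that is not part of the original article, the following Python snippet builds the "customer" table and the salesperson view described above in SQLite and shows that the card number is unreachable through the view, which is the role-based restriction the two preceding points call for. The table, rows and card numbers are constructed sample data; SQLite has no GRANT statement, so the grants a server database would use are noted in comments.

```python
import sqlite3


def build_customer_db() -> sqlite3.Connection:
    """Constructed sample schema: a customer table that holds a card number,
    plus a view that exposes only the columns a salesperson needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer ("
        "id INTEGER PRIMARY KEY, name TEXT, address TEXT, card_number TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?, ?)",
        [(1, "Ada", "1 Main St", "4111111111111111"),   # constructed test values
         (2, "Bob", "2 High St", "5555555555554444")],
    )
    # The view is the only object the sales role should be able to read.
    # On a server RDBMS (e.g. PostgreSQL) this is enforced with:
    #   GRANT SELECT ON customer_sales TO sales_role;   -- and no grant on customer
    conn.execute("CREATE VIEW customer_sales AS SELECT id, name, address FROM customer")
    return conn


def columns_of(conn: sqlite3.Connection, relation: str) -> list:
    """Column names reachable through a table or view (PRAGMA table_info covers both).
    'relation' is a code constant here, never user input, so the f-string is safe."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({relation})")]


def salesperson_lookup(conn: sqlite3.Connection, customer_id: int) -> dict:
    """What a salesperson sees: every column of the view, and nothing else."""
    row = conn.execute(
        "SELECT * FROM customer_sales WHERE id = ?", (customer_id,)
    ).fetchone()
    return dict(zip(columns_of(conn, "customer_sales"), row)) if row else {}


def card_readable_via_view(conn: sqlite3.Connection) -> bool:
    """True only if the card number could be pulled through the view (it cannot)."""
    try:
        conn.execute("SELECT card_number FROM customer_sales")
        return True
    except sqlite3.OperationalError:  # "no such column: card_number"
        return False


if __name__ == "__main__":
    db = build_customer_db()
    print(salesperson_lookup(db, 1))
    print("card reachable through view:", card_readable_via_view(db))
```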
- Continuously scan the network and email attachments for malware to avoid potential threats.
- Add layers of security for logical access by implementing two-factor authentication (2FA), which requires not only a username and password but also a second piece of information only the user should know, such as a personal identification number, password or pattern. For example, when you use a credit card you must enter your PIN to verify a charge, presenting a physical element (the card) and a knowledge element (the PIN). However, 2FA systems can be breached if they are not designed properly.
- A supplementary layer of security is biometrics. Biometric technology verifies an individual's identity by analyzing unique physiological or behavioral features, such as a fingerprint. Identification using biometric characteristics is preferred over traditional password- and PIN-based methods for several reasons, including that a living person must be physically present at the time of identification. Identification based on fingerprint scanning eliminates the need to remember a password or carry a secondary credential such as a credit card.
Customers trust companies to safeguard their information through data security practices, but today those practices are at critical risk of being targeted. As data stewards, we are obligated to ensure data is safeguarded and secured against the risks of a cyberattack. With the escalating frequency and cost of cyberattacks, a company's risk management strategy should include a risk assessment led by an expert to help mitigate immense monetary loss and protect the company's reputation and brand.