Do not let your data become hostage: 3 ways to safeguard sensitive data

Today data is at the core of important business decision making, making it the lifeblood of any organisation. This growing importance has made it a prime target for cyber criminals. With ever more sophisticated cyber threats, data breaches and cybercrime in which sensitive data is stolen or held hostage are a daily reality. Sensitive data such as personally identifiable information (PII), financial information, health records, authentication credentials, confidential business data, intellectual property (IP) and geo-location data

In this blog article we will present three essential ways to safeguard one of your most invaluable assets – your data!

Multi-factor authentication and strong passwords

It is often taken for granted and regarded as a basic step, but it remains a crucial step to protect your data and prevent it from falling into hackers' hands. Weak passwords, or using the same value for both login and password, make it rather easy for hackers to gain unauthorised access to your sensitive information. Brute-force attacks are commonly used by cyber attackers to guess credentials and force their way into systems and data repositories. Always enforce a best-practice password policy requiring passwords to be complex, unique, and never previously used.

Requiring a mix of upper- and lower-case letters, numbers and special characters, together with a minimum length, are some of the ways a password can be made more 'complex' and less guessable. Gone are the 'let me in' days: always train your staff to avoid using names, birthdates, or favourite football teams as passwords.

Do not store passwords in browsers; instead, promote the use of password managers, which can generate random passwords that are beyond the reach of most cracking programs deployed by hackers. Never use the same credentials for multiple accounts.
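As an added illustration (not code from the article), the password rules above expressed as a checker: minimum length, a mix of character classes, a deny-list of guessable personal words, and a reuse check against a salted PBKDF2 history of previous passwords. The personal words and sample passwords are constructed example values.

```python
import hashlib
import os
import re

# Constructed example policy following the article's rules:
# mixed character classes, minimum length, no personal words, never reused.
MIN_LENGTH = 12
# Words a user might reach for (constructed example values, not real data).
PERSONAL_WORDS = {"francesco", "1985", "liverpool"}
CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; deliberately slow so stored history is hard to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def check_password(password: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.
    history holds (salt, hash) pairs of the user's previous passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASS_PATTERNS.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name} character")
    lowered = password.lower()
    for word in PERSONAL_WORDS:
        if word in lowered:
            problems.append(f"contains guessable personal word '{word}'")
    # Reuse check: re-derive each historical hash with its own salt and compare.
    for salt, old_hash in history:
        if hash_password(password, salt) == old_hash:
            problems.append("was used before")
            break
    return problems

def remember(password: str) -> tuple:
    """Store a new password in history as (salt, hash) so it can never be reused."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

if __name__ == "__main__":
    history = [remember("Correct-Horse-9!")]
    for candidate in ["letmein", "Liverpool1985!", "Correct-Horse-9!", "V3ry.L0ng&Unique"]:
        print(candidate, "->", check_password(candidate, history) or "OK")
```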

MFA, or multi-factor authentication, should be implemented wherever possible. It adds an additional layer of security by requiring users to provide further forms of verification on top of a login and password. Common methods include generating a code with an authenticator app or sending a code by text message to the user's smartphone. In such cases, even if a hacker has someone's password, it is still difficult to log onto a system without authorisation. 2FA, or better still MFA, renders compromised credentials largely useless.

Data Encryption

Storing data in plaintext in databases is a very risky practice. Encryption converts your data into an unreadable format: if it is intercepted by malicious attackers it remains useless to them, as they do not hold the decryption keys. Encryption algorithms should be used to protect sensitive records, emails and even communication channels, making it extremely hard for hackers to decipher and make sense (and use) of such data. Some database architectures also opt for headless data storage, which adds an extra layer of security with a view to adhering to regulations such as GDPR and safeguarding stakeholders' interests.

A crucial best practice is to back up all your data regularly. In the unfortunate event of a data breach or a ransomware attack, up-to-date backups can save an organisation from losing valuable data. This is of paramount importance for business continuity, as it keeps business interruption to a minimum. Test backups regularly, and always store backed-up data in a separate location (e.g. in the cloud).

Encryption ranges from public-facing assets, such as having an active SSL/TLS certificate configured for your website, to encrypting files and folders on your servers or your cloud instances. When using public Wi-Fi, opt for a VPN to secure your connections.

Employee Cyber Awareness Education and Standard Operating Procedures

Human error is undoubtedly the leading factor in data breaches. The most common scenarios see employees falling victim to email phishing scams or unknowingly downloading malware from dodgy websites or peer-to-peer file-sharing networks. Education, in the form of cyber awareness training, will firstly make employees aware of the threats that exist, secondly teach them about the possibly irreparable repercussions, and thirdly help build an organisation-wide culture that puts data security first.

Salient topics in a good cyber awareness training course include password hygiene, the different forms of phishing scams, and what to do in case of suspicious activity or, worse, an actual incident. Such courses, whether delivered face to face in a classroom or online in a self-paced format via an e-learning platform, minimise the risk of the unauthorised access that results in data breaches. Physical security is another consideration that needs attention: restrict access to areas where sensitive data is accessible, such as data storage areas, archives, filing cabinets and server rooms.

When disposing of data, use specialised data destruction methods and algorithms to permanently delete and wipe out unwanted data.

Data breaches lead to loss of credibility and reputational damage, together with business interruption, potential fines, and licensing problems (for regulated businesses). Hackers are always on the lookout for loopholes to exploit, usually caused by banal negligence. Manage risk and mitigate it constantly. Prevention is always better than cure. Safeguard your sensitive data. Discover more. Get in touch today!

Francesco Mifsud

I live and breathe cyber security and everything else in the discipline. With around a decade of experience in the industry I have had the opportunity to develop skills in penetration testing, cloud security, reverse engineering & exploit development, application security engineering, management and organisation-wide cyber security strategy. I hold a well-rounded set of security certifications such as OSCP, eWPTX and CISSP and have delivered training & workshops at some of the most prestigious hacking conferences such as DEF CON, BruCON, BSides London and BSides Manchester.