Your personal data is at risk. So is your organization’s data. This isn’t alarmism. It’s reality. The number of data incidents (and the number of people and records affected) hit a fresh record in 2021, according to the Identity Theft Resource Center.
While many of these incidents affected people and organizations without adequate data protection protocols in place, some affected firms that had invested in such protection. The incident that resulted in data releases from more than a dozen international fiduciary and legal services providers, including Asiaciti Trust and Fidelity Corporate Services Limited, occurred even though some of the affected firms found no clear evidence of digital intrusion.
Total protection is unrealistic to expect. But it is possible to make yourself and your organization less appealing to would-be data thieves. Implement these data protection strategies today for a safer, more productive tomorrow.
1. Require Two-Factor Authentication (No Exceptions)
More and more software programs and cloud accounts require two-factor authentication these days. Your organization should reward those that do and be wary of those that don’t.
Where 2FA is an optional program or account feature, don’t give your employees the choice. Make them use it as a condition of access. Don’t rely on whitelisted IPs or other workarounds; these unfortunately are not foolproof.
2. Avoid Insecure WiFi Networks (And Use a VPN If You Must)
If a WiFi network doesn’t require a password to access or isn’t equipped with basic encryption, don’t use it. You’re more likely to encounter such networks in public, where other users you don’t know and can’t trust lurk. Take advantage of 4G LTE or 5G where it’s available, using your mobile device’s hotspot (the extra data cost is worth it).
When you absolutely must access an unsecured WiFi network, use a virtual private network. This won’t totally protect you from digital snoops or attackers, but it will make your device a less attractive target and your traffic far harder for anyone on the same network to read.
3. Use Enterprise-Grade Anti-Malware Software
Don’t skimp on anti-malware protection. Your competitors certainly aren’t.
As with a VPN, the overhead cost of high-quality anti-malware software is a small price to pay to make your organization less attractive to the bad guys. Just know that for it to work as intended, you’ll need to outfit all of your devices, including employee-owned devices that touch company data, with the same level of protection.
4. Keep Your Software and Platforms Up to Date
Outdated software, operating systems, infrastructure — all threaten your organization’s digital security. The longer you go without applying available updates or patching known issues, the more time malicious actors have to probe your defenses and exploit weaknesses that are already public knowledge.
Avoid this fate by developing a digital update strategy, scaling it across your entire organization, and following a strict schedule. Yes, this will increase downtime, but the alternative is far worse — indefinite downtime and possible data loss.
5. Shore Up Your Email Security
You, or at least the person in charge of your organization’s digital security posture, can probably recite the most important email security best practices from memory.
Now it’s time to practice what you preach. Many organizations don’t.
6. Maintain a Strict “SSL Only” Policy
Devices on your organization’s network should not be accessing insecure websites. Not even on secure WiFi networks. There’s simply too much risk involved and too much room for human error.
Make sure your employees know this. Many don’t pay attention to website security certificates when they’re in a rush to get things done. A simple “SSL only” policy should do the trick — if the website doesn’t have an up-to-date security certificate, don’t use it.
7. Hold Third-Party Vendors and Contractors to the Same High Standards
This might be the most important data protection strategy of all. You have less direct control over your vendors’ and contractors’ security practices, but that doesn’t mean you don’t have any cards to play. You can make strict data protection — all of the above and more — a condition of doing business with your company.
Hope for the Best, Plan for the Worst
These best practices can reduce your exposure to data incidents that threaten your organization.
Unfortunately, they’re not foolproof. You’d be wise to consider — and plan for — what could happen after a successful intrusion.
This plan should contemplate what information to disclose and what to keep under wraps. As Fidelity Corporate Services Limited and Asiaciti Trust both noted in their official response to the Pandora Papers incident, international regulation and professional ethics preclude the disclosure of detailed information about affected parties, but that doesn’t mean you can’t divulge what occurred in general, limited terms. Nor does it preclude confidential notifications to affected parties once any investigation permits.
No one wants to imagine the worst. But it’s best to plan for it, just in case.