We present an article on the threats that entrepreneurs face today. The questions are answered by our Managing Director, Piotr Musiał.
What are the risks for companies resulting from the lack of care for data security?
Each industry is vulnerable to various forms of threats. In general, threats can be divided into two categories: external and internal. In the first of these categories, computer threats such as viruses, Trojan horses, worms and ransomware have been leading the way for years. The role of ransomware is to penetrate the victim’s computer and encrypt certain types of documents. The only salvation in such a situation is to pay the ransom in bitcoin. Phishing, on the other hand, allows cybercriminals to steal data such as logins and passwords for electronic banking or credit card numbers. The principle of this method is very simple: a properly crafted e-mail, allegedly coming from the victim’s bank, takes the user to a fake website and asks for confirmation of login details. Unaware users will not even notice that someone has just come into possession of the access data to their account and accumulated funds.
In turn, the threats that lurk inside the organization are just as dangerous. Ignoring the basic rules of security may tempt a dishonest employee to steal the most confidential information, such as the company’s know-how or customer base with sales history. It should also be remembered that such activity is not always detectable, not to mention proving the employee’s guilt in court. This is related primarily to the appropriate protection by the employer of the so-called “Electronic ID”.
In the era of mobile devices, social networks and the tendency to share information, their protection becomes more and more difficult. The increase in the number of threats goes hand in hand with technological development, so it should not be expected that the problem concerns only selected companies that process data on a global scale. Every local company will sooner or later be exposed to such a risk because it uses these technologies on a daily basis. The less awareness in the area of threats and security the management and employees have, the greater the risk of data loss or compromise on the entire organization.
What are the effects – global and local? Are there any global, European and Polish reports on this subject?
The effects of data loss are always measurable, although it is not always possible to accurately calculate both the immediate losses and those that will only be felt over time. In order to estimate them, it is necessary to know in advance the value of the data, its replacement costs and the consequences of its loss.
Among all data processed in the company, special attention should be paid to personal data which, as we all know, are protected by law. Disclosing them to unauthorized persons may result in lawsuits and legal sanctions imposed by the Personal Data Inspector.
One thing is certain: each company can lose what is its most valuable asset. The greater the operational range of the organization, the more noticeable the effects are for its clients. Enterprises providing global services based on cloud computing cannot afford to lower their reputation and credibility in the eyes of their clients. As a consequence, it can lead to loss of customers, lower sales or even bankruptcy.
It is worth quoting here the conclusions of, for example, recent NIK audits in state institutions. They clearly show that data protection in this sector leaves much to be desired.
What is data security in the company? What should companies remember and what do they forget? How does it work in theory and in practice? Does this issue only apply to large or small companies?
Nowadays, supervision over information security should be continuous. The pace at which newer and newer types of threats emerge is frighteningly high and increases in proportion to technological progress. Companies often forget about this fact, focusing mainly on their own business and everyday problems.
In other words, taking care of data security is nothing more than ensuring its confidentiality, integrity, availability and accountability. In the case of personal data, each company that processes and owns them, whether it likes it or not, becomes their Administrator. In practice, many companies forget that in such a situation it is worth appointing an Information Security Administrator (ABI) and formally entrusting him with the role of a supervisor. If no ABI is appointed, its tasks are performed by the Data Administrator himself, which is the most common practice in small companies. Unfortunately, companies notoriously ignore the need to develop and implement a Security Policy – a document that describes what, when and how we protect. If there is no procedure to follow, we cannot count on proving that someone neglected their duties or breached safety rules.
Taking care of safety is a constant fight with threats. Every company, regardless of its size, should invest in security tools and regularly make its employees and subcontractors aware of what they should pay attention to and what they should absolutely avoid. Statistically speaking, most security incidents are caused by people. It will mainly depend on them whether the company’s data and its clients’ data will be properly protected. At the same time, one should not forget about monitoring the control parameters themselves, as the environment in which companies conduct their business is constantly changing, creating new places of potential information leakage.
What support systems exist on the market, what are they characterized by and what can they do?
Let’s distinguish between two groups of such tools. The first group consists of tools that increase security and greatly affect the level of protection of our data. These are certainly anti-virus software and e-mail spam filters. More and more operating systems and web browsers come with a high security level by default. Why? So that the IT-unaware user and his data are properly protected from the very beginning of his adventure with the computer.
It should not be forgotten that effective prevention has a chance to work only if all resources and information assets in the enterprise are protected. In large enterprises, IT departments use domain solutions that cover all computers and servers operating in the headquarters and branches. This has its advantage, as it allows you to easily and quickly standardize the level of security for a large group of devices and end users.
The second group of tools includes software that plays an auxiliary role. You can list here all kinds of systems that support business and operational processes and at the same time ensure effective protection of the information processed in them. The times when a login and password were the basic access protection are long gone. At the moment, two- or three-level authorization of access to the application using security certificates, VPN tools or SMS tokens is becoming a standard. Even if someone acquires our login and password, they will not gain access to the data without having the appropriate certificate or even a device authorized in our infrastructure. Therefore, it is important that CRM or ERP class software meets security requirements that are adequate to the level of protection that satisfies us. Unfortunately, many software vendors are not aware of it or do not want to be aware of it, and they leave the responsibility in this area to their customers. For this reason, the key parameter when choosing an IT solution is increasingly becoming the security criterion, i.e. software compliance with recognized norms and standards that are in force in the industry.
When we talk about data security, we usually mean electronic systems, but what about other elements, e.g. physical, awareness of employees, etc.?
Exactly. Physical actions of third parties, such as theft, destruction of information assets, computer equipment or important data carriers are more and more often a threat. Data security also includes physical protection of buildings and rooms in which they are processed, as well as servers that are susceptible to the environment in which they operate and like to fail. Therefore, it is not worth saving on measures and solutions that protect us against complete data loss.
There are many ways to protect yourself from these threats. One of them is making regular backups of data that are important to us from the point of view of our business. Companies that do not make regular backups must take into account the fact that data loss means no possibility of their recovery or restoration.
Another way to reduce the level of risk is to use redundant solutions, i.e. solutions that can maintain business continuity in the event of a failure. We are talking about RAID arrays, data clusters or HA (High Availability) solutions.
The situation is different in the case of protecting data that we store in paper form, such as HR documents, contracts and invoices. Their digitization will not save us from losing the originals, but at least we will not lose the information itself, which is the most valuable for us. There are specialized companies that deal, among other things, with storing such documents in properly prepared storage centers.
Speaking of protection, one should also mention the human factor, namely the users’ lack of awareness of the threats that lurk. Hard security should always be supported by activities aimed at improving the awareness of the employees themselves, but also of the management staff. For this purpose, it is worth considering whether the company has appropriate instructions, procedures and policies for individual areas of the company’s operation. Does the company continuously provide an adequate level of training for all staff in the field of prevention and actions in the event of a security incident? So-called soft security is very important and should not be forgotten when developing security and business continuity plans.
The company wants to improve data security – what should it do, step by step?
First of all, you should approach the subject with common sense. A very important element from which it is worth starting is developing a classification of the information that the company processes, identifying information assets with their location and indicating the people who should have access to them. The next step is to prepare a risk analysis that will answer the following questions:
• which data is critical for us from the point of view of running a business?
• which data should we protect in particular?
• what will be the consequences for the company of their loss?
The prepared risk matrix will facilitate the selection of appropriate tools and measures aimed at securing data in such a way that the expenditure incurred on these measures does not exceed the losses that we will experience after the loss or long-term unavailability of this data. Based on the results of the analysis, we should describe the processes, identify the owners of these processes, prepare appropriate regulations and procedures, and then implement them and verify them regularly. In addition, those who participate in the process should have predetermined roles and responsibilities.
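To illustrate the risk analysis and the cost-versus-loss rule described above, here is an added Python example; it is not code from the interview or from any product named in it. The asset inventory, the 1..5 likelihood and impact bands, the band-to-probability mapping and the "critical" threshold are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass
class Asset:
    name: str
    classification: str  # information class, e.g. "personal data", "trade secret"
    location: str        # where the asset is stored
    owner: str           # process owner accountable for it
    loss_cost: float     # estimated cost of loss or long-term unavailability
    likelihood: int      # 1..5 band: chance of a damaging incident per year
    impact: int          # 1..5 band: consequence for the business

@dataclass
class Control:
    name: str
    asset: str                # Asset.name it protects
    cost: float               # yearly expenditure to implement and maintain
    residual_likelihood: int  # likelihood band once the control is in place

# Constructed sample inventory and controls; all figures are illustrative.
ASSETS = [
    Asset("customer base", "personal data", "CRM server", "sales director", 500_000, 3, 5),
    Asset("know-how", "trade secret", "file server", "CTO", 2_000_000, 2, 5),
    Asset("canteen menu", "public", "intranet", "office manager", 100, 4, 1),
]
CONTROLS = [
    Control("offsite backup of CRM", "customer base", 20_000, 1),
    Control("DLP on file server", "know-how", 150_000, 1),
    Control("WAF in front of intranet", "canteen menu", 5_000, 1),
]
# Assumed mapping from likelihood band to annual probability of a loss event.
PROBABILITY = {1: 0.01, 2: 0.05, 3: 0.2, 4: 0.5, 5: 0.9}

def risk_score(asset: Asset) -> int:
    return asset.likelihood * asset.impact

def risk_matrix(assets):
    """Rank assets by likelihood x impact; 12 or more is 'critical' (assumed threshold)."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), "critical" if risk_score(a) >= 12 else "normal")
            for a in ranked]

def worthwhile_controls(assets, controls):
    """Keep only controls whose cost does not exceed the expected loss they avoid."""
    by_name = {a.name: a for a in assets}
    chosen = []
    for c in controls:
        a = by_name[c.asset]
        avoided = (PROBABILITY[a.likelihood] - PROBABILITY[c.residual_likelihood]) * a.loss_cost
        if c.cost <= avoided:
            chosen.append((c.name, round(avoided - c.cost)))  # (control, yearly net benefit)
    return chosen
```

With the sample data the customer base ranks as the critical asset and only its backup control passes the cost test; the DLP control costs more than the loss it avoids and is deferred, which is exactly the trade-off the risk matrix is meant to make visible.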
It is also worth investing in appropriate IT tools enabling the recording and automation of daily activities as well as proper control of these activities. Wherever possible, it is recommended to aggregate data into central collections, as the information that remains scattered is much more difficult to control and secure. Thanks to such tools, access to information is much faster, easier and, most importantly, safer.
Enterprises that can afford to invest in security can use specialized companies that have know-how and have ready-made solutions in the field of implementing and maintaining information security systems. Therefore, an increasingly common standard in the European Union countries is to have certificates confirming the appropriate level of safety and quality of services provided.