Data Security for Non-Geeks
Today is National Data Privacy Day. My specialty is developing application systems for human wellness and business performance. As one can imagine, this involves monitoring and working with particularly sensitive data. Business activities and an individual's health statistics are among the most private kinds of data, and a compromise not only costs you your clients' confidence, it also puts very vulnerable data in the hands of a malicious third party. With this in mind, what is one expected to do about the delicate matter of privacy, and how should one approach it?
Good security is mostly good policy. Even a bad thief knows to check under the welcome mat for a spare key. That said, most attacks still come in through the front door: ordinary logins, e-mail, and the devices people carry into the building. Here are some general considerations for the non-geek to make when handling security.
Your office network can be locked down completely, but if an employee uses the same password for Facebook as for your billing software, your business never has to be breached: one leak of the social site's password database hands an attacker working credentials to your finances. A written password policy and a periodic audit help, and someone should own them. Require a unique password for every system (a password manager makes that practical), change any password the moment it shows up in a breach, and, better still, turn on two-factor authentication so that a leaked password alone is not enough to log in.
If your business runs on a Bring Your Own Device (BYOD) basis, creating a strategy can be a real pain, but even a simple plan can head off huge threats. Catalog every employee-owned device that connects to your network: phones, tablets, laptops, and even USB sticks. That inventory gives you a real picture of what you might be bringing into your network from the outside and tells you which BYOD policies you truly need.
A reputable cloud provider is usually better at securing infrastructure than a small business is at securing its own datacenter. On one hand, in-house technology gives you the security of "owning" your systems, at least in a geographic sense. However, that means all responsibility for those systems falls on you: patching, backups, physical access, and monitoring. A reliable third-party cloud company dedicated to the storage, management, and encryption of systems and data will manage that infrastructure while you manage your business. What it will not manage for you is the part that is still yours: who has accounts, how those accounts are protected, and what you choose to put there.
Of course, that doesn't mean the cloud provides perfect security. Always read the fine print to find out how your cloud provider encrypts and protects your data, both at rest and in transit, and who holds the encryption keys. If your provider's terms are silent on any of this, you should worry a little.
I know I said this would be non-geek, but IoT (Internet of Things) is now a main stream real concern. Every device you own that shares data without you necessarily interacting directly with it is essentially an IoT device. This includes FitBits, Google Nest, Iris, automatic pet feeders, front door cams, and a whole host of sensory devices. While you willingly allow these devices to monitor and spy on you all day, there are many cases where a third party can be listening in.
To start with, any time a device offers you the chance to change its default admin username and password, do so. This goes for everything from the router plugged directly into your network to drones. Popular devices are easy to fingerprint on a network scan, and a factory login that was never changed lets an attacker take the device over or sit in the middle of its traffic, listening to your communications. Also, often the only way to manage these devices is through a web or mobile application that is still talking to them over WiFi or a cellular connection. If that channel is unencrypted, anyone on the same network can "listen in" to what you're communicating. At that point you are whispering in a crowded but quiet room. When dealing with any new IoT device, make sure the vendor has protected its communication with an encrypted web connection (HTTPS, with a certificate your browser or app actually checks), and that remote-administration services such as SSH or Telnet are off unless you need them and never reachable with a shared factory password.
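The "whispering in a crowded room" problem, shown from the listener's side. This is an added example, not from the original post or any vendor: a short Python script that takes a constructed text dump of two plaintext HTTP requests to a made-up camera on 192.168.1.47 (no real device or traffic), recovers the logins an on-path sniffer would see, and flags any that are still common factory defaults. The default-credential list is illustrative, not exhaustive.

```python
"""What an on-path listener recovers from unencrypted IoT management traffic.

Added example (not from the original post). CAPTURED_REQUESTS is a constructed
sample of what a sniffer on the local WiFi reconstructs from a plaintext HTTP
session; the host, paths and credentials are made up.
"""
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

CAPTURED_REQUESTS = """\
GET /cgi-bin/snapshot.cgi HTTP/1.1
Host: 192.168.1.47
Authorization: Basic YWRtaW46YWRtaW4=
User-Agent: CamViewer/2.1

POST /api/login HTTP/1.1
Host: 192.168.1.47
Content-Type: application/x-www-form-urlencoded

user=installer&pass=W1nter-Sol5tice
"""

# A few widely shipped factory defaults (illustrative assumption, not a vendor list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""), ("admin", "1234"),
    ("root", "root"),
}
USER_FIELDS = ("user", "username", "login")
PASS_FIELDS = ("pass", "password", "pwd")


def split_requests(capture: str) -> List[str]:
    """Split a reconstructed plaintext HTTP stream into individual requests."""
    parts = re.split(r"(?m)^(?=(?:GET|POST|PUT|DELETE) )", capture)
    return [p for p in parts if p.strip()]


def extract_credentials(request: str) -> Optional[Tuple[str, str]]:
    """Recover the (username, password) a single unencrypted request carries, if any.

    HTTP Basic auth is base64, which is encoding, not encryption; a form login is
    literal text in the body. Either is readable by anyone on the network path.
    """
    m = re.search(r"(?im)^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", request)
    if m:
        decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        return user, password
    _, _, body = request.partition("\n\n")
    fields = {k.lower(): v[0] for k, v in parse_qs(body.strip(), keep_blank_values=True).items()}
    user = next((fields[k] for k in USER_FIELDS if k in fields), None)
    password = next((fields[k] for k in PASS_FIELDS if k in fields), None)
    if user is not None and password is not None:
        return user, password
    return None


def audit_capture(capture: str) -> List[Tuple[str, str, str, bool]]:
    """For each request that leaks a login, return (host, user, password, is_factory_default)."""
    findings = []
    for req in split_requests(capture):
        creds = extract_credentials(req)
        if creds is None:
            continue
        host_match = re.search(r"(?im)^Host:\s*(\S+)", req)
        host = host_match.group(1) if host_match else "?"
        findings.append((host, creds[0], creds[1], creds in DEFAULT_CREDENTIALS))
    return findings


if __name__ == "__main__":
    for host, user, password, default in audit_capture(CAPTURED_REQUESTS):
        label = "FACTORY DEFAULT" if default else "custom"
        print(f"{host}: {user}:{password} ({label}) sent in the clear")
```

Two lessons fall out of running it. First, a "strong" password like the installer's is worth nothing if the device sends it over plain HTTP; the fix is HTTPS (TLS) on the device and its app, after which the listener sees only the handshake and opaque encrypted records. Second, changing the admin:admin default matters even on an encrypted device, because an attacker who can reach the login page at all does not need to sniff anything.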
The Rest of Us
Simply keep your antivirus updated. The nature of business now means you will be collecting and sharing a lot of information just to keep operations going, and you shouldn't trust your own judgment to screen everything that comes past your e-mail. It won't catch everything, but it will stop more threats than having nothing in place.
While developers and device providers like my colleagues and me work hard to create software and tools that take your data privacy into consideration, there are thousands of devices that I can't account for. Personal privacy is also your responsibility as a consumer, so keeping up with vulnerabilities in the products you use and applying basic conventional wisdom should both be on your list at the very least. Thank you, and I wish you a happy, and secure, Data Privacy Day.