You and your business are worth a lot of money, whether your bank accounts show it or not. The goldmine lies in your data, and everyone wants it. Competitors want to hire the employee you just fired for the thumb drive full of confidential files they smuggled out. Data thieves salivate over your Facebook profile, which provides a how-to guide for exploiting your trust. Cyber criminals are digitally sniffing the wireless connection you use at Starbucks to make bank transfers and send confidential emails.
Every business is under assault by forces that want access to your valuable data: identity records, customer databases, employee files, intellectual property, and ultimately, your net worth. Research is screaming at us—more than 80 percent of businesses surveyed have already experienced at least one breach (average recovery cost: $6.75 million) and have no idea how to stop a repeat performance. These are clear, profit-driven reasons to care about who controls your data.
Here are five information-espionage hot spots that your business should address now:
- Lousy training. One of the costliest data security mistakes I see companies make is attempting to train employees from the perspective of the company. This ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security until they understand what it has to do with them. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language that can be applied to business. Once they understand opting out, encryption, and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases and intellectual property. See the video above for an example of bridging the worlds of personal privacy and corporate data security.
- Human weakness. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, greed, or sense of urgency. Social engineering is the craft of extracting information out of you or your staff by pushing buttons that elicit automatic responses. Strategy: Immunize your workforce against social engineering and poor decision making. Fraud training teaches your people how to handle requests for login credentials, passwords, employee and customer data, unauthorized building access, and an office full of information whose disappearance will land you on the front page of the newspaper. The latest frontier that thieves are exploiting is your employees’ social networks, especially Facebook and LinkedIn. It is imperative that you have a well-thought-out, clearly communicated social networking policy that minimizes the risks of data leakage, reputation damage and trust manipulation.
- Wireless surfing. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel, or café. Both connections are constantly sniffed for unprotected data being sent from your computer to the web. Strategy: Have a security professional configure the wireless router in your office. Here is your laundry list of things to ask her to do (she will understand the terminology): utilize WPA2 encryption or better; implement MAC-specific addressing and mask your SSID; and, while she’s there, do a security audit of your network. To protect your connection while surfing on the road, purchase an encrypted high-speed USB modem from one of the major carriers (Verizon, Sprint, AT&T) and stop using other people’s free/fee hot spots.
- Inside spies. Chances are you rarely perform a serious background check before hiring a new employee. That is short-sighted, as most of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out a “digital door” when no one is looking. Many employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer. Strategy: Invest in a comprehensive background check using a product like CSIdentity.com’s SAFE before you hire instead of wasting much more money cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background jump-starts your intuition and discourages dishonest applicants from the outset.
- Mobile data. In the most trusted research studies, 36–50 percent of data breaches originate with the loss of a laptop or mobile computing device (smart phone, thumb drive, etc.). Mobility, consequently, is a double-edged sword, but it’s a sword that we’re probably not going to give up easily. Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption, and remote laptop-tracking and data-wiping capabilities. Set your screen saver to engage after five minutes of inactivity and check the box that requires you to enter your password upon reentry. This will help keep unwanted users out of your system. Finally, physically lock this goldmine of data down when you aren’t using it.
Your espionage countermeasures don’t need to be sophisticated or expensive to be effective. Targeting the hot spots above is a savvy, incremental way to keep spies out of your profit margins. But it won’t start working until you do.