Whether it is the shockwaves of the SolarWinds attack, the loss of thousands of police records from the UK government, the controversy around the WhatsApp privacy update, or yet another ransomware attack, each day brings a reminder of the vulnerability and the value of our data. European Data Protection Day on 28th January is therefore a vital opportunity to focus attention on the steps that organisations must take to protect their company data.
Aron Brand, CTO at CTERA, has compiled his list of five top tips for keeping company data safe. We thought this might be useful to you. If so, please feel free to use the piece in its entirety or as you feel suitable. You’ll find the copy below.
Build high walls around data you store in the cloud:
- Ensure that you generate and own your data encryption keys, and that no one – not even your cloud provider – can access or control them. Keeping the keys out of the provider’s hands means a breach of the provider’s systems exposes only ciphertext; it does not protect data if an attacker steals the keys themselves or compromises an endpoint that already has access, so key storage and endpoint hygiene matter just as much.
- Understand options for multi-cloud deployments and for developing a private cloud that can be fully deployed in your datacentre where critical assets can be stored.
Instil a secure “zero trust” culture internally:
- Email security: Enable advanced phishing protection in user mailboxes and remind users often not to click on suspicious links in email.
- Patching VMs: For technical teams, take extra care to install security patches on your virtual machines and cloud instances, focusing especially on Windows machines and Active Directory. If you own server machines that have not been updated recently, run Windows Update ASAP.
- Zero trust: Assume there are malicious actors in your internal network and do not assume your networks are secure. Local networks, traditionally considered a “trusted haven” for storing data with lax internal isolation, are now proving to be dangerous places – with local threats lurking, attempting to spread laterally and to steal or encrypt your data. Enforce strong, unique passwords (backed by multi-factor authentication wherever possible) and have users change them whenever compromise is suspected, even for their own laptops; note that current NIST guidance (SP 800-63B) no longer recommends forced periodic rotation on its own.
Backup, backup, backup: There is no excuse for not backing up files. But not all backups are the same. Simply copying files to an external drive is not an effective data protection strategy. For secure and reliable protection, organisations should:
- retain at least one previous version of their files for a specific retention period (minimum of 30 days)
- keep these files in a read-only repository that is physically separated from the main copy
Question your IT providers: When choosing a new IT provider, organisations must make sure to ask specific questions to confirm that security was prioritised during the engineering and design of the product. This has become particularly critical given the current landscape of massive ransomware and supply chain (e.g. SolarWinds) attacks. Ask your provider:
- Are they performing periodic security assessments by a third-party penetration testing lab to identify system vulnerabilities? And if so, can you see their latest report?
- Have they implemented stringent supply chain security, using standards such as the Open Trusted Technology Provider Standard (O-TTPS)?
- Do they have FIPS 140-2 (Federal Information Processing Standard) validation for their cryptographic modules?
- Are there references from customers to back up their expertise?
- Do they offer an SLA for time between a vulnerability being discovered and providing a security patch?
Secure your remote file access: Remote work has become the new normal, and providing fast data access to remote and home offices has become a top priority. Becoming more distributed creates higher demand for data protection. Whether you enable remote access via laptop, VDI, or in increasingly popular global file systems, ensure your preferred method respects corporate security policies and, even better, delivers consistent access control from any user device or location.