Whether or not your data is safe depends on the threats to it, and most attackers come in through a handful of very common avenues.
Every organization faces a different threat level. A bank or a utility company will see more persistent and creative attacks than a small, locally focused shop. That doesn't mean there is any type of business or set of circumstances where you can just forget about security, however. The internet is crawling with attackers and automated malware, and there are always some willing to grab the low-hanging fruit if the right door is left open.
Be sure to consider all of the following possibilities when reviewing your network security policies and procedures.
- "Phishing" and Social Engineering Attacks
So-called "soft" attacks, in which the attacker targets company employees rather than the network's software or hardware, have become far more common than technical attacks because they are easier to carry out and succeed more often.
The main avenue is email. Attackers can mass-mail everyone in the company, but they may also do their homework and target specific people by profiling them from publicly available information (so-called spear phishing). Either way, the endgame is the same: get the employee to open a tainted attachment, or to follow a link to a site that installs malware or harvests their login credentials.
Two common payloads are keyloggers and ransomware. A keylogger sits in the background recording keystrokes, possibly taking periodic screenshots as well, and quietly forwards them to the attacker so that they can steal logins and private data. Ransomware encrypts vital files on the network, and the attackers then demand a payment (or two, or three) in return for the key to decrypt them.
The biggest first step in defeating phishing is to ensure that no email client on the network automatically downloads or runs attachments. While mass-mail phishing is usually easy to spot, a targeted attack may come from a "spoofed" or look-alike sender address that appears legitimate, so employees should verify by phone or instant message, using a contact they already have rather than one supplied in the message, whenever an unexpected attachment arrives or they are asked out of the blue to visit an external site. As a safeguard against ransomware, run automated "snapshot" backups that periodically copy network data both to the cloud and to local storage; keep at least one copy offline or otherwise immutable so the ransomware cannot encrypt the backups too, and test that restores actually work.
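As an added example (not code from the original article), the following standard-library Python script checks a raw inbound message for the indicators described above: a look-alike or spoofed sender, a Reply-To or Return-Path pointing at a different domain, non-passing SPF/DKIM verdicts in the gateway's Authentication-Results header, and executable attachments hiding behind a double extension. The domain example.com, the confusables table, the risky-extension list and both sample messages are constructed assumptions for demonstration.

```python
"""Flag common phishing indicators in a raw email message.

Added example, not code from the original article. Standard library only;
OUR_DOMAIN, CONFUSABLES, RISKY_EXTENSIONS and both sample messages are
constructed assumptions.
"""
import re
import textwrap
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the organisation's real mail domain
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
# Tiny look-alike table (assumption); real gateways use a full confusables list.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample: an ordinary internal message.
LEGIT_MESSAGE = textwrap.dedent("""\
    From: Alice Smith <alice@example.com>
    Return-Path: <alice@example.com>
    Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
    Subject: Lunch
    Content-Type: text/plain

    See you at noon.
    """).encode()

# Constructed sample: look-alike domain, mismatched Reply-To and Return-Path,
# failed SPF, no DKIM, and a double-extension executable attachment.
PHISH_MESSAGE = textwrap.dedent("""\
    From: "Carol Jones (CEO)" <carol.jones@examp1e.com>
    Reply-To: payments@pay-now.xyz
    Return-Path: <bounce@bulk-sender.xyz>
    Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-sender.xyz; dkim=none
    Subject: Urgent invoice
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="sep"

    --sep
    Content-Type: text/plain

    Please open the attached invoice and pay it today.
    --sep
    Content-Type: application/octet-stream; name="invoice.pdf.exe"
    Content-Disposition: attachment; filename="invoice.pdf.exe"
    Content-Transfer-Encoding: base64

    TVqQAAMAAAAEAAAA
    --sep--
    """).encode()


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' if none)."""
    return address.rpartition("@")[2].strip().lower()


def normalize_domain(domain: str) -> str:
    """Fold look-alike characters so 'examp1e.com' compares equal to 'example.com'."""
    out = domain.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def phishing_indicators(raw: bytes) -> list:
    """Return a list of warnings for one message; an empty list means nothing fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # Look-alike sender domain: not ours, but ours once confusables are folded.
    if from_domain != OUR_DOMAIN and normalize_domain(from_domain) == OUR_DOMAIN:
        warnings.append(f"look-alike sender domain {from_domain!r}")
    # Display-name spoofing: the visible name shows our domain, the address is external.
    if OUR_DOMAIN in display_name.lower() and from_domain != OUR_DOMAIN:
        warnings.append(f"display name {display_name!r} impersonates {OUR_DOMAIN}")
    # Replies silently redirected to a third domain.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        warnings.append(f"Reply-To domain {domain_of(reply_to)!r} differs from From")
    # Envelope sender (Return-Path) from a different domain than the visible From.
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    if return_path and domain_of(return_path) != from_domain:
        warnings.append(f"Return-Path domain {domain_of(return_path)!r} differs from From")
    # SPF/DKIM verdicts stamped by our own gateway (trust this header only when
    # the gateway strips any copy that arrived from outside).
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            warnings.append(f"{mech}={m.group(1)}")
    # Executable or macro-bearing attachments, including double extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if "." in name and "." + name.rsplit(".", 1)[1] in RISKY_EXTENSIONS:
            warnings.append(f"risky attachment {name!r}")
    return warnings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("phish", PHISH_MESSAGE)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

Treat the hits as triage signals rather than verdicts: a Return-Path that differs from From is normal for mailing lists and dkim=none is common from small senders, so a real gateway scores these together instead of blocking on any single one.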
- Documented Software Exploits
While nearly every business has some data an attacker wouldn't mind having, some targets are far more interesting than others. A company like Google or Goldman Sachs will regularly employ teams of skilled hackers called "penetration testers" to look for completely new and novel ways to break into its systems, keeping it on the cutting edge of security at all times.
A more "average" business doesn't face that kind of advanced threat. If the data isn't particularly juicy, attackers (often just automated scanners) will try known exploits against the software you are running and move along if none of them work. So how do you protect against these exploits? Primarily by keeping an inventory of what you run and applying each vendor's security updates promptly, since patches for newly discovered vulnerabilities only help once they are installed; internet-facing systems deserve the highest priority. Old, discontinued software should also be replaced with something still supported, because new vulnerabilities in it will never be patched.
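As an added example (not code from the original article), the following Python script shows the check behind "make sure you have the latest versions": it compares an installed-software inventory against known-vulnerable version ranges and end-of-life dates, comparing versions numerically rather than as strings (a naive string comparison reports 2.10.0 as older than 2.3.9 and would flag a patched install). The inventory, the ADV-0001 and ADV-0002 advisory identifiers, the version ranges and the end-of-life dates are constructed sample data; in practice they would come from the vendors' advisories or a vulnerability feed.

```python
"""Check a software inventory against vulnerable version ranges and end-of-life dates.

Added example, not code from the original article. ADVISORIES, END_OF_LIFE
and INVENTORY are constructed sample data.
"""
import re
from datetime import date

# Constructed advisories: a product is affected from `introduced` (inclusive)
# up to but not including `fixed`, the first patched release.
ADVISORIES = [
    {"id": "ADV-0001", "product": "webapp-framework", "introduced": "2.3.0", "fixed": "2.3.9"},
    {"id": "ADV-0002", "product": "db-server", "introduced": "10.0", "fixed": "10.4"},
]
# Constructed end-of-life dates: after this date the vendor ships no more fixes.
END_OF_LIFE = {"legacy-cms": date(2020, 1, 1)}
# Constructed inventory of what is actually installed: (product, version).
INVENTORY = [
    ("webapp-framework", "2.3.4"),   # inside the affected range
    ("webapp-framework", "2.10.0"),  # newer than the fix; a string compare would get this wrong
    ("db-server", "10.4"),           # exactly the fixed release, so not affected
    ("legacy-cms", "3.1"),           # unsupported product, regardless of version
]


def parse_version(text: str) -> tuple:
    """Convert '2.10.0' to (2, 10, 0, 0) so comparisons are numeric.

    Leading digits of each component are kept ('4rc1' -> 4, 'beta' -> 0) and
    the tuple is padded to four components so '10.4' equals '10.4.0.0'.
    """
    nums = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    return tuple((nums + [0, 0, 0, 0])[:4])


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, compared numerically."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def check_inventory(inventory, advisories=ADVISORIES, eol=END_OF_LIFE, today=None) -> list:
    """Return one finding per vulnerable or unsupported installation."""
    today = today or date.today()
    findings = []
    for product, version in inventory:
        for adv in advisories:
            if adv["product"] == product and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append(f"{product} {version}: affected by {adv['id']}, "
                                f"upgrade to {adv['fixed']} or later")
        if product in eol and today > eol[product]:
            findings.append(f"{product} {version}: end of life since {eol[product].isoformat()}, "
                            f"no further patches; replace it")
    return findings


if __name__ == "__main__":
    for line in check_inventory(INVENTORY):
        print(line)
```

The same loop works against a real feed once the advisory records carry the product name and version bounds in the same shape; the part worth keeping is the numeric comparison, which is where home-grown patch checks most often go wrong.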
- Discarded, Recycled and Lost Devices
Simply moving data to the recycling bin on the desktop doesn't make it disappear. If old electronics are to be sold or recycled and are still functional, wipe them with a dedicated disk-wiping program such as DBAN that overwrites the whole drive to eliminate residual data. Overwriting tools like DBAN were designed for spinning hard disks; on SSDs, wear levelling can leave copies of data that the overwrite never reached, so use the drive's built-in secure-erase command (ATA Secure Erase, or NVMe Format/Sanitize) instead. Encrypting drives from the day they are deployed also makes disposal far simpler, because destroying the key renders whatever is left unreadable. If you're simply disposing of an old drive, have it shredded. Don't forget that copiers, printers, and old phones also have internal storage that retains data!
Employees will lose company phones and laptops from time to time, but you can limit the damage by mandating strong, unique unlock codes for every device and two-step authentication for logins to company services. Also enable full-disk encryption on every device that goes out into the wild, and enrol those devices in a mobile device management tool so that a lost one can be remotely locked or wiped and its credentials revoked.
- Internal "Turncoat" Attacks
The toughest data-security issue to deal with is the possibility of a trusted employee going rogue. Mitigation comes down to knowing which accounts are privileged, keeping their number and their rights to the minimum each role needs, logging and reviewing what those accounts do, and removing credentials the moment such an employee leaves, ideally by tying account disablement to the HR offboarding process rather than relying on someone remembering.
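As an added example (not code from the original article), the following Python script is the kind of periodic check that turns "identify privileged accounts and remove credentials when people leave" into something that actually runs: it lists every account in an admin group, flags leavers whose accounts are still enabled past a grace period or who logged in after their termination, and reports privileged accounts that nobody in HR owns or that have gone unused. The HR roster, the directory export, the privileged group names, the grace periods and the fixed NOW timestamp are constructed sample data; a real job would read the roster from the HR system and the accounts from a directory or IAM export.

```python
"""Identify privileged accounts and catch leavers whose access survived them.

Added example, not code from the original article. PRIVILEGED_GROUPS, the
grace periods, NOW, HR_ROSTER and DIRECTORY are constructed sample data.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "db-admins", "cloud-org-admin"}  # assumption
DISABLE_GRACE = timedelta(hours=4)     # assumption: leavers must be disabled within 4 h
STALE_PRIVILEGED = timedelta(days=90)  # assumption: unused admin rights get removed
NOW = datetime(2024, 3, 5, 9, 0)       # fixed "current time" so the run is reproducible

# Constructed HR roster: every employee, with the termination time for leavers.
HR_ROSTER = {
    "alice": {"terminated": None},
    "bob": {"terminated": datetime(2024, 3, 1, 17, 0)},
    "carol": {"terminated": None},
}
# Constructed directory export: one record per account.
DIRECTORY = [
    {"user": "alice", "enabled": True, "groups": ["staff"],
     "last_login": datetime(2024, 3, 4, 8, 30)},
    {"user": "bob", "enabled": True, "groups": ["staff", "db-admins"],
     "last_login": datetime(2024, 3, 2, 2, 15)},
    {"user": "carol", "enabled": True, "groups": ["staff", "Domain Admins"],
     "last_login": datetime(2024, 3, 4, 9, 5)},
    {"user": "svc_backup", "enabled": True, "groups": ["Domain Admins"],
     "last_login": datetime(2023, 9, 1, 1, 0)},
]


def is_privileged(account: dict) -> bool:
    """An account is privileged if it sits in any admin group."""
    return bool(PRIVILEGED_GROUPS.intersection(account["groups"]))


def audit_accounts(directory: list, roster: dict, now: datetime):
    """Return (sorted privileged account names, list of findings to act on)."""
    privileged = sorted(a["user"] for a in directory if is_privileged(a))
    findings = []
    for acct in directory:
        user, last = acct["user"], acct["last_login"]
        record = roster.get(user)
        if record is None:
            # Nobody in HR owns it: an orphan, or a service account that needs a named owner.
            findings.append(f"{user}: no HR record; assign an owner or disable")
        else:
            left = record["terminated"]
            if left and acct["enabled"] and now - left > DISABLE_GRACE:
                findings.append(f"{user}: terminated {left:%Y-%m-%d %H:%M} "
                                f"but still enabled; disable now")
            if left and last and last > left:
                findings.append(f"{user}: logged in {last:%Y-%m-%d %H:%M}, "
                                f"after termination; investigate")
        if is_privileged(acct) and acct["enabled"] and (last is None or now - last > STALE_PRIVILEGED):
            idle = "never used" if last is None else f"unused for {(now - last).days} days"
            findings.append(f"{user}: privileged but {idle}; remove admin groups")
    return privileged, findings


if __name__ == "__main__":
    admins, issues = audit_accounts(DIRECTORY, HR_ROSTER, NOW)
    print("privileged accounts:", ", ".join(admins))
    for issue in issues:
        print("-", issue)
```

Run daily, the "logged in after termination" finding is the one to route to the incident-response queue rather than the helpdesk: by the time it fires, the disable-within-grace control has already failed.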