Ten years, tens of millions of dollars later, a defense contractor built an almost perfect system for the US government to protect the Health Care data of all those who passed through doors of hospitals and clinics affiliated with the military insurance provider Tri-care. So well done was the system, that it took an unlucky turn of events, namely an employee losing an entire set of backup tapes in a car parked in a parking lot, for the system to be compromised. And compromised it was. Not only personally identifying information on every member and former member of the military was swiped, but also all of their medical histories.
Given that this only happened several months ago, it serves as merely another indicator for businesses that keeping data secure is getting tougher for everyone. In fact, there have been so many internal and external attacks over the past decade that many experts are calling for a re-architecturing of security software to try and gain some of the lost ground back. For small businesses that value data, protecting it can therefore seem like a daunting task. How can they consider approaching the same levels of security when larger companies are failing so miserably?
Fortunately, there are several common sense approaches to making one’s data secure that can help even the odds.
1. Airgapping equipment:
One smaller company was having trouble with their internal network being hit by scripting attacks on a non-hardened router. Despite configuration changes, the automated scripts were often able to take down the router or beat it within a few hours of being attacked. Although painful to do, it was determined that the company’s accounting server and clients were to be pulled off the network and kept in a different room to function separately without an active internet connection in a practice known as airgapping. Airgapping makes it simple to determine where breaches are because there is no physical way to attack the network segment without physically being there. The same line of logic was followed by a large defense contractor several months later. They pulled all humans out of their data center and only authorized a few employees to have access to local machines.
2. Using a cipher to change passwords:
If you’ve seen the movie ‘National Treasure‘, you’ll know that the founding fathers of the United States used cipher codes to communicate with each other when they wanted things to remain confidential. In the same way, changing passwords of employees on a regular basis via a centralized system is something that several firms have adapted successfully. Using a central server to generate code, similar to the satellite passwords that used to be generated via a credit card sized receiver, is preferable.
3. Training employees in social engineering tactics:
It doesn’t have to be a formal set of classes- but according to some of the most famous hackers in history, you simply don’t have the same types of problems with your internal data that you do when someone from the outside is able to finesse key pieces of data from your workers without them knowing it.
4. Training employees in information ethics:
Once you have taken care of warding off external threats to your data at a human confidence level, you still should realize that almost 68% of the value in data heists or thefts or breaches is perpetrated by the 20% of thefts orchestrated by internal workers. It therefore follows that training workers in philosophies like ITIL or Informaethics should pay dividends for years.
5. Sandboxing internet connections:
One of the key benefits of virtualization for desktop users is that one can run an entire desktop on top of another desktop. A Linux instance can therefore run on top of a Windows instance in a completely different volume. What that means for small businesses is that they have a free and easy way of creating an internet sandbox that can store all data virtually without it interfacing or interfering with the worker’s core productivity machine. The cloud, usb drives, and specially configured network drives can be used as a medium of data exchange. In actuality, among companies that utilize this type of security methodology, workers change their habits quickly and the amount of actual data interchange is minimal.