Data Privacy Day, held this year on Monday, January 28, is the perfect opportunity to take stock of your organization or company’s data security and privacy policies. There were a number of events that day, including a recorded livestream event with the National Cyber Security Alliance and other privacy leaders who discussed the new era of online privacy and provided takeaways about how your company can not only comply, but get ahead of today’s privacy and security issues.
As the technology department for many nonprofits and small businesses, Sinu strives to add value in all aspects of each organization we work with, which includes helping structure policies and sharing best practices to protect data. So while data security is top of mind every day for us, Data Privacy Day prompted us to write this article with some security priorities we hope you will embrace.
The first thing we advise is to remember that data privacy and security start first and foremost with people. Because the human factor is so critical to preventing data breaches, it is important to start with a clear, easy-to-adopt security protocol and clearly communicate expectations to employees in order to minimize your organization’s risk. Even the best policies will fail if they are not understood or enforced.
There are several ways to create a culture of data security within your company, even with a modest security budget. Below is a list of data security priorities that most organizations can easily adopt with a little time and good internal communication, and without a large investment.
Enable two-factor authentication for mailboxes and all financial accounts
Two-factor authentication (2FA) is an extra layer of security that requires not only a password and username but also something that only that user has on them, i.e. a piece of information only they should know or have immediately at hand. It is worth the time to provide a second credential, such as your mobile phone number or an alternative email account, for the added protection.
Install Microsoft Advanced Threat Protection (ATP)
Microsoft Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses, as well as spoofing and phishing attempts. It also includes features to safeguard your organization from harmful links and attachments in real time, and can trace URLs to provide insight into the kind of attacks happening in your organization.
Use image-based cloud server backups
An image-level backup takes “snapshots” of an entire server or other computer where important files are stored and creates backups called images. Backup images can be used to restore files and folders and can also be used to restore a copy of the entire server or computer, including software and settings, onto the same hardware or new hardware. This is critical if your data is stolen, lost or infected.
Limit local administrator rights
IT best practices dictate that employees not be given local administrator rights (LAR). LAR is the highest level of permission that is granted to a computer user; this level of permission normally allows the user to install software and change configuration settings. It gives someone the ability to shut off the security controls used to protect an organization’s systems, including password controls and anti-malware software. Unapproved software could also be installed, breaking critical applications and causing disruption and downtime. A company can also be exposed to malware, including through a number of different phishing scams that can run code on systems with full permissions if someone inadvertently clicks on a malicious link or opens infected email content. Auditors also frown upon the practice because of its inherent risk.
So this Data Privacy Day, why not make a resolution to implement these four steps in 2019? Adopting these security protocols, while educating your employees about their important role in safeguarding data and protecting personal data, will have you well on your way to creating a culture of security and privacy in your organization.