We’ve written in the past about how important it is to control access to your data. Cyber attackers are only one reused, stolen password away from installing ransomware on any part of your network they can access, so it’s best to use the principle of least privilege.
We’ve also discussed how adding components to your network without securing them is like installing a security system on half of your house.
One area where these two ideas come together is unintended data sprawl. It would be great if all of your data were stored on a single network and network access was granted based on a well-defined and well-documented process. Unfortunately, the rapid growth of Software-as-a-Service (SaaS) platforms has taken something that is very hard and made it nearly impossible.
Most businesses rely on a piece of software that stores data off the company’s primary network. A few common examples include accounting software, Human Resources Information Systems, file sync and sharing platforms (such as Dropbox or OneDrive), messaging platforms (including Slack and Teams), and even Adobe graphics design software.
Some of these programs are generally administered by IT teams. But many of them aren’t. In fact, the IT team may not even have access to some of the programs. There are good reasons for this, of course – especially when it comes to internal IT teams having access to finance and HR software. But this multiplies the complexity of knowing about (and securing) your data.
To that end, here are three other places where your company’s sensitive data may be stored – and what you should consider doing if it is in order to avoid a data breach.
#1 – Personal Inboxes and Computers
Even before Covid it was common at some organizations for employees to send company files somewhere they could access them from home. But in the rapid transition to work-from-home status about a year ago, everyone was scrambling to do whatever they could to be productive. In many cases, this meant sending files from their business email to their personal email and then downloading them to their personal computers. Because of this, there may be dozens or hundreds of company files floating around on personal computers.
Businesses spend time thinking about their data security, but most people don’t implement a data control policy for their home PC. That’s why personal email inboxes and personal computers are two not-so-great places for company data. Most home PCs have at least some programs unpatched and many home networks have open ports. Worse, many home PCs don’t even have a login password, so a compromised machine offers no resistance. And the problem doesn’t go away when the computer does, because most people don’t have their hard drives shredded when they get rid of their PC.
Hopefully, your organization has found great ways to get things done remotely that are both secure and productive in the past year. If so, this is a great time to make sure that company files that made their way to personal emails or personal computers are deleted.
#2 – A CRM or Marketing Platform
As mentioned earlier, SaaS software is popular and most businesses use at least one SaaS product. There’s nothing inherently wrong with having data stored on a SaaS product’s network. In fact, some of these networks are among the most carefully secured in the world, because so many thousands of companies rely on them being “unhackable.”
The problem is that they don’t have to be hacked for company data to leak out of them. If your IT team isn’t responsible for maintaining access, it’s possible that former employees’ credentials aren’t being revoked when they leave the company. This leaves behind “unmonitored accounts” – accounts nobody accesses or possibly even knows exist. If someone outside the company accessed these accounts with a stolen password, it’s likely that nobody would even notice until the data ended up on the dark web.
It’s a great idea for division leads to ensure that each piece of software with potentially sensitive data has a policy for data access and maintenance, and that the policy is being followed. It’s far more difficult and dangerous to locate and address years of data sprawl than it is to revisit it at least a couple of times a year.
#3 – On a Post-It Note
If you’re using passwords correctly, they’re hard to remember. They certainly didn’t get any easier when hackers made it necessary to add capital letters, numbers and symbols into the mix. Or when credential stuffing drove the need to use a different password for everything in our lives.
Everyone knows someone who puts their passwords in a notebook in their desk – or worse, on a Post-It note right next to their machine. But if a user’s password is on a Post-It note, you may as well have all of the data they can access on a Post-It note. Everyone who passes by their desk in the office (including vendors and contractors) can easily see it. It also wouldn’t take too strong of an imagination to think of a way that the Post-It note could fall out of a trash can and end up in the parking lot.
As frustrating as passwords can be, make sure your organization’s passwords are being protected! Teach employees not to leave their passwords out on desks. Strongly discourage the use of shared accounts and passwords. Don’t use the same password for more than a few months. Sometimes it can take years for weak passwords to cause big problems for companies. But once the problem arises, there’s no putting the toothpaste back in the tube.
To learn how WingSwept’s cybersecurity services can bring a new level of data security to your company, call us at 919-460-7011 or email us at Team_WingSwept@WingSwept.com.