Threats to your data, or that of your clients, can come at any time and from any number of sources. Here’s how the data-security setup of your compliance software can make all the difference, along with some DIY steps you can take right now to protect your data.
In times of geopolitical turmoil, the threat of being hacked or otherwise cyberattacked is never far from the mind of those tasked with responsibility for the data-security posture of their organization, or those tasked with protecting the brand. Such an attack can happen anytime and emanate from any number of sources, of course; there’s no shortage of private interests out there who might be interested in messing with your data for their own purposes. Any company, then, that depends on data to run its business, or has built its business around the handling of client data, must keep the possibility of cyberattack top of mind pretty much all the time these days.
StarCompliance isn’t a cybersecurity company. We’re in the risk-management business. But as compliance platform providers have evolved alongside the companies they protect, and those companies have become increasingly data-reliant, that risk-management business has evolved to include a strong data-security skillset. You can read about it more in-depth here, but the gist of it is a data-defense posture that uses a sophisticated and robust combination of physical, administrative, and technical controls to keep client data secure. Physical controls include Tier III data centers situated in a locked-server environment, with power and HVAC redundancy and fire suppression. Administrative controls include a single-tenancy model, third-party application penetration testing, and role-based access control. Technical controls in the STAR Platform include single sign-on, multi-factor authentication, and encryption of data in transit and at rest. Technical controls in the STAR network include firewalls with intrusion prevention systems, web application firewalls, and anti-DDoS protection. Star is also ISO 27001, ISO 9001, ISO 27005 certified, and SOC2 Type II compliant.
All this to say that here at Star we take infosec seriously, enough to have baked the concept into the five pillars we focus our business around (to wit: Multi-Layered Protection - Security And Governance Of Employee Privacy And Data Assets). We have to take it seriously: our business and that of our clients depends on it. Our efforts have paid off. We’ve never had a breach. Of course, we know that most data breaches are the result of human error. Maybe someone responding to a phishing attack that opens the network drawbridge to an intruder. Or a hacker getting through a password defense because the password was too weak. With all this in mind, here are four DIY steps you can take sooner rather than later to keep your data secure and your firm’s reputation intact:
1. LIMIT SYSTEM ACCESS
Sometimes, acting in the laudable spirit of “let’s empower people to get things done,” companies go an application too far—providing access to too many firm systems to too many people. Reduce access to systems that employees don’t really need. That is, instead of providing access to everyone who may ever need access, limit it to those who need to access it regularly. Yes, this may slow business down a little, but it’s a small price to pay to mitigate the kind of risk that can open your firm up to a cyberattack.
2. HACK AND ATTACK YOURSELF
This is exactly what you think it is. Try to break into your own system. Try to find your own vulnerabilities. This could be done by your own infosec team (Star’s does it all the time), or you could hire outside people to do it. These are the so-called white hat hackers. They’re the good guys in the hacking world—ethical hackers who do their level best to break into your systems and alert you to blind spots.
3. MAKE IT A COMPETITION
Data security is a serious business, but that doesn’t mean you and the rest of the firm can’t have some fun with it. Set up challenges for employees: the ones who are alert enough to catch break-in attempts or thwart probes by internal or external infosec teams can win, say, gift cards. But make sure the prize amounts are worthwhile—to boost the fun, the competition, and the participation. Whatever upfront costs you incur for these rewards you will recoup in the form of unsuccessful cyberattacks. There is real ROI to be had from a simple program such as this.
4. GAMIFY YOUR TRAINING
This is something we do yearly at Star. That is, the infosec team sends around a web-based training regimen to all employees annually that is structured like a game. Yes, it’s a mandatory game, but it still has the capacity to engage the learner better than a straight-ahead presentation. It’s very hands-on. Learners interact with mock emails—inspecting the links, images, addresses, etc.—to determine their validity. By the time they’re finished, they automatically know what to watch out for. It's a form of muscle memory.
It needn’t take global events to put corporate leadership on the alert for potential data-security issues. Data breaches can happen at any time, and are in no danger of going away anytime soon. But whether it’s taking data security into account when choosing your compliance platform vendor or taking DIY steps like those outlined above, know that there are proven practices and processes out there to help you secure your data, as well as professionals you can consult to mitigate much of this kind of risk. I’m one of the people tasked with protecting our clients’ corporate brands. Their organizations' reputations. It’s my personal mission, as well as the Star mission, to guard those reputations. In today’s world, being a reputation guardian means being a data guardian.
Mike Ross is Director and Senior Sales Manager at StarCompliance