In today’s world information is more important and more readily available than it has ever been. The flip side of this coin is that there are many new risks that surround data. To counter those risks, information security measures, such as clean desk policies, firewalls and Two/Multi Factor Authentication, play a crucial role in most aspects of our lives – in the workplace as well as our private lives.
The GDPR imposes an obligation on data controllers (and processors) to ensure the security of personal data through appropriate technical and organisational measures (Article 32). We can refer to this as the GDPR’s ‘security principle’, and it concerns the broad concept of information security. Failure to comply with this principle could result in an organisation paying fines of millions of euros, facing legal action, and suffering devastating damage to its reputation.
What is information security?
One common misconception is that information security and cybercrime are something that only the IT department has to worry about. Information security is not the job of a single department or one person. It is an ongoing process which requires a complete team effort and each employee plays a key role in this process. The human factor, what employees do or don’t do, is one of the biggest threats to information security.
Information security is defined as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction”. This may mean protecting them from attackers invading our networks, natural disasters, power failures, theft, vandalism, or other undesirable states.
Three of the primary concepts in information security are confidentiality, integrity, and availability, commonly known as the CIA triad:
- Confidentiality is a concept similar to privacy. Confidentiality is a necessary component of privacy and refers to our ability to protect our data from those who are not authorized to access it.
- Integrity refers to the ability to prevent our data from being changed in an unauthorized or undesirable manner, including deletion.
- Availability refers to the ability to access our data when we need to.
Common measures in the information security toolkit
Strong and unique passwords
One of the most essential security practices is setting strong passwords for our devices and accounts.
Although passwords are only a single factor of authentication, they can, when constructed and implemented properly, represent a relatively high level of security. A strong password should not be predictable or easily guessed, such as 1234, your name or your date of birth, and it should not be a dictionary word with a digit or symbol tacked on, because automated password-cracking software tries exactly those patterns first. Length matters more than mixing character classes: a long passphrase of several unrelated words is both easier to remember and far harder to brute-force than a short string of uppercase and lowercase letters, numbers and symbols. Note also that forcing people to change passwords on a fixed schedule tends to produce weaker, more predictable passwords; change a password when there is reason to believe it has been compromised, not on a timer.
In addition to constructing strong passwords, each device and account should be protected by its own unique password, so that one cracked or leaked password cannot be replayed against every other account (so-called credential stuffing).
The biggest issue with handling multiple strong passwords is that they are difficult to remember. This might encourage us to write them down and post them in a visible or easily discoverable place, perhaps under our keyboard or on our monitor, which completely defeats the purpose of having a password if someone comes snooping around our desk. To avoid forgetting passwords or storing them insecurely, rely on a password manager; there are a variety of open source and proprietary ones, and a quick web search will turn them up.
If available, we should activate Two/Multi Factor Authentication to make it even harder for someone trying to break into our accounts. This adds an extra layer of security after the username and password by requiring a constantly changing code, generated by a software token (authenticator app) or hardware key, or sent via text message. In other words, this approach secures your accounts by combining something you know (a username and password) with something you have (a phone or token). Where you can choose, prefer an authenticator app or hardware key over SMS codes: text messages can be intercepted or redirected through SIM-swap fraud, so SMS is the weakest of the second factors.
Safe web browsing
Whenever we log in to a website or enter sensitive information, such as passwords or credit card numbers, we need to make sure that this is safe to do. One crucial check is to look for the padlock symbol next to the URL bar before submitting information. Clicking the icon displays the certificate of the site you are visiting, and the padlock means that your traffic to that site is encrypted and cannot easily be listened in on. Equivalently, check that the URL starts with ‘https’ (the ‘s’ standing for ‘secure’) and not with ‘http’; modern browsers mark plain-http pages as “Not secure”. Be aware of what the padlock does not tell you: it only proves an encrypted connection to the host named in the address bar, not that this host is the one you intended. Phishing sites routinely obtain valid certificates, so a padlock on a look-alike domain is still a trap.
This is why we should also check the website address itself. If the address has changed or something doesn’t seem right, you may be on a fraudulent website. Attackers copy a web page so that it looks identical to the legitimate one, host it on a domain that resembles the real one (an extra word, a swapped letter, the real name used as a subdomain of an attacker-controlled domain), and hope to trick us into submitting our precious information to them.
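As an added example (not from the original article), the checks above can be written down as a small allow-list based URL screen of the kind a browser extension or a security-awareness tool might apply before a login form is submitted. The trusted host list is a hypothetical stand-in for the site the user actually means to log in to; the two-label “registrable domain” rule is a deliberate simplification that ignores public suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: the site(s) the user legitimately logs in to.
TRUSTED_HOSTS = {"example.com", "www.example.com"}


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Simplification: ignores public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def check_login_url(url: str, trusted_hosts=TRUSTED_HOSTS) -> list:
    """Return a list of warnings for a URL; an empty list means it passed every check."""
    warnings = []
    parts = urlsplit(url)

    # 1. Transport: the 's' in https is the only thing keeping the password out of the clear.
    if parts.scheme.lower() != "https":
        warnings.append("scheme is not https: credentials would travel in clear text")

    # urlsplit lower-cases .hostname and strips any port; a trailing dot is also dropped.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        warnings.append("no host in URL")
        return warnings

    # 2. 'https://www.example.com@evil.test/' : everything before '@' is userinfo, not the host.
    if parts.username is not None:
        warnings.append("userinfo before '@': the real host is %r, not %r"
                        % (host, parts.username))

    # 3. Punycode labels can render as look-alike (homoglyph) names in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) label: possible homoglyph look-alike")

    # 4. The host itself, or its registrable domain, must be on the allow-list.
    if host not in trusted_hosts and registrable_domain(host) not in trusted_hosts:
        embedded = next((t for t in trusted_hosts if t in host), None)
        if embedded:
            # 'example.com.login-verify.evil.test' style: trusted name used as a subdomain
            warnings.append("trusted name %r embedded in untrusted host %r" % (embedded, host))
        else:
            warnings.append("host %r is not on the trusted list" % host)
    return warnings


if __name__ == "__main__":
    for candidate in ("https://www.example.com/login",
                      "http://www.example.com/login",
                      "https://example.com.login-verify.evil.test/login",
                      "https://www.example.com@evil.test/login",
                      "https://xn--exmple-cua.com/login"):
        print(candidate, "->", check_login_url(candidate) or "OK")
```

The userinfo and subdomain cases are the two tricks that most reliably fool a quick glance at the address bar, because the trusted name really does appear in the URL; the check keys on where it appears rather than whether it appears.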
Email is another way we might accidentally give access to sensitive or restricted information. If we must share sensitive information by email, we should use email encryption. Email encryption is the process of disguising the content of our messages so that they cannot be read by unwanted parties. Sensitive information such as social security numbers, passwords, login credentials and bank account numbers is vulnerable when sent in plain email: a message typically passes through several mail servers, and transport encryption between those servers is not guaranteed end to end. If an attacker cannot read our message because it is encrypted, they cannot do much with the information.
But email encryption is not a solution to all our email security problems. Phishing attacks are a common way to introduce malware onto our systems via email or to gain access to our information. Attackers masquerade as a trusted entity, often a real or plausible person or a company the victim does business with, to gain the recipient’s trust. The malicious actor then either asks for sensitive information directly, or asks us to click on a malicious link or to open an attachment that infects our device with malware. Typical tell-tale signs are a display name that does not match the actual sender address, a Reply-To pointing somewhere else, a sense of urgency in the subject, links whose visible text differs from their real destination, and attachments with misleading double extensions. So be cautious and think twice before acting on a request that you receive via email.
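The signs listed above can be checked mechanically. Below is an added example, not part of the original article, that parses a constructed phishing email with Python’s standard `email` module and reports which indicators fire; a second constructed message, a benign maintenance notice, is included to show that a normal email produces no findings. Both messages and all addresses in them are invented for the example.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed phishing sample: every address and domain is invented for this example.
SAMPLE_EML = """\
From: "IT Service Desk <helpdesk@example.com>" <alerts@mail-secure-login.test>
Reply-To: recovery@attacker-mailbox.test
To: employee@example.com
Subject: URGENT: your password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Your password expires in 2 hours. Confirm it now:</p>
<a href="https://example.com.reset-portal.test/login">https://example.com/reset</a>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBmaWxl
--b1--
"""

# Constructed benign sample for comparison.
BENIGN_EML = """\
From: Helpdesk <helpdesk@example.com>
To: employee@example.com
Subject: Planned maintenance on Saturday
Content-Type: text/plain; charset=utf-8

The ticket system will be offline 08:00-10:00 on Saturday.
"""

URGENCY = re.compile(r"\b(urgent|immediately|expires? today|suspended|verify your account)\b", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(exe|scr|js|bat|vbs|cmd)$", re.I)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> list:
    """Return (tag, detail) pairs for each indicator found in the raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(from_addr)

    # 1. Display name smuggles in an address from a different domain than the real sender.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if m and m.group(1).lower() != sender_domain:
        findings.append(("display-name", "shows %s but really sent from %s" % (m.group(0), from_addr)))

    # 2. Replies would go to a domain other than the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        findings.append(("reply-to", "replies go to %s, not %s" % (reply_addr, sender_domain)))

    # 3. Pressure to act quickly.
    if URGENCY.search(msg.get("Subject", "")):
        findings.append(("urgency", msg.get("Subject", "")))

    for part in msg.walk():
        # 4. Attachment whose name hides an executable behind a document extension.
        name = part.get_filename()
        if name and DOUBLE_EXT.search(name):
            findings.append(("attachment", name))
        # 5. Link whose visible text points at one host while the href goes to another.
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
            for href, text in ANCHOR.findall(html):
                shown = urlsplit(text.strip()).hostname or ""
                actual = urlsplit(href).hostname or ""
                if shown and actual and shown != actual:
                    findings.append(("link-mismatch", "text shows %s, href goes to %s" % (shown, actual)))
    return findings


if __name__ == "__main__":
    for tag, detail in phishing_indicators(SAMPLE_EML):
        print("%-14s %s" % (tag, detail))
    print("benign sample:", phishing_indicators(BENIGN_EML) or "no indicators")
```

None of these indicators is proof on its own, and a well-crafted phish may trigger none of them; the point is that each one is cheap to check and, taken together, they catch the bulk of mass-mailed campaigns before a human has to decide.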
Similar to passwords for account logins we should also use (strong) passwords/PINs for our devices. Unprotected devices and protected devices that are left unlocked when unsupervised can be exploited easily. So always lock your computer and mobile device before letting them out of your sight!
It is not uncommon for devices to get lost or stolen. To avoid information getting into the wrong hands it is a good idea to back up our data, enable device encryption and the possibility to remotely wipe the data from the device.
Besides physical dangers, devices are especially vulnerable when they connect to unsafe networks. Don’t connect your devices to unencrypted WiFi networks, or attackers on the same network may be able to intercept your traffic. These are networks that don’t require a password to connect, or that merely show a browser pop-up (a captive portal) asking you to log in: the portal controls access, but the radio link itself is still unencrypted. If you can’t avoid using such a network, use a VPN (Virtual Private Network) on your device. A VPN encrypts all of your traffic between the device and the VPN provider, so a local eavesdropper sees only an encrypted tunnel; it does not protect you beyond the VPN endpoint, so HTTPS for every site you use still matters.
Physical security and social engineering
When people think about information security, physical security is often an afterthought. Organisations tend to focus on technology-oriented security measures and overlook the physical security of both digital and physical assets.
Physical security matters for two categories of threat. Firstly, natural hazards such as floods or fires: although the information itself will not be misused, data may be lost permanently. Secondly, a malicious party that enters the building and steals devices, accesses the organisation’s internal systems, or commits other acts that could have harmful consequences for the organisation, such as financial loss or damage to its reputation.
Physical security is also an important step in limiting the dangers of social engineering, the art of manipulating people into giving up information without realising it. Criminals use social engineering tactics because it is usually easier to exploit our natural inclination to trust than it is to find ways to break software. Social engineering attacks may happen online, on the phone or in person.
Two common forms of social engineering are:
- Pretexting is when a scammer contacts a victim under a pretext to extract information. The scammer commonly pretends to be a person of authority or someone that can use the information to help the victim. For example, the scammer claims to be an auditor that needs access to your company’s financial records to check compliance with applicable bookkeeping laws.
- Tailgating/Piggybacking is when an unauthorized person follows an authorized person into a secure or restricted area. The two terms are often used interchangeably; strictly, tailgating is slipping through behind someone without their noticing, while piggybacking is entering with the authorized person’s consent, for example because they held the door. Holding a locked door open for someone may seem like a polite gesture; however, it has the potential to cause significant damage to a business.
There are a couple of ways we can protect ourselves from tailgating and piggybacking: report or politely question strangers we see in areas where they shouldn’t be, and verify their reasons for being there. Additionally, keep doors locked, especially to rooms where data is processed, so that unauthorized persons cannot get in, and make sure every person passing a controlled door authenticates individually rather than following someone else through.
If we want to keep our data secure from all the described dangers we need to stay vigilant and do our best to enhance the security of our data. There are plenty of small but essential measures we can take to make it hard for malicious actors to get their hands on it.