A South African database containing sensitive personal data, which appears to have originated from a traffic fine payment platform, has been leaked, according to iAfrikan (full article here).
It appears that this information was backed up and then stored on a publicly accessible web server, where anyone with the link could access it. This is more a case of negligence than a data breach, but there are simple, practical steps you can take to prevent this from happening.
Identify your sensitive data
Whether it is personal information or other sensitive company information, you need to know what this information is and where it is being stored. A data classification policy can really help you make sense of how to classify your data. There are many free templates available online that could get you going in a matter of hours.
Once you have classified your data, ensure that only staff who have had the necessary training and who need to access this information have access to it. Only staff members who know how to secure databases should be working on databases that contain privileged information, and no one who does not need to access these databases should be able to access them.
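One way to check where backups have ended up, as an added example that is not part of the original article: the Python script below walks a web server's document root and flags files that look like database dumps or archives, by extension and by their leading bytes. The extension list, the signature list and the constructed sample directory are assumptions made for illustration.

```python
import os
import tempfile

# Extensions often used for dumps and archives (assumed starting list, not exhaustive).
SUSPECT_EXTENSIONS = {".sql", ".bak", ".dump", ".gz", ".tgz", ".zip", ".7z", ".tar"}

# Leading bytes that identify dump or archive content even if the file was renamed.
SIGNATURES = {
    b"-- MySQL dump": "mysqldump output",
    b"PGDMP": "PostgreSQL custom-format dump",
    b"SQLite format 3\x00": "SQLite database",
    b"\x1f\x8b": "gzip archive",
    b"PK\x03\x04": "zip archive",
}

def classify(path):
    """Return a reason string if the file looks like a backup, else None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, label in SIGNATURES.items():
        if head.startswith(magic):
            return label
    ext = os.path.splitext(path)[1].lower()
    return "suspect extension " + ext if ext in SUSPECT_EXTENSIONS else None

def audit_docroot(docroot):
    """Walk a document root and list (relative path, reason) for likely backups."""
    findings = []
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(folder, name)
            try:
                reason = classify(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if reason:
                findings.append((os.path.relpath(path, docroot), reason))
    return sorted(findings)

def build_sample_docroot():
    """Constructed sample: a tiny document root holding two stray backups."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "old"))
    samples = {
        "index.html": b"<html>pay your fine</html>",
        "db_backup.sql": b"CREATE TABLE users (id INT);",
        os.path.join("old", "notes.txt"): b"-- MySQL dump 10.13\n",  # renamed dump
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reason in audit_docroot(build_sample_docroot()):
        print(f"{rel}: {reason}")
```

Point `audit_docroot` at the directory your web server actually serves; any hit is a file that should be moved out of the served tree.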
Encrypt the data
Ensure that even if the databases that store privileged data are not publicly accessible on the internet, the information in them is still encrypted. This will ensure that even if someone manages to access the data, they would still not be able to make use of it. There are some simple tools freely available online that allow individuals to encrypt their data, but if you are a large corporation or have a large amount of privileged information in your enterprise, you will need to look at capable, scalable and low-impact database encryption tools like Vormetric Enterprise Database Encryption.
Ensure that your website is secure
Even if you don’t store massive amounts of sensitive data on publicly accessible web servers, you still need to make sure that your domains are secure and that your customers can securely connect with your company through its website. The best way to check this is to look for the ‘Secure’ tab with a little lock in the address bar of your web browser. This indicates that your website is secured with a TLS certificate. If you don’t have this, some web browsers will not even open your website, alerting the user that it is insecure, and you stand the chance of losing many potential customers.
Make sure you send your emails securely
One of the largest causes, if not the single largest cause, of sensitive information being lost or stolen is email. Email is linked to the human factor, and people often don’t think before they send. In this way, huge amounts of sensitive information could leave your company without you even being aware.
In addition, phishing (the practice of obtaining sensitive information about a person or company through email by pretending to be a reputable company or someone they know) is on the rise, and over 95% of all attacks on enterprise networks are the result of successful spear phishing attacks. Email could be your largest single point of failure when it comes to losing confidential information, and not enough companies are taking steps to prevent data loss through email. The major reason for this is that email is difficult to secure and employees don’t want to take additional steps to secure their email. Unfortunately, no company can run the risk of not securing email anymore, and there are solutions that integrate seamlessly into your business without the hassle of extra steps.
Cybercrime is on the rise and securing your information infrastructure is not negotiable anymore. If you would like to speak to someone who has been at the forefront of the industry for 12 years, with the necessary knowledge and experience, backed up by best-of-breed information security products, please make contact with LAWtrust today by clicking on this link.