As we connect more of our business to online networks, cybersecurity is less a theoretical exercise and more about anticipating a future certainty. Emily Keimig, a member of law firm Sherman & Howard’s labor and employment, and litigation departments, worries that not enough business owners take stock of the kind of data they’re storing and who has access to it.
“The No. 1 issue I see causing problems for companies is that they fail to prioritize the value of their data,” she said. “They don’t cordon off data in their network or in the cloud … by subject matter or topic. They allow anybody who has access to the network to have access to everything on the network.”
When Keimig advises companies on data security issues, she has them start by drawing a map of all the different types of data they store and who has access to it.
“For instance, with respect to employees’ data, that’s a discrete data group. It’s also a data group that tends to have a lot of sensitive information in it, and not everybody in an organization needs to have access to that,” Keimig said.
Donnie McLaughlin, cofounder and lead consultant for Cornerstone Partners, a cybersecurity consultancy based in Denver, agrees that business owners need to take stock of how much access employees have on their computers.
“One of the biggest issues that we see, especially with small businesses, [is that] they usually give employees too much access, too much control over their computers,” he explained. Some employees may have local administrator rights on their devices, “meaning you can install whatever program you want without somebody approving it.”
In some cases, builders might need to assess the physical access to their network, McLaughlin noted.
“We actually did an engagement with a construction company recently. We walked right into the trailer, walked past four or five people, sat down at an unlocked computer and gained access, and nobody said a word,” he said.
Passwords and encryption
More sensitive data, whether it’s employee information or intellectual property, should have additional layers of protection, like password protection or encryption.
McLaughlin said that bad password hygiene is a common problem. Sharing and reusing passwords, and not using strong passwords, expose a business to a data breach.
“There’s a 70% chance that that password’s going to be their login for almost everything they use,” McLaughlin said. If hackers get their hands on one password, there’s a good chance they can access multiple accounts or networks. He encourages his clients to use a password vault. Password vaults or managers, like LastPass or BitLocker, let firms create and store strong passwords.