Keeping your data safe: Access Control

Cyberattacks are commonplace today. Malware such as viruses, worms and more recently ransomware not only corrupt your data or hold it hostage, but also inflict irreversible damage on your brand and business. As a norm, most businesses these days do invest in anti-virus, maybe a business-class firewall. But, is that really enough? The answer is–NO. Because, they often overlook one important aspect–access. Ask yourself, how easy is your data to access? How can you strengthen the walls that keep your data safe? Read this blog to find out.

Role-based access

Always follow a role-based access permission model–meaning people in your organization have access to ONLY the data they REALLY need. Generally, the higher the designation, the deeper the data access permission and stronger the rights. For example, someone at the executive level may not be able to edit your MIS spreadsheet, but a manager should be able to.

Formal password controls

No matter how good your cybersecurity, you need to ensure the protocols are followed at the ground level. Enforce policies regarding passwords strictly and hold violators accountable. Examples include-

• Password combinations – Ensure your staff follows the recommended best practices when selecting passwords so there are no ‘easy-to-crack’ passwords. Passwords should be complex: a random mixture of upper and lower case, numbers and symbols. They should also be a minimum of twelve characters. Adding just a few extra characters (non-repeating) greatly decreases the chances of an easy crack.
• Password sharing – Thoroughly discourage password sharing across your organization. No matter who asks for it, passwords shouldn’t be disclosed unless authorized as per the protocols.
• Password uniqueness – Every account should have a unique password so that if one is compromised, the same credentials cannot be used to compromise other accounts.
• Password age – Passwords should be changed periodically.
• Multifactor authentication – Enable secondary authentication when possible.

Patches and Obsolete Software

Reputable vendors regularly issue security updates for software—including on phones and tablets. Old software reaches end-of-life when the vendor will no longer issue patches. Access your data from systems with unpatched software leaves you at risk of compromise.

Hardware driver and firmware updates have become as important as software updates to protect against threats. Again, reputable vendors issue regular updates and equipment will reach and end-of-life as well.

Don’t ignore physical security

Virtual security is a must, but so is physical security. Though there is only so much physical access controls can do in keeping your data safe in the BYOD era of today, don’t overlook this aspect. Installation of CCTV cameras, biometrics/card-based access to your workspace/server rooms, etc. also have a role to play in data safety from the access perspective.

Papers with sensitive information should never be left unattended, in the open—say in a printer tray or on your desk when you leave your office. Locked drawers, locked file cabinets and safes should be used.

Mobile devices should be encrypted and have strong screenlocks that activate on short idle time limits.

Training & reinforcement

Finally, train…train…train. You need to train your employees on the protocols for data security and access so they don’t mess up accidentally. Conduct mock drills, refresher trainings, follow up with quarterly audits, and use positive and negative reinforcements to ensure everyone takes it seriously. Because, at the end of the day, no cybersecurity software is good enough, if the best practices related to data access are ignored.