In the past, we’ve emphasized the vital role of controlling data access. A single stolen password can grant cyber attackers entry to your network, underscoring the principle of least privilege. Additionally, neglecting to secure newly added network components is akin to only safeguarding half your home with a security system.
The convergence of these concepts highlights the challenge of unintended data sprawl. Ideally, all data would reside on one network with controlled access. Yet, the surge of Software-as-a-Service (SaaS) platforms has made achieving this near-impossible.
Many businesses rely on external software that stores data off their main network. Common examples range from accounting and HR systems to file-sharing platforms like Dropbox, messaging apps such as Slack, and even design software like Adobe.
While some of these programs are managed by IT teams, others are not, and even IT might lack access to certain applications due to valid reasons. This complexity magnifies the task of data awareness and security.
To that end, here are three other common places where sensitive data ends up being stored – and what you should consider doing if your data is in one of them, in order to avoid a data breach.
#1 – Personal Inboxes and Computers
Even before Covid it was common at some organizations for employees to send company files somewhere they could access them from home. But in the rapid transition to work-from-home status about a year ago, everyone was scrambling to do whatever they could to be productive. In many cases, this meant sending files from their business email to their personal email and then downloading them to their personal computers. Because of this, there may be dozens or hundreds of company files floating around on personal computers.
Businesses spend time thinking about their data security, but most people don’t implement a data control policy for their home PC. That’s why personal email inboxes and personal computers are two not-so-great places for company data. Most home PCs have at least some programs unpatched and many home networks have open ports. Many home PCs don’t even require a password to log in, so a compromised or stolen computer gives up its files with no further effort. And the problem doesn’t go away when the computer does, because most people don’t have their hard drives shredded when they get rid of their PC.
Hopefully, your organization has found great ways to get things done remotely that are both secure and productive in the past year. If so, this is a great time to make sure that company files that made their way to personal emails or personal computers are deleted.
#2 – A CRM or Marketing Platform
As mentioned earlier, SaaS software is popular and most businesses use at least one SaaS product. There’s nothing inherently wrong with having sensitive data stored on a SaaS product’s network. In fact, some of these networks are among the most carefully secured in the world, because so many thousands of companies rely on them being “unhackable.”
The problem is that they don’t have to be hacked for company data to leak out of them. If your IT team isn’t responsible for maintaining access, it’s possible that former employees’ credentials aren’t being revoked when they leave the company. This leaves behind “unmonitored accounts” – accounts nobody accesses or possibly even knows exist. If someone outside the company accessed these accounts with a stolen password, it’s likely that nobody would even notice until the data ended up on the dark web.
It’s a great idea for division leads to ensure that each piece of software that stores potentially sensitive data has a policy for data access and maintenance, and that the policy is actually being followed. It’s far more difficult and dangerous to locate and address years of data sprawl than it is to revisit access at least a couple of times a year.
#3 – On a Post-It Note
If you’re using passwords correctly, they’re hard to remember. They certainly didn’t get any easier when hackers made it necessary to add capital letters, numbers and symbols into the mix. Or when credential stuffing drove the need to use a different password for everything in our lives.
Everyone knows someone who puts their passwords in a notebook in their desk – or worse, on a Post-It note right next to their machine. But if a user’s password is on a Post-It note, you may as well have all of the data they can access on a Post-It note. Everyone who passes by their desk in the office (including vendors and contractors) can easily see it. It also wouldn’t take too strong of an imagination to think of a way that the Post-It note could fall out of a trash can and end up in the parking lot.
As frustrating as passwords can be, make sure your organization’s passwords are being protected! Teach employees not to leave their passwords out on desks. Strongly discourage the use of shared accounts and passwords. Don’t use the same password for more than a few months. Sometimes it can take years for weak passwords to cause big problems for companies. But once the problem arises, there’s no putting the toothpaste back in the tube.
To learn how WingSwept’s cybersecurity services can bring a new level of sensitive data storage to your company, call us at 919-460-7011 or email us at Team_WingSwept@WingSwept.com.