Cybersecurity threats are all around us—from hackers causing mischief to organized crime syndicates pursuing financial gain to nation-states conducting espionage. The primary goal of cybercriminals is to gain access to corporate and/or personal data. The value of this data does not lie only in its direct use, such as opening new credit card accounts or breaking into a company server. A vibrant market exists on the Deep Web for selling credentials and sensitive information to other cybercriminals.
In this article, we cover some of the best practices to protect sensitive information and your own privacy.
Classify Your Data Accordingly
Responsible information management begins with understanding the types of data being handled and classifying it accordingly. The growth of social collaboration and new ways of collecting data and storing content exposes organizations to evolving security risks.
That’s why it’s important to classify, label and protect the content that is being used, both inside and outside of organizational boundaries. Classification also applies to content that contains sensitive information, such as credit card numbers or social security numbers.
Five classifications define the level of protection applied to emails and content:
- Personal is for personal use only and contains only nonbusiness data.
- Public is for business data specifically prepared and approved for public consumption.
- General is for business data not intended for public consumption but which can be shared with external partners as required.
- Confidential is for sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, sales reports, and security assessments.
- Highly Confidential is for very sensitive business data, such as personal employee and customer information, passwords, and financial reports that have not yet been announced.
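The labeling step above can be partly automated. The following is an added example (not from the original article) that applies the author's declared label and raises it to Highly Confidential when the content contains a Luhn-valid credit card number or a US social security number; the regular expressions and the `classify` function are illustrative assumptions, not a complete DLP rule set.

```python
import re

# The five classification levels from the article, least to most sensitive.
LEVELS = ["Personal", "Public", "General", "Confidential", "Highly Confidential"]

# Constructed, illustrative patterns: 13-19 digit runs with optional separators
# (payment card numbers) and the nnn-nn-nnnn form (US SSN, with invalid groups excluded).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return the kinds of sensitive identifiers found in text (deduplicated)."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # only the whole matched run is checked
            found.append("credit_card")
            break
    if SSN_RE.search(text):
        found.append("ssn")
    return found


def classify(text: str, declared: str = "General") -> dict:
    """Keep the declared label unless sensitive identifiers require Highly Confidential."""
    if declared not in LEVELS:
        raise ValueError(f"unknown classification: {declared}")
    reasons = find_sensitive(text)
    label = declared
    if reasons and LEVELS.index(declared) < LEVELS.index("Highly Confidential"):
        label = "Highly Confidential"
    return {"label": label, "reasons": reasons}
```

A Luhn-invalid digit run such as a random 16-digit order number does not trigger the card rule, which keeps false positives down; a detection tool would add other identifiers and keyword rules for the Confidential tier.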
Access Should Only Be Given to the Right Individuals
Identity and Access Management allows the right individuals to access the right resources at the right times for the right reasons. Employees should be granted authorization based on business needs and in alignment with the Identity and Access Management policy and process.
Multifactor authentication is a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It is also referred to as two-factor authentication when exactly two methods of verification are required.
Multifactor authentication works by requiring any two or more verification methods, drawn from:
- something you know, typically a password or PIN;
- something you have, such as a trusted device like a phone; and
- something you are—your fingerprint, facial shape, or other unique attributes that can’t be replicated.
Delegate Minimum Level of Access to Users and Systems
Users and systems should only have the minimum level of access necessary to perform their defined functions. All unnecessary levels of access should be disallowed. Privileges should be allocated on a need-to-know basis and, where possible, event by event so that accounts have only the minimum level of access for their functional role and only for as long as needed to complete the task.
For access to sensitive infrastructure, applications and data, use a strategy of just-in-time and just-enough-administration access. This allows privileged accounts to be tracked and audited and limits the amount of privileged access to sensitive resources. Persistent administrative credentials leave many organizations exposed to harm, as intruders can use them to move laterally across the network and cause further damage.
It is important to leverage these best practices through enterprise identity, security and cybersecurity technologies.
Maintaining appropriate protections for data based on its value or the risk it poses to the organization is the cornerstone of privacy. Additionally, tightly restricting access to infrastructure, applications and data to those who have a business need, and only for the time needed, is a critical step in helping ensure your organization is protected from intrusion and disruption.
At the end of the day, taking the appropriate steps will help protect your sensitive information and your own privacy, both online and offline.