Ten Best Practices to Prevent Data and Privacy Breaches

If you follow the guidance in these ten best practices you can prevent the vast majority of attacks.

The antics of groups like Anonymous and LulzSec over the past few months have made data breaches seem inevitable. If information security vendors like HBGary and RSA Security aren't safe, what hope does an average SMB have? It is true that there is no silver bullet, and no impervious network security, but there are a variety of things IT admins can do to prevent network breaches and protect data and privacy better.

The Web safety and online identity protection experts at SafetyWeb.com and myID.com helped put together a list of ten different data and privacy breach scenarios, along with suggestions and best practices to avoid them.

1. Data Breach Resulting From Poor Networking Choices. Names like Cisco and Sun are synonymous with enterprise-level networking technologies used in large IT departments around the world. Small or medium businesses, however, generally lack the budget necessary for equipment like that. If an SMB has a network infrastructures at all, it may be built around networking hardware designed for consumer use. Some may forego the use of routers at all, plugging directly into the Internet. Business owners can improve network security and block most threats by using a quality router, like a Netgear or Buffalo brand router and making sure to change the router password from the default.

2. Data Breach Resulting From Improper Shredding Practices. Dumpster diving identity thieves target businesses that throw out paperwork without shredding it. Most home shredders will suffice for small businesses in a pinch, but a commercial shredder is a wise investment if private information is printed and shredded daily. Make sure that documents with sensitive information or personally identifiable data are thoroughly shredded before disposal.

3. Tax Records Theft Around Tax Time. On a similar note, businesses need to pay extra attention to incoming and outgoing information related to taxes. Businesses must ensure that tax returns are dropped off at the post office and refunds are collected promptly from the mailbox. Identity thieves often steal tax returns from an outbox or mailbox.

4. Identity Theft Resulting From Public Databases. Individuals, especially business owners, often publish lots of information about themselves in public databases. It is a sort of catch-22 because a small business owner wants to maximize exposure while still protecting individual privacy. Businesses are registered with the county clerk, telephone numbers are in the phone book, many individuals have Facebook profiles with their address and date of birth. Many identity thieves can use information searchable publicly to construct a complete identity. SMBs need to think carefully about how and where to gain exposure for the business, and consider the consequences of sharing sensitive information publicly.

5. Identity Theft Resulting from Using a Personal Name Instead of Filing a DBA. Along those same line, sole proprietors that do not take the time to file a Doing Business As application are at a far higher risk of identity theft due to their personal name, rather than their business names, being published publicly.

6. Bank Fraud Due To Gap in Protection or Monitoring. Business owners know that it is vital to balance their accounts every month to ensure that checks are not being written out of business funds by embezzlers, but many businesses rarely, if ever, check what kind of credit accounts have been opened under the business name. Monitoring services like myID.com can alert business owners when new credit accounts are opened fraudulently.

7. Poor E-mailing Standards. Many businesses use email as if it is a secure means of communicating sensitive or confidential information. The reality is pretty much the exact opposite. Emails are available to a number of people other than the recipient, and there is generally ample opportunity for email communications to be intercepted in transit. It's more appropriate to treat emails as postcards, rather than sealed letters.

8. Failing to Choose a Secure Password. Use secure passwords. Please. In fact, many security experts are recommending the use of a pass phrase, rather than a password. Pass phrases are several words long, at least three, and are far more secure than passwords. A pass phrase like "friday blue jeans" can be typed far quicker than a complicated password, and it doesn't need to be written down on a scrap of paper stuck to a monitor to remember it.

9. Not Securing New Computers or Hard Drives. Businesses that do not have a dedicated IT department or information security administrator should seriously consider using outside consultants to secure and lock down PCs and hardware. If the security controls available within an OS like Windows 7 are enabled and properly configured, most data breaches can be thwarted.

10. Social Engineering. Social engineers are individuals that call and claim they are from another organization. Social networks like Facebook and LinkedIn are also at risk for attackers attempting to exploit the social framework to gain access to sensitive information. The attacker may even claim to be with a firm that a business owner does business with. If someone you do not know calls on the phone, or contacts you by email, or through a social network, be sure that it is the person you think it is before revealing passwords or confidential information. Better yet, have a policy in place dictating who is allowed to reveal such information and under what circumstances.

If you take a look at these ten scenarios within your business, and follow the guidance provided, you can prevent the vast majority of data and privacy breach incidents

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsonline privacysoftwaredata protection

More about BuffaloBuffaloCiscoetworkFacebookNetgear AustraliaRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts