By now, you’ve probably heard a lot about Anonymous, the elusive “hacktivist” group credited with breaking into national and even multinational organizations all over the world, including Bank of America, the Vatican, and many more – even the FBI. Whether you consider Anonymous villains or heroes, it’s time to ask the business questions their actions raise. How do these hackers get into major corporations that surely have extensive firewalls and security procedures? And once they are through those outer walls, how do they reach private or protected data? Most importantly: how can I protect my organization’s data from cyber criminals?
Protecting Your Castle
All feudalism aside, your organization’s network security is structured like a castle. At minimum, a castle has a protective outer wall, a secure inner wall, and at the center is the keep, which contains the people and supplies that require the utmost protection. (Let’s keep the metaphor simple.)
Your castle’s outer wall, your first line of defense between a hacker and your server, is your firewall. The firewall inspects the traffic moving in and out and blocks certain types or sources of communication from entering your network. Keep in mind what a firewall actually does: it decides which connections are allowed, by port, protocol and source. It does not, by itself, recognize malicious code inside traffic it has already allowed; that is the job of intrusion detection and anti-malware tools behind it.
Attacked! *A hacker gets around your outer wall with a well-disguised virus, or sneaks in through the back door: a service you left reachable through the firewall. Or a group of hackers floods your server with traffic until it can no longer answer legitimate users. (This is called a distributed denial of service attack, or DDoS. It doesn’t get the attacker inside; it is a siege that shuts the gate for everyone.)*
Your castle’s inner wall, or network security, protects what sits behind the firewall: the servers, accounts and shares on your internal network. This is where most of the vulnerability lives, because although most organizations have reasonably good firewall defenses, security inside the network is often neglected.
Attacked! *The hackers are in; they’ve breached the firewall. Maybe you’ve neglected your network security with something as simple as an easily guessed administrator password. Or maybe your network is vulnerable by nature: even a relatively inexperienced hacker can move around inside it, because basic password recovery and administrative lockout recovery tools are freely available and work just as well for an intruder as for an administrator.*
The Data in Your Keep
This is it; the hackers are all the way in, and they’re ready to grab what they want and run. If they gain access to your actual data, there’s only one line of defense remaining: data encryption.
Is your data encrypted?
If so, you’ve foiled the cyber criminals trying to read your private data. Properly encrypted data is useless to a thief who does not also hold the key: with modern ciphers, guessing the key is not a matter of years or decades but is out of reach altogether, so the stolen copy is not worth the hassle. That comes with one condition. Encryption only helps if the key is not sitting on the same server the attacker just took over. If not encrypted, those cyber criminals will take your information and use it for their own purposes. Credit card numbers? Social security numbers? Medical information? All free for the taking.
And therein lies the problem that groups like Anonymous so often expose: so many major companies and organizations are storing tons of private data without encryption! (Not to mention that Anonymous itself often points to this as a major vulnerability when it publishes what it took.)
You should assume that a determined, experienced hacker will eventually get past your firewall and your network security, whatever you do. Your absolute best and last defense is data encryption.
Risk Your Data, Risk Your Organization
There are federal regulations requiring organizations to secure specific information. Therefore, leaving your data vulnerable means additional legal risks to your organization. Maybe you run a social service agency (or business) that provides services to citizens or customers, such as alcohol or drug abuse services or loan counseling services. Maybe your business has access to the homes of your customers, such as a security or locksmith company. If that sensitive information is stored on a database but not encrypted, then you’re putting both your organization and any affiliated citizens at risk.
All organizations should encrypt data, especially:
- Any organization that provides educational services to children or adults
- Any organization that receives federal grant money
- Any organization that receives money from Medicare or Medicaid
- Any organization providing any sort of medical care
- Any organization that stores information that includes name, birth date and/or social security number, especially for persons under the age of 18
Critical + Simple + Inexpensive = Worth It
You can follow some basic guidelines to be sure your data is properly encrypted.
If your data is stored on another party’s server… Be sure your service provider uses an encrypted connection (SSL, or its successor TLS) whenever you retrieve data. You can recognize it by the small padlock icon in your browser’s address bar; click the padlock to view the details of the security certificate. Remember, though, that this protects data while it travels between you and the provider. It says nothing about how the data is stored once it arrives.
When storing protected information on another party's server, it is imperative that the database (or data) be encrypted at rest. This may cost a little more per month, but it's worth it. Ask who holds the encryption key: if the provider holds it alongside the data, a breach of the provider exposes your data too. Also, make sure the service provider has documented policies for encryption practices, disaster recovery and uptime guarantees.
If your data is housed on your own server… You have two main options. 1. If you have a Windows server, your network administrator or a network professional can install Certificate Services, which lets you issue your own certificates, and then use the encryption built into Windows to lock down your data: Encrypting File System (EFS) for files and folders, BitLocker for a whole drive, or the database's own encryption feature for the database itself. Once your data is encrypted, back up the encryption certificate and its private key to a secure location that is not on your server and not reachable from the Internet. This way, only the person (or people) with that key can recover the data if the server is lost. 2. Your other option is to pay for an SSL security certificate from a reputable and well-known certificate authority, such as Verisign. Be clear about what this buys you: a certificate from a public authority protects the connection between your users and your server, not the data stored on it, so it complements option 1 rather than replacing it. Wikipedia offers a helpful comparison of SSL certificate offerings for web servers, including verification level, cost and more.
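As an added example (not from the original article), here is what option 1 looks like in practice on a Windows server using EFS, run from an elevated PowerShell session as the account that will own the files. The folder path, the removable-drive letter and the file names are assumptions for illustration. The `cipher.exe` tool ships with Windows; `/E` encrypts, `/C` shows who can decrypt, and `/X` backs up the current user's EFS certificate and private key to a password-protected .pfx file.

```powershell
# Added example: encrypt a data folder with EFS and get the key off the server.
# $DataDir and $BackupDir are assumptions; $BackupDir should be removable media,
# never a network share or a folder on the server itself.

$DataDir   = 'D:\ProtectedData'
$BackupDir = 'E:\efs-key-backup'

# 1. Encrypt the folder and everything under it. Files created here later inherit encryption.
cipher.exe /E "/S:$DataDir"

# 2. Verify: every file should carry the Encrypted attribute, and /C lists who can decrypt it.
Get-ChildItem -Path $DataDir -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        File      = $_.FullName
        Encrypted = (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
    }
}
cipher.exe /C "$DataDir\*"

# 3. Back up the EFS certificate and private key to a .pfx on the removable drive.
#    cipher prompts for a password; keep the password separate from the .pfx.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
cipher.exe /X "$BackupDir\efs-key-$env:USERNAME-$(Get-Date -Format yyyyMMdd)"

# 4. Confirm the backup landed on the removable drive before it is unplugged and locked away.
if (-not (Test-Path "$BackupDir\*.pfx")) {
    throw "EFS key backup not found in $BackupDir; do not continue until it exists."
}
```

One caveat the padlock-and-key picture hides: the account that encrypted the files still has a working copy of the key in its Windows profile, because the server has to read its own data. The .pfx you carried offline is for recovery, and it also lets you rebuild access if the server is rebuilt. An attacker who takes over that account reads the data just as the account does, so the strength of this scheme still depends on protecting that account and its password.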
Your server is always at risk of attack, so keeping the data on it encrypted is not optional. Don’t risk the integrity of your data, or of your organization, by overlooking this critical security feature.