… every day.
For nearly a decade, studies have shown that human error is the number one cause of data loss. A 2007 study revealed that “user error” was the cause of at least half of all sensitive data losses, and deliberate or accidental policy violations caused another 25%. In 2015, human error was still the number one cause of data loss at 24%. The numbers are much higher if you include data breaches as data loss, which we have not done here.
So what does this mean for you?
The simple fact is that your data protection infrastructure can't be effective if your staff is untrained, unaware, or unwilling to follow procedures. Employees interact with dozens of different systems in a network, and can accidentally create havoc on almost all of them just through everyday activities:
- Permanently deleting the wrong data
- Physically damaging a mission-critical system (spilling a liquid, dropping a storage device, etc.)
- Inserting an infected USB disk that was found in the parking lot
- Opening an attachment that includes malware
- Entering credentials into a phishing website
- Re-using passwords for corporate and personal accounts
- Downloading something “free” from the Internet
- Losing a laptop or other critical item through theft or mishap
Any one of these things can take the employee or network offline. A solid data protection plan can help minimize the downtime.
One of the problems for SMEs is that they are comfortable with their teams. They don't have the security and management policies that the larger enterprises use to protect data. SMEs should take a look at their risks from a few different angles:
Data Access: Configure user permissions to the lowest possible level for users to work effectively. If your employees only need access to email, a couple of applications and a printer, don't give them access to anything else. If you have a web security gateway in place, restrict the sites that aren't necessary or aren't acceptable for use in the office.
Email Security: Deploy a modern email gateway that offers robust protection against spam, viruses, phishing, typosquatting, and more. Email is the number one threat vector; most of the attacks against your system will try to get in through an employee inbox. Be sure to choose an email security gateway that offers Advanced Threat Protection and sandboxing. Don't forget to provide ongoing training and reinforcement to employees on how to identify suspicious emails.
Physical Security: Remind users to keep laptops and other mobile devices hidden while being stored in vehicles, and secure while being kept at home. Don't forget to share the risks of using a USB drive of unknown origin.
User Access: Create user accounts that allow the employees to do their work without nuisance interruptions. Provide standard user accounts for operating systems and keep administrator accounts to a minimum.
SME employees don't always appreciate the importance of security policies that restrict access to websites or applications. Long-term employees sometimes resist security policies because they feel untrusted, or they don't understand the need. It may be important to communicate that these policies protect the company, customers, suppliers, and employees. If you're in the middle of managing a cultural shift, you will have to do more than just reconfigure accounts. Make sure you know how much you can tell them about the new security paradigm, and think about how you'll be explaining these changes.
World Backup Day
While most of this post has been about protecting data from your users, this is ultimately a conversation about World Backup Day. We started this week with an infographic outlining the most common reasons for data loss, and we end it here with a reminder why there is a World Backup Day.
We all know that every day should be a backup day. The thought of a single annual backup is ridiculous. And on an individual level, backup is hard to NOT have. Your email is probably backed up by your ISP, your photos by iCloud, your documents by Google or OneDrive. For your company, you may use a backup-as-a-service provider, or you may have deployed a cloud-to-cloud solution that protects all of your Office 365 deployment. These solutions free up your time and allow you to work on other things. There's no changing tapes, no swapping out drives, no taking cartridges to the safe deposit box every quarter. Backup has come a long way.
Still, you do have to make sure these things are working as expected, and these are the things that are often overlooked. Run regular fire drills to test your process. Check your logs and follow up on errors. Evaluate changes in the network to make sure that all the critical data is being backed up. Consult with stakeholders to make sure the value of their data is the same as last time you checked.
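One way to run the fire drill described above, as an added example that is not from the original post: restore a backup to a scratch location and compare it file by file with the data it is supposed to protect. The function names, directory names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def verify_restore(source_root, restored_root):
    """Compare a test restore against the protected data; return discrepancies."""
    source = build_manifest(source_root)
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(source) - set(restored)),    # not in the backup at all
        "mismatch": sorted(p for p in source.keys() & restored.keys()
                           if source[p] != restored[p]),   # restored content differs
        "extra": sorted(set(restored) - set(source)),      # deleted since the backup ran
    }

def drill_passed(report):
    # Missing or mismatched files fail the drill; extras only need a review.
    return not report["missing"] and not report["mismatch"]

def demo():
    """Constructed sample: one share outside backup scope, one truncated file."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        files = {"finance/ledger.csv": b"2024,100\n",
                 "hr/contracts.txt": b"signed\n",
                 "projects/new-share/plan.md": b"draft\n"}  # share added after job setup
        for rel, data in files.items():
            for base in (live, restored):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        (restored / "projects/new-share/plan.md").unlink()   # never backed up
        (restored / "hr/contracts.txt").write_bytes(b"sig")  # damaged on restore
        return verify_restore(live, restored)

if __name__ == "__main__":
    report = demo()
    print(report, "PASS" if drill_passed(report) else "FAIL")
```

Files edited since the backup ran will also show up as mismatches, so compare against a manifest captured when the backup job finished rather than against live data that has moved on.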
And if you're already doing all of that, think of March 31 as the day that the world asks if you missed anything.