Businesses increasingly feel the effects of data breaches. The consequences range from compromised client or customer data to third-party control over the entire business operation. The direct costs can be significant, and when legal liabilities, cleanup costs, lost productivity and the fallout from stolen data are added up, they can threaten the viability of small businesses and seriously harm big ones.
Security measures shield you not only from financial risk but also from the business disruption and reputational harm a breach causes. We present 5 actions you should take to provide legal and practical safety for your business and its customers.
First things first: you need to know what is happening and which risks can hit your business. The two main risks to look at here are ransomware and phishing.
Ransomware is malicious software that encrypts your data, locking you out of it, and then demands payment for the key. Massive attacks like the 2017 global WannaCry outbreak cost companies and governments hundreds of millions in damage, from unusable systems to recovery costs. There are solutions, and Nextcloud actually provides no less than two powerful tools to detect and recover from ransomware attacks, the latter developed by researchers from the University of Konstanz in Germany. Learn more here.
Phishing is a trick scammers use to get information from you, often so they can impersonate you to steal from your contacts, or simply to steal directly from you. Check carefully who an email comes from, and don't open attachments, or even the email itself, from unknown contacts. Note that spoofing a sender so a message appears to come from an official account is not hard, be it Google, Yahoo, PayPal or a business you work with! Train your employees to ask a colleague for a second opinion if they're suspicious about an email.
Consider blocking attachments and requiring documents to be exchanged exclusively over your Nextcloud server. Send customers and partners an upload link: no more anonymous, unexpected attachments! The Nextcloud Outlook Add-in makes it a breeze to send a public upload link to a customer and even notifies your users when the recipient has uploaded files.
We already mentioned training employees. This goes beyond people: make sure you use two-factor authentication, have a strong company firewall and anti-virus software (Nextcloud offers built-in virus scanner support). Take care to configure systems properly: computers should lock and ask for a password after a period of inactivity, for example.
Passwords are a special case. We've learned, over time, that the typical policy of requiring 'complicated' passwords that are changed regularly does not work. People are bad at remembering random strings of characters, while computers are quite good at cracking them, especially when people, on each forced change, just bump the number at the end. P@$sW0rD16 is much harder to remember than it is to crack. Passphrases are the future, including the famous CorrectHorseBatteryStaple from XKCD.
Nextcloud can not only enforce a password policy but also automatically check new passwords against the list of breached passwords collected by security researcher Troy Hunt (Have I Been Pwned).
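To make the breached-password check concrete, here is an added example (written for this article, not Nextcloud's own password policy code) of the k-anonymity lookup that Have I Been Pwned offers: only the first five hex characters of the password's SHA-1 leave your machine, and the returned candidate suffixes are compared locally. The policy wrapper deliberately checks length and breach status rather than "complexity", in line with the point made above. The offline fixture, the counts in it and the `fetch_range_offline` helper are constructed for the example; only the SHA-1 of "password" is real.

```python
"""Breached-password check against Have I Been Pwned (HIBP) using the
k-anonymity range API, plus a small length-and-breach policy wrapper.

Added example, not Nextcloud's own code. The offline fixture below is
constructed for this example; only the SHA-1 of "password" is real.
"""
import hashlib
import urllib.request
from typing import Callable, List

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form HIBP publishes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_live(prefix: str) -> str:
    """Fetch the real range response for a 5-hex-char prefix (needs network).

    Only the prefix leaves the machine, so HIBP never sees the full hash,
    let alone the password; that is the k-anonymity property.
    """
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline fixture mimicking a range response body:
# "<35-hex-char suffix>:<count>" lines. The first suffix is the real SHA-1
# suffix of "password" (prefix 5BAA6); the count and the other lines are
# made up for this example.
OFFLINE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0A1B2C3D4E5F60718293A4B5C6D7E8F9012:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def fetch_range_offline(prefix: str) -> str:
    """Stand-in fetcher for tests and air-gapped runs (ignores the prefix)."""
    return OFFLINE_RANGE_BODY


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return how many times the password appears in breach data (0 = unseen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def check_policy(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_live,
                 min_length: int = 12) -> List[str]:
    """Length-plus-breach policy: returns the reasons a password fails (empty = ok).

    Deliberately no "must contain a digit and a symbol" rule: that pushes
    people toward P@$sW0rD16-style patterns that crack quickly. Length and
    "not already leaked" carry far more weight.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"found {seen} times in breach data")
    return problems


if __name__ == "__main__":
    # Offline demo; swap in fetch_range_live to query HIBP for real.
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), check_policy(pw, fetch_range_offline) or "ok")
```

Run against the live API, the same passphrase example would almost certainly be reported as breached too, since CorrectHorseBatteryStaple has been famous for years; the lesson is to generate your own passphrase, not to reuse the one from the comic.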
Encryption matters in two ways. First, it of course makes stolen data far less useful to whoever took it. Second, it goes a long way toward showing your business has done its best to secure data, decreasing liability if something goes wrong.
There are encryption solutions for laptops and mobile devices, and Nextcloud employs several layers of encryption to secure data in transit and at rest; learn more in this blog.
With ransomware such a big threat, good backups are crucial. While Nextcloud has file versioning built in and ways to use it to recover from ransomware attacks, this is no substitute for proper backups. Back up your business data regularly, and keep at least one copy offline or otherwise out of reach of the systems that could be infected, so you're well positioned in case of an attack!
Nearly the opposite of backup, retention policy is usually a very low priority in businesses. But there are legal reasons why some data must be kept for a certain period, while other data, like customer information or credit card numbers, should be deleted as soon as it is no longer needed so it cannot become a target. Keep an eye on your retention policy! If data is stored on Nextcloud, its built-in tagging and retention features can help you ensure data stays as long as needed, and not longer.
Even after all these precautions, there is a chance of a security breach. Be sure to have a plan for dealing with one. The GDPR requires you to notify your supervisory authority within 72 hours and, where the risk to them is high, the affected users, and many countries have laws that require you to inform a government agency. You'll need a lawyer to review the risks, and having a plan that has had legal review can even help reduce liability.
The risk a data leak poses to a business is significant, and having proper precautions and a plan makes all the difference. Think about it!
Using a File Sync and Share solution, or, as they're called these days, a Content Collaboration Platform like Nextcloud, means you immediately cover several of these points, but there is data beyond what is in your private cloud.