How to Keep Your Company Data Secure

Most of her Tuck classmates graduated with an industry-focused outlook, like brand marketing or investment banking. Alison Connolly T’11 just knew she wanted to live in Denver. After several years as an independent consultant, Connolly met the founders of DarkOwl. That’s when she fell in love with an industry: cybersecurity.

Of course what Connolly finds fascinating, most corporate leaders find cold-sweat terrifying: millions of stolen login credentials, credit cards, and social security numbers, plus an abundance of weapons, drugs, and other illegal goods that are for sale or are simply on display on the darknet, an untraceable network of websites that aren’t indexed or searchable like the Internet we are all familiar with. As director of strategic partnerships for DarkOwl, Connolly sells subscriptions to the company’s proprietary database of darknet content, a kind of search engine of hacker activity, updated in real-time. With it, companies, governments, and investigators can track and monitor any relevant data hacks and breaches and limit the damage that comes from having proprietary information exposed.

We asked Connolly for advice about how companies can keep their data secure.

The biggest threat is that we’re all human

Organizations tend to be overly suspicious about ‘insider threats’ when in reality the much bigger threat stems from the fact that employees are simply human: we leave our laptops at conferences, use weak passwords, log on via unsecured wifi networks, click on attachments from strangers, etc. When you plan cybersecurity efforts, realize that employees acting in good faith are often the weakest link.

The C-suite is the weakest link of all

The best targets are the people highest up in an organization. If a hacker gets their hands on their credentials, not only do they have access to the most information, but an email sent from their account—regardless of who is really sending it—will carry the most weight with clients and employees. The C-suite gets more emails than anyone else, and we’ve seen time and again that because they’re so busy, they actually tend to be more lax with cyber safety protocols. They think they’re immune to their own policies. Top executives also are on the road a lot, making them more likely to use an easily-hacked public coffee shop or hotel wifi network for sensitive activities when perhaps they shouldn’t.

Look both internally and externally

Most companies pay the most attention to internal cybersecurity, like firewalls, looking through logs for outliers in volume, and monitoring email traffic. But corporations can’t just sit inside the fence waiting for attacks. The average time between a company being hacked and realizing that it has been hacked is greater than 200 days. To shorten that time gap, they need to look externally to places that the hackers themselves are using—places like the darknet—for an indication of leaks. DarkOwl monitoring, for example, would alert you right away if any email addresses and passwords from your domain were posted on the darknet. That can often help trace the breach to a specific office or even a single point of sale credit card machine. Ten years ago, companies thought, “Why would we need to monitor our social media presence?” I think the darknet is on a similar trendline. Every organization is going to have to monitor it in some way to stay ahead of the potential threats they’re facing.

Two-factor authentication is a no brainer

Eighty-five percent of breaches are caused by someone with access to credentials and passwords who shouldn’t have them. Once they’re inside of the network, they can act as an employee and wreak all kinds of havoc. If everyone has two-factor authentication, employees need a username and password to log in, but also something the employee physically has, like a mobile phone or a token, making it much more difficult for threat actors to impersonate them. That may have once seemed like overkill, but these days, it’s just a no brainer for everyone.

All devices are work devices

We want to be able to access our personal and business email everywhere, but that blurs the lines between a work device and a personal one. Whose job is it to secure an employee’s personal device? Is it them? The company? Apple or Microsoft? Wider device access to company information brings convenience and productivity, but also exposure to risk. Companies need to have a say in the security of employees’ personal devices if they’re used for work.

Build a culture of data protection

While nobody wants to have a company culture of paranoia, it is important to educate employees about cybersecurity—things like phishing schemes and password hygiene—and make sure they feel some ownership around the policies that exist to protect their info. In addition to proprietary information and customer data, a company has plenty of personal data on employees themselves—social security numbers, bank routing numbers, W2s—so everyone has skin in the game.

Fess up if you mess up

I know our IT department well, and I never feel embarrassed to ask them, “Is this legit? Is this phishing?” Or to tell them that I messed up and clicked something I probably shouldn’t have. Build an awareness with employees that it’s ok to say you might have messed up, or that something seems a little off. Transparency is key. Don’t make employees so worried about the consequences of making a mistake that they’re embarrassed to say, “I messed up.” And make sure if they do, they know who to tell.

Hear more from Alison during her latest visit to Tuck as part of the Britt Technology Impact Series presented by the Center for Digital Strategies. In the video below, she explains what the darknet is and why it’s important in determining if you or your company have been hacked.