Safeguarding sensitive member and client information needs to be a priority for organisations as data breaches become more commonplace and harder to prevent.
Organisations hold data that is valuable, and vulnerable, to high-end cyber criminals, disgruntled staff, and competitors, says Nigel Phair, Director of the Centre for Internet Safety at the University of Canberra.
Information that identifies individuals is most at risk.
Stealing names is not much of a threat, but when combined with a date of birth, address or Medicare information, names become extremely valuable, says Phair.
Organisation size does not exclude a company from cyber risk either. Identity theft is rife, and even a tiny not-for-profit holds data that is valuable, he says.
Personal data held by not-for-profit organisations is worth as much as that held by big companies, but it may not be as well protected.
The most common errors that leave organisations vulnerable to attack by hackers are:
- Not maintaining software
Many organisations don't install security patches immediately, leaving their databases vulnerable to attack. Phair recommends installing updates and security patches, and ensuring antivirus software is up to date. Some organisations are still using Windows XP. Microsoft is not supporting it and there will be no more security updates. This means these organisations are unprotected and must change to a new operating system, he says.
- Careless passwords and system access
The first thing hackers go for is system privileges, says Phair. System privileges give people permission to view and modify computer files or databases. System administrators must not use default passwords and should regularly change them.
- Disgruntled insiders
Organisations should consider encrypting data to reduce the chance of theft by an insider. Disgruntled staff members or contractors who feel they haven't been paid enough may steal or maliciously alter data for money or revenge, says Phair.
- Lack of staff training
Staff need to understand what information is important to the organisation and the risks if it is compromised, he says. It all comes down to risk management. Make sure staff use strong and unique passwords that are changed every 90 days.
- Be alert for phishing
Phishing refers to a specially crafted email from an attacker that looks legitimate and attempts to trick you into divulging information. Be suspicious of links or attachments delivered via email that you didn't ask for, says Phair.
In other words...
- Big or small, all organisations need to protect their data from hackers.
- Keep software up to date and ensure passwords are strong and changed regularly.
- Encrypt data to reduce risk of insider attack and train staff appropriately.