We're always keen to simplify cyber security, as we often find that when things get a little more technical (e.g. terms such as 'databases'), key decision makers who need to be engaging in the topic can take it as a cue to retreat.
Although you might not be anywhere near responsible for physically maintaining a database, below are a few basic concepts which should help you think about your data, how to talk about it, and how to secure it:
> Authentication
- A huge number of incidents stem from databases being misconfigured to allow anyone access. As per any other account, databases need to have strong password/2FA and protected admin accounts.
- Following on from the above point - who actually has access to the data in the databases? Who actually NEEDS to have access? In any circumstance, is it easy for someone to access the data and extract it? On that last one....
> Encryption
- Encrypting data makes sure that if it is lost or stolen, it is inaccessible. Recently we've seen the ICO hand out some hefty fines for data breach incidents. Whether or not data was encrypted will likely play a huge part in the outcomes of these sorts of incidents. In short, make sure that any data which, if leaked, would prove incredibly damaging to your company and/or those who it relates to, encrypt it.
> Back up your business critical data
- If anything does happen to that data, then you can restore from those backups. Usual caveats apply (e.g. know what's on them, test them, keep backups separate from internal network, consider using cloud storage)
> Patches/Updates:
- As with any other app, operating system, website, hardware - database software needs to be constantly patched to fix known vulnerabilities.
> Website vulnerabilities
- A common technique to manipulate data in a website's database is to insert malicious code into an entry field, such as an online form. If a website has a vulnerability, those malicious commands can allow attackers to bypass authentication. It's important to at least ask the question to your website provider/in-house teams how confident they are that you're protected against these types of attacks, and what evidence they have to show this.
> If you suffer a cyber attack, please report it.
We always encourage victims to report the crime to ActionFraud via phone (0300 123 2040) or website (
https://www.actionfraud.police.uk).