At the beginning of January, Octoly, a marketing firm based in Paris, France, that pairs celebrities with products as part of endorsement campaigns, inadvertently released the personal details of some of social media’s top names from the likes of YouTube, Instagram and Twitter as the result of a data breach.
Some of the data that was exposed included the true identity of these social media "stars" and influencers along with their physical addresses, phone numbers, email addresses and other personal details. The vast majority of those that were exposed were women.
It's an all-too-familiar sequence of events, and despite warnings from IT departments, vendors, security analysts and enterprise leaders, organizations just can’t secure their data. While there has been a great deal of talk about security and risk in relation to the data that drives the Internet of Things, it seems that data security around social networks has, to a certain extent, been overlooked. “The greatest risk presented in the Octoly's exposure was human, not financial. The leak of the personal details of over twelve thousand internet users with a degree of fame sufficient for major brands to seek their favor could have grave consequences,” wrote Dan O’Sullivan, Cyber Resilience Analyst with UpGuard, in a recent blog post. There are, however, a number of things that organizations can do to prevent it from happening to them.
Darrin Edelman, CEO at Token of Trust, a provider of ID Verification solutions to online merchants, has these three recommendations.
1. Don't Keep Data
The first thing small and large businesses should be asking themselves, according to Edelman, is “Do I really need this data?” This is a simple but effective strategy—what you don’t have cannot be breached, leaked or stolen. Having sensitive data about your customers is a liability and it comes with great responsibility. People’s lives and livelihoods are at stake since a breach by your organization could provide hackers with the bit of information they needed to get into a crucial account or make a fraudulent insurance claim.
2. Anonymize the Data You Do Need
If data is for future use, he added, data managers need to consider what data they really need on hand to accomplish goals as a business. Sure, maybe you do need your clients’ location information, but do you really need GPS coordinates accurate to 10 feet? Even better, he said, are cases where you just need to compare a future value to a value provided in the past—similar to a password. “Security questions are an interesting example of these—here you don’t need to keep my mother’s maiden name or my high school’s mascot on file (even encrypted) rather you could store it using the same approach we use for storage of passwords—using an irreversible hash allowing us to test that we have the same result later but not allowing us to extract that data,” he said.
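The hash-and-compare storage Edelman describes for security answers, as an added example that is not from the original article or from Token of Trust. The function names, the record layout and the scrypt cost parameters are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import unicodedata

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def normalize(answer: str) -> bytes:
    """Canonicalize so ' Smith', 'smith' and 'SMITH' all verify as the same answer."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split()).encode("utf-8")


def enroll(answer: str) -> dict:
    """Build the record to store: a per-record random salt and the hash, never the answer."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(answer), salt=salt, **SCRYPT)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash from the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(normalize(candidate), salt=salt, **SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    record = enroll("  Smith ")          # constructed sample answer
    print(record)                        # only salt and hash are ever persisted
    print(verify(record, "SMITH"))       # same answer, different case and spacing
    print(verify(record, "Smyth"))       # wrong answer
```

Answers such as a maiden name or a mascot come from a small set of likely values, so a salted, deliberately slow hash raises the cost of guessing after a leak but does not make the stored records safe to expose.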
3. Encrypt All Your Other Data
Consider what kind of data you need to access for operations. If you can figure out how to run your business so that users are involved whenever their data is going to be used, you can uniquely encrypt every record without holding the keys yourself. This makes it much more difficult for a would-be hacker to access your data, even if they get into the system.
4. Perform Routine Automatic Backups
For Nate Masterson of Farmingdale, N.J.-based Maple Holistics, an online store that sells health food and organic products, the key to securing any data in any network is backup. The dangers that any business or company faces regarding the safety and security of its data are likely to remain a challenge for many years to come. “Depending on the nature of your work, the importance of having secure data will vary. Obviously, there are some details that no company would like to have leaked or become vulnerable such as personal details of employees, financial records, credit card numbers, strategies,” Masterson said.
First, it’s imperative that you make automatic backups a regular thing and that they’re done as often as possible, he advises. If your business relies heavily on databases or keeping track of secure information, you’ll want to ensure that you back everything up on a weekly or at least monthly basis. It’s important that you do so on a device that is secure (such as an external drive), which you can then upload to a separate PC which is not connected to the internet or your place of work.
While some might prescribe using cloud-based drives, Masterson advises against this for really secure data as anything that is online is vulnerable to hacking (with enough effort). Most standard operating systems also have the ability to create automatic updates which you can set accordingly.
5. Add Tracking Software to Workplace PCs
Protecting your data from the outside world is a different matter. There are loads of security measures that you can set up to ensure that data remains safe. Masterson suggests, for example, that keeping track of your work PCs with spyware, so that there is a record of any harmful actions an employee may take to compromise your security or break your security policy (which every company should have, in written form, signed by both employee and employer), can go a long way in terms of both preventing mistakes from happening and having proof of what happened if they do.
6. Ensure You Have an Up to Date Antivirus That Suits Your Business Needs
You should also ensure that all of your PCs have adequate and regularly updated antivirus software to prevent them from becoming infected by viruses, by accident or on purpose. There are a lot to choose from and the needs of your company will dictate which antivirus you should opt for.
Always be sure to have regular meetings with staff reminding them of security policies, why they exist and informing them of the latest trends in phishing techniques or methods so that they’re up to date and can avoid making the same mistakes as others. This is simply good workplace etiquette and will go a long way in terms of keeping data and your systems secure.
7. Purposed Servers for Sensitive or Restricted Data
John Moore is a business professor at American Military University, an online university that has a headquarters in Charles Town, W.Va. He says he encourages students to be mindful of where data is stored and how it is accessed. One effective way to protect data from being shared by accident is to have a dedicated server for sensitive company material. Access to the data can only happen with the use of a password. Additionally, downloading the material requires an additional password. "Finally, I encourage my students to avoid saving data to removable drives. Too many incidents have happened where the portable drive is lost or is accessed via a wireless breaking," he says.
8. To Single Sign-On or Not to Single Sign-On
For Zachary Paruch, product manager and legal analyst at Termly, a company that provides free website policy resources and web-based policy creation software for individuals and businesses, single sign-on (SSO) is key to enterprise data security. According to him, at the moment most websites and online services offer single sign-on (SSO) capabilities — meaning that users can sign into a website or app using their login information from another site, usually a social media platform. It reduces password fatigue in users, and also reduces IT costs significantly, so for many organizations, the decision to enable SSO is an easy one.
However, small and medium-sized businesses should know that with SSO capabilities come several additional risks. One of these risks is the fact that with different sites and different levels of sign-ons and accounts, more and more user data may be spread across various platforms and servers. As more data is spread across all of these servers, it becomes more difficult for organizations to keep this data protected. Additionally, it becomes increasingly difficult to account for the collection and sharing of this data in a legally compliant way — that is, via their privacy policies. This means that in order to stop the spread of data across social platforms, one huge step organizations can take is to not enable SSO functionality in their website or application.
9. Implement Data Loss Prevention (DLP) Software
Mosaic451 is a cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America. Mike Baker is its Managing Director and he offers these two suggestions. Businesses must monitor the flow of outbound data. Data loss prevention systems can operate at the network level and the host level; these systems are configured with rules to detect important data that an educational facility owns and ensure it is being moved across a network properly and not off-loaded to an unauthorized device.
The rules that these systems operate with have to be maintained and alerts for violations of those rules need to be reviewed and acted upon by the Security Operation Center to protect against PII (personally identifiable information) exfiltration.
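What a DLP rule set and its alerts can look like, as an added example that is not from the original article or from Mosaic451. The rule names, event fields, hostnames and destinations are constructed for this sketch, and the card number is the standard Visa test number.

```python
import re

# Rule patterns (illustrative): 13-19 digit card candidates and e-mail addresses.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan(body: str, email_threshold: int = 3) -> list:
    """Return (rule, evidence) findings; evidence is masked so alerts hold no PII."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    emails = set(EMAIL_RE.findall(body))
    if len(emails) >= email_threshold:
        findings.append(("bulk_email_addresses", str(len(emails))))
    return findings

def review(events: list, authorized: set) -> list:
    """Alert only when sensitive data heads to a destination not on the allow-list."""
    alerts = []
    for ev in events:
        findings = scan(ev["body"])
        if findings and ev["dest"] not in authorized:
            alerts.append({"host": ev["host"], "dest": ev["dest"], "findings": findings})
    return alerts

# Constructed outbound-transfer events for the example.
AUTHORIZED = {"backup.internal.example"}
EVENTS = [
    {"host": "ws-014", "dest": "backup.internal.example", "body": "card 4111 1111 1111 1111"},
    {"host": "ws-022", "dest": "usb:unknown-device", "body": "customer card 4111-1111-1111-1111, exp 01/30"},
    {"host": "ws-031", "dest": "files.example.net", "body": "order ref 1234 5678 9012 3456 shipped"},
    {"host": "ws-007", "dest": "paste.example.org", "body": "a@example.com, b@example.com, c@example.com"},
]

if __name__ == "__main__":
    for alert in review(EVENTS, AUTHORIZED):
        print(alert)
```

The order reference in the third event has the shape of a card number but fails the Luhn check, which is the kind of false positive that rule maintenance is meant to keep out of the Security Operation Center's queue.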
10. Web Filtering Technology
Web filtering technology can block the use of social media sites, or at least allow the viewing of social media but disallow posting to these sites (with policy-based, application-aware technology). Providing safe access to dynamic content and personal information is a question that must be addressed internally. Making web filtering policies a collaborative effort between management and all employees can ensure that all needs and viewpoints are addressed.
The ideal mobile device management tool will require the following features.
- Compatible with all common handheld devices
- Can function through multiple service providers
- Can be implemented directly over the air, targeting specific devices as necessary
- Can quickly deploy next-generation hardware, operating platforms and applications
- Can allow a business to add or remove devices as needed. If an unauthorized device tries to log into the network, it will be denied access.