News and analysis
March 04, 2012

Simple Steps to Keep Hackers From Stealing Your Data

Michael Enos gets his daily reminder of the threat hackers pose to his organization from an unlikely place: his backyard chicken coop.

As chief technology officer at Second Harvest Food Bank of Santa Clara and San Mateo counties, in California, he says he “goes from operating a high-tech perimeter around data at work to overseeing a low-tech perimeter around the chickens at home.”

And one of his most lasting high-tech lessons came from the low-tech henhouse.

“I built what I thought was a very secure coop, but my mistake was assuming the hard ground was a sufficient and secure floor,” Mr. Enos says. “I failed to recognize the possibility of an animal digging underneath, and it cost me several chickens. I am constantly reminded in my professional role that you have to look at all your vulnerabilities and be constantly vigilant of security breaches.”

Mr. Enos says many nonprofit organizations underestimate the threats to their networks, particularly donor data or client medical or personal information.

He offers these tips for protecting your network and data.

Hire a friendly hacker

Nonprofits can hire good-guy hackers, known as “white hats,” to test their cyber security using the latest hacking techniques. White hats should test your internal systems as well as mobile devices and wireless security. “It’s a best practice to have someone do a security-vulnerability review periodically—quarterly, if possible,” Mr. Enos says. “That’s your best way to make sure you’re staying a step ahead of the hackers.”

Limit the risks from within

While the word “hacker” usually evokes an image of a sinister outsider hunched over a computer, organizations often face serious threats from inside the organization through intentional or careless breaches. Senior managers should be frequently briefed on the potential risks, and employees should clearly understand policies governing data security, including how it relates to laptop computers and mobile devices. Mr. Enos recommends frequent training sessions and updates to make sure employees keep information security top of mind, know how to spot suspicious activity, and understand the ever-evolving risks.

Plan for a crises

Some recent high-profile data breaches, including an attack last spring that hijacked PBS’s Web site and replaced it with a cartoon image, make it clear that hackers can be one step ahead of the most high-tech and vigilant organizations. To Mr. Enos, that highlights the importance of evaluating potential risks and then determining how your organization would react, including developing a plan for dealing with questions from the media, communicating to those whose information was compromised, and assessing the costs associated with the breach. Mr. Enos recommends the PCI Security Standards Council as a useful resource for guidance in handling a breach.

Keep in mind the complexity of an information system

Mr. Enos advises not to think of security as an egg, which, once cracked, dumps all its contents at once. Rather, view it from the perspective of an artichoke that requires peeling many layers to get to the heart. “Look at your information security as being protected by many different layers so that if one layer is compromised, there is an alert in place to contain the problem,” Mr. Enos says. “If you have several levels of controls, it helps you minimize the risks.”