Words to Keep Your Data Secure
As presented in “Time to Get Serious: Protecting Your
Company from Cyberattacks” by Rob Rudloff beginning on
page 24, cybercrime is on the rise and affects companies of
all sizes. Being unfamiliar with common cybersecurity terms
could put your company’s data at serious risk.
While security should be a concern whether your data resides
on-premises or in the cloud, the increasing use of mobile
devices and cloud services is adding a new dimension to the
discussion. In fact, more than half of contractors don’t currently have a mobile security plan in place. 3
Here are some key terms to understand, especially when
putting together a mobile security plan and talking with
cloud service providers.
Malware: Any type of malicious software that infects computers and mobile devices is called malware. Common types
of malware include viruses, spyware, worms, and Trojans.
Ransomware is a newer and more damaging form of malware
that encrypts your files and demands payment for the key
that will unlock them. Paying does not guarantee that the key
will be delivered, so the practical defense is regular, tested
backups kept where the malware cannot reach them.
Network Eavesdropping: Network eavesdropping (also called
sniffing) is an attack in which the attacker intercepts data as
it travels across a wired or wireless network, for example on
public Wi-Fi at a job site or hotel. Because the attacker only
listens rather than altering traffic, it is usually difficult to
detect; the practical defense is to encrypt data in transit (see
Encryption below) so that whatever is captured is unreadable.
International Organization for Standardization
(ISO) 27001: The ISO 27000 family of voluntary standards
offers best-practice specifications for securely managing
financial data, intellectual property, employee details, and
other information. (You may already be familiar with ISO
9000 quality standards.) ISO/IEC 27001 is the best-known
member of the family; it sets out the requirements for an
information security management system, the policies,
processes, and controls by which a company manages sensitive
information. 4 The platforms upon which many
SaaS applications are built will often be certified by a third
party that they meet ISO 27001 requirements. Note that such
a certificate covers only the organization and scope named on
it: a SaaS vendor running on a certified cloud platform is not
itself certified unless its own operations have been audited, so
ask a provider for its own certificate and scope statement
rather than its platform’s.
Service Organization Control (SOC) Reports: SOC
reports were created by the AICPA to address the increase
in the number of businesses outsourcing various functions to
service organizations such as cloud computing providers. “The
SOC 2 and SOC 3 reports both look at a service organization’s
controls related to the security, availability, processing integrity,
and the privacy or confidentiality of information the system
processes.” The reports help provide assurance regarding
the confidentiality and privacy of information processed by a
cloud service provider. 5 The two differ in detail: a SOC 2
report is a restricted-use document that describes the controls
and the auditor’s testing of them, while a SOC 3 is a short
general-use summary suitable for publication. A “Type II”
report covers whether the controls operated effectively over a
period of months, not just whether they existed on one day,
so a SOC 2 Type II is what to ask a provider for.
Authentication: Authentication is the process of verifying that a user is who he or she claims to be before access is
granted; a username and password is the most familiar way of
doing it. Ideally, employees have the convenience of single sign-on (SSO) –
that is, one set of credentials, checked by a central identity
service, grants each person access to multiple corporate and
cloud-based services, which enhances productivity.
With that convenience, however, comes concentrated risk: an employee’s lost or stolen SSO password unlocks every service it was linked to.
To strengthen security, especially when using SSO, technology providers are moving toward multi-factor authentication (MFA), of which two-factor authentication (2FA) is the most common form.
With 2FA or MFA, your employees would be required to
provide at least two forms of authentication to verify their
The factors fall into three categories: something you know (a
password or PIN), something you have (a phone or hardware
token), and something you are (a biometric). Two items from
the same category add little: a secret question (e.g., What was
the name of your first pet?) is, like the password, something
you know, and its answers are often guessable or findable
online, so it is not a true second factor. Better choices are a
one-time code generated by an authenticator app or a small
hardware device, or a security “token” (e.g., a USB key that
proves possession when plugged into a computer and touched).
Biometric authentication, in which a fingerprint or a face or
retina scan is used for identity verification, is no longer
science fiction; it is built into most current smartphones.
Encryption: While you are probably familiar with this term,
the process of transforming data into an unreadable format
that only holders of the right key can reverse is vital to data
security. For example, you should encrypt data at rest (data
stored in your databases, file systems, laptops, and mobile
devices) as well as data in transit (typically information moving over the Internet or other network, which is what HTTPS
and VPN connections provide). Encryption is only as strong
as the protection of its keys, so where the keys are stored and
who can reach them matters as much as the algorithm.
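As an added example (not code from this article), the following Go program shows what encrypting data at rest looks like in practice, using AES-256-GCM, an authenticated mode that detects tampering with the stored blob as well as hiding its contents. The sample record and record ID are constructed for the example; the key is generated at run time and in a real system would be held in a key management service or hardware module rather than beside the data. Function names are this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealRecord encrypts plaintext under a 32-byte key with AES-256-GCM.
// GCM appends a 16-byte authentication tag, so any change to the stored
// blob is detected on decryption. aad is authenticated but not encrypted;
// binding a record identifier this way stops an attacker from swapping
// encrypted blobs between records. Returned layout: nonce || ciphertext || tag.
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a fresh random
	// 96-bit nonce per record is the standard choice.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord reverses sealRecord. It returns an error and no plaintext if
// the key or aad is wrong, the blob is truncated, or it was tampered with.
func openRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// newKey generates a random 256-bit key (hypothetical helper for the demo).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record: a bid amount to be stored encrypted at rest.
	recordID := []byte("bid-2017-0042")
	plaintext := []byte("Bid amount: $1,250,000")

	sealed, err := sealRecord(key, plaintext, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes): %x\n", len(sealed), sealed)

	got, err := openRecord(key, sealed, recordID)
	fmt.Printf("decrypted: %q (err=%v)\n", got, err)

	// Flip one bit in the stored blob: GCM rejects it instead of returning garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(key, tampered, recordID)
	fmt.Println("tampered blob error:", err)
}
```

Two points worth noticing when running it: sealing the same record twice produces two different blobs, because the nonce is fresh each time, and opening the blob with a different record ID fails even though the key is correct, which is the property that keeps an attacker from substituting one customer’s encrypted data for another’s.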
Bring Your Own Device (BYOD): It is becoming increasingly popular to allow employees to use their own devices for
work purposes. In fact, a recent IT survey of construction
companies showed 56% allow it. 6
Virtual Desktop Infrastructure (VDI): VDI is a remote
desktop service that allows employees to use any hardware