Improving digital security – 10 helpful tips for publishers

June 4, 2024

Making sure content and systems stay safe is one of our top priorities, which is why there is a lot of work that goes into keeping the Atypon platform secure. But publishers need to manage and improve their own digital security — going way beyond the platform. This is a process and not a one-time thing. If you don’t know where to start, here are 10 steps that everyone should consider implementing to keep data and systems safe.

Security awareness training

Common causes of security problems are email, unknown devices such as USB drives, and data leaks. To combat these issues, implement an annual training program for all employees.

Examples of topics that should be included in training:

  • Phishing and how to reduce exposure
  • Proper use of unknown devices like USB drives
  • How to properly secure a device in a public location
  • Proper etiquette when handling data, especially PII or sensitive data
  • The importance of multi-person approval for any sensitive process, such as one that involves finances, customer data, or granting access to sensitive systems

Antivirus and browser protection

We’ve all known for 20+ years that antivirus is necessary, but it is surprising how many organizations have only a minimal level of protection, or don’t update their software once it is installed. A good program covers all desktops, laptops, and servers with antivirus preinstalled, and includes frequent updates to the virus definitions or heuristics used to identify threats. Also, some government contracts forbid the use of antivirus tools from Kaspersky (see the statement from CISA for more details).

Cataloging and protecting data

A company’s most valuable asset is its data, so it is essential to know exactly what types of data are stored and how they are being used. Why is this so important? Here are a few examples:

  • Under GDPR and other privacy regulations, certain types of data cannot be held indefinitely and should be deleted once they are no longer needed or useful. This varies from one type of data to another.
  • These rules also stipulate that a person may request all data related to them be updated, deleted, or provided. To comply with the request, it is necessary to know where all the data resides.
  • Data may reside in multiple locations. If a system suffers a breach or failure, it is necessary to know what data it held to determine the impact.
  • Under certain government contracts, the contract itself may be considered sensitive or classified information, which means it cannot reside in a common repository accessible by people who don’t have a need to access it.

A simple way to start is by collecting the locations where data is stored, and then cataloging the types of data held in those systems.
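The following is an added example, not Atypon’s code, of what such a catalog makes possible once the locations and data types above have been collected: it records which system holds which category of data for which person, flags records whose retention period has expired, answers “where does this person’s data reside?” for an access or erasure request, and summarises what a given system held if it is breached. The system names, data categories, retention periods and records are constructed placeholders, not real retention rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical retention rules per data category (days to keep after creation).
# None means the category has no fixed retention period (e.g. a signed contract).
# These values are constructed for the example, not legal guidance.
RETENTION_DAYS: Dict[str, Optional[int]] = {
    "marketing_email": 365,
    "billing_record": 7 * 365,
    "support_ticket": 2 * 365,
    "government_contract": None,
}

# Categories whose exposure should raise the severity of a breach assessment.
SENSITIVE_CATEGORIES = {"billing_record", "government_contract"}


@dataclass(frozen=True)
class Record:
    system: str    # system that stores the data (hypothetical names in the sample)
    category: str  # one of the RETENTION_DAYS keys
    subject: str   # data subject identifier, or "" for non-personal data
    created: date  # when the record was created; retention counts from here


class DataCatalog:
    """Inventory of where each kind of data lives, and the checks built on it."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def add(self, record: Record) -> None:
        # Refuse to store data of a category nobody has classified: an
        # uncatalogued category has no retention rule and no sensitivity rating.
        if record.category not in RETENTION_DAYS:
            raise ValueError(f"uncatalogued data category: {record.category}")
        self.records.append(record)

    def overdue(self, today: date) -> List[Record]:
        """Records whose retention period has expired and that should be deleted."""
        expired = []
        for r in self.records:
            days = RETENTION_DAYS[r.category]
            if days is not None and r.created + timedelta(days=days) < today:
                expired.append(r)
        return expired

    def systems_for_subject(self, subject: str) -> Set[str]:
        """Every system holding data about one person (access or erasure request)."""
        return {r.system for r in self.records if r.subject == subject}

    def breach_impact(self, system: str) -> Dict[str, object]:
        """What a compromised system held: counts per category, subjects, sensitivity."""
        held = [r for r in self.records if r.system == system]
        counts: Dict[str, int] = {}
        for r in held:
            counts[r.category] = counts.get(r.category, 0) + 1
        return {
            "categories": counts,
            "subjects": sorted({r.subject for r in held if r.subject}),
            "sensitive": any(r.category in SENSITIVE_CATEGORIES for r in held),
        }


def build_sample_catalog() -> DataCatalog:
    """Constructed sample inventory: four hypothetical systems, four records."""
    cat = DataCatalog()
    cat.add(Record("crm", "marketing_email", "alice@example.com", date(2022, 1, 10)))
    cat.add(Record("billing", "billing_record", "alice@example.com", date(2023, 6, 1)))
    cat.add(Record("helpdesk", "support_ticket", "bob@example.com", date(2021, 3, 15)))
    cat.add(Record("file-share", "government_contract", "", date(2020, 9, 1)))
    return cat


if __name__ == "__main__":
    catalog = build_sample_catalog()
    today = date(2024, 6, 4)
    for r in catalog.overdue(today):
        print(f"DELETE: {r.category} for {r.subject or 'n/a'} held in {r.system}")
    print("alice's data resides in:", catalog.systems_for_subject("alice@example.com"))
    print("impact if billing is breached:", catalog.breach_impact("billing"))
```

In a real deployment the retention table and the record list would come from the systems themselves (database schemas, file shares, vendor exports) rather than being typed in, but the three questions the catalog answers (what is overdue, where a person’s data lives, what a system held) are exactly the ones the bullets above raise.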

Vendor management

Your organization relies on many vendors, including suppliers and service providers. Vendors can certainly be a strong part of a secure system, but policies and processes need to be established for managing them. Before working with a new vendor, assess their security practices. Many contracts include clauses around safeguarding data, and you should research independently and ask questions of your vendor before trusting them with sensitive information. Here are common questions for vendors, especially if they process data on your behalf.

Are they GDPR compliant?

If a vendor holds data on your behalf, where does that data reside, and what happens to the data when the contract is terminated? If data is to be transferred between different vendor locations, what locations are involved and how are transfers done?

Do they have certifications or audits?

Most vendors, especially software and service vendors, will have something similar to a SOC audit (System and Organizational Controls audit) or ISO 27001 certification. If the vendor services government agencies, they will most likely have audits and certifications from NIST. Inquiring which audits and certifications have been completed is a great way to assess the vendor’s security practices.

Do they have processes in place if they experience security issues?

Combining this with the previous item of cataloging data will help with visibility on where data is held. If the vendor processes data, what process will the vendor follow if there is a loss of functionality or breach?

The importance of incident response plans

Even an organization with the best security could have a breach. Develop a classification system for events, such as classifying them by severity and impact. A high severity event with little impact will be handled differently than a low severity event with high impact. Determining factors could include whether users were impacted and for how long, if data was lost or breached, if contractual obligations to customers and users were not met, and if there could be a material impact on the reputation or revenue of the company.

The following points should be addressed as part of the response plan:

  • Develop courses of action and conduct simulations or walkthroughs to make sure everyone is ready to act.
  • Specify roles, so everyone knows what to do. This may include vendors, crisis management teams, communication teams, local/state/federal authorities, etc.
  • Identify who needs to be notified either due to contractual obligation or by law. This may include notifying users, shareholders, or even government bodies and other regulatory authorities.
  • Ensure that all duties have been assigned and stakeholders looped in.

When an event occurs, no one wants to have to guess as to what steps are needed. Having the plan will ensure a faster and smoother response.

Physical security for your organization

Like other considerations such as antivirus, this is a subject that everyone has known about for decades, if not centuries. Security is only as good as the weakest link, which might be something that exists physically rather than digitally. All locations should have strictly controlled access, especially to any important data or servers. You must pay close attention to any areas that might be easy to access by conducting security audits. Also, remember that in addition to bad actors, your hardware needs to be safe from weather, animals, and natural disasters (such as earthquakes and fires) as well.

A common mistake regarding access is to assume that the threat comes from outside the organization. Most security issues arise from people within the organization. This is why concepts such as “least privilege” or “zero trust” are important: they are built on the idea that only those people who need access to something should have it, or that no one should have any access until it is needed. This reduces the chances that an area or system is compromised.

Usage of cloud services

Much of our collective data exists in the cloud, which can serve as a reliable way to store and access necessary information, but it brings with it a few key challenges. Choosing the right provider is important; focus on one with a demonstrated commitment to security. Make sure data is encrypted, and carefully control access and permissions to data and encryption keys.

Not everyone needs access to all the information in your organization. As mentioned above under Vendor Management, any cloud service provider should be able to provide SOC or ISO reports that demonstrate the proper security practices are in place.

Staying secure while working remotely and traveling

Data might be most at risk while employees travel or work from insecure locations. Many organizations use a VPN, which can make a huge difference in keeping data safe. But if an employee is sitting in a public location, it may be possible for someone to gain access to sensitive information just by looking at the employee’s screen. Public Wi-Fi should be avoided, as it’s the least safe option.

The following are just a few items that should be taken into consideration:

  • Require all employees who are outside the office to use a VPN or similar technology when accessing company systems.
  • Make use of multifactor authentication for access to any company system.
  • Avoid public Wi-Fi as much as possible, if not completely. Employees should have alternative means such as using their company-issued mobile device as a hotspot for access.
  • When in public locations, make sure laptop screens are secure either by using privacy filters or avoiding open locations. This includes avoiding voice or video calls in which sensitive information will be discussed and could be overheard by others.

PCI compliance

It’s important to adhere to the Payment Card Industry Data Security Standard (PCI DSS) requirements and to conduct regular security assessments and audits. If processing credit card information, even if the data does not reside on any of your systems, companies need to be compliant with PCI DSS 4.0, the latest version as of March 2024. Any vendor involved with credit card processing will need to be compliant too.

Determining what needs to be done to be compliant involves reviewing the information made available by the Payment Card Industry Security Standards Council.

Special steps needed for government contracts

As is so often the case, government contracts require special handling and compliance with regulations such as FISMA (Federal Information Security Management Act) or NIST SP 800-171. In almost all cases, any requirement to meet a regulation, standard, process, policy, or mandate will be specified within the contract with the agency. One of the key exceptions, however, is when customers have signed contracts with government agencies that impose requirements on subcontractors. A good step is to have the contracts process specifically call out and note any regulation that is specified in the contract. Having a catalog of requirements that can be easily accessed and searched will help clarify what steps you may need to take.

To learn more, check out our recent Atypon webinar on 3 important privacy and security changes affecting your organization.
