Sony. Equifax. Yahoo. HBO. Target. The Democratic National Committee. Each of these entities suffered major losses (financial and otherwise) as a result of computer hacking. And there’s every reason to believe nefarious players will continue to worm their way into networks to steal or compromise critical data. This is why a multi-layered security effort is as important as ever — to ensure valuable information is protected from those who want to commandeer it for their own benefit.
Why Layered Security is Important and What You Need to Know
Multi-layered security is pretty much like it sounds. It’s multiple levels of protection, so that if one barrier is breached, there are more behind it to stop people from getting access to your information. Think of it like this. If you live in an apartment building, there’s probably a security door you have to pass through on the way in. Then there might be a doorman or a keycard for the elevator. Then your door has a deadbolt as well as another lock on the doorknob. And finally, you might even have an alarm or a smart home device, like a motion-activated camera. If at any point a person doesn’t have a key, they’re stopped in their tracks. And with the alarm or the video camera, the system will immediately issue an alert should there be a break-in. Each layer is designed to protect your valuables and deter villains from attacking your home, and no single layer has to be perfect for the whole to hold. A multi-layered security system is a digital version of this for your network and the files it houses.
The data you store on your computer or network is valuable to you and your business. But if it falls into the hands of a hacker, it could compromise a transaction or your intellectual property, or bring your entire business to a halt. A network breach in 2011 compromised customer data for 77 million Sony PlayStation accounts, resulting in the PlayStation Network being shut down for more than three weeks. Other attackers break into systems and try to extort money from their victims. This was precisely the case with HBO, where hackers implied they wanted a $6 million ransom. And of course there’s Equifax. The break-in resulted in the stock losing around one-third of its value – about $4 billion in market capitalization – in just one week.
You might think that simply protecting your information from the outside is enough. But that’s not the case. A 2015 study from Verizon said that about half of all security incidents came from inside the company walls. In fact, according to the report, 20 percent of all compromised data is related to employees stealing information, misusing it, selling it or engaging in similar activities. For example, in 2014, a Tufts Health Plan employee stole data (including names, Social Security numbers and dates of birth) for nearly 9,000 customers. And there are countless other cases just like this. When sharing confidential and highly sensitive information during M&A due diligence, you are at an even greater risk of a potential data breach, because the data is deliberately being exposed to outside parties whose own controls you do not manage.
How to Keep Your Data Secure
You need to have a strategy and then implement a plan that protects data at all its potential touch points. Ensuring that your firewall is secure is a critical first step, but it is not enough on its own. You also have to ensure your vendors’ platforms are built with bank-grade security. To return to the earlier analogy about the apartment building, relying on the firewall alone is like relying only on the front door key. It’s a main line of defense, but if it is bypassed, nothing else stands in the way.
Develop A Set of Data Security Standards
A layered approach includes a number of logical, physical, and proactive measures to protect data. The first step of implementing a layered security strategy is to create a checklist of the security tools you need in place. You should have multiple security safeguards in place that fall into each of the following security standard categories:
Administrative Safeguards are documented, formal practices to manage the selection and implementation of security measures that protect information and guide the conduct of personnel in relation to the protection of information. Security tools to consider are:
- Risk Management Analysis: You should have a team in place to conduct regular penetration testing and vulnerability scanning, apply patches promptly, and monitor for unusual activity so that potential issues are found and handled before an attacker finds them.
- Data availability and redundancy: In the event something happens to your data at one location, you need to make sure you have a data backup plan and a data recovery plan, and that you have actually tested restoring from the backups.
- Information Access Management: You need the ability to give different users different levels of access to data and information, granting each person only what their role requires. Look for a security solution that has the ability to create custom security profiles and remotely revoke access to data, so that a departing employee or a deal counterparty can be cut off immediately.
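As an added example (not SmartRoom code, and not a description of any particular product), the following Python sketch shows the Information Access Management idea in working form: deny-by-default checks, per-document security profiles, and revocation that takes effect on the next access check. The profile names and permission names are assumptions chosen for illustration; the page defines none of them.

```python
"""Added example, not SmartRoom code: deny-by-default per-document access
profiles with revocation, as described under Information Access Management."""

# Hypothetical profile and permission names; the page does not define any.
PROFILES = {
    "viewer": {"view"},
    "editor": {"view", "download", "upload"},
    "admin": {"view", "download", "upload", "share", "revoke"},
}


class AccessManager:
    def __init__(self):
        # (user, document) -> profile name. No entry means no access.
        self._grants = {}
        # Constructed in-memory audit trail of every grant, revoke and check.
        self.log = []

    def grant(self, user, document, profile):
        if profile not in PROFILES:
            raise ValueError(f"unknown profile {profile!r}")
        self._grants[(user, document)] = profile
        self.log.append(("grant", user, document, profile))

    def revoke(self, user, document=None):
        """Revoke one document grant, or every grant the user holds when
        no document is given (e.g. a deal team member leaves). Returns the
        number of grants removed."""
        keys = [
            k for k in self._grants
            if k[0] == user and (document is None or k[1] == document)
        ]
        for k in keys:
            del self._grants[k]
            self.log.append(("revoke", k[0], k[1], None))
        return len(keys)

    def is_allowed(self, user, document, action):
        """Deny unless the user holds a profile on this document that
        includes the action. Unknown users and unknown documents are
        denied without any special-casing."""
        profile = self._grants.get((user, document))
        allowed = profile is not None and action in PROFILES[profile]
        self.log.append(
            ("check", user, document, f"{action}:{'allow' if allowed else 'deny'}")
        )
        return allowed


if __name__ == "__main__":
    am = AccessManager()
    am.grant("alice", "term-sheet.pdf", "viewer")
    print(am.is_allowed("alice", "term-sheet.pdf", "download"))  # False
    am.revoke("alice")
    print(am.is_allowed("alice", "term-sheet.pdf", "view"))  # False
```

The important property is that the check consults the current grant table on every call rather than caching a decision, so a revocation is effective immediately; a real system would also expire sessions and re-check on each document download.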
Physical safeguards consist of practices to manage the protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. This includes the following measures:
- Facility Security Plan: Ensure your security vendor’s data host has a current independent audit report covering its controls. The page refers to SSAE 16; note that SSAE 16 is an attestation standard, not a certification, and that it was superseded by SSAE 18 in 2017. Ask for a SOC 2 report, which covers security controls specifically, rather than a SOC 1 report, which covers controls relevant to financial reporting.
- Access Controls & Validation Procedures: When it comes to servers, make sure you know who has access to the facilities and how they enter them. Things like security badges, visitor logs and multi-point authorization can keep controls tight.
Technical Safeguards are processes that are put in place to protect and to control information access and data that is stored, transmitted and shared over the network. These include:
- Encryption: Use TLS 1.2 or later with a strong authenticated cipher suite such as AES-256-GCM for internet browsing and data transmission, and RSA keys of at least 2048 bits for certificates and key exchange. 1024-bit RSA has been disallowed by NIST since 2013 and should not be accepted. Encrypt data at rest as well, since transport encryption protects only data in motion.
- Logins and Passwords: Passwords are a key element of defense, but they have to be handled correctly. Store them as salted, deliberately slow hashes (bcrypt, scrypt or Argon2), never as reversibly encrypted values, and enforce a minimum length together with screening against known-breached passwords. Track when people log in and which documents they view. Note that NIST SP 800-63B (2017) no longer recommends forced periodic password resets; require a reset when a compromise is suspected rather than on a fixed schedule, and add multi-factor authentication where the data warrants it.
- Audit Control: You want full audit logs and real-time reporting of any and all user activity, including failed logins, so that a data breach can be detected and reconstructed.
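The following Python example is added here to show the Logins and Passwords and Audit Control points working together; it is not SmartRoom code and does not describe any particular product. It uses the standard library’s scrypt for salted, slow password hashing, a constant-time comparison on verification, a minimum-length and breached-password check in the style of NIST SP 800-63B, and an in-memory audit log of login attempts and document views. The minimum length, the small breached-password set and the user and document names are constructed assumptions for the demonstration.

```python
"""Added example, not SmartRoom code: salted scrypt password storage,
breach-list screening, and an audit log of logins and document views."""
import hashlib
import hmac
import os
import time

MIN_PASSWORD_LENGTH = 12  # assumed policy value; the page states no number

# Constructed sample of known-compromised passwords. A real deployment
# screens against a large breach corpus, as NIST SP 800-63B recommends.
BREACHED = {"password123", "Welcome2024!", "letmein12345"}

# scrypt cost parameters: 16 MiB of memory per hash, deliberately slow.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, maxmem=2**26)


def password_acceptable(password):
    return len(password) >= MIN_PASSWORD_LENGTH and password not in BREACHED


def hash_password(password, salt=None):
    """Return (salt, digest). The salt makes identical passwords hash
    differently, and scrypt's cost makes offline guessing expensive.
    A reversibly 'encrypted' password store would instead let anyone
    holding the key recover every password at once."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    # Constant-time compare: no timing leak about how many bytes matched.
    return hmac.compare_digest(candidate, digest)


class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, event, user, **details):
        self.entries.append({"ts": time.time(), "event": event, "user": user, **details})

    def for_user(self, user):
        return [e for e in self.entries if e["user"] == user]


class Service:
    def __init__(self):
        self.users = {}          # user -> (salt, digest)
        self.audit = AuditLog()

    def register(self, user, password):
        if not password_acceptable(password):
            raise ValueError("password too short or known to be compromised")
        self.users[user] = hash_password(password)

    def login(self, user, password, source_ip):
        stored = self.users.get(user)
        # Hash against a dummy record for unknown users so response timing
        # does not reveal which usernames exist.
        salt, digest = stored if stored else (b"\x00" * 16, b"\x00" * 64)
        ok = verify_password(password, salt, digest) and stored is not None
        # Both successes and failures are logged; failures are what a
        # brute-force or credential-stuffing detection rule keys on.
        self.audit.record("login", user, ok=ok, ip=source_ip)
        return ok

    def view_document(self, user, document):
        self.audit.record("view", user, document=document)


if __name__ == "__main__":
    svc = Service()
    svc.register("alice", "correct horse battery staple")
    print(svc.login("alice", "correct horse battery staple", "10.0.0.5"))  # True
    print(svc.login("alice", "wrong password here!", "10.0.0.5"))          # False
    svc.view_document("alice", "term-sheet.pdf")
    print([e["event"] for e in svc.audit.for_user("alice")])
```

The audit entries are plain dictionaries here; in practice they would be shipped to a log store the application cannot modify, so that an attacker who compromises the application cannot erase the record of what they viewed.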
SmartRoom is a secure virtual data room that was designed to offer precisely these features because we’re laser focused on helping organizations protect their information. We also make sure that our data centers are SAS 70 Type II compliant, meaning that an outside auditor assessed not just the design of the controls but their operating effectiveness over a period of time. (SAS 70 was replaced by SSAE 16 in 2011 and later by SSAE 18, so a current report from any provider would be issued as a SOC report.)
Hackers seeking targets is just an unfortunate reality in today’s internet-connected world. But there’s something your business can do to guard itself against being the next victim. And that’s ensuring that both your internal systems and vendor applications like your virtual data room are built with multiple layers of security.
Learn more about how SmartRoom’s virtual data room multi-layered security system can protect your data.