Basics of data security
Things to know and initial approaches that every company can implement in the short term
One of the most important aspects of using digital solutions is the security of the processed data. Data security is a topic that is simultaneously very present and very opaque due to its complexity. Or at least it seems that way - which is why we want to go into it in more detail in this article.
Two main areas are considered below: precautions that should be taken within organizations, and the technical requirements that software solutions should meet.
We spoke with Oleksandr Sakharchuk, senior software developer at a FinTech (financial technology) company, and Christoph Fichtmüller, our Head of Engineering. They explain that data security should be handled in the same way as normal occupational safety: there should be someone in every company who is responsible for it. Employees also need regular training to keep their knowledge up to date. After all, data security is not just about taking the best precautions in terms of hardware and software, but also about minimizing the risk of human error. In their experience, people are at the heart of cybersecurity, along with corporate culture and compliance. Management should provide structures that promote data security and ensure that employees know how to deal with threats.
Data must be protected for various reasons. For example, the GDPR (General Data Protection Regulation; DSGVO in German) requires personal data to be treated separately. Such data may only be stored with the consent of the person concerned, must be inaccessible to outsiders, and may only be kept for a certain period of time. In addition, in the corporate context, payment-related information must be handled securely. Furthermore, companies have an interest in keeping information about processes or products from competitors who could gain an advantage from it.
There are various ways to find out about appropriate measures. On the Internet, companies can find guidance on areas and topics relating to cybersecurity. The German Federal Office for Information Security (BSI) not only provides guides for IT companies, but also for companies in general that use online applications. The BSI site also lists many tools that provide assistance in figuring out how best to protect against attacks.
A decisive risk factor is, above all, the individual. Employees who are not aware of how to deal with, for example, phishing e-mails (e-mails that encourage people to click on attached links) or unknown external storage media are one of the greatest potential sources of danger.
To protect data behind log-ins as well as possible, the following options, among others, are available:
According to our experts, two-factor authentication is the most secure way to protect data in programs that require a log-in. This method involves logging in not only with a username and password, but also with a second type of verification, usually through another device, for example a cell phone. Either an SMS with a verification code can be requested, or the identity can be confirmed in a separate app. Some methods also use fingerprint or facial recognition. In this way, data and information remain protected from unauthorized third parties who have obtained the password, as there is a second barrier.
A large number of different, complicated passwords does not necessarily mean that data is better protected. To be able to remember these passwords, people often write them down somewhere or store them in their cell phone. This makes them relatively easy for others to access. It is better to use a password manager that requires only one password to access. All other passwords can be stored and managed in it. As an extension to the Internet browser, most password managers also recognize the page whose log-in is required and offer automatic entry of the data.
Despite all security precautions, it can happen under certain circumstances that data is deleted. To remain operational and competitive in such a case, it is very important to create regular backup copies on other data carriers. These should be encrypted so that they cannot be read by unauthorized persons. For example, they can be stored on external servers or hard drives that are not connected to the Internet. This way they are protected from online attacks. Of course, in the unlikely event of a break-in or theft, these devices would still be at risk - just like printed documents. That's why it makes sense to create protected online backups as well.
In addition to security in the internal handling of data, the security of the software used also plays an important role. The continuous and secure operation of software products is in the self-interest of the manufacturers, which is why they are intensively concerned with data security.
At Tenera, data security is also one of the most important aspects. The systems are built to provide a high level of security right from the start. Our Head of Engineering, Christoph Fichtmüller, has explained exactly how it works:
"Our data, as well as that of Tenera's users, is protected at various levels. For one thing, it is written in encrypted form from the outset. This means that even in the unlikely event that someone gets hold of the data medium, the data cannot be read. In addition, only those servers that absolutely have to are ever connected to the Internet, in order to keep the attack surface as small as possible. This method is called 'virtual private cloud' and is offered by Amazon Web Services. These web services are hosted in various data centers around the world, while the servers on which Tenera is programmed are located in data centers in Germany. Especially in terms of security, using a large cloud provider means that the servers are constantly monitored by teams of experts. Furthermore, the data center itself is located on a secured site to which unauthorized persons have no access. Breaking into a guarded data center and stealing data media would be much more difficult than stealing a computer or file folder in a medium-sized business. The biggest risk factor for a security breach is the person who doesn't adequately protect their password or clicks on links in phishing emails."
While there are complex and sophisticated elaborations like the one from the BSI on how organizations should be set up to ensure cybersecurity in the best possible way, for most classic SMEs it is enough to have one or more people who deal with the topic in more detail. If regular training with the latest measures is also held, sufficient data security should be ensured. It is also the responsibility of management to weigh risks accordingly and provide employees with the necessary processes and tools to be able to react properly on their own.
You can find more information on the page of the Federal Office for Information Security.