5 Intranet Security Tips in the Era of Data Breaches

Last Updated: December 16, 2021

An organization’s intranet can be a gateway for hackers to HR-level data. By doing five things, you can keep your company’s intranet safe and secure.

You see articles with these headlines seemingly constantly now: “How I hacked hundreds of companies through their help desk” or “How I hacked 40 websites in 7 minutes.”

A common theme of the modern digital world: Hackers can easily access a company’s resources and begin wreaking havoc.

Many are familiar with the more-publicized data breaches of the last few years, such as Marriott in 2018, where the data of 500 million people was exposed, or the Equifax breach of 2017, which compromised the data of 143 million individuals. Also in 2018, Facebook was hit with a data breach affecting 50 million users; it came at the tail end of a particularly bad media stretch for the company, and the security failing only worsened public perception. Then there was perhaps the most galling and frightening attack of the last half-decade: Ukraine's power grid in 2015.

Attackers will probe any part of a company's attack surface, and the intranet is often an early target. HR-level data usually lives there, and because intranet security is rarely a top company priority, it tends to lag the rest of the estate, making it an easy path in.

You need to have an intranet for increased collaboration and productivity, but it absolutely must be safe, secure, and compliant.

What are the best practices for ensuring those conditions are met?

Get specific on those permissions

Multi-tiered security is often described purely in terms of permissions: Brad from sales should not be able to view the executive team's meeting minutes. Permissions are a crucial part of it, but a handful of role-wide rules is not enough.

Every user and every content item within an intranet needs specific viewing, editing, and creation rights, and the default for anything not explicitly granted should be no access.

Consider Google Docs and Drive. For any document you produce, you can set sharing permissions (view, comment, edit) per recipient, instead of relying on whoever happens to hold the link.

Intranets need to work the same way, both to protect proprietary internal information and to reduce the damage a single compromised account can do.
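The following is an added example, not code from the article or from GreenOrbit, showing what per-item, default-deny rights look like in practice: every document carries its own access list, groups resolve to users, "create" is a right on a space rather than on a document, and anything not explicitly granted (including items that do not exist) is denied. Users, groups, spaces and documents are constructed sample data.

```python
"""Per-item, default-deny permissions for intranet content.

Added example, not code from the article or from GreenOrbit. Users, groups,
spaces and documents below are constructed sample data.
"""
from dataclasses import dataclass, field

VIEW, EDIT, CREATE = "view", "edit", "create"


@dataclass
class Intranet:
    # group -> members (constructed; in practice this comes from the directory)
    groups: dict = field(default_factory=dict)
    # space -> {principal: set of actions}; CREATE is granted on a space,
    # because new content is always created *into* some space
    space_acl: dict = field(default_factory=dict)
    # item -> (space, {principal: set of actions}); no entry means no access
    items: dict = field(default_factory=dict)

    def principals_for(self, user):
        """A user acts as themself plus every group they belong to."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def _granted(self, acl, user):
        return set().union(*(acl.get(p, set()) for p in self.principals_for(user)))

    def can_create_in(self, user, space):
        return CREATE in self._granted(self.space_acl.get(space, {}), user)

    def can(self, user, action, item):
        """Default deny: unknown items and unlisted users get False."""
        if action not in (VIEW, EDIT):
            raise ValueError(f"unknown item action {action!r}")
        entry = self.items.get(item)
        if entry is None:
            return False                      # do not even reveal that it exists
        _space, acl = entry
        granted = self._granted(acl, user)
        if action == VIEW:
            return VIEW in granted or EDIT in granted   # editing implies viewing
        return EDIT in granted

    def create(self, user, space, item, acl=None):
        """Create an item in a space. The author gets EDIT; nobody else gets
        anything until it is explicitly granted."""
        if not self.can_create_in(user, space):
            raise PermissionError(f"{user} may not create in {space}")
        if item in self.items:
            raise ValueError(f"{item} already exists")
        self.items[item] = (space, {user: {EDIT}, **(acl or {})})
        return item

    def who_can(self, action, item):
        """Audit helper: every known user holding the given right on the item."""
        users = set().union(*self.groups.values())
        users |= {p for _s, acl in self.items.values() for p in acl if p not in self.groups}
        return sorted(u for u in users if self.can(u, action, item))


def build_sample():
    """Constructed sample directory and content."""
    net = Intranet(
        groups={"sales": {"brad", "ana"}, "executives": {"dana"}, "hr": {"lee"}},
        space_acl={"sales-space": {"sales": {CREATE}},
                   "exec-space": {"executives": {CREATE}},
                   "hr-space": {"hr": {CREATE}}},
    )
    net.items["exec-minutes"] = ("exec-space", {"executives": {EDIT}})
    net.items["payroll-2021"] = ("hr-space", {"hr": {VIEW, EDIT}})
    # Brad creates a sales document and grants his team read-only access.
    net.create("brad", "sales-space", "q3-pricing", acl={"sales": {VIEW}})
    return net


if __name__ == "__main__":
    net = build_sample()
    print("brad views exec minutes:", net.can("brad", VIEW, "exec-minutes"))   # False
    print("who can view q3-pricing:", net.who_can(VIEW, "q3-pricing"))        # ['ana', 'brad']
```

The `who_can` report is the part reviewers actually ask for: per-item rights are only useful if someone can periodically answer "who can see the payroll file?" without reading code.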

Authenticate like an enterprise boss

Authentication needs to be unified across all business applications, which means internally and with any apps hosted in the cloud.

This matters because organizations now deploy an average of 935 cloud-based applications that employees may need to access at least once in a work year. With that many touch points on the attack surface, your authentication must be robust.

The best practice here is single sign-on through Security Assertion Markup Language (SAML). SAML is an XML-based standard in which an identity provider issues signed assertions about an authenticated user, and the service provider (here, the intranet) uses those assertions to make its access-control decisions. The intranet never handles the password, and controls such as multi-factor authentication and account disablement are enforced once, at the identity provider, rather than per application.
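An added example, not code from the article, from GreenOrbit, or from any SAML library: the checks a service provider still has to make on an assertion after its XML signature has been verified. A valid signature only proves the identity provider issued the assertion; it does not prove the assertion was issued for this intranet, is still inside its validity window, answers a login request this intranet actually started, or has not been presented before. The issuer, audience, assertion-consumer URL and the (unsigned) assertion below are constructed sample values, and signature verification is assumed to have been done already with an XML-DSig implementation.

```python
"""Checks a SAML service provider (here: the intranet) applies to an
assertion after the XML signature has been verified.

Added example, not code from the article, GreenOrbit, or any SAML library.
It assumes signature verification has already been done with an XML-DSig
implementation (e.g. python3-saml); the issuer, audience, ACS URL and the
assertion itself are constructed sample values.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion (unsigned; see the docstring).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2" IssueInstant="2021-12-16T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>brad@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          NotOnOrAfter="2021-12-16T10:05:00Z"
          Recipient="https://intranet.example.test/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-12-16T09:59:00Z" NotOnOrAfter="2021-12-16T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://intranet.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_assertion(xml_text, *, expected_issuer, expected_audience, acs_url,
                    outstanding_request_ids, seen_assertion_ids, now,
                    skew=timedelta(minutes=2)):
    """Return (True, name_id) or (False, reason). Signature already verified."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return False, "not a SAML 2.0 Assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing or unbounded Conditions"
    if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")) - skew:
        return False, "assertion not yet valid"
    if now >= parse_ts(cond.get("NotOnOrAfter")) + skew:
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"      # minted for some other service provider
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "wrong or missing Recipient"
    if scd.get("NotOnOrAfter") and now >= parse_ts(scd.get("NotOnOrAfter")) + skew:
        return False, "subject confirmation expired"
    assertion_id = root.get("ID")
    if assertion_id in seen_assertion_ids:
        return False, "assertion ID already seen (replay)"
    in_response_to = scd.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        return False, "InResponseTo does not match a pending AuthnRequest"
    # Consume one-time state only after every check has passed.
    outstanding_request_ids.discard(in_response_to)
    seen_assertion_ids.add(assertion_id)
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def run_demo():
    """Exercise the valid path and three rejections on the constructed sample."""
    base = dict(expected_issuer="https://idp.example.test/metadata",
                expected_audience="https://intranet.example.test/saml/metadata",
                acs_url="https://intranet.example.test/saml/acs")
    at = parse_ts("2021-12-16T10:01:00Z")
    results = {}
    pending, seen = {"_req42"}, set()
    results["valid"] = check_assertion(SAMPLE_ASSERTION, **base, outstanding_request_ids=pending,
                                       seen_assertion_ids=seen, now=at)
    # Same assertion presented a second time: state from the first call rejects it.
    results["replay"] = check_assertion(SAMPLE_ASSERTION, **base, outstanding_request_ids=pending,
                                        seen_assertion_ids=seen, now=at)
    results["expired"] = check_assertion(SAMPLE_ASSERTION, **base, outstanding_request_ids={"_req42"},
                                         seen_assertion_ids=set(), now=parse_ts("2021-12-16T10:10:00Z"))
    other = dict(base, expected_audience="https://other-app.example.test/saml/metadata")
    results["wrong_audience"] = check_assertion(SAMPLE_ASSERTION, **other, outstanding_request_ids={"_req42"},
                                                seen_assertion_ids=set(), now=at)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:14s} -> {outcome}")
```

Two deployment notes. The `seen_assertion_ids` and `outstanding_request_ids` sets must live in storage shared by every intranet node for at least the assertion's validity window plus skew, or a replay against a second node succeeds. And the order matters: one-time state is consumed only after all checks pass, so a rejected assertion does not burn the pending request ID and lock the user out of a legitimate retry.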

Active Directory Authentication

This helps keep information consistent and up to date.

The basic principle of Active Directory ties in with permission-setting and multi-tiered security. Everyone logs in to the one central directory, and what they can actually see once there is governed by permission control. Once a directory service for Windows servers, the name now commonly covers a broad range of directory-based, identity-related services.

The best practice here is for employee profiles to be self-managed and read by the intranet straight from the directory, which removes the need for a separately maintained, manually synced copy. A manually synced copy lags the directory: an employee who has left or changed role keeps their old intranet access until the next sync, and that window is exactly what an attacker holding a former employee's credentials needs.

Must-read compliance

GDPR is here to stay, and we're already seeing the first financial repercussions of non-compliance, with Google hit with a $57 million fine from France.

With the concerns about big tech since 2016, there's an increasing chance that the U.S. will adopt a federal privacy law as well.

As privacy laws become more common, it’s crucial for organizations to make sure their intranet is compliant with local regulations.

Organizations should set up a security policy and/or GDPR group policy on the intranet that every employee must read and accept as read and understood. This gives the business a record that each employee has acknowledged their obligations.

Anonymous data

If you are hacked or compromised, the hacker should not be able to identify specific individuals or teams from the data they capture.

Data masking is one common technique. It replaces the data elements that users in a given role should not see with realistic-looking fake values that keep the original format (length, character set, check digits), so systems and test suites built for the real data still work with the masked copy. Masking is normally irreversible, and it is widely used when developers or testers need production-shaped data without production secrets.

Data encryption transforms readable data into ciphertext using a cryptographic algorithm and a key. Without the key the ciphertext is unreadable; with it, the original is restored exactly. Encryption protects data in transit between computers or networks and data at rest, and it differs from masking in being reversible: whoever holds the key sees the real values, so key management decides who could identify individuals in a compromised copy.
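An added example, not code from the article or from GreenOrbit, of masking an HR record before it leaves the system of record: format-preserving masking of the SSN, banding of the salary, and a keyed pseudonym for the employee ID and e-mail so that masked tables still join on the same person. It also shows the mistake the masking conversation usually glosses over: hashing a low-entropy field such as an SSN without a secret key is not masking at all, because an attacker simply hashes every candidate value and compares. The record, the key and the candidate list are constructed. Reversible encryption of the same data is deliberately left to a vetted library rather than shown here.

```python
"""Masking an HR record so a leaked copy does not identify people.

Added example, not code from the article or from GreenOrbit. The record,
the key and the candidate list are constructed; a real deployment keeps the
pseudonym key in a secrets store, apart from the masked data.
"""
import hashlib
import hmac
import re

SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_RECORD = {
    "employee_id": "E1001",
    "name": "Brad Keller",
    "email": "brad.keller@example.test",
    "ssn": "123-45-6789",
    "department": "Sales",
    "salary": 83400,
}
# Constructed stand-in for the roughly 10^9 SSNs an attacker would really enumerate.
SSN_CANDIDATES = ["123-45-6788", "123-45-6789", "987-65-4321"]


def unkeyed_hash(value):
    """Plain hash: looks anonymous but is reversible by enumeration (see below)."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonym(key, value, length=12):
    """Keyed, deterministic token. The same input gives the same token under one
    key, so masked tables still join, but without the key it cannot be
    recomputed from guesses."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def mask_ssn(ssn):
    """Format-preserving mask that keeps the last four digits. The last four are
    still a linkable attribute; drop them too if nothing downstream needs them."""
    if not re.fullmatch(r"\d{3}-\d{2}-\d{4}", ssn):
        raise ValueError("unexpected SSN format")
    return "***-**-" + ssn[-4:]


def mask_email(email, key):
    """Pseudonymous local part, real domain, so mail-routing tests still work."""
    local, _, domain = email.partition("@")
    return f"{pseudonym(key, local)}@{domain}"


def salary_band(salary, width=10_000):
    """Generalisation: an exact salary identifies a person, a band does not."""
    low = (salary // width) * width
    return f"{low}-{low + width - 1}"


def mask_record(rec, key):
    token = pseudonym(key, rec["employee_id"])
    return {
        "employee_id": token,
        "name": f"Employee {token[:8]}",
        "email": mask_email(rec["email"], key),
        "ssn": mask_ssn(rec["ssn"]),
        # Coarse groups only: a two-person team would re-identify its members.
        "department": rec["department"],
        "salary_band": salary_band(rec["salary"]),
    }


def recover_by_enumeration(digest, candidates, fn=unkeyed_hash):
    """What an attacker does with an unkeyed hash of a low-entropy field."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD, SAMPLE_KEY))
    leaked = unkeyed_hash(SAMPLE_RECORD["ssn"])
    print("unkeyed hash recovered:", recover_by_enumeration(leaked, SSN_CANDIDATES))
    leaked = pseudonym(SAMPLE_KEY, SAMPLE_RECORD["ssn"])
    print("keyed pseudonym recovered:", recover_by_enumeration(leaked, SSN_CANDIDATES))
```

The keyed pseudonym only holds as long as the key stays out of the leaked copy; store it with the same care as an encryption key, and rotate it if the masked data set is ever combined with one derived under the same key from another source.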

Who has your back?

Your intranet is essential for employee collaboration and for fostering the knowledge economy, but that's all for naught if it isn't safe and compliant. Who wants to share work on an intranet under constant fear that the information could be exposed? Security and compliance are the engine of the team-collaboration car: without them the car might still be beautiful and look fun to drive, but you won't get very far.

You need to find someone who can keep your user data safe and your proprietary information protected, so you can, in turn, do your best work.

Josie Mangano

Chief Technology Officer, GreenOrbit

Josie Mangano is the CTO at GreenOrbit, which offers global businesses strategic tech insights to enhance practices and procedures with software solutions. Josie also serves as an ambassador to women in mathematical sciences at ASMI.