Headlines continue to abound about the Facebook data breach.

Unlike the retailer breaches in which credit card data was stolen outright, the company in question, Cambridge Analytica, had been granted access to this data.

Unfortunately, it used that information without permission and in an openly misleading way, deceiving both Facebook users and Facebook itself.

Facebook CEO Mark Zuckerberg has promised to make changes to prevent this type of information misuse from happening in the future, but it appears that many of those adjustments will be made internally.

Individual users and businesses still need to take their own steps to ensure that their information remains as protected and secure as possible.

For individuals, improving online protection is fairly simple. Options range from abandoning sites like Facebook entirely to avoiding the so-called free game sites and quizzes that ask for access to your and your friends’ information.

A separate approach is to use different accounts: one to access important financial sites, and a second (or several) for social media pages. Using a variety of accounts means more work, but it adds extra layers that keep an intruder who compromises one account away from your key data.

Businesses, on the other hand, need a more comprehensive approach. While nearly all employ firewalls, access control lists, encryption, and more to prevent a hack, many companies do not maintain the infrastructure that leads to the data.

An example is a company that enforces regular password changes on user accounts but never changes the credentials of its infrastructure devices: the firewall, router, and switch passwords. In fact, many of these are never changed at all.

Those who use web data services must also rotate their credentials. Access to such a service requires a username and password or an API key, which are created when the application is built and, again, rarely changed afterward. A former staff member who knows the API key for the company’s credit card processing gateway could still reach that data after leaving the company.

Things can get even worse. Many large companies bring in outside firms to assist in application development. In this scenario, the software is copied to the third party’s servers and may carry the same API keys or username and password combinations that the production application uses. Since these are rarely changed, a disgruntled worker at the third-party company now has everything needed to get at the data.
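The exposure described above is easy to lose track of once a secret has been copied around. The script below is an added example, not code from the original article: it keeps a small inventory of secrets and of who has access to each copy, and produces a rotation list when someone leaves or when a secret exceeds a maximum age. The inventory, names, dates, and the vendor "dev copy" are all constructed for the example.

```python
"""Offboarding-driven credential rotation check.

Added example, not code from the original article. It models the point made
above: a credential is exposed to everyone who has ever had access to any
copy of it, including the copy shipped to a third party's development
servers. The inventory, people, and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Secret:
    name: str            # e.g. "payment-gateway-api-key"
    kind: str            # "device", "embedded" (in an application), or "api_key"
    last_rotated: date
    # Where each copy of the secret lives -> people with access to that copy.
    copies: dict = field(default_factory=dict)

    def holders(self) -> set:
        """Everyone who has had access to any copy of this secret."""
        return set().union(*self.copies.values())


# Constructed inventory. The production payment-gateway key is also embedded
# in a copy of the application on the vendor's dev server, which is the
# failure mode described above.
INVENTORY = [
    Secret("core-firewall-admin", "device", date(2015, 3, 1),
           {"fw-core-01": {"alice", "bob"}}),
    Secret("payment-gateway-api-key", "api_key", date(2016, 9, 12),
           {"prod-app": {"alice", "carol"},
            "vendor-dev-copy": {"dave@vendor", "erin@vendor"}}),
    Secret("reporting-db-service-pw", "embedded", date(2018, 1, 20),
           {"report-app": {"carol"}}),
]


def rotation_plan(inventory, departed, today, max_age_days=90):
    """Return {secret_name: [reasons]} for every secret that must be rotated.

    `departed` is the set of people (employees or third-party staff) who have
    left; `today` is an ISO date string. A secret is due when any departed
    person had access to any copy of it, or when it is older than
    max_age_days. Both reasons are listed when both apply.
    """
    today = date.fromisoformat(today)
    departed = set(departed)
    plan = {}
    for s in inventory:
        reasons = []
        exposed = s.holders() & departed
        if exposed:
            where = sorted(loc for loc, people in s.copies.items() if people & departed)
            reasons.append(f"known to departed {sorted(exposed)} via copy at {where}")
        age = (today - s.last_rotated).days
        if age > max_age_days:
            reasons.append(f"last rotated {age} days ago (limit {max_age_days})")
        if reasons:
            plan[s.name] = reasons
    return plan


if __name__ == "__main__":
    # A vendor developer leaves: the production API key must be rotated even
    # though that person never had access to the production server.
    for name, reasons in rotation_plan(INVENTORY, {"dave@vendor"}, "2018-04-01").items():
        print(f"{name}: " + "; ".join(reasons))
```

The useful property is that the decision is driven by who has ever held any copy, not by who is on the production access list: the vendor's developer never touched the production server, yet the key still has to be reissued when that person leaves.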

Additional steps must also be taken to prevent a data breach. These include:

• Identify all devices involved in public access to company data, including firewalls, routers, switches, servers, and so on. Develop detailed access control lists (ACLs) for all of these devices. Again, change the passwords used to access these devices frequently, and change them whenever any member of any ACL on this path leaves the company.

• Identify all passwords embedded in the applications that access the data, that is, the credentials “built into” the applications themselves. Change these passwords frequently, and change them whenever anyone who worked on any of these software packages leaves the company.

• When using third-party companies to assist in application development, issue the third party its own separate credentials rather than sharing production ones, and change them frequently.

• If you use an API key to access web services, request a new key whenever anyone involved with those web services leaves the company.

• Anticipate that a breach will occur and develop plans to detect and stop it. How do companies protect themselves against this? It is a bit tricky, but it is not out of reach. Most database systems have built-in auditing, and sadly it is not used correctly, or at all.

Consider a database with a table containing customer or employee data. As an application developer, one expects the application to access this data; however, if an ad-hoc query reads a large part of that table, properly configured database auditing should, at the very least, raise an alert that this is happening.

• Use change management to control changes. Install change management software to facilitate management and tracking, and keep all non-production accounts locked until a change request has been opened.

• Don’t rely on internal audit alone. When a company audits itself, it typically downplays potential weaknesses. It is best to have a third party audit both your security and your source code.
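The detection rule described above (an ad-hoc query that reads a large share of a sensitive table should raise an alert) is concrete enough to show in code. What follows is an added example, not code from the original article and not tied to any particular database product; each engine emits its own audit format (PostgreSQL’s pgaudit, Oracle Unified Audit, and SQL Server Audit all differ), so the log format, account names, and table sizes here are constructed. The logic is the part that carries over: skip the application’s own accounts, and flag everyone else whose statement returned at least a set fraction of a sensitive table.

```python
"""Detecting bulk ad-hoc reads of sensitive tables from a database audit log.

Added example, not code from the original article and not tied to any one
database product: real engines emit their own audit formats, so the log
format, the account names, and the table sizes below are constructed to
illustrate the rule described above.
"""
import re

# Constructed audit records: one line per statement, with the rows returned.
SAMPLE_AUDIT_LOG = """\
2018-04-01T09:12:03Z user=orders_app client=orders-web stmt="SELECT name, email FROM customers WHERE id = 4021" rows=1
2018-04-01T09:13:10Z user=dave client=psql stmt="SELECT id FROM customers WHERE email = 'x@example.com'" rows=1
2018-04-01T09:20:45Z user=dave client=psql stmt="SELECT * FROM customers" rows=48210
2018-04-01T09:21:02Z user=orders_app client=orders-web stmt="SELECT * FROM products" rows=1200
2018-04-01T09:25:30Z user=erin client=dbeaver stmt="SELECT ssn, salary FROM employees WHERE dept = 'eng'" rows=310
"""

# Accounts the application itself uses; anything else is treated as ad hoc.
APPLICATION_ACCOUNTS = {"orders_app"}
# Sensitive tables and their approximate row counts (constructed).
SENSITIVE_TABLES = {"customers": 48210, "employees": 950}

LINE_RE = re.compile(r'^(\S+) user=(\S+) client=(\S+) stmt="(.*)" rows=(\d+)$')
TABLE_RE = re.compile(r'\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)', re.IGNORECASE)


def parse_line(line):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, client, stmt, rows = m.groups()
    return {
        "ts": ts, "user": user, "client": client, "stmt": stmt,
        "rows": int(rows),
        "tables": {t.lower() for t in TABLE_RE.findall(stmt)},
    }


def find_bulk_adhoc_reads(log_text, app_accounts, sensitive_tables, fraction=0.10):
    """Return one alert per statement that (a) came from a non-application
    account and (b) returned at least `fraction` of a sensitive table.

    Application accounts are expected to touch these tables and are skipped;
    small ad-hoc lookups stay below the threshold and are not reported.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] in app_accounts:
            continue
        for table in sorted(ev["tables"] & set(sensitive_tables)):
            share = ev["rows"] / sensitive_tables[table]
            if share >= fraction:
                alerts.append({
                    "ts": ev["ts"], "user": ev["user"], "client": ev["client"],
                    "table": table, "rows": ev["rows"], "share": share,
                    "stmt": ev["stmt"],
                })
    return alerts


if __name__ == "__main__":
    for a in find_bulk_adhoc_reads(SAMPLE_AUDIT_LOG, APPLICATION_ACCOUNTS, SENSITIVE_TABLES):
        print(f"ALERT {a['ts']} {a['user']}@{a['client']} read {a['share']:.0%} "
              f"of {a['table']}: {a['stmt']}")
```

Two caveats a practitioner should keep in mind: the row-count threshold catches a single bulk read but not a slow exfiltration spread over many small queries (for that, aggregate rows per user per day before applying the threshold), and an attacker holding the application’s own credentials is invisible to this rule, which is why the credential rotation steps above matter just as much as the auditing.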

Many companies provide auditing services, but over time this author has found that a forensic approach works better. Analyzing every aspect of the infrastructure, developing policies, and monitoring them is a must. Yes, it is a hassle to change every device and embedded password, but it is easier than facing the court of public opinion when a data breach occurs.