On several professional associations’ IT priority lists, we see the same items as immediate priorities: “Securing the IT Environment” is usually in the number one position. The Top Ten list also includes three other security-related items: ‘Managing IT Risks / Compliance’, ‘Privacy’, and ‘Preventing and Responding to Computer Unauthorized Access / Data Theft / Computer Fraud’, which continues to signal that security needs to be taken seriously and remain a priority for all businesses.
While no network can be 100% protected from cyber-security threats, you can implement a number of security ‘best practices’ that significantly reduce the risk of data being lost or compromised by hackers. Below is a list of the top items to protect your business from the vast majority of cyber threats:
Keep Operating Systems and Applications/Programs Updated: Your operating system needs to be updated regularly to get the latest protection and patches – especially on phones, tablets and other devices. Windows, iOS and Linux have options to ensure that your system checks for updates on a regular basis. Schedule it for 3 am nightly, and you’ll probably never notice it.
Use Antivirus / Anti-Malware: The more protection you can have, the better. Make sure you have an antivirus application (beyond the operating system’s own) and an anti-malware program running at all times on your machines. Make sure that these are also checking for updates frequently, and make sure that they scan your devices regularly. This should include any devices attached to your machine(s) – USB/thumb drives, backup hard drives, Network Attached Storage (NAS), re-writeable media, etc.
Strong Password Policy: You should require everyone to use complex passwords, meaning at least eight characters with a combination of upper and lower case letters, numbers and special characters. Visit a site like https://passwordsgenerator.net to create strong passwords. If you want to use a Password Manager, that is fine and may make life easier. You should require personnel to change their passwords at least four times per year, and personnel should not be able to reuse previous passwords. Use a different password for each website and login, and do not allow sharing of passwords.
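As an added example (not code from the original post), a Python check that enforces exactly the password rules above, plus a salted password history so previously used passwords are rejected without ever storing them in plaintext; the PBKDF2 round count is an assumed value.

```python
import hashlib
import hmac
import os
import string

# Policy from the post: at least eight characters mixing upper-case, lower-case,
# digits and special characters; previously used passwords may not be reused.
MIN_LENGTH = 8
SPECIALS = set(string.punctuation)
PBKDF2_ROUNDS = 100_000  # assumed work factor for the history hashes

def complexity_errors(password: str) -> list:
    """Return the policy rules the password breaks (empty list means it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case letter")
    if not any(c.islower() for c in password):
        errors.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in SPECIALS for c in password):
        errors.append("no special character")
    return errors

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 so the history never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def reused(password: str, history: list) -> bool:
    """True if the candidate equals any password in the (salt, digest) history."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False

def accept_new_password(password: str, history: list) -> list:
    """Combine both checks; an empty list means the new password is acceptable."""
    errors = complexity_errors(password)
    if reused(password, history):
        errors.append("matches a previously used password")
    return errors
```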
Use Automatic Screen Lock: When a device has been idle for more than 5 minutes it should automatically lock and require appropriate user credentials to be entered to regain access.
Equipment Access: You should limit access to resources to only those staff that absolutely need it.
Secure Devices: Any device that contains company or client data should be physically and digitally secured. On-site servers need to be in a secure area, and the office should have a security system with monitoring. Mobile devices should be locked, and anywhere you store data, the drives should be encrypted.
Disposal of Data and Hardware: All physical files and documents with Personally Identifiable Information (PII) that are no longer needed should be, at a minimum, shredded and/or burned. Workstations and other mobile equipment used for processing client data should be thoroughly reformatted before reuse or disposal, or, ideally, have the hard drive removed and/or destroyed.
Encrypt Backup Data: You should make it a practice to encrypt any backup media, on site or off-site. It is good practice to verify periodically that the encryption and decryption processes are working.
Remove Administrator Access: Other than IT administrators, you should prevent all workstations from running in ‘administrator’ mode, as any machine that gets infected while running with administrator rights will lead to the entire network being infected.
Secure Communications: Any data sent out of your office should be done using secure methods. Use a tool or implement an encrypted email solution for all files containing company or client data.
Secure Connections: Everyone should be using a Virtual Private Network (VPN) or other secure connection. Any website you visit should show ‘https://’ in its address. No work should be accessed over public WiFi, and remote devices should have VPNs installed on them as well.
Create and Enforce IT Policies: All businesses should create and review IT policies and provide training to employees for all new and updated policies. Have set policies for BYOD (Bring Your Own Device), working remotely, Privacy, and Encryption.
Educate Employees: Security education is the most important step you can take. It is humans who click on a phony email or grant access through their web browser. Employees need to be educated on current cyber security attack methods such as phishing and other email attacks. Personnel need to be skeptical of any messages or emails they did not expect or that seem strange. They should be instructed to hover over an email link before clicking, and to look at the email properties to see whether the sender’s email address matches the displayed name. They should be aware of threats including ‘ransomware’ and ‘social engineering’ used by hackers to get access to their computer. As a rule – NEVER provide login, password or confidential information over the phone, especially to people you don’t know.
Outsource Security: Hire expertise when implementing security, so that it is done properly the first time. Most IT people have not been exposed to extensive security training and do not have experience securely configuring new devices. Have a 3rd party conduct penetration testing to identify any system vulnerabilities.
Cybersecurity Insurance: Unfortunately, even if you do all the right things, you can still become a victim of a hacker. To protect your business, you should consider cybersecurity insurance. The cost of this insurance has come down considerably in the last decade, and firms should evaluate both first-party insurance to cover the firm’s direct losses resulting from an incident (downtime, recreation of data, direct remediation costs) and third-party insurance to cover any damages to clients whose data may have been compromised.
Seron Security carries $2 Million policies for Liability, Errors and Omissions, and Cybersecurity Breach Insurance.
While we cannot cover every possible security solution, this list should provide you and your company with a good start. Protecting company and client data is everyone’s responsibility.
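The two manual checks recommended under Educate Employees (does the sender’s real address match the name shown, and does a link’s visible text match where it actually points) can also be automated as a first-pass screen. The following is an added Python example, not code from the original post; the e-mail message is constructed for illustration and the domains are placeholders.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail) with the two signs the post tells
# staff to check: a display name that does not match the real sender address, and
# a link whose visible text names a different site than its real target.
RAW_MESSAGE = """\
From: "Acme Payroll <payroll@acme.example>" <alerts@mail-verify.example>
Content-Type: text/html; charset="utf-8"

<p>Please visit <a href="http://login.mail-verify.example/reset">https://portal.acme.example</a> today.</p>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (visible text, href) pairs
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phishing_indicators(raw: str) -> list:
    """Return human-readable warnings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw)
    warnings = []
    name, addr = parseaddr(msg["From"])
    sender = addr.rsplit("@", 1)[-1].lower()
    # Sender check: a display name that embeds an address on another domain
    for claimed in re.findall(r"[\w.+-]+@([\w.-]+)", name):
        if claimed.lower() != sender:
            warnings.append(f"display name claims {claimed.lower()} but sender is {sender}")
    # Hover check: link text that names one host while the href goes to another
    collector = LinkCollector()
    collector.feed(msg.get_payload(decode=True).decode("utf-8"))
    for text, href in collector.links:
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            warnings.append(f"link text shows {shown} but points to {real}")
    return warnings
```

A clean message, where the display name carries no foreign address and each link’s text matches its target host, produces an empty list.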