Policies you can adopt today to minimize your risk
By Conway Center member Total Technology Solutions
We generally think of a data breach as something that happens at large corporations – Target, Equifax, Anthem. But if you are like many small or mid-sized businesses, you also have a lot of data on hand. You process customers’ payments via credit cards or have recurring payments memorized in your accounting system. You are a custodian of customer information including email addresses, phone numbers, postal addresses and sometimes social security numbers. You have sensitive employee information stored in your systems. You have confidential company information communicated via email, so your email holds a great deal of sensitive information as well. Whether you work in insurance, medicine or a service industry, this information needs to remain secure.
Breaches in the past several years have shown that no entity is safe. Hackers have gone after cities (the City of Atlanta recently), states, hospitals, police departments, schools, restaurants and retailers – big and small. Data also suggest that 43%** of all cyber-attacks are targeted at small businesses and that 60% of them may go out of business within 6 months of such an attack.
What kinds of proactive steps can your business take to minimize the risk of a breach?
1. Have a Security Policy and Systems Usage Policy in place
Everyone needs to be aware of these policies – they should be among your onboarding documents. Set expectations for responsible use of computers and networks, and define specific no-nos as examples. Make employees aware that their use of company assets is subject to monitoring.
2. Set a password policy that requires complexity.
Include a policy that expires all passwords every 90 days. Stolen passwords are lucrative for hackers because a valid login bypasses the traditional cybersecurity defense of a firewall.
3. Do not use computers under the admin account or with accounts with admin rights.
A sure-fire way to let intruders have their way with your system is to set users up with full access/admin rights. User accounts should have limited access, and users should not be able to install or uninstall apps, approved or unapproved, without engaging a supervisor or IT.
4. Run antimalware software that covers files, spam, DNS and rogue websites.
Stay up to date by installing all software updates promptly.
5. Schedule regular and automatic backups.
Test by restoring data from these backups. Keep backup copies offline; online backups can sometimes be compromised along with the production systems.
6. Create guidelines on safe email and social media usage, and train users regularly to keep them top of mind.
Users are the biggest weak link in a cyberattack (63%* of all breaches), and hackers know how to exploit unsuspecting users. No security measure can protect against an intrusion that has a willing participant (witting or unwitting) on the inside. Providing adequate training to all users is key.
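Items 2 and 3 above are easy to state and easy to drift away from. The following audit script is an added example, not part of the original article or a Total Technology Solutions tool: run on a Windows 10 / Server 2016 or later workstation, it flags local accounts that hold admin rights without being on an approved list, and local accounts whose password never expires or is older than the 90-day limit. The approved admin names are hypothetical placeholders.

```powershell
# Added example audit for policy items 2 (90-day password expiry) and
# 3 (no everyday use of admin accounts). Not from the original article.
# Assumes the built-in Microsoft.PowerShell.LocalAccounts module
# (Windows 10 / Server 2016 and later).

$MaxPasswordAgeDays = 90                               # the article's 90-day limit
$ApprovedAdmins     = @('Administrator', 'ITSupport')  # hypothetical placeholder names

# Item 3: who actually sits in the local Administrators group?
$admins = Get-LocalGroupMember -Group 'Administrators' |
          Where-Object { $_.ObjectClass -eq 'User' }

foreach ($member in $admins) {
    # Member names come back as MACHINE\user or DOMAIN\user; keep the user part.
    $shortName = ($member.Name -split '\\')[-1]
    if ($ApprovedAdmins -notcontains $shortName) {
        Write-Warning "Item 3: everyday account holds admin rights: $($member.Name)"
    }
}

# Item 2: enabled local accounts with no expiry or a stale password.
$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    if (-not $_.PasswordExpires) {
        # PasswordExpires is null when the account is set to never expire.
        Write-Warning "Item 2: password never expires: $($_.Name)"
    }
    elseif ($_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff) {
        Write-Warning "Item 2: password older than $MaxPasswordAgeDays days: $($_.Name)"
    }
}
```

On a domain-joined network the same two questions are better asked of Active Directory group policy and the Domain Admins group; this script only covers the local accounts on the machine it runs on.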
All businesses, large or small, need to treat their data like a critical asset. (Think of what just happened to Facebook: they obviously did not value their primary monetizable product enough to guard it adequately.) Data is today’s currency, and businesses rise and fall on their ability to work this resource. We not only have to protect it; most businesses are also required by regulation to be compliant (HIPAA, HITECH, PCI, Sarbanes-Oxley Act, GLBA). Users need to be trained to “think before they click”, to spot the signs of spam and phishing emails, and to become an effective line of defense against cyberattacks.
Al Kharel is the CEO of Total Technology Solutions. He has over 25 years of experience bringing innovative and viable solutions to organizations, large and small.
Sources: nytimes.com, TCDI.com, net-results.com, *thebestvpn.com, **smallbiztrends.com