Data breaches, cyber protection and your tribal company
This article first appeared in Arrowhead’s corporate blog and was modified for our Tribal clients and producers.
How much have you invested in cyber protection for your tribal entity, be it training, network protection or other measures? If you’re like many small companies, the answer could be very little to none. However, we shared in our last post how even small companies may be vulnerable to hacking. Storing both personally identifiable information on your employees and financial data about your customers or partners potentially makes you a goldmine to cyber criminals and can be highly damaging, should you be compromised. What’s more, online digital storage has greatly increased vulnerability to cyber attacks.
Now that you’re convinced your tribal business has at least a chance of becoming a target, what can you do about it? While this post is not intended to provide an in-depth, soup-to-nuts discussion, here are the top seven steps you should take to protect your data.
1. Perform a security audit
Determine what data needs extra protection, such as customers’ personal information, your financial records and your employee records. For tribes with clinics or hospitals, your patient medical information is also potentially at risk. Note where this information is collected, housed and where/how it moves: from your servers to various types of cloud storage via third-party vendors, and on mobile devices and email.
2. Cyber protection for your data and files
This is the crucial second step, which includes back-ups, network security, passwords and encryption.
Network security. First, ensure that anti-virus software, intrusion detection and firewalls not only keep malware and hackers at bay, but also let you know when they’ve been penetrated. That means have robust anti-virus and anti-malware software and install all updates – immediately and on all devices. Never skip this step.
Back up. Make sure your files are backed up regularly – and test the backup to see that the data is indeed fully recoverable. Do this and you’ll never worry about paying for ransomware on your system.
Passwords. You know the drill; now do it. Never continue using the password provided by the vendor. Never use “Password 123”. Make your password strong and not easy to guess – it should not be an actual word, but a combination of letters, symbols and numbers. Hackers have an automated tool that combines dictionary words and numbers in what’s called a “dictionary attack” to be able to quickly hack easier passwords.
Encryption is quite effective as a security measure, particularly when data is in transit, such as on a laptop or thumb drive. If stolen, thieves won’t be able to use the data. Encryption software is readily available and shouldn’t cost you an arm or a leg.
3. Train your staff
Because the majority of the time it’s human error that causes a data breach, whether through lost equipment, use of an unsecured WiFi or unknowingly downloading malware from an email or website, your staff needs to be super-vigilant with your company’s cyber protection. Train them on what a phishing email looks like. Ensure they use secure passwords and won’t provide secure information over the phone. Training also puts them on notice that you are watching their activity.
Consider limiting access to data you need to secure. The fewer the employees with access, the more secure the data. For those who need temporary access, provide a temporary login and then terminate that login afterward.
4. Create security policies – and enforce them
Your staff needs to understand clearly written security and cyber protection policies and consequences when they’re not followed. For instance, no personal devices can access secure data via an open WiFi. Any mobile devices that do access that data should have up-to-date security software. All potential employees should be thoroughly vetted to screen out potential inside hack jobs as much as possible.
5. Control vendor access
Carefully choose vendors who store your data on the cloud, ensuring they have the right protections and security measures in place. Jon Neiditz provided this checklist in his blog post on Big Data Tech Law:
- What does the vendor offer in third-party audits and certifications?
- What else can the vendor promise about their safeguards?
- Will the vendor know if there is unauthorized access to your important data, and will they tell you at the first signs of such access?
- What rights, if any, will you give the vendor in your data, or to any data derived or created from your data?
- How, if at all, can the vendor share your data with any other entities, and other what conditions?
- How will you get your data back at the end of the contract, or how will the vendor protect what it keeps?
- If the vendor has access to your systems, how have you limited that access to what the vendor needs to do its work for you?
6. Plan for a data breach, in spite of your cyber protection
Assume that someday, it’s going to happen. What are your next steps? How will you contain the breach? What data security experts will you call in? How will you inform your customers, employees, vendors and others? Where will you direct clients and employees to report any suspected loss? What are your legal obligations? Take the time to think it through, then write down your plan, including all contact information, in one file. Encrypt and save on a thumb drive, then store in a safe place.
“If you respond right, an incident that could really hurt your business can actually build trust,” said Neiditz.
Using up-to-date cyber protection to secure your business’s data is a multi-step process that takes time and expertise. Implementing these practical solutions makes it tougher for hackers to slip in; hopefully they’ll move on to easier pickings because your infrastructure is not worth the trouble of hacking into it.
Keep employee data safe
7 ways ransomware could invade your company
What are the leading causes of data security breaches?
8 Tips to Protect Your Business and Secure Its Data
Top 10 Ways to Protect Your Company’s Data