It’s Cyber Security Awareness Month: Learn tips to protect your company’s online security
This blog post originally appeared on our Arrowhead corporate blog. It’s been tailored to better meet the needs of Tribal Nations.
These days, we’re connected everywhere we go, increasing the need to protect your company’s online security. Your employees can access company emails from personal cell devices and PCs. And when employees work from home or coordinate with vendors, they share files back and forth. All expose your company to a cyber breach. Since October is Cyber Security Awareness Month, we’ve prepared a list of tips to show you how you can protect your company’s online security.
We’ve said it before, but it bears repeating: Cyber criminals don’t care how big or small your company is. They only care if you’re vulnerable and that they can get in and steal personal, medical or financial data quickly; then they’re on to the next network. So don’t think that, if you’re just a small enterprise, you’re not on their radar.
“While cyberattacks on big companies can generate vast quantities of valuable data for cybercriminals, these companies are typically well defended,” said a recent PropertyCasualty360 article, adding, “Although small- to medium-sized businesses are less valuable targets for these criminals, their IT systems are also easier to penetrate.”
Indeed, more than half of U.S. businesses experienced a cyberattack in a one-year period, according to a 2017 study by The Hartford, as reported in Business Insurance. How to protect your company’s online security? Have a sound cybersecurity policy and procedures in place.
These tips run the gamut from using strong encryption and separate Wi-Fi for guests to safely disposing of old cell phones. While we can’t guarantee these will successfully block all hacking attempts, they will definitely slow down hackers, hopefully leading them to decide to look elsewhere for easier pickings. Let’s get started.
1. Back up data regularly
This is one of the least expensive cybersecurity precautions that you can take. While this may seem like an obvious tip, you’d be surprised by how many people overlook it.
You should back up all documents – HR files, databases, spreadsheets, financial records and accounts payable and receivable files – along with data stored in the cloud as well. Be sure to store your backup data in a completely separate physical location.
2. First line of defense: your software
Invest in a firewall with anti-virus tools. Your first line of defense is a robust firewall. The FCC recommends all businesses start here, as you take steps regarding how to protect your company’s online security. The firewall creates a barrier between your data and would-be hackers looking to steal your IPs.
Employees working from home or in the field on mobile devices need a firewall on each device as well. Encourage your employees to implement firewall software that makes sure their home and business networks align with each other. Employee compliance – and that means everyone – is crucial; otherwise, they may open more holes than they close.
Anti-malware software. Antivirus software isn’t enough, so add another layer of anti-malware software. Just as there are many types of malware, such as phishing, ransomware or a virus, there are different types of anti-malware you may need to consider. Each attacks differently; the solution that stops one may not stop another.
Phishing is especially important to stop because of the sheer volume of phishing emails that employees continue to click on, said TechDay in a best practices article. Quoting a Verizon study, they said 30 percent of employees still open emails that are phishing for your proprietary information.
Multifactor IDs. Multifactor identification helps to close the holes that may open from genuine mistakes of employees. It’s typically recommended to connect one of the forms of ID to the cell phone (e.g., a numerical code is texted to your smartphone which you must enter on the screen to continue). Thieves are more likely to be thwarted, since they don’t have the PIN number and the password on a phone they don’t own, said TechDay.
Safe Passwords. Again quoting the Verizon study, TechDay’s article states that 63 percent of all data breaches occurred because of passwords that were weak, lost or stolen. Ironically, nearly the same number (65 percent) of companies don’t enforce a formal password policy. We doubt the similarity of these two numbers is a coincidence. One weak password can compromise your entire network. Require employees to change their passwords at least quarterly.
Implementing password management software allows users to leverage different sets of login and password combinations for different applications. It also allows users to easily and regularly change passwords to comply with regulatory standards. Secure password storage tools such as LastPass or KeePass will maintain the necessary level of password protection.
Patches. Verify that all operating systems, software and programs, such as web browsers, are fully patched and up-to-date. Updated software and systems will install patches for vulnerabilities that developers have identified, instantly removing those vulnerabilities.
You can find a checklist of additional ways to secure your technology here, courtesy of StaySafeOnline.org.
3. Second line of defense: your employees
Unfortunately, not all cyber threats come from the outside. Data breaches are primarily caused by a negligent employee or contractor, said PropertyCasualty360. Even with the best employee training, a company can decrease the likelihood of a breach via a phishing attempt to about 20 percent, which most of us would consider still too high.
Educate and train employees on newest threats. None of the strategies work unless employees know how to implement them correctly. Train all employees on proper use of the network, particularly when a new security policy is added. It’s important to stay a step ahead of would-be hackers. That means you’ll need to update employees as often as you install patches and updated software. Continually.
Provide regular employee training that’s specifically geared towards phishing attacks, ransomware and social engineering campaigns. PropertyCasualty360 recommends quarterly training at a minimum to remind employees of this constant threat.
4. Close the back door
Careful cybersecurity begins with mindful physical security. Be careful and thoughtful as to whom you give access to sensitive digital assets. Vet all third-party IT vendors scrupulously. An employee or contractor who copies your proprietary information onto a portable drive and then walks out the door can cause as much damage as a cybercriminal who hacks your network from across the globe. Should an employee or contractor be fired or leave your company, quickly block future access to these assets.
5. Using Wi-Fi in the field
Typically, Wi-Fi hotspots just aren’t safe, because 95 percent of Wi-Fi traffic is unencrypted. That nice lady sitting opposite your employee on the train just might be a hacker, ready to penetrate your corporate server, rendering all digital assets vulnerable. Here are a few thoughts that can make Wi-Fi a little safer, but user beware.
- Before logging in, set all websites to “HTTP secure.”
- Access the company’s VPN before logging into a company network.
- Anytime a user name and password are required to gain access to a website, STOP.
- Don’t access bank, credit card or brokerage accounts or subscription services via a Wi-Fi hotspot.
6. Have a plan for being hacked
No matter how vigilant you are, there’s still a chance you’ll eventually be hacked. It’s usually not a question of “if” but “when.” Remember these three critical best practices: Don’t wait to acknowledge the issue. Immediately work to remediate the issue. Communicate the issue and how you’re working to solve it or have solved it. To best defend against such an event, we also recommend advance preparation:
- Prepare a plan to handle potential consequences if a cyber intruder hijacks your network. The ability to fulfill these tasks may be rendered useless: bill paying, accessing account information, collecting payments, withdrawing or adding funds, running payroll and performing many other bookkeeping and financial activities normally conducted online. Determine a Plan B to handle these tasks.
- If a cyber hack occurs, document all actions taken. This will be extremely useful if your client is sued following a cyber event.
Cyber Security Awareness Month is sponsored by StaySafeOnline, part of the National Cyber Security Alliance. One of their programs is CyberSecure My Business™, which helps small-to-medium-sized entities learn to be more secure online. For additional help, view their list of free online security checkups and tools.