Do You Have a Cyber Security Plan?
Whether you use a third party for your retail website or exchange intellectual property with customers and partners, you need to protect your business information.
It’s the types of breaches you don’t often read about that have longer lasting effects on the effectiveness of your business. The data targets are many; intellectual property, company secrets, employee records, business plans, customer data, financial and legal documents. It’s not only cyber-attacks that you need to worry about. Of the 43 percent of businesses that experienced some type of data breach in 2014, less than one-third were due to cyber-attacks.
Here are 5 things you should think about when locking down your valuable data assets, and no matter how simple, you should have a security plan:
It’s Not Just Digital
The most important aspect of protecting information is clear communication to your employees of your expectations around handling information. A simple security policy can keep everyone in know about Confidential (e.g. employment applications) and Proprietary (e.g. secret copyrights) documents.
Secure Your Premises
Locks, digital entry systems, alarms and perimeter obstacles such as fences are considered deterrents. These simply make an unauthorized entry take longer thus deterring a would-be thief from taking on the job in the first place. Digital entry systems add the further protection of knowing who was on premise and when.
If you manage your own computer systems keep them in a secure area where only authorized personnel have direct access to the hardware. This, along with proper digital access controls for applications that your employees and customers use will improve your security posture significantly.
Anyone Can Read Your Email
Yes, sending documents and information in emails is easy but almost anyone with a basic knowledge of networks and communication protocols can read email relayed through the Internet.
If you have sensitive information to share or collaborate on, use technologies such as Box.com, which has services to send and receive documents in a secure and authenticated manner.
If you use an internal email system, make sure you set up policies that can detect certain types of data such as SSNs, company documents and potentially dangerous attachments, block these at the source.
This practice is known as DLP (Data Loss Prevention) and is the most commonly used form of preventing the problem from occurring in the first place. But nothing is more valuable than simple communication to your workforce of the known dangers of email and your expectations around email usage.
If You Don’t Use It, Don’t Store It
An outdated process or application collects social security numbers when they are no longer needed or used; “we always file the applications and background check results in that unlocked filing cabinet”; “our repeat customers like the convenience of not having to provide or enter their credit card every time they do business with us.”
It’s a balance and you have to make the call, but consider that every time you store information, paper or digital, your liability increases. Even if you store documents or data at a 3rd-party, you are still liable.
Simple dedication to keeping things cleaned up and diligence in assessing real need can go a long, long way. This includes making sure that when computer/PCs and mobiles are no longer used or are being replaced that the old versions are electronically cleaned and recycled.
Social Engineering
It’s not just data and documents that can leak sensitive information about your business and customers. Many times human interaction is the culprit of some very damaging security breaches. Social engineering is an industry term when a fraudster uses relationship knowledge to gain access to information that would be otherwise unavailable.
Once again clear communication to your employees about what kind of information, if any, should be provided to outsiders without proper verification or permission, this could be reporters, competitors, salesmen or just criminals trying to steal from you. The impacts of tipping off the ne’er-do-wells could damage your reputation and lose you money.
Digital Security
Digital security is an area in which businesses sometimes have the least control. When providing digital applications to your employees, partners and customers there are a number things to consider, however, we will only discuss two of the most important; authentication and encryption.
We are all familiar with logging in to a web site with our user name and password. This is known as authenticating and we have all read about cyber-attacks attempting to guess your ID and password.
The most important, and easiest, mitigation for this vulnerability is to communicate and enforce strong password practices with the applications you own. In many cases systems should require password resets every once in a while, this keeps fraudsters guessing.
Sometimes, however, our most valuable digital assets need something even stronger requiring two or even three types of ID. Something you know (e.g. password), something you have (e.g. iWatch) and something you are (e.g. thumb print) is the model for the most secure systems. The thought is that fraudsters would have difficulty getting a hold of two or more forms of identity e.g. user id/password and your thumb.
Encryption is important as it makes data unreadable (including user ids and passwords) while it travels over our internal networks or the internet. This keeps hackers from obtaining access to our sensitive data while it is in flight. Most of us are familiar with https:// we see in our browser address bar and configuring our wireless routers with WEP and WPA. Make sure you are leveraging these technologies when granting access to any application whether internal or provided by a 3rd-party.
Authentication and encryption are very important aspects of cyber-protection, but are too complicated for most to manage. Consult your network specialist.
Security in today’s cyber-world is a complicated and ambiguous matter, but it doesn’t take a rocket scientist to protect your business. There are many simple measures that can be taken that won’t break the bank and will assure the safety of your business’s valuable information. So, no matter how trivial it may seem, get to work on your security planning, create a policy and keep in constant communication.
Source: Cyber Security Intelligence
