All businesses face the risk of data breach, but
recent studies indicate that small businesses are particularly susceptible.
According to a 2016 report from the Ponemon Institute, 50 percent of smaller
organizations surveyed experienced a data breach in the previous 12
months. New research by Symantec found that small businesses
were the target of 43 percent of cyber-attacks in 2015, up from 18 percent in 2011.

Why are small businesses a growing target? Experts note that, more often than not, they don't have the cyber security controls in place to keep attackers out.

The precautions below, combined with even a modest budget and some vigilance, can protect your business and keep you safe.

1. Employee Training.

A Ponemon report notes that employees are the number one cause of data breaches in small and mid-size businesses, accounting for 48 percent of all incidents. These are usually innocent mistakes: employees often lack basic data security awareness and do not know how attackers operate. Education is the single most important thing you can do to lower the risk of data theft.

Offer mandatory cyber security awareness training on the risks that
employees face every day. It's not just for your benefit; it can be presented
as a job perk, since it teaches habits they can use in their personal lives.
Phishing, ransomware and social engineering are growing threats for small
businesses. In social engineering, attackers pose as a trusted source that
needs confidential data. In phishing, employees are sent a link that leads to a
fake website asking them to enter their password, or that installs malware on
their computer without their knowledge. Ransomware encrypts the files on a
computer (and often on any network shares it can reach) and demands payment for
the key; paying does not guarantee recovery, which is why tested offline backups
matter.

Help prevent employees from falling into these traps by advising them
to:

  • Check the legitimacy of the source before giving out sensitive
    information, using a phone number or address they already know rather
    than one supplied in the message
  • Never open unexpected attachments, whether from people they don't
    know or from people they do (sender addresses are easily forged)
  • Avoid suspicious links in emails, websites and online ads, and hover
    over a link to see where it really goes before clicking
  • Sign up for Net X Computers Cyber Security Training or
    Phishing Training.
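As an added illustration (not part of the original post or any Net X Computers material), the check below applies the advice in this list to a link in Python: it takes an email link's href and the text shown to the user and reports the tell-tale signs, such as a trusted name buried inside another domain, digit-for-letter look-alikes, a host hidden behind an '@', or link text that disagrees with the real destination. The trusted-domain list, the homoglyph table and the sample links are all constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: domains the business genuinely deals with.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "netxcomputers.example"}

# Digits commonly swapped for look-alike letters in phishing domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """Crude 'registrable' part: the last two labels (paypal.com from www.paypal.com).
    Good enough for .com-style names; a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(href: str, display_text: str = "") -> list[str]:
    """Return the reasons a link looks like phishing; an empty list means nothing was found."""
    reasons = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        reasons.append("plain http, no TLS")
    if parts.username is not None:
        # https://www.microsoft.com@evil.example/ really goes to evil.example
        reasons.append("credentials before '@' hide the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (internationalised) host, possible homoglyph attack")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    reg = registrable_domain(host)
    # A trusted name used as a sub-label of something else: paypal.com.evil.example
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in host and reg != trusted:
            reasons.append(f"trusted name {trusted!r} embedded in untrusted host {host!r}")
    # Digit-for-letter look-alike of a trusted domain: paypa1.com
    normalised = reg.translate(HOMOGLYPHS)
    if reg not in TRUSTED_DOMAINS and normalised in TRUSTED_DOMAINS:
        reasons.append(f"look-alike of trusted domain {normalised!r}")

    # Link text that shows one domain while the href goes to another.
    shown = display_text.strip().lower()
    if "://" in shown:
        shown = urlsplit(shown).hostname or ""
    if "." in shown and " " not in shown and registrable_domain(shown) != reg:
        reasons.append(f"link text shows {shown!r} but href goes to {host!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    samples = [
        ("https://www.paypal.com/signin", "www.paypal.com"),
        ("https://paypa1.com/login", "Verify your account"),
        ("https://paypal.com.evil.example/login", "paypal.com"),
        ("https://www.microsoft.com@203.0.113.5/", "Microsoft 365"),
    ]
    for href, text in samples:
        print(href, "->", analyse_link(href, text) or "no findings")
```

The check is deliberately conservative: a clean result only means none of these specific tricks was found, so it belongs in a mail filter or a training tool as one signal among several, not as the sole decision.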

2. Secure sensitive information.

The commodity criminals are after is sensitive data. This includes
personally identifiable information (PII) and protected health information (PHI)
of employees, customers and patients, as well as trade secrets, financial data
and other confidential information. In an attacker's hands, this information can
damage your business, your customers and your reputation.

Audit your company's digital files and folders and limit access based on
each employee's need to know. Store paper files containing sensitive
information in a locked drawer, cabinet, safe or other secure container when
not in use. Don't use removable storage devices unless absolutely necessary,
and disable USB and disc drives on computers so employees can't use them.

3. Dispose of data properly.

Be careful when throwing sensitive data away. Shred documents containing sensitive data before recycling them. Simply deleting files or formatting a drive does not remove the data; it stays on the media and can be recovered with freely available tools. Before disposing of computers, tablets, smartphones or storage hardware, either physically destroy the storage media or use a wipe method suited to the drive type (a full overwrite for magnetic disks, the built-in secure-erase or crypto-erase command for SSDs), and keep a record of what was destroyed.

4. Use strong password protection.

Passwords are always under attack, and attackers have a number of ways to
crack or guess them. Password-protect all of your devices, whether computers,
laptops or smartphones, and also your network and all accounts. Require every
default password to be changed, and require passwords that are long (a
passphrase of several random words is easier to remember than a short string
of symbols) and unique to each account; a password manager makes this
practical. Current guidance (NIST SP 800-63B) no longer recommends forced
quarterly rotation, which pushes people toward predictable variations; instead,
check new passwords against lists of known-breached passwords and change a
password immediately when there is any sign it has been exposed.
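Added example, not from the original post: generating a passphrase with Python's secrets module and checking a candidate against the policy described above. The word list, the deny list and the organisation names are constructed placeholders; a real deployment would use a large word list such as the EFF diceware list and a breached-password corpus.

```python
import math
import secrets

# Constructed short word list; a real deployment would use the EFF long list (7,776 words).
WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "falcon", "glacier", "harbor",
            "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pepper"]

# Constructed deny list: vendor defaults and passwords seen in public breach dumps.
DENY_LIST = {"admin", "password", "123456", "welcome1", "letmein", "qwerty", "changeme"}
# Constructed: names attackers will try first against this organisation.
ORG_WORDS = {"netx", "netxcomputers"}


def generate_passphrase(words: int = 5, sep: str = "-") -> str:
    """Draw words with secrets.choice (a CSPRNG), never random.choice."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int = len(WORDLIST)) -> float:
    """Guessing resistance of a passphrase: log2(list size) per word, assuming the
    attacker knows the list. 5 words from 16 gives 20 bits (too weak); 5 words
    from the 7,776-word EFF list gives about 64.6 bits."""
    return words * math.log2(wordlist_size)


def check_password(candidate: str, min_length: int = 12) -> list[str]:
    """Policy check in the spirit of NIST SP 800-63B: length and deny lists,
    not arbitrary character-class rules. Returns the reasons for rejection."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in DENY_LIST:
        problems.append("default or breached password")
    if any(word in lowered for word in ORG_WORDS):
        problems.append("contains the organisation's name")
    if len(set(candidate)) <= 2:
        problems.append("repetitive, almost no distinct characters")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_password(phrase) or "ok",
          f"({passphrase_entropy_bits(5):.1f} bits with this toy list)")
    for weak in ("admin", "NetX2016!", "aaaaaaaaaaaa"):
        print(weak, check_password(weak))
```

The entropy figure makes the point that list size matters more than word count: the toy list here is far too small for real use, and the same five words drawn from the EFF list are three times as strong.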

5. Protect against malware.

Malware is "malicious" software, such as viruses, spyware and ransomware,
that gets installed on a computer in order to steal sensitive information or
damage the system. Malware can be installed when an employee clicks an infected
link in an email or on a website, opens a booby-trapped attachment, or plugs in
a malware-infested USB device.

To prevent malware, install and use antivirus software on ALL devices, keep it updated, and make sure your employees are trained to look out for suspicious links. Antivirus is a safety net rather than a guarantee: it catches known malware, so training and patching still matter.

6. Physically control access to your computers.

Create a separate user account for each person, with no shared logins, so
that unauthorized access is prevented and you have an audit trail of who used
what and when. Laptops and tablets are easily stolen; make certain they are
locked in a safe place when not in use. Lastly, limit network access from
computers in public spaces, such as the reception area, so that a visitor at the
front desk cannot reach internal systems.
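Added example (not part of the original post): the audit trail described above, built from constructed sshd-style login lines in Python. It lists who logged in from where and when, and flags three things a small business would want to know about: repeated failed logins, use of a shared account, and a login from outside the office network or outside business hours. The log lines, the subnet, the shared-account names and the business hours are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sshd-style lines in syslog format; not real log data.
SAMPLE_LOG = """\
Mar 14 08:02:11 office-pc1 sshd[2201]: Accepted password for alice from 192.168.1.20 port 50122 ssh2
Mar 14 08:05:43 office-pc1 sshd[2230]: Accepted password for bob from 192.168.1.31 port 50140 ssh2
Mar 14 12:30:02 office-pc1 sshd[2510]: Failed password for admin from 203.0.113.9 port 41002 ssh2
Mar 14 12:30:05 office-pc1 sshd[2510]: Failed password for admin from 203.0.113.9 port 41003 ssh2
Mar 14 12:30:09 office-pc1 sshd[2510]: Failed password for admin from 203.0.113.9 port 41004 ssh2
Mar 14 23:47:30 office-pc1 sshd[2990]: Accepted password for reception from 198.51.100.7 port 39000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ (?P<hour>\d\d):\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

SHARED_ACCOUNTS = {"reception", "admin"}   # assumption: accounts with no single owner
INTERNAL_PREFIX = "192.168.1."             # assumption: the office subnet
BUSINESS_HOURS = range(7, 20)              # assumption: 07:00 to 19:59


def parse_log(text):
    """Yield one dict per recognisable login line; anything else is ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def review_logins(text=SAMPLE_LOG, failed_threshold=3):
    """Return (trail, findings): trail is the list of successful logins as
    (timestamp, user, source ip); findings are the events worth a closer look."""
    trail, findings = [], []
    failures = defaultdict(int)
    for e in parse_log(text):
        key = (e["user"], e["ip"])
        if e["result"] == "Failed":
            failures[key] += 1
            if failures[key] == failed_threshold:   # report once, when the threshold is hit
                findings.append(f"{failed_threshold} failed logins for {e['user']} from {e['ip']}")
            continue
        trail.append((e["ts"], e["user"], e["ip"]))
        if e["user"] in SHARED_ACCOUNTS:
            findings.append(f"shared account {e['user']!r} used from {e['ip']}: no individual accountability")
        if not e["ip"].startswith(INTERNAL_PREFIX):
            findings.append(f"{e['user']} logged in from outside the office network ({e['ip']})")
        if int(e["hour"]) not in BUSINESS_HOURS:
            findings.append(f"{e['user']} logged in at {e['ts'][-8:]}, outside business hours")
    return trail, findings


if __name__ == "__main__":
    trail, findings = review_logins()
    for entry in trail:
        print("login:", *entry)
    for f in findings:
        print("finding:", f)
```

On the sample data the shared "reception" account produces three findings at once (shared account, external address, late at night), which is exactly the situation a per-person account policy and a restricted front-desk network are meant to make impossible.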

7. Encrypt data.

Almost all devices offer this feature. Encryption encodes information,
whether it is stored on a device, in the cloud or in transit over the
Internet, so that only the person or computer holding the proper key can decode
it. Encryption is highly recommended and should be required for all devices
holding sensitive information, especially laptops, mobile devices, USB drives,
backup drives and email.

Most systems and many applications have an encryption option that simply
needs to be turned on (instructions vary; full-disk encryption is built in as
BitLocker on Windows, FileVault on macOS and LUKS on Linux). Keep the recovery
keys somewhere safe and separate from the device, because a lost key means lost
data. You can also purchase encryption programs tailored to your needs, whether
for an entire drive or just one file or folder. On the web, the standard is
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL),
enabled by installing a certificate for your site; browsers now mark plain-HTTP
pages as "Not secure", and Google has used HTTPS as a ranking signal since 2014.

8. Make certain your operating systems and software are up to date.

Viruses and malware change continuously, and software vendors must continuously update or "patch" their programs to close newly discovered holes. That is why it is so important to install updates to web browsers, operating systems, antivirus software and every other application as soon as they are released; where possible, turn on automatic updates. Patches are the first line of defense against many cyber security threats.

9. Secure access to your network.

To keep attackers away from sensitive information on your network, make
sure a firewall is in place and turned on, or buy a reputable firewall router
or firewall software, and allow in only the traffic you actually need. Use a
Virtual Private Network (VPN) to give staff a secure way of reaching the network
from outside it. If you have Wi-Fi (who doesn't?), make sure it uses WPA2 or
WPA3 with a strong passphrase; the older WEP and WPA (TKIP) modes are broken and
should be disabled. Hiding the network name (SSID) offers little real
protection, because the name is still transmitted whenever a device connects,
so do not rely on it. Put guests and personal devices on a separate guest
network that cannot reach office systems, and change the Wi-Fi passphrase
whenever someone who knew it leaves.

10. Verify the security controls of third parties.

Many companies rely on third-party vendors for some part of their
day-to-day operation, whether for payroll, IT support, credit card processing,
line-of-business software, or to manage their security functions. That reliance
carries security risk. If a breach happens on your vendor's systems, your data
could be compromised, and you could very well be held responsible for the
loss.

Before hiring a third-party vendor, ask how they will keep your data and
your customers' data safe. Investigate their security standards and question
their practices to be sure they meet your minimum requirements. Look for
vendors that at least:

  • Have a strong password policy
  • Have strong security policies and
    procedures
  • Regularly perform backups, kept both on local storage and in the
    cloud, and test that they can be restored
  • Perform quarterly or biannual
    internal security audits
  • Run background checks on
    employees
  • Require employees to complete
    phishing and data security training
  • Regularly keep up-to-date with
    the latest security patches and security software
  • Have an incident response plan
    for responding to and managing the effects of a security attack

Once you have investigated and selected a third-party provider, put a
contract or service level agreement (SLA) in place that spells out your security
standards and gives you the right to audit the vendor to confirm compliance with
them. If the vendor will handle protected health information, HIPAA also
requires a business associate agreement (BAA); Google and Microsoft both offer
one for their cloud services.

As always, if you need any help or have any questions, Net X Computers is here to help. Feel free to call us any time for a free 1-hour consultation 🙂