The first steps in creating a solid cybersecurity plan are to identify and define what cybersecurity means for your business, what you need to protect, and where everything is located. Once you have that, the next step is to determine how you're actually going to protect everything you've identified and defined.
This week we want to talk about all the security measures you should take to protect your business data. This includes:
- Updates and Backups
- Taking Extra Precautions with Customer Data
- Next-Gen Security
- Employee Training
Updates and Backups
While it might seem like a hassle to stop what you're doing to update operating systems, applications, and browsers, and we will be the first to admit that the cost of updating hardware can be hard to justify, all of these things are vital to your business. Manufacturers and developers release updates for a reason. The majority of them contain security patches for known vulnerabilities to help protect your devices and business from cyber criminals. Most operating systems, applications, and browsers can be set to update automatically during off hours. Our recommendation is to set as many things to auto-update as possible; that way you're protected without even thinking about it.
In a world where everything can change in an instant, having reliable and secure backups is no longer optional; backups are an integral part of protecting your business and planning for the future. Your business data is at risk every day from things like:
- Hardware failure (another reason to update hardware)
- Human error
- Cyber attacks
- Natural disaster
Having consistent and reliable backups can be the difference between losing two hours of data and losing two weeks. One is an inconvenience, but the other can cause major data loss, downtime, lost revenue, unhappy customers, and reputation damage.
And don't forget to put your backups to the test every once in a while!
Take Extra Precautions with Customer Data
Lately we've heard a lot about customer data protection, especially from people talking about GDPR or the California Consumer Privacy Act of 2018. Nationally the US doesn't have anything as comprehensive, but that doesn't mean you shouldn't be doing everything in your power to protect the data you collect on your customers.
Develop a Data Strategy
If you're storing information on customers you should absolutely have a well thought out data strategy and be able to answer these questions:
- What is your vision for the data, and how are you using it?
- Do you need all the data you're collecting?
- Depending on what you're collecting, what are the consequences if it's breached?
With regard to the security of confidential customer information, it's important that you're:
- Not collecting information you don't need
- Following all legal and ethical data storage guidelines
- Obtaining any necessary permissions from your customers to store and utilize the information
- Only giving access to those who need it
The golden data storage rule? Protect your customers' data like you would want your own data protected.
Turn on Multi-Factor Authentication
If hackers can't get into your network, they can't reach your databases, and therefore can't gain access to your customer information. Multi-factor authentication is an approach to account security that requires multiple forms of identification from a user to verify their login credentials:
- Something the user knows - usernames and passwords
- Something the user has - authentication codes
- Something the user is - biometric authentication
The implementation of MFA can seem like a daunting process for a lot of business owners, but it shouldn't be. The fact is, MFA is already widely used, and for many accounts it takes only one click to set up. It's also highly probable that your employees have already enabled MFA on their personal banking, online shopping, and social media accounts. For more information on MFA, check out our blogs on Multi-factor Authentication Basics and what Multi-factor Authentication is protecting you from.
Next-Gen Security
Next-gen security is really an umbrella term for a category of security systems that go above and beyond simple security measures and analyze the full infrastructure in a more comprehensive way to detect and prevent new and increasingly sophisticated threats. "Next-Gen" solutions include:
- Advanced endpoint protection systems that monitor individual device behavior to stop attempted intrusions or exploits before they reach your device. Unlike antivirus, which looks for something specific like known malware, AEP systems look for suspicious behaviors such as changes to system files, out-of-the-norm logins, or unusually large data downloads or uploads.
- Intrusion detection systems that monitor the flow of data across your network 24/7. An IDS is designed to identify malicious, unauthorized, and odd behavior and alert administrators to it.
- Intrusion prevention systems that take action to protect your infrastructure. Where an IDS detects threats, an IPS is configured to respond automatically, shutting down threats to your network in real time, often without any human involvement at all.
- Mobile device management solutions that allow you to verify employees are following security protocols, wipe the device if lost or stolen, and verify updates are being applied.
Next-gen is obviously a broad term, but the security practices it encompasses could save your business in the long run.
Train your Employees
Your employees are simultaneously your first line of defense and a liability if untrained. The Willis Towers Watson cybersecurity risk culture survey shows that 90% of successful cyber attacks can be pinpointed back to human error. For busy employees who don't know what to look out for, it's all too easy to fall prey to well-crafted phishing emails or click on one wrong link while searching for something online.
Create a culture of security by making it a common topic around the office, posting cybersecurity tips, providing employees with continued training, and informing them of the most common and the newest security threats facing your business.
These are our top four tips on how to best "Protect IT". For a complete look at how to create a plan for your business, check out our comprehensive cybersecurity guide.
While those were our four big tips, check out these other tips from the National Cybersecurity Alliance on how to "Protect IT".
Obtain support contracts. All software and hardware should be covered by the developer or manufacturer for system failures. Put contracts in place for security incident response as well.
Segment your network. Not all devices need to be interconnected. Restrict user access to servers. Work and home connections also need a firewall.
Wi-Fi. Should be encrypted. Protect your router with a strong passphrase.
Email. Encrypt sensitive content. Use spam and malware filters to help stop phishing and other attacks. Use strong authentication when available.
Cloud services. Ensure there is a commercial contract with a vendor accepting security responsibility. Know where your data is being stored and who has access to it.
Payment Card systems. Isolate payment systems from less secure programs on a separate computer. Utilize trusted tools and anti-fraud services.
Cyber insurance. Consider obtaining insurance to cover risks.
Account access. Require strong, unique passphrases across systems. Implement strong authentication when available.
Remote access. Encrypt and use strong authentication. Antivirus and firewall protections should be in place, at a minimum.