Small and midsize businesses (SMBs) spend less on cybersecurity than larger organizations, yet SMBs collect data that cybercriminals want: customer, employee, and vendor names, addresses, social security numbers, dates of birth, driver’s licenses, and insurance information. This information is everything a criminal needs to commit identity theft and other cybercrimes. Some reports indicate that 71% of data breaches happen to businesses with fewer than 100 employees. You don’t have to be a large company to get attacked. Employing best practices can help protect your company against cyberattacks and data breaches.
The following are best practices that you can take to minimize the chance of data breaches.
1.) PASSWORDS/PASSPHRASES
- Use strong passwords or better yet, use a phrase instead of a word.
- Consider using passphrases. When possible, use a phrase such as “I went to Lincoln Middle School in 2004” and use the initial of each word like this: “Iw2LMSi#2004”
- Make the password at least 10 characters long. The longer the better: longer passwords are harder for thieves to crack.
- Include numbers, capital letters and symbols.
- Don’t use dictionary words. If it’s in the dictionary, there is a chance someone will guess it. Criminals even use software that tries every word in a dictionary.
- Change passwords. Passwords should be changed every 60 to 90 days, especially if you are not able to implement multi-factor authentication.
- Don’t post it in plain sight. This might seem obvious, but studies have found that a lot of people post their password on their monitor with a sticky note.
- Consider using a password manager. These programs or web services let you create a different, very strong password for each of your accounts, while you only have to remember the one password that unlocks the program or secure site storing your passwords for you.
- Consider using multi-factor authentication. Set up multi-factor authentication that requires a code that is displayed on your phone. This way hackers cannot access an account without having physical access to your phone.
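The password rules listed above (at least 10 characters; numbers, capitals and symbols; no dictionary words), implemented as a check a business could run when accounts are created. This is an added example, not code from the original article; the function names and the small `SAMPLE_DICTIONARY` word list are constructed for illustration, and a real deployment would load a full word list.

```python
import string

# Constructed sample word list for the dictionary-word rule (illustration only);
# a real deployment would load a complete word list such as the system dictionary.
SAMPLE_DICTIONARY = {"password", "welcome", "lincoln", "school", "summer", "admin", "company"}

MIN_LENGTH = 10  # the article's "at least 10 characters" rule


def dictionary_words_in(password, dictionary=SAMPLE_DICTIONARY, min_word_len=4):
    """Return dictionary words (4+ letters) found inside the password, case-insensitively."""
    lowered = password.lower()
    return sorted(w for w in dictionary if len(w) >= min_word_len and w in lowered)


def check_password(password, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules the password fails; an empty list means it meets the guidelines."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c.isupper() for c in password):
        failures.append("no capital letter")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    found = dictionary_words_in(password, dictionary)
    if found:
        failures.append("contains dictionary word(s): " + ", ".join(found))
    return failures


if __name__ == "__main__":
    # The first candidate is the article's own passphrase-derived example.
    for candidate in ["Iw2LMSi#2004", "password123", "Welcome2024!", "Ab1!"]:
        result = check_password(candidate)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

Note that a dictionary-word check only catches words in the list you load, so the quality of the word list determines how useful this rule is.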
2.) EMPLOYEE SECURITY TRAINING
95% of data breaches are caused by employee mistakes. It is critical to ensure that employees understand the risks to sensitive information and the threat of data breaches. Phishing and ransomware are the leading attack methods. Employees need to know how to spot phishing emails and phishing websites, and to understand the dangers of email attachments. Training needs to take into account the dangers of hacking, stolen mobile devices, posting sensitive information on social media, and other causes of data breaches. A good training program will continually remind employees about the dangers of data breaches and how to avoid becoming a victim. Cybercriminals are developing new scams and attacks every day, and employees should be made aware of these scams.
3.) ENCRYPT DATA
Lost laptops, smartphones, and USB drives continue to cause data breaches. Many businesses don’t realize how much sensitive information is on mobile devices. Sensitive information could be in emails, spreadsheets, documents, PDF files, and scanned images. The best way to protect sensitive information is to use encryption. Under many federal and state regulations, encryption is a “safe harbor.” This means if a mobile device is lost or stolen and the data is encrypted, then the incident would not result in a reportable breach. Customers and affected individuals would not need to be notified.
Types of encryption:
- Mobile device encryption. Laptops, smartphones, and USB drives can all be encrypted. This will protect any data that is on these devices.
- Email encryption. Emails could contain sensitive information and should be encrypted. Secure email will protect the data that is sent.
- Workstation encryption. Like laptop encryption, desktops and workstations can be encrypted to protect any data stored on them. Workstation encryption is very important in the event of a break-in and theft of workstations. Without encryption, a stolen workstation may result in a data breach.
4.) DATA BACKUP AND DISASTER RECOVERY
Backing up data will protect your business from data loss due to damaged servers or malicious code such as ransomware. A fire, flood, explosion, or natural disaster can destroy systems that contain valuable information. Having up-to-date data backups and a disaster recovery plan will help you recover and restore valuable information. Many businesses go out of business after a data breach because they can’t continue to operate without access to customer information, business process documents, financials, and other necessary information. Data backups ensure that data is recoverable. Automated backups that securely copy data offsite are recommended. Data backups should be tested often to ensure the data can actually be recovered.
5.) PERFORM A SECURITY RISK ASSESSMENT
A security risk assessment (SRA) is a critical step to understanding the risk to your business and sensitive information. An SRA will inventory customer, employee, vendor, and sensitive data, identify how you are currently protecting the data, and make recommendations on how to lower the risk to the data. Many organizations do not truly understand what data is critical to the organization, what kind of data it is (e.g., confidential), how it is being protected, or what the risks are of not protecting the data. An SRA will help you to understand your risk of phishing scams and ransomware, the dangers of lost mobile devices, the risk of insider threats, and how prepared you are in the event of a disaster. Without a thorough understanding of risk, it is difficult to implement the safeguards needed to protect your business. Cybersecurity is a business risk and needs to be evaluated and mitigated just like other business risks.
Kevin Urso, President
Connected Technology
(631) 724-6504
kurso@connectedtechnology.com