The start of a new year is a good time to reiterate cybersecurity best practices and what can happen when we get careless. If anyone believes he or she is immune, it won’t happen to them, or the security rules are just too inconvenient, remind them about:
- Target and the 40 million credit and debit cards stolen in November and December, along with the mounting law suits
- It only takes one mistake, i.e., opening an infected attachment or clicking on a fake link in an email
- The loss of a mobile device that has no password or a weak password and contains company data
- One of the many other pitfalls that could enable the bad guys to steal and disrupt the business
Training is one of your best defenses. Businesses are in a constant battle between convenience and security. Ever had an employee use a workaround to avoid security practices because he/she thought it was too inconvenient? An employee who understands the threats to data, what hackers are looking for, and why and how hackers get in is more likely to adhere to security practices instead of ignoring them as overkill.
Make a list of some of the more notable breaches to emphasize the seriousness of following security practices. Some good examples would be:
- Recent cyber heists
- The loss of hundreds of thousands of social security numbers and other pieces of personal information from states such as Utah and South Carolina as well as numerous health organizations
Explain how the breaches were orchestrated. The common denominator in most breaches involved employees opening infected attachments, clicking on fake links in emails, or losing unprotected mobile devices or backup tapes.
Finally, constantly remind employees about cybersecurity tips. Let employees know what their responsibilities are through training and policies. Remember, the attitude toward security is driven from the top. If the top executives and business owner(s) do not follow the rules, neither will the employees. The “do as I say not as I do” attitude will not work. Make the rules simple, easy to follow, and logical. If a rule does not make sense and/or makes an employee’s job more difficult, consider how best to implement the security without disrupting workflow.
For example: I did an assessment for a manufacturing company. Best practices require changing passwords every 90 days. This created a dilemma for the company because in order to change passwords on the equipment, they needed to shut down production, losing valuable hours. So, we implemented a workaround wherein they used very long and complicated passwords and only changed them once a year. In the interim, they watched for potential red flags and would change passwords if something did not seem right.
Best practices are an excellent guide, but they are not one-size-fits-all. Security needs to make sense for your organization. Cybersecurity is not a mystery; it’s primarily commonsense. However, some convenience will have to be sacrificed.
Here are some cyber tips to assist:
- Never share your passwords with anyone, including help desk staff. It’s your password and must be protected.
- A good strong password should include special characters, numbers, and both uppercase and lowercase letters.
- Do not write your passwords down or leave them near your computer. If you need to write them down, keep them secure. You can even use a password keeper, but make sure you can trust the software or app.
- Always encrypt and password-protect sensitive information.
- Always lock your computer when you leave your workspace. It may be tempting for others to get on your computer when you are not around. Same goes for mobile devices. Password-protect them, and set them to lock after a minute or two of inactivity.
- Always store CDs, USB drives, or other removable devices containing sensitive information in locked drawers. This is part of the “clean desk” policy. When you are not around, others, such as a cleaning crew, may come through and have access to everything.
- Any electronic device used to store company information must be properly erased before it is discarded, disposed of, or donated.
- If you are issued a company-owned laptop or other device or if you store company data on your device, make sure that you connect it to the network frequently for security updates and other patches.
- Beware of third-party software applications. They can affect the operation of both your computer and the entire company network.
- Never open email attachments if you are unsure about the origin or reason for the attachment. If need be, contact the sender to verify its authenticity.
- Think before you click on a link.
- Make sure the company Wi-Fi is secure.
- Back up, back up, back up. If you’re not familiar with the recent virus called CryptoLocker, look it up and you will understand why backups are your best defense.