Did you know that your organization’s biggest security risk is your employees? Since the Internet is constantly evolving and new risks appear every day, cyber security awareness training is fundamental to keeping people up to date on what the threats are, how to spot them, and most importantly how to avoid them. We’ve previously written about the importance of security training here.
Security awareness should be part of your business’ DNA and practiced both top-down and bottom-up.
Password123 is no longer considered a good password, but was it ever really? (No!) Why are passwords so important, you ask? While the answer may seem obvious, to some it’s not so clear. Passwords protect the confidentiality of the data stored on each employee’s computer and in the systems they log in to. Would you drive a car with merely okay brakes? Probably not, and you should treat your passwords with the same regard. Small business owners should regularly review the passwords and password policies in use across their systems. If any are found to be insecure (short, reused, shared, or a well-known default), change them.
DarkReading said it best when they said, “despite the hype, most attacks exploit known vulnerabilities. Make sure you are investing adequate time in patching your systems. It’s not glamorous, but it is extremely effective.”
In an ideal situation your security defenses prevent you from ever having to fall back on your recovery plan. In today’s world, however, that is not enough for consumers: they want assurance that if their information does fall into the wrong hands, you have a plan to recover from it. A recovery plan cuts response time and gets your systems back up and running faster. That saves money and time, and most importantly helps to repair the reputational damage caused by an attack. (Check out these tips and tricks for large organizations here!)
The very first step in securing your sensitive data is figuring out just what it is. Every organization has some, whether financial records, employees’ personal information, or customer credit card details. Knowing where this information is stored (workstations, servers, data centers) is the first step; the tips that follow will help ensure it is protected.
This step takes time, and not every SMB has the resources or patience for it, but the safety of your data could depend on it. Determine what employees and external business partners really need to access, in terms of networks and applications, in order to do their jobs, and grant no more than that. Keep a record of these accesses, review it against your staff list regularly, and consider two-factor authentication. When employees leave, ensure their access is revoked immediately.
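The access review described above can be made a routine job rather than a one-off audit. The following is an added example written for this article, not code from the original post or from any product it mentions. It assumes you can export two lists: an HR roster (who works here, in what role, and whether they are still active) and the access grants actually present in your systems. Role names, system names, and the sample accounts are hypothetical, constructed here to show the three things the review should catch: accounts of people who have left, accounts HR has never heard of, and grants a role does not need.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee is one entry from the HR roster. Active=false means the person has left.
type Employee struct {
	Name   string
	Role   string
	Active bool
}

// Grant records that an account has been given access to a system.
type Grant struct {
	Account string
	System  string
}

// Finding is one line of the review report: a grant that should be revoked and why.
type Finding struct {
	Account string
	System  string
	Reason  string
}

// ReviewAccess compares the recorded grants against the roster and a per-role
// baseline of the systems each role genuinely needs. It returns the grants to
// revoke, sorted by account and system so the report is stable.
func ReviewAccess(roster []Employee, baseline map[string][]string, grants []Grant) []Finding {
	byName := make(map[string]Employee, len(roster))
	for _, e := range roster {
		byName[e.Name] = e
	}
	allowed := func(role, system string) bool {
		for _, s := range baseline[role] {
			if s == system {
				return true
			}
		}
		return false
	}
	var out []Finding
	for _, g := range grants {
		e, known := byName[g.Account]
		switch {
		case !known:
			out = append(out, Finding{g.Account, g.System, "account not in HR roster"})
		case !e.Active:
			out = append(out, Finding{g.Account, g.System, "employee has left; revoke"})
		case !allowed(e.Role, g.System):
			out = append(out, Finding{g.Account, g.System, "not needed for role " + e.Role})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Account != out[j].Account {
			return out[i].Account < out[j].Account
		}
		return out[i].System < out[j].System
	})
	return out
}

// Constructed sample data for the example; not from any real organization.
var sampleRoster = []Employee{
	{"alice", "finance", true},
	{"bob", "sales", true},
	{"carol", "engineering", false}, // left last month
}

var sampleBaseline = map[string][]string{
	"finance":     {"accounting", "email"},
	"sales":       {"crm", "email"},
	"engineering": {"git", "email"},
}

var sampleGrants = []Grant{
	{"alice", "accounting"}, {"alice", "email"},
	{"bob", "crm"}, {"bob", "email"}, {"bob", "accounting"}, // bob has finance access he does not need
	{"carol", "git"}, {"carol", "email"}, // carol has left but still has access
	{"contractor7", "git"}, // nobody in HR knows this account
}

func main() {
	for _, f := range ReviewAccess(sampleRoster, sampleBaseline, sampleGrants) {
		fmt.Printf("%-12s %-11s %s\n", f.Account, f.System, f.Reason)
	}
}
```

Running it on the sample data reports four grants to revoke: bob’s unneeded accounting access, both of carol’s grants, and the unknown contractor account. The useful habit is the join itself: grants that exist in your systems but not in your roster or baseline are exactly the ones an attacker will find first.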
Make sure to document your security policies in a knowledge base so that network admins, security staff, and even application teams understand exactly what is in place and why. This is particularly important when setting up rules to support new applications: when an application is decommissioned or moved, you will want to reverse that rule, and you won’t be able to if you don’t know about it.
Use firewalls, gateway antivirus, intrusion detection devices, honeypots, and monitoring to screen for DoS attacks, virus signatures, unauthorized intrusion, port scans, and other over-the-network attacks and attempted security breaches.
Stored data, filesystems, and across-the-wire transfers all need to be encrypted. Encryption is essential to protecting sensitive data and helps prevent data loss when equipment is stolen or lost.
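Encrypting stored data is easy to get subtly wrong, so here is an added example of what "encrypt it" should look like for a single sensitive record. This is example code written for this article, not from the original post or any vendor it names; it uses only the Go standard library. It assumes the key is obtained from somewhere other than the data store (a key manager or HSM; here a fresh random key stands in for that), and the record contents and the customer ID are constructed sample values. The two checks at the end show why authenticated encryption (AES-GCM) matters: a modified blob, or a blob moved to a different record, is refused rather than silently decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. In production the key belongs in a
// key manager or HSM, never on the same disk as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// A fresh random 96-bit nonce is drawn for every record; reusing a nonce under
// the same key breaks GCM, so the caller is never allowed to choose it.
// aad is authenticated but not encrypted: binding the record ID here stops an
// attacker from swapping one customer's encrypted blob into another's row.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst appends ciphertext+tag after it in one slice.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails if the key or aad is wrong or if any byte of the
// blob has been changed, because GCM verifies the tag before releasing plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RoundTrip is a self-check: encrypt a record, confirm it decrypts, then confirm
// that a tampered blob and a blob presented under the wrong record ID are both
// rejected. It returns true only if all three properties hold.
func RoundTrip() (bool, error) {
	key, err := NewKey()
	if err != nil {
		return false, err
	}
	record := []byte("name=Alice;card=4111111111111111;exp=12/29") // constructed sample, not real data
	aad := []byte("customer:42")                                   // hypothetical record identifier
	blob, err := Seal(key, record, aad)
	if err != nil {
		return false, err
	}
	got, err := Open(key, blob, aad)
	if err != nil || string(got) != string(record) {
		return false, errors.New("decrypted record does not match")
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := Open(key, tampered, aad); err == nil {
		return false, errors.New("tampered blob was accepted")
	}
	if _, err := Open(key, blob, []byte("customer:43")); err == nil {
		return false, errors.New("blob accepted under the wrong record ID")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("encrypt, decrypt and tamper checks passed:", ok, err)
}
```

Two practical notes. Full-disk encryption covers the stolen-laptop case the paragraph mentions but does nothing once the machine is booted and the attacker is on it, which is why sensitive records also get application-level encryption like this. And the hard part is not the cipher call but the key: if the key sits next to the data, the encryption only protects you from someone who steals the disk and nothing else.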
According to ObserveIt, “to strengthen and clarify the education you give your users, you should clearly outline the requirements and expectations your company has in regards to IT security when you first hire them. Make sure employment contracts and SLAs have sections that clearly define these security requirements.”
Despite a glut of research into new ransomware variants, low-tech threats like phishing attacks and viruses pose a more prevalent threat to small businesses than ransomware, according to a recent survey of SMB owners.
Basic technical controls can stop an attack even when an end user makes a mistake, since many phishing attacks exploit known weaknesses. Here are five best practices to mitigate the risks of phishing attacks:
(Read more about phishing here!)
The crooks rely on a dilemma: you shouldn’t open a document until you are sure it’s one you want, but you can’t tell whether you want it until you open it. If in doubt, leave it out.
No matter how well you follow these best practices, you might still be breached; nearly half of organizations suffered a security incident in the past year. If you are, having a response plan laid out ahead of time lets you close the vulnerabilities quickly and limit the damage the breach can do.