In this era of connectedness, increased telecommuting, smartphones that keep staff connected to the office and cyber criminals constantly waging attacks on businesses, you need to do all you can to protect your firm’s, employees’ and customers’ data.
It’s a heavy lift to try to set up protocols for the various areas where hackers and bots can infiltrate your company’s database, and for a small company the task could be overwhelming. But if you approach your cyber security by focusing on the main pinch points — your greatest vulnerabilities — you can put together a coherent and effect cyber defense.
You can divide your focus among five distinct areas and create clear initiatives for each:
The first vulnerability is your office and your network hardware, where even a small oversight can lead to significant losses in hardware and data. Strong security controls of physical environments are a critical foundation for your business.
What you can do: Always lock your network closet or room and other sensitive locations. Use high-security locks and numbered, physical keys with restrictions on duplication. If it makes sense for your business, install video surveillance at entrances and exits. Don’t trust your memory — maintain a device and computer inventory.
Numerous people encounter your firm’s data, including full- and part-time employees, contractors, interns and clients. Anyone who has access to business devices, spaces and apps is vulnerable to unwittingly giving away information.
What you can do: Call us to confirm that your cyber liability insurance reflects your actual risks and that you have the correct coverage and riders you may need. You should conduct security-awareness for your staff (and new hires) regularly to show them what you expect in terms of protecting your company’s data. This can include theft prevention and minimizing data leakage, to protecting sensitive data and what to do in the event of a suspected breach.
Also, train them how to detect social-engineering hacking scams. Cover how these scams work by trying to trick your staff into clicking on links in e-mails that contained phishing, malware or ransomware. They should look for spoofed names or e-mail addresses in the e-mails which will often ask employee for passwords or to click on an attachment.
Applications may be cloud-based or stored on devices. While it can be challenging to manage the many apps people use on their devices, there are best practices for keeping data away from the people who want to use it against you.
What you can do: Ensure that all apps that your staff use on company-issued phones use two-factor authentication (and strongly urge them to follow this practice if they are using their own devices for work). Restrict app permissions to only the few people who should really have it. Also set the apps to automatically update, so as to ensure you are always using the software with the latest security patches.
Finally, enable security notifications so that suspicious activity, such as adding a new user without approval, doesn’t go unnoticed.
Smartphones and tablets hold most — if not all — of your most sensitive data. Working remotely is gaining popularity, and with that comes a responsibility to learn how to treat your devices like the highly valuable possessions they are.
What you can do: Enable remote wipe and location tracking on your employees’ tablets and smartphones in case of the devices being lost or stolen. Do not use public Wi-Fi. Your employees should only use trusted Wi-Fi, VPN or their mobile hotspot.
Require a password, PIN or biometrics to unlock phones. And, because there will be sensitive documents and e-mail on your employees’ devices, be sure they have enabled local data encryption. Double-check this, as not all devices will have it turned on by default.
Your network is at the heart of your company’s connectivity and operations. It connects to all of your company’s devices and apps, as well as to the internet. This is the gateway to your business, so it should be regularly maintained and kept secure.
What you can do: For the visitors and vendors who occasionally need to use your network or internet connection, create separate guest and private networks. Do a little research or ask a trusted IT expert and use the latest Wi-Fi encryption standards.
Finally, so much of network security is about management. Know which employee has what equipment by logging and auditing access to devices. Don’t wait for disaster to strike; proactively monitor, manage, update and secure devices, along with creating strong passwords.
If you are a small business, all of the above is likely overwhelming, but if you put together smart processes and planning you can reduce your risks, such as:
- Having processes in place for handing out equipment (keys, laptops, mobile devices) when hiring, and how to handle technology during terminations.
- Planning and holding scheduled cybersecurity training.
- Using a password management tool for all of your staff.
- Calling us about cyber insurance.