You want your business to grow. You write a business plan. You build a stellar online presence that provides a high-quality user experience. You court your customers. You protect your business by obtaining the appropriate insurance. You genuinely try to prepare and grow your business. If you ignore your cyber security strategy though, you are doing yourself and your growing business a major disservice.
Your cyber security requires collaboration between all departments and employees. Beyond hackers stealing trade secrets, you have resident data to protect. Failing to have an effective plan to protect your residents’ medical information is a major HIPAA matter. Everyday, across the globe, cyber attacks put people's personally identifying information at risk. For example, the 2016 Uber hack leveraged its customer database. Considered a ransomware attack because the hacker demanded a $100,000 payment to release the data, it remained private only because Uber paid it. In this hack, Uber’s users’ information such as names, email addresses, phone numbers and driver’s license information were put at risk and this was only the beginning.
In mid-2017, a larger attack on Instagram resulted in the theft of the personal information of about 1,000,000 accounts. Whether Instagram received a ransom request remains unknown, but just days after the attack, a website was created to store and sell hacked Instagram user data, including that of Selena Gomez and other high-profile celebrities. Whether you run a startup or a corporation, your data security remains of the utmost importance. Make time to make cyber security a priority. Start with the following steps.
Learn What Is Important and Why
Cyber security becomes an afterthought at many companies; something to consider only after an attack has actually occurred. This inefficient method hurts businesses in numerous ways such as:
- Creating fiscal costs from the loss of data, damage to code, and potential equipment damage. (Hackers can "brick" machines and servers remotely, rendering them useless and unable to power on.)
- Loss of customer and public trust.
- Loss of business continuity.
- Cost of equipment replacement.
Have key personnel attend a cyber security workshop where they can learn cyber security definitions, the positives and negatives of a standards-based approach, NIST framework relevance, and steps to getting started on crafting a cyber security emergency plan.
Conduct an Assessment
Every year, assess your computer security and any risks you may encounter, including equipment that is not working correctly. Update your IT systems, including security software to the latest version to avoid potential security breaches. This should include an extensive analysis of available security programs to ascertain if a better choice exists over your current applications. Have your IT department or managed service provider set up security software to update and run maintenance automatically without affecting employee duties and performance.
Use Automated Online Backups
The cloud provides a real silver lining — an automated backup ensures your information is protected and duplicated. Even if you are hacked, you retain a copy of everything that you can access as needed. This means that you can go straight to law enforcement with a ransom demand instead of heading to the bank. Your customer data remains safe when authorities arrest the hackers and seize the stolen data as evidence. Also, you will have a copy to match and make sure data was not altered.
Educate all Employees
Sometimes, the best laid security precautions fail due to an innocent mistake by an employee. One may set up a departmental server that the IT department doesn't know about or we might use a website or SaaS solution to complete our work more efficiently. In an effort to do more for the company, this create a hole in our security. Educating employees remains vital in being able to identify potential security holes or employee malpractices that might put company security at risk.
Ask What Employees Need and Provide It
Each employee knows their job better than anyone. They know what information they need to get it done quickly and efficiently. Ask what they do and how they do it without reprimand. When someone mentions using a tool outside of the company, so long as it is legal, have IT formally integrate it. Some shortcuts, such as those allowing access to people's personal information, computer, mobile systems or health data are not legal. Access to these should be immediately shut down and the applications reported to law enforcement.
Work with human resources and IT to assign permissions by job title, not employee. This makes it easier when one employee needs to fill in for an absent co-worker or assist with an increased workload. Permissions by employee creates a bottleneck, while permissions by job title enables security and efficiency. The purpose of implementing technology should be to allow your employees to be more productive and work more efficiently. Without proper permissions in place, you could end up making it more difficult to access software or applications, ultimately hurting employee performance.
Address employee use of personal and company mobile devices to conduct work and have clear guidelines on meeting this use. Some employees might feel compelled to use their personal devices to get work done and while this is admirable for employee performance, it does put sensitive information at risk. No work should take place on an unsecured mobile device/personal device. You can assign a business mobile device to employees who need to work on the go that must connect to a company VPN before it can be used online.
Institute a Secure Password Program
Create a program to teach employees what constitutes a secure password and require its implementation with all employees. Security experts recommend changing passwords every 30 to 90 days or whenever a new employee is setting up account information to avoid providing application access to previous employees. Hackers use "dictionary attacks" and "brute forcing" to discover user passwords, then leverage them for access. A secure password should consist of a complex combination of:
- lowercase letters,
- symbols, aka special characters,
- uppercase letters.
IT can author an in-house script or you can purchase a program to administer passwords. You can automate the required password change on the first day of each month and set the script or app to only accept passwords that meet the above mentioned rules. This ensures that employees company-wide adhere to policy. Set permissions so that no employee, not even the CEO, may access any company system without adhering to password policies. Create rules that include no password sharing between employees and restrict employees from writing down their password to display. Some employees might write theirs on a Post-It note to display taped to their keyboard, monitor or inside a desk drawer. This is not secure and should not be allowed.
Create an Intrusion Plan as Part of Your Business Continuity Plan
This should include procedures for employees to follow in cases of malware, phishing attempts, or attacks, including immediate contact of the IT department. Teaching people to recognize problems and respond appropriately keeps your business safer. Employees that are able to identify telltale signs of a security breach or equipment not working properly can notify the appropriate department and solve issues promptly.
Building a comprehensive cyber security strategy takes time, but you can start today. Implement rules and cut employee use of unauthorized or unsafe websites, as well as require an immediate change to secure passwords. Work with your IT department or managed service provider to craft a living security plan unique to your business.
Don't overlook your cyber security plan and avoid waiting for an attack to get started on one. Get started today so your data and your residents remain safe.