No matter how large your organization is, cyber security is something you need to be prepared for. Security breaches can cause loss or theft of valuable proprietary or customer data, interrupt your business processes, affect your ability to communicate with employees and customers, and, possibly most importantly, critically damage your organization's reputation and credibility. While larger businesses may be more valuable targets, small- and medium-sized businesses are targeted as well, because malicious actors know they often spend fewer resources on securing their technology.
1. Make sure the basics are covered
This includes firewalls on all public-facing computers and devices, including your website and email servers. Where possible, data should be stored and transmitted in encrypted form. All of your organization's computers should have anti-malware software that is regularly updated with new virus definitions, and operating systems and critical software such as web browsers should be kept up to date with the latest security patches. If you don't have dedicated IT staff, consider contracting an outside provider to set up a secure infrastructure and have them review your systems at least yearly. These practices are even more important if you handle customer credit cards or medical information covered under HIPAA.
2. Ensure all critical data is backed up
Whether you store critical data onsite or with an outside firm, you should have a plan for what happens if that data is lost or inaccessible. Equipment fails, floods and fires happen, employees make mistakes, and outside malicious actors are an ever-present threat. If you store and use data on in-house servers, you should have some form of automated, regular, offsite backups. This can be handled by in-house IT personnel or by one of many outside technology providers. Have a plan for how your business can continue to operate if your physical site is unusable for a period of time.
3. Destroy old hard drives and other storage media
Most people are aware that they should shred paper documents containing personal information, but it is just as important to destroy hard drives, flash drives, and CDs that may contain sensitive data. Simply deleting the files on a hard drive or flash drive does not erase the information, and even disks that have been physically damaged can still have information recovered from them. Best practice is to delete all the data and then wipe the drive, which means overwriting the entire disk with zeros, with random data, or ideally with one pass of each. Software can be purchased to do this, and some IT firms offer it as a service.
4. Train your employees in security best practices
However strong your physical and technological security practices are, the weakest link in almost any system is the people themselves. Employees should be trained to recognize and avoid "phishing" scams, which are among the most common entry points into a computer system. Email spam filters can cut down on these, but it is still up to your employees to be careful. You should require email and system passwords to be changed regularly, and enforce strong passwords.
Under no circumstances should an employee insert a flash drive or CD they find into a business computer. Even after training, recent studies have shown that a disturbing percentage of employees will still plug a flash drive they found in the parking lot into their work computer. Have your employees sign an acceptable-use policy covering how data may be used, and make it known that there will be consequences for failing to comply.
5. Physical access needs to be protected
However secure your system is against technical or social attacks, if an intruder gains access to your physical equipment there is little you can do to stop them from accessing your data. This means ensuring that all visitors to your site have their credentials checked and are monitored, that all locks are properly maintained and in working order, and that server access is restricted to authorized personnel only. Video surveillance may not be necessary, but it does provide an added layer of security. If you contract outside cleaning services at night, you should have protocols in place to make sure they cannot access sensitive equipment unsupervised.
6. Consider conducting a penetration test
Even if you think you've done everything right, the only way to be sure your system will stand up to a determined attacker is to test it. A penetration test (or pen test) is a service offered by IT services companies in which they attempt to break into your system to expose vulnerabilities. These tests vary in depth, ranging from technical attacks on your internet-facing servers and routers, through social engineering (trying to gain access by manipulating your employees), to attempted physical entry. If they do gain entry, they can advise you on how to improve your security measures and practices, and often provide those services themselves. This can be an expensive service, but if you are concerned about security and your reputation, spending money on a pen test now can be far less costly than being compromised in the future.