What an Annual Cyber Review Can Look Like
The Small Business Administration, the Federal Trade Commission and the American Bankers Association offer a number of suggestions aimed at helping businesses protect their files and devices and their company and customer information from cyberattacks.
Start with a Plan. Begin by understanding your business risk profile. What are you trying to protect and where are you most vulnerable? Identify devices, servers and vendors that store company data and customer credit card and other information. Know what vendors supply the software you use, and how secure their practices are. Also, take a broader look at protecting your financial and bank data, personnel information and intellectual property.
Review Policies and Procedures. Re-evaluate your security policies and procedures, from access controls to acceptable use. Have you added new products and services or entered new markets that altered the operations of your business? Who has access to information in your company and the log-in credentials to conduct transactions?
Train Employees. The weakest link in a security plan is employees. From day one, explain the importance of your organization’s data security practices to employees. Conduct regular training that outlines your company’s practices and how to spot new risks, security vulnerabilities and identity theft. Create a culture of security by demonstrating what you expect and making security an essential part of employees’ duties. When employees leave, terminate access immediately.
Warn about Phishing. Educate employees on the dangers of spear phishing – emails containing information that makes them look legitimate. Require independent verification of emails requesting sensitive information. Train employees not to reply to email when they do not recognize the sender, and not to use links, phone numbers or websites contained in the suspect email.
Cover the Basics. Implementing the basic steps of cyber hygiene will protect your business and reduce the risk of a cyberattack.
- Update Software. Update and apply the latest patches to your operating systems and software, including anti-virus software and antispyware, apps and web browsers. Set updates to take place automatically.
- Secure your Network and Files. Safeguard your Internet connection by using a firewall. Back up files offline, on an external hard drive or in the cloud. Control physical access, too. Make sure you also store your paper files securely.
- Encrypt Devices. Encrypt devices and other media that contain confidential, sensitive and proprietary information. This includes laptops, smartphones, inventory scanners, digital scanners, removable devices, backup tapes and cloud storage solutions.
- Use Multi-Factor Authentication. Enable multi-factor authentication to access areas of your network and sensitive information. This requires additional steps beyond logging in with a password.
- Require Strong Passwords. Use passwords for all computer hardware, including routers, laptops, tablets and smartphones. Require strong passwords of 8-12 characters that are a mix of UPPER and lower case letters, numbers and symbols. Passwords must not contain personal information, like part of a TIN, or be easily cracked, like “password,” “qwerty” or “12345678.” Never leave devices unattended in public places and avoid public WiFi.
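The password rules above can be enforced mechanically at account creation or password change. The following checker is an added example, not code from the SBA, FTC or ABA guidance: it takes the page's 8 characters as the minimum length (it imposes no upper limit, since longer passphrases are only stronger), requires all four character classes, rejects a small constructed denylist of easily cracked passwords, and flags any 4-character fragment of supplied personal information (such as a TIN) that appears in the password. The denylist entries and the `personal_info` parameter are assumptions for the example.

```python
import re

# Constructed sample denylist; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "qwerty", "12345678", "123456", "letmein", "welcome"}

MIN_LENGTH = 8          # the page's lower bound; no maximum is enforced
FRAGMENT_LENGTH = 4     # smallest run of personal data treated as a leak


def _normalize(text: str) -> str:
    """Lower-case and strip separators so '12-3456789' and '123456789' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _contains_fragment(password: str, item: str, n: int = FRAGMENT_LENGTH) -> bool:
    """True if any n-character window of item (normalized) occurs in the password."""
    hay = _normalize(password)
    needle = _normalize(item)
    return any(needle[i:i + n] in hay for i in range(len(needle) - n + 1))


def check_password(password: str, personal_info: tuple[str, ...] = ()) -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable.

    personal_info is a hypothetical tuple of strings (name, TIN, phone, ...) that the
    caller already holds about the user; none of it may appear in the password.
    """
    problems: list[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")

    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")

    for item in personal_info:
        if len(_normalize(item)) >= FRAGMENT_LENGTH and _contains_fragment(password, item):
            problems.append(f"contains part of personal information ({item})")

    return problems


def is_acceptable(password: str, personal_info: tuple[str, ...] = ()) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    return not check_password(password, personal_info)


if __name__ == "__main__":
    # Constructed sample inputs: a denylisted password, a TIN fragment, and a good one.
    for candidate in ("password", "Xy3456789!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, personal_info=("12-3456789",)) or "OK")
```

The fragment check is deliberately stricter than an exact match: an employee who appends a year to the last seven digits of a TIN still fails, which is the "part of a TIN" case the guidance calls out.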