Dozens of large companies have ended up as victims of data theft as part of a cyber-attack. Well-known incidents such as the Equifax data breach or Target’s loss of customer data have been headlines for years. The results are damaged reputation, loss of customers and even substantial fines.
In response, every large company has increased its focus on network security, data security and employee training. But as these large companies tighten up their security posture, cyber criminals are just moving on to more tempting targets in the form of small-to-medium-sized businesses.
But despite the attention that cyber security receives in the news media, the majority of small-to-medium-sized businesses in the United States still have not implemented an internet and data security policy. This leaves each of these businesses vulnerable to a wide range of cyber-attacks from criminals who know they won’t find easy pickings at the big companies.
The smart response is to secure your systems and develop your own network and data security infrastructure. Improving your security posture and practices will make your company a much less appealing target compared to the guy down the road who hasn’t done anything.
Creating and implementing a data security plan that you can trust may take months of planning and refinement. But the sooner you get started, the sooner your business and its vital data are protected. Here are some early steps you can take as you create and deploy a formal security policy.
Strong Password Policies
This is a basic solution that can be implemented and controlled easily. Most users already understand the importance of passwords, so asking them to adopt specific rules and change passwords regularly is not too big a burden.
A strong password policy includes enforcement through group policies as well as a strict prohibition on sharing passwords or accounts.
Microsoft accounts, Google accounts and other business suites provide an easy way to manage and enforce these policies.
Elements of a strong password include:
- Complex passwords: Passwords should mix uppercase and lowercase letters as well as numbers and special characters.
- Minimum length: Length should be a minimum of eight characters, and generally the longer the better.
- Word choice: Users should not use any variation of their own name, children’s names or other personal details that could be easily determined from public records and social media.
- Mandatory resets: Users should be required to reset passwords regularly and prohibited from reusing old passwords. However, password resets should not be so frequent that users can’t remember their choices, because that may prompt them to write the password down in an insecure place.
Many security experts think that strong passwords aren’t enough. Even a strong password won’t be worth the paper it’s printed on if – well – if it happens to be printed on paper and that paper falls into the wrong hands. Even employees who are knowledgeable about technology and security issues may occasionally have to record a password in a way that could be compromised.
Moving beyond complex passwords we have two-factor authentication. This is a system that requires not just a password but another way to verify the identity of the user.
Earlier iterations of this kind of technology used a fob with a numeric code that changed after a specific time period. The user would enter both the password and the code to log in. This is meant to ensure that the actual user is who they say they are. But of course, a fob can be stolen nearly as easily as a password. Lost fobs also present not only a security issue but an access issue when a user misplaces one and has to request another.
Many companies are now using a two-factor authentication system that uses a mobile app. Accessing an app such as Google Authenticator or a text message sent from a service is easier. When a mobile device is lost, it can be locked with encryption or remotely wiped to remove access. Users are also much more likely to notice when they lose their phone than if they misplace a small fob they use once a day.
Deploy a Password Manager
Even though multi-factor authentication is quickly becoming an industry standard, there are still situations where you can’t or shouldn’t deploy it. When that is the case, a password manager is a solid alternative.
Password managers are programs that allow you to generate extraordinarily complex random passwords for any site or service that you use. They are encrypted and stored for you in a password vault. You decide on one master password to decrypt your vault. Every time you visit a website or use an application, you just launch the password manager and it fills in the randomized password for you.
This is a huge advantage if you have trouble remembering multiple passwords and logins. You have no temptation to reuse passwords on multiple sites and you are able to memorize a single password or even log in using biometrics such as a fingerprint or facial recognition.
From an enterprise perspective, providing password managers to all of your employees means you remove a key element of security compromises: user error.
Single Sign-On Service
The biggest players in IT provide multiple services that allow you to sign in with a single corporate account. These come from Google, Microsoft and Apple, as well as social networks such as Facebook. Similar to a password manager, these services allow you to control access to multiple applications, sites or services with just one password (or biometric login).
While most people believe that giant companies such as Google have the resources to protect your data, the growing popularity of these types of accounts could cause cyberattackers to focus even more on breaking into these types of services.
In the summer of 2020, several high-profile Twitter accounts were the target of an attack. Authorities believe that the attackers took control of the accounts of celebrities and other verified Twitter users by bribing an inside source for access. In this case, no amount of technical security could have stopped the attack. If a high-profile single sign-on service were targeted with insider help in the same way, the data and accounts of everyone who uses that service would be at risk. Choosing a lower-profile service to control single sign-on could provide its own form of protection.
Control Physical Access
Much of the protection provided by passwords, encryption and other means can be defeated by a person who has physical access to your system hardware. Securing on-premises hardware behind locked doors and understanding who has access is essential. Security cameras and monitoring have dropped in price considerably in recent years and now come with motion detection, familiar face recognition and other features.
That also goes for your data centers. Companies have taken advantage of the benefits of cloud computing and moved many of their systems and services to off-site data centers. Letting a data center provision and control your hardware can save you time and money, but you also need to understand and approve their approach to security and access control.
Clean Desk Policy
A lock on the server door is essential, but it’s also up to everyone else to maintain the security in their own workspace. Sensitive data can be compromised by anyone at any time simply by leaving the wrong printout out on their desk at the wrong time.
While you will obviously make every effort to screen employees and control access, keeping your public workspace and private offices free of sensitive data is the responsibility of everyone in your organization. Printouts, written account information or customer data should never be left at an unattended desk. Customer data especially should be secured at all times when not in use because of the inherent risk when you lose that kind of information.
Software and Firmware Patching
This one can’t be stressed enough. Security holes in software and hardware are found every day. Manufacturers respond immediately by issuing patches to close them. But if you aren’t updating your systems regularly, including software and firmware patching, you aren’t getting these protections.
Your IT staff or any of your managed service providers should be handling this on a regular schedule for your large servers or cloud-based systems. It may require some downtime, but it’s worth the effort to gain the peace of mind that comes with a fully secure system.
Beyond the server side of things, there are many other devices that attach to your network. Collectively, these are known as “endpoints.” Every endpoint on your systems needs to be just as secure as your servers are. Even printers, security cameras, smart TVs and anything else with a WiFi or Ethernet connection needs to be updated and maintained regularly. Again, your IT staff can probably handle these updates.
The other type of endpoint is your users’ devices. Your company policies should stress the importance of regular updates and maintenance on all desktop and laptop computers. Windows, Mac and Linux devices should have automatic updates enabled wherever possible. Group policies should allow your central IT staff to issue regular updates that they have approved, and should also allow the staff to control when and how every device is updated.
Mobile devices that connect to your network (either company-owned or user-owned) should also be kept up to date with the latest patches. Many companies choose to enforce the use of Mobile Device Management (MDM) programs for all devices that connect to company WiFi, email servers or VPNs. An MDM blocks access to your systems if the user hasn’t enabled certain security features on their device, such as a lock code.
Require VPN and Cloud Storage for Remote Workers
As more employees opt to work remotely, the management of their systems becomes more difficult. Workers with access to your internal servers should be required to operate with a virtual private network (VPN) at all times.
This way, their device’s communication with your servers is protected by your own network standards rather than the standards of the home network or coffee shop they happen to be connected to.
The increasing use of cloud-based or browser-based productivity applications such as Office 365 or Google Docs offers the ability to ensure that all of your company’s information – even down to individual files worked on by users – is secure inside a trusted network.
Using these providers has the side benefit of adding the ability to block the use of USB storage devices on individual computers. When all of a user’s files are in the cloud or accessible via VPN, there is no reason for a remote worker to ever copy them onto a small device that could be lost.
Use Secure Off-Site Backup
While you examine the physical security of your on-premises equipment and locally stored data (including any paper files you may still need), you will also need to create a plan to protect yourself and your data from any event that could affect them. This includes natural disasters, fire, or building issues such as plumbing problems.
Taking steps to deploy redundant off-site backups isn’t directly related to cyber-attacks, but having a complete backup has saved many organizations from being the victim of a ransomware attack. Ransomware is a form of malware that encrypts local data and won’t release the decryption key until you pay. You can avoid having to pay to decrypt by discarding the compromised system and then restoring from a full backup. The actual process to restore and clean your system is complex and time-consuming, but at least if you have a full backup you know that it’s possible to recreate your system’s data from the ground up.
Understand Your Partners’ Security
We have addressed the physical security of your data center. You will also need to assess the network security practices of all partners. This includes not only data centers, but also other service providers such as your eCommerce integration, payroll processor or any other organization that handles your data.
Many organizations have begun requesting security certifications such as a SOC 1 report from every potential partner company as a condition for signing an initial contract. SOC reports are a set of data security standards that are regarded as an authoritative baseline for any security program.
This becomes particularly important when you are dealing with any form of payment processing or storing of credit cards. The Payment Card Industry (PCI) has a very specific set of standards for handling card and transaction data. Anyone that accepts credit or debit card payment needs to be in full compliance with these standards.
When approaching new partners or renewing existing contracts, you should request a full certification of their security standards. Also, you will need to be prepared to provide similar information for your own organization. The added benefit of having a complete security program is that you won’t have to scramble to fulfill this kind of request when it comes.
Deploy SSL Encryption
Your web-facing services and sites should be secured with SSL encryption. This provides authentication and encryption when outside users connect to your systems.
SSL is required for payment portals and other secure transactions or data entry, but it is also regarded as the default standard for delivering web content securely. SSL has become the industry standard, so at this point it would almost be more difficult to find a web host that does not provide SSL automatically.
Other forms of encryption may be necessary for applications that store and use customer data. Be sure to ask any providers about their standards for encryption.
The last major requirement is probably the most important. Your employees need to understand and abide by all security policies. This includes the policies that may slow down their work processes. Employees who don’t know or refuse to follow established security policies are the biggest threat to your cyber security.
This means you need to provide effective training and certification to ensure that your users can do their part to secure your organization’s network. Developing a good training program might end up being the most challenging element of your security planning.
Your training needs to communicate your security policy and procedures to both technical and non-technical personnel. It needs to capture their attention long enough to let your policies sink in without boring them, but it also needs to be complete and comprehensive.
Users need to understand not only the risks of not following your technical policies, but also the need to protect against social engineering, phishing and other attempts to breach your systems.
That may sound difficult and potentially expensive, but the investment will pay for itself when you realize the cost of even a single data breach or attack that could have been prevented.