Keeping your sensitive business and customer data secure has never been more critical. Whether you are a small business or a national corporation, you can’t relax your defenses against those criminals seeking to take advantage of lazy cybersecurity policies. Virtually all business owners consider information security to be one of the most pressing issues they face today and nearly two-thirds of all small business owners are incredibly concerned about cybersecurity.
Small and mid-sized businesses are right to be concerned since these businesses are especially vulnerable to information theft. Nearly half of all cyber attacks target small companies, and a full 60 percent of these businesses go out of business within six months of the attack.
What can your business do to combat information theft? Good cybersecurity is a continuing process, one that involves battling cybercriminals on a variety of fronts.
How to put good information security systems in place
One of the most critical parts of any business information security plan is to put systems in place to protect the sensitive information of your company and customers. Whether you are a retailer dealing with customer credit card numbers or a non-profit handling birth dates and Social Security numbers, letting this information fall into the wrong hands can be disastrous, both for you and for your customer/patient.
To best protect this information, you need systems in place that securely store the data you need regular access to and that destroy one-time-use data once it has served its purpose.
If your company uses any cloud-based storage solution, research your current vendor and understand their data policies – their laziness is your liability. Implement end-to-end encryption for all digital storage solutions. In general, there are two states for your data: at rest and in transit. Data at rest is not being accessed; it is simply “resting” in a database. Data at rest should be encrypted using either the AES or RSA encryption methods. Data in transit should be encrypted with HTTPS, SSL, TLS, or FTPS.
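As an added illustration of the data-at-rest case above (example code, not from the original article), the following Go program seals a stored record with AES-256-GCM and shows that a record altered on disk is rejected rather than silently decrypted. The key, the record contents and the function names are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealRecord encrypts one stored record with AES-256-GCM. A fresh random
// nonce is prepended to the ciphertext so the stored blob is self-describing.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord decrypts and authenticates a sealed record. GCM's tag check
// fails if any byte of nonce or ciphertext was changed, so tampering with
// the stored copy surfaces as an error instead of as corrupted plaintext.
func openRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := make([]byte, 32) // in practice: loaded from a key manager, never stored beside the data
	rand.Read(key)
	record := []byte("constructed sample: customer=Jane Doe; card=****1234") // constructed sample record
	sealed, _ := sealRecord(key, record)
	sealed[len(sealed)-1] ^= 0x01 // simulate a corrupted or tampered stored record
	_, err := openRecord(key, sealed)
	fmt.Println("tampered record rejected:", err != nil) // true
}
```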
Physical security measures are also necessary. If you keep physical copies of sensitive data, such as patient records, make sure these records are securely locked away when not in use: lock the cabinet where files are stored, or place the files in a locked desk drawer whenever you leave the work area. The same habit applies to screens: instruct employees to lock their PC or mobile device whenever they walk away from their work, even if only for a few minutes.
Another aspect of good information security is limiting the number of people who have access to sensitive information. Ideally, you want to limit the number of people who “touch” the data as much as possible. Unfortunately, not all cybercriminals live outside your building, and internal crime can be as much a threat as external attackers.
The entrance and exit times for staff should be regulated and monitored to prevent unauthorized access and mitigate opportunities for collusion. Cybercriminals can potentially gain later access to the building by learning the keypad code to the doors. The employee might not even see the person across the street using binoculars or suspect the person who enters the door with them, saying they have business in another department. It’s important to instruct employees never to share their entrance code and to keep the keypad shielded when entering their code.
Proper access control needs to include teaching your employees good password habits. It is best to require your workers to use unique logins for each device and each software application. Good passwords need to be at least eight characters in length and include lowercase and capital letters, as well as numbers and special characters. These types of logins are much more difficult to crack than the name of an employee’s pet or child. According to a recent Verizon investigative report, 91 percent of data breaches are the result of weak passwords. Implementing good password “hygiene” is a significant step toward good cybersecurity.
Another aspect of controlling access is to develop an exit strategy for when employees leave the company. Revoking their access to email and social media accounts is vital and helps you avoid an embarrassing headline. It’s also a good idea to have all of their company emails forwarded to a department supervisor and change all of their passwords in their work accounts.
Another way to control access to company accounts is two-factor authentication. Also known as 2FA, this process requires two independent pieces of information for a successful login. This is usually a security question, access code, or physical card. 2FA makes it difficult for criminals to hack company accounts without the required information or device(s).
Creating a culture that promotes good cybersecurity
Good cybersecurity requires a continual effort from all of your employees. They need to be aware of what phishing schemes look like and how to avoid placing the business at risk by opening a suspicious link. They also need to be mindful of unauthorized people wandering around where they shouldn’t be, and to know how to enter and exit the building and how to log into programs and devices without exposing sensitive information to unauthorized persons. All of these issues should be addressed in your employee handbook.
Keeping sensitive information protected from cybercriminals doesn’t have to be an impossible task. It merely requires an ongoing, concentrated effort that puts systems in place that address data control and access to information, as well as creating a culture that emphasizes and rewards attention to security.