In today’s high-pressure, technology-intensive business environment, the reliance upon information to drive business and decision-making is higher than ever before. And accompanying this explosive growth in information generation and sharing has been a dramatic rise in Security concerns – cyber security and information-protection is no longer optional for organizations, irrespective of industry.
Here are 14 tips on how to improve information security at your business without spending a lot of money…
1. Educate all employees on the importance of cyber security. Explain the need to avoid risky behavior – such as downloading music or videos from rogue websites, or opening attachments and clicking on links found in unexpected email messages. There are plenty of free and inexpensive materials online to help with this task. This costs very little and can prevent many problems – once employees understand that they are targets, their thinking changes in ways that can make a world of difference.
2. Don’t give every employee access to every system and piece of data. Instead, create policies governing who has physical and/or electronic access to which computer systems and data, and implement controls to enforce such policies. Give people access to the data that they need to do their jobs but not to other sensitive data. Many major breaches – from Sony to Bradley-Manning-WikiLeaks – would likely have been minor incidents had data been segregated properly.
3. Ensure that each person accessing a system has his or her own login credentials.
4. Ensure that everyone uses proper passwords – Do not require overly complicated passwords as they can actually weaken security by encouraging people to write passwords down or use repeating characters. Passwords should not be easily guessable based on personal information (e.g., your pet’s name) or found in the dictionary. I like combinations of words and numbers (e.g., Goats7Phones3Keyboard) rather than requiring special characters and mixed cases.
5. For especially sensitive systems, consider using multi-factor authentication; software-based multi-factor authentication products can be relatively inexpensive and well-worth the investment.
6. Encrypt all sensitive data when storing it or transmitting it. There are plenty of free and inexpensive tools available to do this. Note: If you are not sure if something should be encrypted, it probably should be.
7. Backup often. Most businesses do not backup often enough.
8. Do not maintain backups attached or connected to production networks – this is a common mistake. If malware (e.g., ransomware) gets onto the production network it could corrupt the backups as well. Ideally, maintain offsite backups in addition.
9. Create, and enforce with technology, appropriate social media policies. Don’t pretend that policies alone will ensure that employees don’t make inappropriate social media posts – you need technology to help with this task as people make mistakes – and some of these mistakes can prove costly to your business. Many breaches begin with criminals crafting spear-phishing emails based on overshared information on social media.
10. Make sure you have policies and technology to address the risk of people bringing personal devices to work. All access to the Internet from such devices – or from devices brought by visitors to your office – should be done via a separate network than is used for company computers. Many routers come equipped with such a capability.
11. If your business processes credit card transitions, be sure to comply with all credit card industry rules such as the most recent version of PCI. Never store credit card security codes or debit card PIN numbers.
12. Use appropriate security technology by defining functional and security requirements and choosing accordingly – and ensure that all such security technology is kept up-to-date. Internet security packages that include anti-virus software, firewalls, etc. – which are generally inexpensive – are necessary on all computers (desktops, laptops, tablets, smartphones, etc.).
13. All portable devices should have remote wipe capabilities; do not forget to enable the remote wipe functionality when setting up these devices.
14. Hire an expert to help you. The cost will likely be well worth it. You go to a doctor to make sure you stay healthy, you go to an accountant to handle your accounting – why would you try to protect all of your data by yourself? Even a few hours of advice can pay for itself many times over in terms of time, money, and aggravation saved down the road. Hackers are roping in experts – you should do the same.
Loved the article? Can’t wait to take on the world of Information Security? Get a professional certification to position yourself at the front of the pack – and we’ve got special rates for our readers!