It’s 2017 and I am sure that you are succeeding at your personal resolutions, but what about those related to your business? Cyber security should be a primary focus this year. You may think that your company is “too small” to be on the radar for an attack, but the opposite is true. Cyber criminals succeed because small and medium-sized businesses do not invest in cyber security, and that makes you the perfect target.
A select number of people make it their mission to “win.” Gamblers have that mentality, but so do hackers. There is a common denominator in this – money. Cyber criminals are always looking for ways to bypass the system, just like those who seek out “insider information” to bet on horses.
Beyond criminals acting with intent, consider the Internet of Things (IoT), disgruntled employees and other internal threats, a lack of technical knowledge in the workplace, and working with the wrong IT Managed Services Provider (MSP), to name a few. The scope of cyber-attacks is much broader than a simple “hack.” Compromised company data can result in monetary losses to a company of any size. This information can include, but is not limited to, personal employee information, financials, credit cards, and bank accounts.
Below are the Top 6 Security Resolutions of 2017 that don’t “break the bank”:
Password Policy
Is there a password policy that your company abides by? Are password parameters enforced? Do password changes happen company-wide every 3 or 6 months? If you answered “no” to any or all of the above, it is time to make some changes. The first place to start is educating employees on what makes a good password. If everyone is using their birthday, the word “password” or a significant date in their life that can be found all over social media, those passwords should be changed – immediately – so that your systems are not compromised.
Every password for every site should be different and include a mix of character types. More importantly, passwords should not live on a post-it on your desk, in the notes section of your phone or iPad, or in a personal file saved on your computer. Your device may be lost, or someone might find that piece of paper with your passwords on your desk. That may seem highly unlikely among colleagues you work closely with, but how well do you know the cleaning crew?
There are a number of password management applications that will generate strong passwords for you. Your only requirement is to remember the master password that gets you into that application. Password updates and changes should be proactively monitored by your IT Managed Services Provider (MSP) for security purposes.
In terms of mandating a password change, there are different schools of thought. If employees are required to change their password every 180 days, they may have a tendency to change or add a single letter or number. Alternatively, they may change their current password to a weaker one so it is easier to remember. Neither scenario is effective, and both put your company at risk. Mandated changes need to be enforced with a policy that includes a set of rules to ensure that strong passwords are implemented and used properly.
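As an added illustration (not part of the original post), the following Python checker enforces the parameters described above: minimum length and character mix, a ban on the word “password” and on date-like strings, and rejection of the rotation anti-pattern where an employee changes or tacks on a single letter or digit. The weak-word list, thresholds and sample passwords are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed list of weak base words; a real policy would use a much larger banned-password list
WEAK_TOKENS = ("password", "letmein", "welcome", "qwerty")
# Date-like shapes such as 19850314, 03-14-1985 or 1985/03/14 (birthdays are easy to find on social media)
DATE_RE = re.compile(
    r"(19|20)\d{2}[-/]?(0[1-9]|1[0-2])[-/]?(0[1-9]|[12]\d|3[01])"
    r"|(0[1-9]|1[0-2])[-/]?(0[1-9]|[12]\d|3[01])[-/]?(19|20)\d{2}"
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(new: str, previous: Optional[str] = None, min_len: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(re.search(p, new) is not None for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    lowered = new.lower()
    if any(tok in lowered for tok in WEAK_TOKENS):
        problems.append("contains a common weak word")
    if DATE_RE.search(new):
        problems.append("contains a date-like sequence")
    if previous is not None:
        old = previous.lower()
        # The rotation anti-pattern from the text: the old password with one letter or digit changed
        if edit_distance(lowered, old) <= 1:
            problems.append("reuses the previous password or changes at most one character")
        # ... or the old password with a few characters tacked on (or chopped off)
        elif lowered.startswith(old) or old.startswith(lowered):
            problems.append("is the previous password with characters added or removed")
    return problems


if __name__ == "__main__":
    # Constructed sample rotation: "Summer2017!" -> "Summer2017!!" is rejected, a fresh passphrase passes
    print(check_password("Summer2017!!", previous="Summer2017!"))
    print(check_password("correct-Horse-battery-Staple-9", previous="Summer2017!"))
```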
Bring Your Own Device (BYOD – “it’s time to pay attention”)
Do you provide all of your employees with a laptop or desktop? Do you allow employees to use their own laptops? If you do not, can they still access email or company information on their phone, iPad or any other type of device? The great divide between being “online” and “offline” no longer exists. These worlds have collided primarily due to our own free will. Don’t you find it that much easier to address a work-related issue almost immediately, regardless of the hour, rather than letting it fester until you get to it in the morning? What about a question from your boss? Probably the same answer – respond now.
BYOD (Bring Your Own Device) allows employees to use their own devices in the workplace rather than those administered by their company. Employees are much more familiar with their own machines, which makes them easier to use. They can respond to requests faster, are more comfortable in your work environment and have the freedom to work at any hour, which tends to lead to an increase in productivity and job satisfaction.
Given that mobile devices are inherently moving targets used outside the organization’s protective walls (firewalls, threat management, etc.), it is vital to put a firm-wide policy in place to limit the exposure to security risk. Once this policy is established, it is important to educate employees on best practices, implement effective device management and support, and enforce the policy.
Mobile Device Management (MDM) solutions streamline setup and device enrollment so the process is seamless. They proactively secure mobile devices by specifying password policies, enforcing encryption settings and selectively wiping corporate data, among other controls. Some also monitor and report on devices by providing software and hardware inventory. Work with your IT Managed Services Provider to determine which MDM solution is best for you.
Encryption
A standardized password policy makes it more difficult for a hacker to break into your systems. Have you heard the adage, “cyber criminals don’t discriminate?” It does not matter what size your company is or how strong your passwords are; there are still countless criminals capable of accessing your systems. One way is to boot a whole new operating system from a USB drive and read the files on the disk directly, bypassing the login altogether. If you have an internal IT staff member, I am sure that heightened security is on their docket. However, time constraints related to putting out day-to-day fires may not allow for this type of proactivity.
Encryption is one of the strongest ways to deter a security breach. It converts information into another form that can only be read by approved parties: the data is turned into a code that is, for practical purposes, “unbreakable” without the key required to decode it.
When you encrypt data on mobile devices, unauthorized users who get hold of the device still cannot read the data without the key. So if an employee drops their phone during a night out on the town, your data should be safe. Regardless, when a device is lost or stolen, the BYOD policy should outline the protocols for reporting the incident.
Secure Remote Access
As touched upon under BYOD, employees require 24/7/365 access to information, for personal and professional reasons. Outside the firewalls of your organization, it’s important to have secure remote access to company data and business applications. If employees can access it, so can others if they try hard enough. Moving towards secure remote access gives employees the freedom to work at any time and gives business owners the peace of mind to allow them to do so. Companies need to provide a secure mechanism to access systems remotely if employees are going to work outside the office.
A safe way to achieve this is, again, strong passwords for all business applications combined with a Virtual Private Network (VPN), which creates an encrypted connection over a less secure network. The VPN requires the person connecting to authenticate, and it can also be set up to validate the device connecting to it. Some organizations go further and restrict access to approved devices whose operating systems, patches and anti-virus/anti-spam/anti-malware are all up to date.
Are you working from Starbucks, JFK Airport or the Shake Shack and accessing company information? To hackers, public Wi-Fi is as easy as walking through an open doorway. Deem public network access off limits unless employees can connect through a secure network such as the VPN.
Implementing a secure remote access system increases employee productivity and job satisfaction, allows your organization to stay current, if not ahead of the times, and lets you take advantage of all of the benefits associated with the use of mobile devices in the workplace.
Who is Working for You?
How extensive is your screening process for new employees? Is it based on a gut instinct, a handshake or an extensive background check? This may be a given in any organization, but it is important to catch people at the door before giving them the keys to your kingdom. Carefully screen potential employees to reduce the risk of welcoming a newcomer with malicious intent.
Keep Your Employees Informed
Do your employees know about phishing schemes, ransomware, or what constitutes a social engineering scheme? It is important to educate your employees on the cyber schemes out there today and what they should be looking for. In addition, users must be aware of the security protocols, such as those mentioned above, that your company institutes. Knowledge is power. Educating your employees makes them aware of the potential risks and vulnerabilities so they can proceed with caution. Established security protocols are still not a guarantee that your systems will not be compromised, but they will definitely help keep attackers at bay.
Depending on your business needs and dedicated staff, IT Managed Services Providers can maintain all or part of your IT environment. Contact The TNS Group today to learn how collaborating with an MSP can mitigate security risks.