Effective cyber security guidelines can be confusing, and compliance may seem expensive. Yet there are simple and inexpensive steps you can take to secure your sensitive data. The first thing to realize is that being secure is a process and takes time to implement. No one becomes “cyber secure” overnight. There is no magic product to purchase or book to read that will make your organization instantly unhackable and safe from ransomware attacks.
Iterative Risk Management Process
At the core of increased cyber security is a risk management process. It sounds much more confusing than it actually is. So what is Risk Management?
Step A – Identify how you are currently protecting sensitive company information and identify the current weaknesses in your protection.
Step B – Implement additional security safeguards to better protect company information.
Step C – Go back to Step A and repeat on a periodic schedule.
This is an oversimplified definition of Risk Management, but it illustrates that the process is one that is repeated over and over. This article will focus on some of the things you can do in Step B to accomplish greater security.
Tip #1 – Encrypt all laptops
We are not going to get into the details of data encryption, and you don’t need to fully understand what data encryption is to understand the benefits. Many state breach regulations state that if sensitive customer data is encrypted and the data is lost or stolen, there is no need to notify customers or report the breach. The official description is that encryption is a Safe Harbor under the majority of state regulatory rules, but we like to call it the “get out of jail free card”. If you lose a laptop with credit card information on it and it is encrypted, you can act, for breach regulation purposes, as though it was never lost. The cost to encrypt a laptop is minor compared to the reputation impact alone should you be forced to disclose a breach. Encryption has minimal effect on using the laptop and only requires a password to be entered when you first start up the laptop.
We have heard arguments from clients that “our laptops don’t have any sensitive data on them so why should we encrypt them?” While it may be true that you did not intend the laptop to contain sensitive information, the fact is it very well COULD contain customer information you only intended to use overnight to complete a project.
There could also be emails with sensitive information; spreadsheets, documents or PDFs could be stored on the laptop; reports downloaded from the bank could be on the laptop. If a laptop is lost or stolen, the process of trying to figure out what data was stored on it would likely cost you much more than the cost to encrypt the laptop in the first place. Bottom line: if your laptops are encrypted, you no longer have to worry about a breach trigger at all.
Tip #2 – Minimize the use of portable devices and the amount of sensitive data on portable devices
In order to reduce the risk of losing company information stored on a portable device, make it a practice to not use portable devices. Raise your employee awareness of the risks of portable devices. Write a memo or send an email to all employees stating that the use of portable devices to store sensitive company information is frowned upon. If employees must use portable devices then the amount of company or customer information stored on the devices should be only the minimum needed.
Another, more secure, way to access sensitive data outside the office is an encrypted cloud share. An additional benefit of our Guardian Angel Cloud Share is the ability to perform true collaboration.
Tip #3 – Encrypt all backup storage
No matter what media you use or where you store your backups, ensure that they are encrypted. They aren’t simply your backups; they contain your entire company. If backup data is lost or stolen, you could have a very large data breach. Don’t assume your IT people are using encryption as part of your business continuity plan. Have a conversation with your IT guy and confirm that they are encrypting your backups. Most business continuity solutions support data encryption, but it usually isn’t the default.
Tip #4 – Ensure you have a startup password and inactivity timeout on your tablet or smartphone
Mobile devices such as iPhone, Android, Windows Phone and iPad may contain sensitive information. Increasingly, tablets and smartphones are used to access company data. In addition, more and more sensitive customer information is contained in emails between executives, administrative assistants, billing departments, etc. Smartphones and tablets are easily lost or stolen and represent a risk to the customer information that they may contain. So what should be done to prevent the breach of information in the event that a smartphone is lost or stolen?
Mobile Device Safeguards
There are many safeguards you can put in place to reduce the risk of data breaches caused by smartphones. Here are three safeguards that will go a long way to minimize the impact should the unthinkable happen.
- Refrain from sending sensitive data via email in the first place
- Protect your device by ensuring that a start-up password and an inactivity timeout have been implemented
- Implement mobile device management for such devices. This includes remote wipe of company data and device location.
By following these steps you can minimize the likelihood that a lost device initiates a breach protocol.
Tip #5 – Implement good password controls
Passwords are one of the keys to protecting systems that contain company information. The stronger the passwords being used, the more protection you’ve enabled. Here are a few tried and true ways to ensure you implement good password controls.
Encourage employees to use complex passwords that have upper and lower case letters, special symbols such as “@ ! $ % &” and numbers. The more complex the password, the harder it is to guess or crack. Keep in mind that your employees probably have so many different passwords that they will not be too happy to have another one, especially if it is hard to remember. You will have to ensure they understand the importance of protecting patient information and the importance of using complex passwords in order to overcome any employee resistance.
Don’t write passwords down
Passwords should not be written down. They should not be stuck to monitors on yellow sticky notes. They should not be on a piece of paper under the keyboard. Passwords, like credit card and Social Security numbers, should be protected and not shared.
Lock accounts after failed password attempts
Accounts should be locked after a number of failed password attempts. For example, if an employee enters their password incorrectly 5 times, the account should be locked and require the network administrator to unlock it. Account lockouts prevent passwords from being guessed, whether by hand or with the automated tools hackers use to try many passwords in quick succession (known as brute force attacks). Needing to have an account unlocked may be a little inconvenient, but account lockouts are a very effective way to protect sensitive information from unauthorized access.
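The two controls just described (the complexity rule from the start of Tip #5 and the five-attempt lockout with administrator unlock) in working form, as an added example that is not part of the original article: the 8-character minimum, the choice to count any non-alphanumeric character as a special symbol, and the sample user name are assumptions.

```python
import re

LOCKOUT_THRESHOLD = 5  # failed attempts before lockout, as stated in the article

def meets_complexity(password: str, min_length: int = 8) -> bool:
    """Complexity rule from Tip #5: upper- and lower-case letters, a number and a
    special symbol. Min length is an assumption; any non-alphanumeric counts as a symbol."""
    return (
        len(password) >= min_length
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )

class AccountLockout:
    """Counts consecutive failed logins per account; at the threshold the account is
    locked and stays locked until an administrator unlocks it."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def record_attempt(self, user: str, success: bool) -> str:
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if user in self.locked:
            return "locked"                # even a correct password is refused
        if success:
            self.failures.pop(user, None)  # a good login resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        """Administrator action: clear the lock and the failure counter."""
        self.locked.discard(user)
        self.failures.pop(user, None)

def simulate_guessing(user: str = "jsmith") -> list[str]:
    """Constructed sample: five wrong guesses, the right password while locked, then
    an admin unlock followed by the right password."""
    policy = AccountLockout()
    results = [policy.record_attempt(user, False) for _ in range(5)]
    results.append(policy.record_attempt(user, True))   # still locked
    policy.admin_unlock(user)
    results.append(policy.record_attempt(user, True))   # now succeeds
    return results
```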
Utilize a password manager
One of the easiest ways to accomplish good password hygiene is to use a password manager. Instead of remembering dozens of passwords (or worse, re-using the same password dozens of times), you simply need to remember ONE password. That one password can be a long 16 character passphrase, which makes it extremely effective. For every other account, you can have the password manager generate a complex password for you, and you’ll never need to remember it.
We have covered a few simple tips that you can easily implement to protect your sensitive data and move you toward increased cyber security. Following these tips will go a long way toward providing increased protection of your employee or customer information. If you would like to discuss implementing these and other safeguards, or learn more about our comprehensive Guardian Angel Cybersecurity Service, feel free to contact us at email@example.com or call our office at (317) 290-8702.
About the author, Rick Rusch, CPA, CITP, CGMA
For over 25 years Rick has helped companies research and select an appropriate ERP accounting software solution. Recognizing the new dangers of the Internet age, Rick has focused on cybersecurity to help clients guard their digital data. Rick has degrees in accounting and computer science.