Prudent data security for businesses extends well beyond their IT department. Every employee represents a potential security vulnerability. Considering the average data breach costs $12.7 million to remedy, an increase in cyber-security should be a priority for every type of business, especially now, when most data is digital and cloud platforms reign supreme. Fortunately, companies can take many relatively simple and affordable steps to improve their cyber-security.
Have Employees Undergo Comprehensive Training
With an ample amount of today’s data available only digitally, cyber-security training should be more pressing than ever. Employees should undergo regular training sessions on the do’s and don’ts regarding cyber-security. Strengthening employee awareness surrounding cyber-security matters will do wonders in reducing the chances the business is prone to a cyber-attack. After their training is complete, companies should implement a protocol to ensure employees are following the new policies designed with cyber-security in mind.
One of the most crucial aspects to convey in cyber-security training is to stress the dangers of giving out login credentials. It’s especially important to never give out login credentials via email, since email addresses can be easily spoofed by hackers under the guise of coworkers, friends or family. IT departments should have a protocol in place that requires a human-to-human exchange of login information if necessary. Even an IT department should never request sensitive login data via email or chat.
Another tip to stress during training is to use different passwords for each website or application. If employees have the same login information for every site they use, all it takes is for one site to become vulnerable to hackers for them to acquire access to all of that employee’s accounts across the web. Businesses can help stress the importance of using different passwords by requiring employees to change their password every few months. When creating these new passwords, it is important to remember that the old rule that a password should be a combination of symbols, numbers, and upper and lowercase letters doesn’t hold anymore. Hackers don’t think like humans; they think like computers. To counter this, create passwords that are long strings of words or even sentences that have a personal meaning to the user.
An additional aspect of training to incorporate includes informing employees about the dangers of working on public Wi-Fi, since hackers can exploit security vulnerabilities to obtain personal information from those connected. In general, an effective cyber-security training program will fill employees with skepticism and doubt regarding any request for digital information. This skepticism is ultimately a very good thing in solidifying a company’s level of cyber-security.
Craft a Contingency Plan for Data Breaches
Ideally, a cyber-security attack will never occur, though it’s unlikely every employee will abide by protocol and the IT department is completely foolproof. Companies can do everything possible to prevent a cyber-security attack, though they should also have a contingency plan in place so they can respond accordingly if a cyber-security attack does occur.
A business’ contingency plan should be available to all employees, pored over and studied throughout cyber-security training sessions. The business should also test the contingency plan and put it into action as if the cyber-security attack is occurring. One aspect of the contingency plan should involve routine backups of data on all computers, including spreadsheets, databases, documents, human resource files and accounts receivable/payable files. Backing up files can save millions of dollars and considerable headache if a serious hack does occur.
Provide Additional Resources of Learning
People tend to learn in different capacities. Some learn best in a group setting, while others ingest information most optimally by reading by themselves at home. Although in-office training may be enough for some to gain understanding about cyber-security, others may do better with take-home material. As a result, it’s prudent to provide additional resources for learning about cyber-security.
The U.S. Small Business Administration provides several resources for cyber-security learning, including a list of cyber-security tips. Additional resources help employees gain an even better understanding of cyber-security issues, making it more unlikely they will make themselves and the company prone to a cyber-security attack.
Equip Every Computer with Cyber-Security Prevention Tools
A single compromised computer can open up a business to millions in cyber-security damages. Antivirus and anti-spyware software can help prevent such a catastrophic attack. One of IT’s primary duties should be to ensure cyber-security software is running on all computers and receiving regular updates. There are a variety of software options. Whatever the software of choice, it should be available on every business computer without exception. Optimally, you can choose cyber-security prevention tools that coexist with present infrastructure, such as a premium option for a pre-existing cloud platform that offers enhanced security.
Secure the Networks
Companies that operate off Wi-Fi should ensure the Wi-Fi network is not broadcasting its service set identifier, while also password-protecting the network. Disabling the SSID broadcast of the router is possible via its setup page, with which IT should be familiar. Additionally, each computer should be operating behind a firewall, so suspicious incoming and outgoing connections undergo monitoring for security purposes. Secure networks will make things much more difficult for potential unwanted intruders.
Separate Payment Processors From General Browsing
Most businesses work with a bank or card processor to help process payments securely. Ensure greater security by isolating payment systems from one another, helping prevent confusion and catastrophic losses if one payment system is vulnerable. The shift from magnetic stripe payment cards to more secure chip card technology has helped cyber-security on the payment processor front, though businesses should still be wary of vulnerabilities in payment processor systems. Hacking of payment systems does occur, even among very large businesses like Chipotle, so it’s important to monitor payment systems alongside a company’s overall network and infrastructure.
Monitor Employee Accounts
Especially in a business world where cloud storage and virtual collaboration are a reality, businesses should be very attentive to physical access to computers and networks. Each employee should have a unique ID and login credentials with monitoring capacities, requiring a strong password. Laptops and mobile media should be locked up, so a potential intruder can’t make off with them. Additionally, check administrative privileges often to ensure only key personnel and IT staff have access.
Take Control of the Cloud
Cloud-based storage provides the ability for employees to collaborate in real time and access files from anywhere. Due to its low cost, effectiveness and flexibility, the cloud isn’t going anywhere anytime soon. As a result, businesses need to regard its potential security flaws as they embrace the technology.
Fortunately, many cloud-based platforms, like Google Drive, back up files automatically, though IT departments should be aware of the backup settings just in case. Regardless, it’s often prudent to pay for premium cloud security, while undergoing routine checkups regarding who can access what.
Controlling mobile information, which includes cloud-hosted data, is pivotal to maintaining strong cyber-security. Cloud-based platforms should be secure and monitored. There should also be a protocol in place for whenever employees want to access information remotely, with clear rules set on how they can work remotely, if at all.
Implement Multifactor Authentication
Tech giants from Google to Yahoo use multifactor authentication for logins, primarily due to its advantages if data becomes compromised. With multifactor authentication, hackers will be out of luck unless they also steal your cell phone and know your security PIN. Using a cell phone as a second factor of authentication is very useful, since an account can be locked when the system detects an attempted login from a different computer or IP address, until the user provides their mobile-sent PIN.
Multifactor authentication may not prevent mishaps on its own, though it goes a long way in minimizing the damage after data is compromised, to the point where a hacker is unable to obtain any information of value if they are locked out due to multifactor authentication.
Establish a Protocol for Incident Reporting
Hacking attempts, like an email phishing scam, can occur continuously if there is no blowback. Eventually, they may succeed if the efforts are persistent. Businesses should do their best to stop hacking attempts right when they occur by taking the proper precautions upon the first incident, which can include reporting the attempt to authorities. At the very least, businesses should use each cyber-security incident as a teachable moment. For example, all employees can pore over an attempted phishing scam, so they have a better understanding of what to look for, while also recognizing how prevalent such attempts are.
Provide Examples of Cyber-Security Attacks
Even when undergoing comprehensive cyber-security training, some employees may question the likelihood of a cyber-security attack. They may assume the business is safe as long as they don’t give out login information. In this case, it’s a good idea to provide examples of cyber-security attacks, particularly among businesses at a comparable or bigger-budget level. Recently, Uber had to pay hackers $100,000 to delete sensitive data after a massive cyber-security attack, one of many examples of a company which fell victim to hackers despite extended resources and a reputable name brand.
All these steps are possible for businesses, no matter their size. Whether it’s a startup or a very expansive company, there are some simple steps every company can take to improve their cyber-security, ranging from more comprehensive employee training and data breach contingency plans to implementing multifactor authentication and an increase in network security.
Bio: Nathan Sykes is a writer and journalist from Pittsburgh. He covers tech and business. Follow him on Twitter @nathansykestech.