A best practice guide for your small business.
LOCK BEFORE YOU LEAVE. Always lock your computer before leaving your desk. Our computers house sensitive information, and when a workstation is left unlocked, an attacker may have unrestricted access.
THINK BEFORE YOU CLICK. Once a link has been clicked it is possible that malicious software can install itself on the user’s computer. Don’t click on any link unless you know you can trust the source it is being sent from and are certain of where the link will take you. If you are unsure about a link, the best thing to do is call the individual prior to clicking on the link. You can hover the mouse over the link and check at the bottom of the browser to see if the actual URL link matches the link in the message.
Always be on alert Social engineering is the attempt to gain unauthorized information or access through manipulation. The social engineer will research the organization to find information that could aid them. They typically call or email the victim with a made-up story designed to steal or access information. To help combat this, you must be trained on how to identify a potential social engineering attack.
USE STRONG PASSWORDS. It’s important to create strong, complex passwords for your systems.
- Create passphrases instead of passwords. Even with slight variations, individual words are easy to guess, but a series of words in a passphrase makes them more secure.
- For a non-privileged account, your complex password should be at least 12 characters long and updated every 90 days. The password should be at least 14 characters for privileged accounts and should be updated every 45 days.
- Do not use the same password for multiple systems, websites, or accounts. Do not use passwords that include personal information that could be easily accessed or guessed.
- Do not store your list of passwords in a plain text file on your computer or written on sticky notes or notepads. Instead, several third-party password management programs can help you stay secure.
PROTECT YOUR MACHINE It is imperative to properly install and continually update software firewalls on every machine that contains digital information. A firewall helps to prevent unauthorized access to or from a network. Patching your operating systems and applications is a vital security practice as well. When these patches are released, it is important to install them immediately. As time passes, new threats will be found so that system patching will be a constant security measure.
3-2-1 DATA BACKUP RULE
3: Always have three copies of your data, one production copy, and two backup copies.
2: Utilize two different media types when performing backups (cloud, disk, tape, etc.).
1: Always keep one copy of your data offsite and ensure that offsite backup is air-gapped.
MFA Implement multi-factor authentication on all web applications that allow the feature on your enterprise password manager, email, Active Directory, etc. Yes, this extra layer of security adds a bit of inconvenience and another speed bump in the login process, but the risk it mitigates is well worth the additional step.
BE A CAUTIOUS SURFER Surfing the web can be risky if you aren’t careful, so use caution. It only takes one click to pick up malicious code that can infect a computer with viruses and other unwanted malware. If you pick up malware using a computer with administrator privileges, you have successfully just given the malware the same administrator rights you have on your user account.
REMOTE NETWORK Remote work is here to stay.
- Make sure a strong password secures your home Wi-Fi network. If possible, consider setting up a separate Wi-Fi network for work and one for personal devices.
- Use only business-dedicated devices for remote work and separate personal devices for everything else.
- Password-protect all accounts with unique individual passwords. Don’t reuse passwords for personal and work accounts.
- Remember what is considered sensitive information that should be protected, including financial information, proprietary business documents, industry secrets, downloadable products, and employee information.
DLP. Data Loss Prevention software should be used to keep private information safe. There are several DLP software functions a user can choose from, ranging from cloud prevention services to email services. DLP software aims to monitor and protect each user’s sensitive data. A user with DLP software installed on their system will undoubtedly be safer since there is a “double-check safeguard” for information being processed on their workstation. For example: if an employee sends an email and accidentally includes sensitive customer information, the email will not send until the info or data is erased from the message.
MIND YOUR MOBILE MANNERS Today’s mobile devices have made it far more convenient for people to surf the web, check emails, or update social media statuses from anywhere. However, when connected to the company network, there is the potential to cause a lot of damage if one clicks on a bad link or visits the wrong page. If employees and customers are allowed to use the company network, proper security measures should be taken such as phone encryption, strong passwords, or even using the guest Wi-Fi network instead.
EDUCATE, EDUCATE, EDUCATE People are considered the weakest link in security, and the bad guys know it. If all employees have a basic understanding of security or learn how to identify a potential incident, your business is less likely to fall victim to an attack. Security awareness training should cover basic information security principles and response steps to social engineering and phishing – the two most common causes of data loss and breaches. Having all employees, from the top down and including your board of directors (if applicable), well-trained in the basics of network, system, and information security is a huge step in today’s cyber world and is one of the best investments that can be made.
For additional questions or concerns, please reach out to:
Kalee Carmel, Cash Management Portfolio Manager
Direct Line: (413) 749-1178