Today, information is one of the most treasured assets of a business. Still, we have seen many large, well-known corporations fail to protect their business and customer data. We have witnessed astronomical data breaches at Apple, Bank of America and Zappos in 2012; Target and Facebook in 2013; eBay, Sony Pictures, Home Depot and J.P. Morgan Chase in 2014; and most recently Anthem and Ashley Madison in 2015. Smaller companies may think they are excused because they do not have the deep pockets to implement strong security. However, as malicious hackers become more and more sophisticated, every organization that values its data needs to stay at least one step ahead of them. While there is no bullet-proof solution for system and data protection, here I list 21 cyber hygiene tactics to deter the bad guys. Even small firms can implement most of these recommendations, and some of them require little time and effort.
Apply security patches right away.
As soon as a security issue is detected in a system or application, you need to pursue or demand a fix, and then apply it as soon as it becomes available. Also, promptly apply updates to your antivirus software, operating systems, and tools. Decommission and dispose of systems that cannot be updated.
Manage the doors to the Internet.
Many breaches happen when hackers get access to machines that do not have to be online in the first place. Therefore, only the devices that need to be connected to the Internet should be online, and they should be appropriately protected. Also, it is imperative to implement strong hardware and software firewalls between the Internet and the company assets.
Protect your email system.
Educate users annually on best practices for email security. Install antivirus, anti-malware, and anti-phishing software in your email system. Provide toolbar buttons that make it easy for users to report spammers and potentially malicious emails. Proofpoint provides SaaS and on-premises solutions that automatically detect most malicious links in inbound emails. The tool also recognizes sensitive data in outbound emails, such as social security numbers and credit card numbers, and automatically encrypts the outgoing message.
Use a secure connection for remote access.
Use a secure connection to remotely connect to the company’s network. You can use a service such as RSA SecurID.
Secure company websites.
Use secure connections, such as SSL, on company websites that handle sensitive information.
Encrypt sensitive data.
Encrypt personally identifiable information, financial data, customer health data, and passwords using AES-256 or something stronger.
Secure your data centers.
Install physical locks on your data centers. Depending on the value of your systems and data, a lock with a security card reader might suffice. Larger companies might need to add sophisticated locks that require biometric identification.
Establish strong password policies.
Not only do you need to have a strong password policy, but you also need to enforce it. For instance, you can configure the system to require users to change their passwords at least every 90 days and to follow specific guidelines. At a minimum, the password policy should include the following.
- Make passwords at least eight characters long.
- Exclude from the password your log-in name or any part of your full name.
- Include in the password characters from at least three of the following four classes:
  - Upper case letters (e.g., A B C D)
  - Lower case letters (e.g., a b c d)
  - Numbers (e.g., 1 2 3 4)
  - Special characters (e.g., $ _ ^ / @ !)
- Avoid words that can be found in a dictionary.
- Avoid using people's names, pet names, place names, birth dates, years, street address numbers, zip codes, social security numbers, phone numbers, numbers in sequence (5678), and repeated numbers (7777).
- Keep a history in the system of at least the last ten revisions of the password and prohibit their reuse.
- Change the password at least every 90 days.
- Use a different password for each site. If you use the same password everywhere, anyone who learns how to access one of your accounts has access to all of them.
- Use a robust, trusted password manager such as LastPass for Business. This will ensure that users can easily follow all these rules.
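A policy checker that enforces the rules above, written here as an added example (not code from the original article or from any product it mentions). It assumes the password history is kept as salted scrypt digests rather than plain text, and the mini dictionary is a constructed stand-in for a real word list.

```python
import hashlib
import os
import string

# Constructed mini word list; a real deployment would load a full dictionary file.
DICTIONARY = {"password", "welcome", "summer", "company", "dragon", "monkey"}
HISTORY_DEPTH = 10  # the article's "last ten revisions"


def hash_password(password, salt=None):
    """Salted scrypt digest used only for the reuse check; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def reuses_old_password(password, history):
    """history: list of (salt, digest) pairs, oldest first; only the last ten count."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


def bad_digit_run(password, run=4):
    """True for runs such as 5678, 4321 or 7777 anywhere in the password."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        if not chunk.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):  # repeated, ascending or descending digits
            return True
    return False


def check_password(password, login, full_name, history=()):
    """Return the rules the candidate password violates (empty list = accepted)."""
    problems = []
    low = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    name_parts = [login] + full_name.split()
    if any(part and part.lower() in low for part in name_parts):
        problems.append("contains login name or part of full name")
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if bad_digit_run(password):
        problems.append("contains sequential or repeated digits")
    if reuses_old_password(password, list(history)):
        problems.append("matches one of the last ten passwords")
    return problems
```

Run the checker at password-change time and keep the last ten (salt, digest) pairs per user so the reuse rule can be enforced without storing old passwords in clear.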
Guard system passwords.
There are many applications that require a system password to run certain jobs. Make sure the passwords are hidden and only known to a couple of trusted people in IT Operations.
Have a data security plan.
Business managers must write a plan that identifies the types of data in the organization and how each should be stored, backed up, and used. Data types include financial, customer, contract, employee, operational, and administrative data. Data sources include paper, documents, images, reports, emails, and others.
The plan should name the owner of each type of data and who should have access to it. For example, only the payroll department should have access to payroll information.
Implement a policy for record retention and deletion.
In addition to the data security plan, there needs to be a policy that states how long each data type should be retained. As mentioned above, the data types include financial, customer, employee, operational, and administrative, among others. For instance, contracts should be kept for no longer than ten years.
Have a BYOD policy.
It is important to establish a BYOD (Bring Your Own Device) policy, so that employees are educated on, and responsible for, data security. Also, employees need to be aware that the company may monitor emails, documents, and online activity. In addition, company devices must have a tool to remotely delete company data if the device is stolen.
Limit the number of people who have access to sensitive information.
In many companies, to speed up access to systems and applications for a new employee, the help desk might give the user almost full authority. However, the best practice is to follow the rule of least access (the principle of least privilege). This means that you give the user the lowest access level required to perform his or her duties. It also implies that you should only grant access to users who have a business need for it.
Manage system access.
When an employee leaves the company, make sure you immediately revoke his or her access to the systems and data. Also, when an employee moves to another team or department, be sure to change his or her access to specific systems as necessary.
Store your data in a central place.
There have been many cases where employees lose their laptops with tons of sensitive information. Therefore, do not let employees store company data on their devices, such as laptops, USB drives, and memory cards. The company data should only be saved in a central place approved by the company.
By storing your data in a central place, you only have to worry about securing that one place. It also makes it easier for employees to search for specific data and find it.
Although many large companies prefer to store their most sensitive data in-house (on-premises), if your company is not doing a good job in securing the data, your best option might be to trust a Cloud Storage vendor. Services like Box, Dropbox for business, Google Drive and Evernote for Business are gaining much corporate acceptance for document storage. Similarly, Amazon S3, IBM and Dell (which just acquired EMC) are attracting more and more firms to use the cloud to store databases and data in general.
Run rigorous background checks.
Most medium-size and large companies already run background checks on new employees. However, for employees who will have access to sensitive systems and data, you need to perform stricter background checks. Furthermore, for these employees you need to repeat the background checks on a regular basis, usually every 6 to 12 months.
Keep your password secret.
Educate users not to share their passwords with anybody, not even the help desk. There may be occasions when a help desk person asks you for your password to make it easier to fix your computer. You should not share your password, even if you intend to change it after your computer is fixed. First of all, this person can impersonate you and do some damage. Second, he or she may figure out your pattern for choosing passwords.
Perform annual data security tests.
Instead of waiting for the next security breach to happen, run regular tests and audits to ensure your systems are protected. For instance, you can hire an expert to perform a security assessment. You can hire white-hat hackers to attempt to access your systems using different techniques, including social engineering. Also, you can have an auditor walk around and see whether users have their passwords written on post-it notes on their desks or monitors. You can also send a test email to see whether some users can be tricked into disclosing their passwords.
Destroy data properly.
Destroy all documents and data before disposing of paper and devices that contain sensitive information. This process can be outsourced to a trusted vendor.
Manage your partners.
It is often necessary to grant your partners access to your systems. By partners, I mean vendors, B2B customers, consultants, and temps. Many data breaches have succeeded because hackers got in through a partner's system. Other breaches have been attributed to the exploitation of remote vendor channels. Often, vendors use the same password for all their clients. Therefore, ensure that your partners comply with strict security measures. Also, restrict connections to your partners' systems over the Internet to specific ports and IP addresses.
Regularly train employees.
Train your employees every year on your security policies and best practices to prevent hackers and social engineers from getting access to the company’s systems and data.
You do not want your company to become a statistic. Hence, implement the above cyber hygiene recommendations as quickly as possible to keep your systems and data safe. Even small firms can implement these guidelines, and some of them require little time and effort. What other guidelines do you recommend? Please write a comment below.