“It’s the most wonderful time of the year.” Those lyrics, sung by Andy Williams, for many capture the holiday spirit. This is especially true for business owners, who see welcome revenue increases during the fourth quarter.
However, it’s also a wonderful time of the year for some you’d never expect … cyber criminals.
Knowing that the holiday season is a time when companies are most vulnerable, usually because of lighter work schedules, hackers are out on the prowl, and in force.
What can businesses do to protect themselves? Here’s a list of some of our top tips that your business can implement to secure your networks and protect your profits this season.
Formal Information Security Program and Policies
The first thing you should do is formalize an information security program and related policies. Without having a plan as to how you will approach cyber security, your efforts will be disorganized and you won’t get as much out of them.
Also, if your industry falls under regulatory standards, there’s a good chance that your business is required to document its information security program.
With a formal program in place, it’s also easier to create buy-in at all levels of your organization, which also makes it an opportune time to implement security awareness training.
Security Awareness Training
With 80% of data breaches due to insider threats, most of them employee negligence (i.e. clicking on a bad link, downloading an infected file attachment), it’s important to invest in regular cyber security awareness training. You may have enrolled your company in cyber security awareness training in the past, but the research shows that knowledge retention is significantly higher when you conduct security awareness training regularly, which makes breaches less likely.
Aside from learning to spot malicious emails or social engineering attacks, there is one part of security awareness training that we feel should stand out on its own: password security.
You’ve probably heard about the need for a good password policy before. It can’t be emphasized enough. However, for some reason, many businesses still use default passwords or don’t enforce quarterly password changes.
To remedy this, set up your user Group Policies in Active Directory so that employees are required to change passwords once a quarter.
Here are a few quick security tips for creating passwords:
- Use a variety of uppercase and lowercase letters, numbers, and special characters
- Use different passwords for different services
- Change passwords at least once every three months
- Make sure passwords are 16 characters in length or longer
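The Active Directory setting described above, as an added example that is not part of the original post: it applies the quarterly change and the password rules from the list to the default domain password policy with the ActiveDirectory PowerShell module, then checks for accounts that are exempt from expiry. It assumes the module (RSAT) is installed and the session has Domain Admin rights; the 24-password history count is an assumption, since the post does not specify one.

```powershell
# Added example (not from the original post): enforce the password rules above
# on an Active Directory domain with the ActiveDirectory PowerShell module.
# Assumes RSAT/ActiveDirectory is installed and the session has Domain Admin rights.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Record the current default domain password policy before changing anything.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount

# Apply the post's rules: 16+ characters, mixed character classes (complexity),
# a change at least every 90 days, and no reuse of recent passwords.
# PasswordHistoryCount 24 is an assumption; the post does not give a value.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 16 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false

# Verify the result.
Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Report enabled accounts flagged "password never expires": that flag silently
# defeats the quarterly rotation rule, so each one needs a documented reason.
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' |
    Select-Object SamAccountName, DistinguishedName
```

The default domain policy applies to every user; if service accounts or administrators need different rules, use a fine-grained password policy for that group rather than loosening the default for everyone.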
While security awareness training and proper password security tips should make unauthorized access to your systems more difficult, there are still other weaknesses that you should address, such as software vulnerabilities.
Software Best Practices
Prior to any risk assessments, you’ll want to update your:
- Antivirus software
- Operating system
- Business applications
- And all of your software with the latest security patches
Furthermore, only allow approved software to be used and remove unused, end-of-life (EOL), unsupported, or unapproved applications. Under no circumstances should anyone in your organization download, or install, pirated or cracked software.
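One way to find software that is not on your approved list, as an added example that is not part of the original post: it reads the installed-program entries from the Windows Uninstall registry keys and compares each display name against an allowlist. The allowlist entries and the output path are constructed for illustration; the script reports, it does not uninstall, so each finding can be reviewed first.

```powershell
# Added example (not from the original post): list installed software that is not
# on an approved list, so unused, EOL or unapproved applications can be reviewed.
# The approved patterns below are constructed for illustration; use your own list.
$approved = @(
    'Microsoft Office*',
    'Google Chrome',
    'Mozilla Firefox*',
    '7-Zip*'
)

# Installed programs are registered under the Uninstall keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate -Unique

function Test-Approved {
    param([string]$Name)
    foreach ($pattern in $approved) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

$unapproved = $installed | Where-Object { -not (Test-Approved $_.DisplayName) }

# Show the findings on screen and export them for a review/change ticket.
$unapproved | Sort-Object DisplayName | Format-Table -AutoSize
$unapproved | Export-Csv -Path "$env:TEMP\unapproved-software.csv" -NoTypeInformation
```

Run it on each machine (or via a remoting session) and treat the CSV as the worklist: every row is either added to the approved list with a business justification or removed through its own uninstaller.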
Assuming you’ve updated all of your software and eliminated all unnecessary applications, you should consider getting a risk assessment next.
Have you had any of the following lately?
- Compromise assessment
- Enterprise risk assessment
- Vulnerability assessment
- Penetration test
- An audit or compliance scan
You want to get risk assessments performed regularly to get a gauge on your security posture relative to emerging threats and new vulnerabilities as they come out daily. To give you an idea of the magnitude of the number of new threats that come into existence, in 2014 an average of 200,000 new strains of malware were created per day. And that’s just malware.
That’s why it’s important to perform risk assessments on a regular basis. And while you’re scheduling your next set of risk assessments, there’s something simple you can do right now that you may not have even thought of … restricting which websites company personnel can visit.
Web filtering, while typically seen as an employee management tool, can also be used by information security staff to block access to malicious websites.
For those of you reading this who are not too familiar with web filtering, it restricts employees from viewing certain websites or categories of websites.
So, web filtering is necessary not only from a productivity standpoint, but also from a security standpoint: some categories of websites are common targets for “malvertising,” a type of attack where online ads deploy malware either when a user clicks on the ad or simply when the page displaying the ad loads.
Now, assuming you’re filtering which websites employees can visit, let’s say someone still gains unauthorized access to your network. What’s one way you can prevent that?
Securing Wireless Access Points
It’s surprising how many businesses don’t do this, yet it’s so simple and easy to do. Avoid broadcasting your private internal WiFi network and make sure your routers use WPA2 (802.11i) security, which is more difficult to crack than the WPA or WEP security protocols.
If you have people coming into your office, set up a separate public WiFi network for guests only and require a password to access it. This protects you from unauthorized network access, so a hacker outside your office can’t force their way onto your networks. But what can you do if they’re already peering inside your environment? There are a couple of things. Hopefully you’ve taken other measures to protect your data, which we’ll discuss below, and also formulated a plan on how to respond to active threats on your network.
Incident Response Plan
Let’s assume you’ve done everything right so far. The reality is a breach is inevitable. Accepting this fact, make sure you detail how your organization will perform endpoint monitoring, alerting, and incident response.
If you haven’t already, formulate an incident response plan. If one is already in place, be sure to review it and revise as necessary.
Now, in the event that a breach occurs where a hacker is out to steal your data, there is another simple safeguard that will give you an extra layer of security … encryption.
Here’s another one businesses can miss: they don’t encrypt their most important data. This is pretty important, especially if you’re storing or transacting customer data. You should also encrypt your high-value data and your intellectual property.
If you can help it, try to avoid storing sensitive data on your networks. If you have to, then use encryption. While data encryption won’t prevent a breach, it can provide an extra layer of security.
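The “if you have to store it, encrypt it” step for data at rest on Windows machines, as an added example that is not part of the original post: it audits which fixed drives are BitLocker-protected, enables BitLocker where they are not, and escrows a recovery password in Active Directory so an encrypted drive never becomes an unrecoverable one. It assumes a domain-joined Windows machine with a TPM, the BitLocker PowerShell module, and an elevated session.

```powershell
# Added example (not from the original post): audit and enable BitLocker on fixed
# drives, and back each recovery password up to AD DS. Assumes a domain-joined
# Windows host with a TPM and the BitLocker module; run from an elevated session.

# 1. Audit: which volumes are protected, and how?
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionMethod, EncryptionPercentage

# 2. Enable BitLocker on every unprotected OS or fixed data volume.
$unprotected = Get-BitLockerVolume | Where-Object {
    $_.ProtectionStatus -eq 'Off' -and $_.VolumeType -in 'OperatingSystem', 'Data'
}

foreach ($vol in $unprotected) {
    $mp = $vol.MountPoint
    if ($vol.VolumeType -eq 'OperatingSystem') {
        # OS drive: TPM unlocks it at boot; add a recovery password as the fallback.
        Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    } else {
        # Data drive: recovery password protector, unlocked automatically from the OS drive.
        Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
        Enable-BitLockerAutoUnlock -MountPoint $mp
    }

    # 3. Escrow the recovery password in AD DS. A lost TPM or a reimaged board
    #    must not turn "encrypted" into "lost".
    $recovery = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($kp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId
    }
}

# 4. Re-run the audit so the change is recorded.
Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus, EncryptionPercentage
```

Backing up to AD DS only succeeds if the domain’s Group Policy allows BitLocker recovery information to be stored there; check that first, because a failed escrow is the one error in this script you do not want to ignore.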
But let’s say you’ve done everything to prevent a breach, and encrypted your data. Your data can still be at risk to other threats such as natural disasters. What do you do in the event that your data availability is at risk?
Disaster Recovery Plan
Have you backed up your data recently? Better yet, do you have a disaster recovery plan or business continuity plan in place?
In the past, disaster recovery plans factored in worst-case scenarios. With the proliferation of ransomware and destructive cyber attacks, including destructive malware, it is more likely than before that you will actually have to carry out your disaster recovery procedures.
Remember, in today’s hyper-connected digital environment, a breach is a given. Not if, but when. In fact, there’s a good chance there’s a breach on your network somewhere right now, and with destructive cyber attacks increasing, you need a disaster recovery plan.
And while cyber security is everyone’s responsibility, it still falls on your company’s leadership to set the tone for security at the top. This includes not only things like a disaster recovery plan but also formulating a good IT security policy and communicating that policy within the organization; it’s much easier to get company-wide buy-in when security is championed by an organization’s leaders.
Don’t risk your business’s hard-earned profits this year. A little bit of prevention goes a long way. Your stakeholders are counting on you to keep your environment secure, and your customers are counting on you to keep their data secure.
Implement the tips in this article and finish 2015 as a security success!
Check out our easy-to-use checklist to make sure your business is secure this holiday season!