Your information isn’t as safe as you think it is.
In part three of this series, Kelly Cory advises businesses how they can protect sensitive company and client information.
Don’t wait for an issue to arise before you start thinking about information security! The worst time to implement a security plan is after a security breach, once the damage has already been done. It’s a lot more expensive to repair the damage than to implement proper safeguards in the first place.
Below, you’ll find a list of best-practice steps for small businesses to secure their information.
(This list is provided solely for information purposes and should not be construed as legal or professional advice. Should you have any specific questions regarding your information system or how to implement security, please contact a trained IT professional.)
1. Identify your risks.
2. Determine the cost of: lawsuits, rebuilding data, loss of work/time.
3. Assess how much risk you and your business can live with. (Note: You can never eliminate risk entirely.)
4. Protect: computers, networks, software, operations, business processes:
- Install a firewall (multiple where needed), use a strong antivirus program and malware detection software, set web content filtering, run trusted anti-spyware, anti-spam, and anti-phishing programs on your computer.
- Do not download files, click links or open attachments from unknown sources. (Note: To date, you cannot get a computer virus simply by reading an email; but those days are coming.)
- Ensure important data and records are backed up regularly and stored off site. The goal is to be able to restore your system and data to what existed before a malicious attack, virus, code problem, theft, destruction, data integrity issue or equipment failure.
TEST YOUR BACKUPS –Know how to restore your data!
- When using off-site data storage, be sure the information is stored encrypted and the minimum standard encryption is used: fit 140 FIPS-2 compliance.
- Automate data and system backups.
- Have a security policy in place which implements “Best Practices.” Enforce safe internet, email, desktop and personal practices, teach all users safe computing and Internet skills.
- Use strong passwords and change them often.
- Don’t use the same passwords on all accounts. (If one gets hacked, the bad guys know to try other likely accounts you may have with the same password.)
- Be cautious where you store your passwords. (A flash drive locked in a file cabinet is a good idea - stored with an online password memory program seems like a great target for hackers.)
- Don’t allow online sites to save your passwords or credit card information. What happens if that company’s site gets hacked?
- Use screen locking on your computer, log off at the end of the day, and power down your system at the end of the day.
- Confirm identities of people or organizations requesting your information.
- Use locks (buildings, file cabinets, computers), alarms, anonymity, guards.
- Accompany all vendors or repair persons who enter your business or home.
- Control employee termination/departures.
- Give only enough information to answer questions.
- Conduct a background check on yourself. Make sure there isn’t anything on your record that wasn’t put there by you (ex: criminal records, judgments, liens, etc.) and run your free credit report yearly.
- Be cognizant of proper handling of data in remote environments.
- Beware of public wireless networks. Places which offer free wireless connections can be hot spots for hackers because it is so easy to track someone’s cookies and recreate what someone is looking at on their computer screen. (Note: It’s not a good idea for investigators to access sensitive case-related information on public wireless connections. This includes logging in to investigator databases, running DMV information, conducting online banking, etc.)
- Keep operating system updated, and make sure all patches for applications are current.
- Control access to important company data.
- When systems are replaced, be sure to destroy all information on the old system’s hard drives, and remove SIM cards and memory components. Deleting or erasing is not enough.
- Change your email settings to display “plain text” to avoid any hidden codes which could be malicious.
- Read all details of any smartphone application carefully before you download it to understand what access it will have to your information.
"Build a moat around your castle.” –Justin Tsui of Team Logic IT
For home/office wireless Internet networks:
- Change the default identifiers (SSIDs), and don’t broadcast them.
- WPA2 (WiFi Protected Access 2) is the minimum encryption to use for wireless according to NIST.
- Change the name of the wireless router box (too easy for someone to use a search engine to find out how to hack the router box by name).
- Change default encryption keys often.
- Change the wireless access point administrator password.
- Keep the “automatically connect to a wireless network” feature turned off on your smartphone so that just walking around, you can’t have your logins and passwords scanned right off of your phone.
Be sure to get professional help when you need it. Check reviews, get references (and call them) and find out how long the company has been in business.
Where to report scams/frauds – FBI Internet Crime Complaint Center
What to do if you become a victim of identity theft:
File a police report. Notify the top three credit bureaus to put your name on fraud watch so extra measures must be taken for accounts to be opened in your name and suspect transactions are flagged for closer attention. Change all of your passwords and request new credit cards.
About the author:
Kelly Cory is president of Keystone Investigative Services, Inc.
The author is independent of any specific company, program, or software that would benefit from the promotion of this information. This article is meant solely as an informational piece to help educate others on how to protect themselves and their companies. Any recommendations and tips should not be construed as legal or professional advice. Should you have any specific questions or concerns regarding your information security, contact a trained IT professional.
This article is a compilation of information gathered across various sources, from industry professionals and workshops and includes information from NIST and Team Logic IT as well Keystone Investigative Services, Inc.