Cybersecurity is a big deal in business. Between vital company information and private client data, someone with malicious intent can do a lot of damage if a breach occurs.
Protecting your sensitive information means taking a close look at your security guidelines. Here are some common dos and don’ts from industry experts that know how to keep important data safe!
Do: Promote Strong Passwords
Perhaps the most basic security advice is to use strong passwords and change them often. Even though it feels like common sense, people still use birthdays, pet names, and even social security numbers to make their passwords easier to remember.
According to Stephanie Venn-Watson, CEO of Fatty15, “Employees think changing one number or alternating capital letters is enough to make it secure. They don’t understand how easy it is to crack those kinds of passwords.”
Instead of relying on your workers to come up with strong passwords, many businesses have started to provide applications for their employees to manage passwords automatically. This takes the pressure off of your staff and leaves the cybersecurity to your IT professionals.
Don’t: Let Your Policies Go Out-of-Date
Unlike other forms of protection, cybersecurity will never be a set-it-and-forget-it kind of technology. Software updates, new hardware, and additional employees all create new risks to the network. To be effective, IT departments need to try and stay one step ahead of hackers.
“To some extent, cybersecurity is a game of catch-up,” states Erin Banta, Co-Founder and CEO of Pepper Home. “Malicious groups are constantly trying to find and exploit loopholes, while security teams work to discover and close them first.”
Managers need to provide their IT security with the time and resources it takes to do their jobs efficiently. Make sure your policies and procedures are always current by planning reviews throughout the year.
Do: Use 2-Factor Authentication
As remote work has become commonplace, the threat to internal networks from off-site employees has increased exponentially. Two-factor authentication is a way to strengthen security by requiring multiple paths to unlock a device, file, or even a physical door.
“Using 2-factor authentication is really useful to make sure you know who’s gaining access to your system,” John Berry, CEO and Managing Partner at Berry Law explains. “If a device requires both a passcode and a fingerprint, for example, there’s little doubt that the right person is getting in.”
There are numerous ways to employ this kind of security through a combination of three types of authentication:
- Something known, such as a password
- Something on your person, such as a text or email code on a phone or other device
- Something you are in the form of biometrics, as in fingerprints or retina
Incorporating these kinds of security measures will add an extra level that lets the right people in and keeps hackers out.
Don’t: Forget About Cybersecurity Tests
Because the cybersecurity landscape is always changing, companies need continuous assessments to determine if their policies are effective. Unfortunately, most smaller businesses neglect to perform security tests, especially if they don’t have many employees.
“You can’t expect an untested system to perform flawlessly,” says Sasha Ramani, Associate Director of Corporate Strategy at MPOWER Financing. “Vulnerability scans ensure your policies are effective and that employees are paying attention to their training.”
An effective way to assess your security is to hire an outside company that specializes in “white hat” services. These businesses attempt to break into your network, searching for common and less-used exploits that your team might have missed. Biannual testing should be enough to keep your system current.
Do: Encrypt Important Data
© Pexels
Testing and policies aren’t flawless, and there is a chance that someone with bad intentions will gain access to your network eventually. However, that doesn’t have to be the end of the story. When you use strong encryption methods, thieves will have a difficult time using the information they’ve stolen. It may even leave them with a wealth of garbage zeroes and ones.
Gina Iovenitti, Growth Operations at Carda Health breaks down the basics: “There are two kinds of encryption. The first is symmetric, which uses a common key to encrypt and decrypt information. It’s not as strong as asymmetric, which uses two keys, but it is faster.”
Depending on the type of data you’re storing, policymakers will have to decide which is more effective at serving the company’s needs. While faster decryption may be beneficial, housing sensitive customer and financial information may warrant the extra security of stronger encryption.
Don’t: Let Employees Bring Their Own Devices (BYOD)
A chain is only as strong as its weakest link. In cybersecurity, that link is often an employee’s personal device. While it is a lot simpler to allow workers to use personal laptops and cellular phones for work purposes, each unmonitored device exposes your network to additional risk.
“It may be expensive, but the benefits outweigh the drawbacks,” states Saad Alam, CEO and Co-Founder of Hone Health. “Supplying employees with laptops gives them the freedom to work anywhere and lets IT guys have a lot more control over the network.”
On personal devices, workers can have unclear expectations about security. They may also see the extra software on their devices as a nuisance and actively look for ways around the security measures your IT department has put into place. By giving them devices owned by the company, they’ll be less likely (and potentially unable to) fiddle with software and programming and compromise integrity.
Do: Develop a Device End-of-Life Plan
Whether it’s a damaged phone you’ve assigned to an employee or a PC that’s become outmoded and underpowered, getting rid of devices incorrectly leaves your company at serious risk. Data housed on these machines can be accessed by experienced hackers, even if you have wiped the hard drives.
“A data breach from discarded devices is definitely a concern,” Derek Flanzraich, Founder and CEO of Ness says. “Sometimes the only way to ensure that data is safe is to destroy the device entirely.”
Making phones and computers inoperable may sound like a fun time smashing components in the parking lot, but if the information and materials aren’t scrapped correctly, anyone can gain access. Many companies rely on outside contractors to dismantle their devices, though security concerns may guide your IT team to find in-house data disposal methods.
Don’t: Leave Personal Data Unattended
It may seem silly to think people are looking into cubicles and onto office desks to search for secure information, but in reality, that is one of the most common ways breaches occur. A folder left on a desk or paperwork that is improperly shredded can leave data susceptible to direct theft.
“Cybersecurity doesn’t end at devices,” Susan Kim Shaffer, President and Co-Founder of Pneuma Nitric Oxide advises. “All it takes is one password written on a notepad or a folder with social security numbers sitting open on a desk for crucial and private information to disappear.”
Employees need to take precautions both inside and outside of the office. As more people are working from home, it’s increasingly likely that sensitive data may fall into the hands of a bad actor. Managers aren’t privy to who has access to paperwork and computers in an employee’s house, meaning extra safeguards for remote workers should be implemented.
Do: Employ a Zero-Trust Model of Cybersecurity
Keeping backup data secure is crucial if a data breach were to occur. If information is deleted instead of stolen, it can seriously impact your company’s business. To make sure those backups are safe, a zero-trust model is an excellent option that promotes a “never trust, always verify” approach.
“You have to assume that no request for access is trustworthy,” notes Chris Thompson, CEO of Sober Sidekick. “It’s not just looking up data, either. It involves requiring access to even move, copy, or delete a file before any action can be taken.”
Some systems set up notifications when certain files are targeted This lets IT departments know someone is trying to access specific information, and they can take action accordingly. By limiting employees’ network access to the functions necessary to do their jobs, it’s much easier to keep people out of digital areas where they aren’t supposed to be.
Don’t: Use Customer Data for Anything but Its Intended Use
Customers need to know that you are using their information appropriately. If a business collects private data, it’s important to list how you’re planning to use it explicitly. They should also know how long you plan on keeping the data to help them feel secure in case of an eventual breach.
“Make sure to check on the laws in your area,” explains Josh Keller, Founder of OTTO Quotes. “Some places make companies provide a way to opt out of data collection entirely. There may even be regulations about storage, so it’s good to stay updated.”
A business that does collect private data should make sure it is disposed of properly. If not permanently deleted, it can be exposed to a data breach, leaving your business at fault for improper security protocols.
A Means to an End
The most important thing to remember about cybersecurity is education. If employees understand the rules and why they are in place, workers are more likely to follow those policies. Remember that cybersecurity isn’t the purview of one department. It takes the entire organization to keep sensitive data on your network where it belongs.
