“Protect your passwords.” Although you’ve heard it a hundred times, maintaining secure passwords is still the Golden Rule to protect against a data breach. As simple as this is to follow, this Golden Rule is often ignored, bent, or broken and hackers and scammers know it. Countless attacks that cost American small businesses millions of dollars are a result of lax password security. Often, victims are completely embarrassed when successful attacks are investigated.
Strong passwords, unique passwords, and multi-factor authentication are only part of the story. Take the next few minutes to read over the security measures in this article to test your knowledge. You may be in for a surprise or two.
Can A Weak Culture Cancel Out Security?
No matter how sophisticated your security systems are, hackers and scammers attack the weakest point. Sometimes, that’s your people. Companies that build a “security culture” make thorough, consistent, and engaging efforts to make their people aware of just how important they themselves are to the security of the company and its data assets. They invest in support teams to educate, train, and remind staff of what’s on the line and how it’s everyone’s job to keep the company safe from hackers and scammers.
By now, we’ve all heard multiple warnings about receiving a fraudulent email that requests your username and password. These warnings have been around quite a long time. Generally speaking, people are vigilant and know not to respond to suspicious-looking emails. This is phishing, and it’s still a common form of attack.
Vishing is less common and, because of that, perhaps more dangerous. Vishing, or voice phishing, involves a fraudulent phone call from a completely innocent-sounding person who tricks you into giving up important personal and security information. It could be a phone call from someone who introduces himself or herself as a member of the security team hired to consult on the company’s hosting security protocols, or it might be someone who charmingly introduces themselves as an important client who just needs a little help.
Kevin Mitnick exploited exactly these vishing techniques to evade the FBI for years. These people are excellent at building rapport and making you think their intentions are harmless, for the sole purpose of extracting information they can use later. Mentioning managers’ names or posing as someone from another department is the most common form of security breakdown in the workplace.
Ask yourself this question: How many people at your company would refuse to help someone who calls from the company that operates your offsite web server? How about someone posing as a senior manager from the cloud hosting team who just wants to let your employee know they are doing something incorrectly when entering their password?
DATA ENCRYPTION – Sounds complicated, but it’s pretty simple thanks to open-source plug-ins that make email bulletproof. As for protecting files, those who use MS Windows can encrypt their files with software that scrambles the data so it is useless to anyone who steals it. Both Apple OS X and MS Windows have several built-in programs to help you stay secure.
MAKE IT SECURE WITH ANTI-MALWARE – Even though your employee is at the office, scammers and hackers are sneaky enough to disguise a fraudulent email as coming from a friend or a useful website. Next thing you know, malicious software has infiltrated and/or damaged their computer without any consent.
UPDATE UPDATE UPDATE – This one is as simple as it gets and yet, like your kids forgetting to brush their teeth, updates fall behind. Staying on top of updates can be a pain, but they’re a necessary evil. It’s a simple and cost-effective way to protect your computers.
PRACTICE THE PRINCIPLE OF LEAST PRIVILEGE (PoLP) – Some devilish do-it-yourselfers like to log into a computer using administrator rights (or as a Power User in Windows). This isn’t limited to single-person IT departments in struggling small businesses. Extreme data breaches have occurred in larger companies for the same reason. Regardless, the dangers of doing so can be catastrophic. One only has to visit an unfamiliar website with one of these high-privilege accounts and the damage is inevitable.
CHECK APP PRIVACY SETTINGS ON MOBILE – Whichever mobile devices your people prefer, make sure the settings allow the least amount of data sharing possible. You do not want these apps collecting more information about your business and taking control of more of your devices than you’d like.
DEFINE AND PROTECT YOUR ID – When is the last time you or one of the people at your company was asked to define your PII? Well, the times are a-changing. More and more privacy experts are recommending that each of us define our Personally Identifiable Information (PII) and then decide who gets what. Unscrupulous organizations can gather an astonishing amount of information from the tiny scraps we let leak out during our day-to-day activities. These “scraps of data” are used to profile and even, to some extent, predict our behavior.
DON’T IMMEDIATELY TRUST HELP AFTER A DATA BREACH – Data breaches at large organizations are often made public. Beware of offers to help “secure your data” from companies that might be looking to commit fraud with your information.
STORE “IN-HOUSE” – Your most sensitive data should be stored locally. Even if you regularly use cloud storage, your most sensitive information and the information you may need most during an emergency could be stored on a removable storage device you can keep in a high security, fireproof safe. There’s no way to predict all the circumstances under which you might need to retrieve this information. It’s good to know you won’t need to rely on anyone else.
EMAIL PROVIDERS NEED TO BE SAFE AND REPUTABLE – Not all email providers are equally safe and worthy of your trust. Take all necessary steps to make sure your email provider is using the most up-to-date technology when it comes to protecting your data.
CONSIDER DEDICATED HOSTING FOR WEB PROPERTIES – If your website is hosted on the same server as a website that becomes compromised, you may pay the price not just in performance but by losing your site completely to malicious intent.
WHEN A BREACH HAPPENS, FIND OUT EXACTLY WHY – Every breach or hack has a ripple effect, and one of the worst mistakes is to ignore or misinterpret what exactly caused and contributed to the event. Don’t stop looking once you find the first problem.
Start With Security As a Top Priority
If you have the opportunity when building your organization, begin with security near the very top of your list. It will cost you a lot less in the long run. Ask yourself, “Which option is most secure?” whether you’re deciding between site builders, hosting options, content management approaches, or even website design. It’s always better to start your foundation with solid security than to scramble after a data breach.
About the author:
Paul (JP) Chastain has worked with many Fortune 500 companies including Apple, HP, Wells Fargo, and Google in the technology sector focusing on online psychology & marketing - forming campaigns for digital & traditional use over every possible medium.