Basic Cyber Security Needs
- Have Automatic Screen Locking
  - Have your screen automatically lock after being idle for 5 to 10 minutes
  - This reduces the likelihood of someone walking by the computer and accessing your data
  - Consider installing privacy screens on monitors so others cannot see what is on your screen
- Enforce Password Policy
  - 8-character passwords are no longer considered adequate – upgrade to 10 to 16 characters
  - Use upper- and lower-case letters, numbers, and special characters – much harder to break your password
  - Do not reuse passwords – for example, August1# changed to August2# is easy to hack
  - Consider a passphrase – much easier to remember
  - Do not put your password/passphrase on a sticky note on your desk
- Use Multi-Factor Authentication (MFA)
  - Almost all of us must use MFA to log onto our bank accounts or credit cards – people should not be giving you fits over this
- Secure the Physical Access
  - If you have in-house servers, have them in a locked room
  - Don’t allow EVERYONE access to the server room
  - Have the room unmarked – don’t advertise SERVER ROOM on the door
  - IF you have confidential data on your workstation/laptop, make sure it is encrypted
    - Better yet, keep this type of info on your server and not on the local workstation
  - Have locks on your office
  - Have someone escort visitors to the person they are meeting with, OR have the employee come to the front to escort the visitor
  - Use a security system in which each person has their own code
- Proper Data Asset Labeling/Tagging for Purchase and Disposal
  - Have inventory tags to track equipment
  - Have a proper disposal policy on how to “get rid” of a device
  - Have a proper disposal policy for “shredding” confidential paper files
- Data Mapping Access (what on earth is this?)
  - Have a system in place so you know where your clients’ information is
    - You cannot make sure it is secure and safe if you don’t know where it is
  - A data map shows what is stored on the internal servers, workstations and mobile devices, BUT also where the backups are, where the file cabinets (storage devices) are, and which cloud providers you store information with
  - Access is on a NEED-to-have basis
    - Not everyone needs access to everything
- Protect Your Remote Access (WHAT????)
  - Only allow trusted, approved users and their equipment on your server/Wi-Fi
  - Remember that anything connected to the internet can be reached by malware and hackers
  - Use a Virtual Private Network (VPN) and Mobile Device Management applications that require the devices to be registered with your IT manager (if you don’t have an IT manager, registered with whoever oversees IT)
  - Keep updates up to date
  - Don’t use “guest” Wi-Fi
- Updated Operating Systems (No, you should not still be running Windows 7)
  - Set digital devices to automatically install updates to the operating system and workstation applications
  - Turn off all the devices at night
    - this will allow the updates to go into effect
    - it removes system clutter
- Minimize Admin Rights
  - Not everyone needs access to everything – this even applies to Upper Management
  - WHY does Upper Management not need access to everything?
    - Because they can put the company at greater risk of being hacked, since their name and email are often on the company website
    - They often take shortcuts on the “cyber security” protocol, which puts the company at a higher risk of hacking, ransomware, etc.
- Stay Current with Network Operating Systems
  - All equipment – file servers, firewalls, routers, Internet of Things peripherals – NEEDS to be reviewed regularly to make sure it is running the most current system updates
  - It is crucial to change the default passwords on this equipment
  - It is crucial to update the firmware
  - Don’t forget your wireless printers and security cameras – these are easy hacks
- Antivirus/Malware (remember when they were free – free is not good)
  - Pay for a good antivirus and anti-malware package
  - Make sure it is set to update automatically
  - Make sure it is scanning for malware daily or on a set schedule
  - Look for one that includes intrusion detection and helps prevent intrusions
  - Consider disallowing flash drives
    - Educate your clients to use a secure digital portal or secure email instead
- Backups (thought I forgot about backups?)
  - Back up often
  - Keep them off site
  - Restore backups to make sure they are good
  - Make sure backups are encrypted
- Sending Clients’ Information Securely (train your people on this)
  - If emailing a client’s sensitive information, make sure it is encrypted
  - OR use a secure portal
- Secure Connections
  - Train your people on how to verify a website is secure/authentic
  - Train your people on how to spot phishing emails
  - Use VPNs when working remotely
  - Make sure they verify the SSID/password of client-provided Wi-Fi
- Screen Your Employees, New Hires and Contractors
  - Current employees may have passed the initial background check – life happens
    - Re-screen them, especially if they are in sensitive positions with the company
  - Each person needs their own username and login – no sharing
    - If everyone uses the same username and login, you cannot verify who did what
  - Monitor when they are accessing the system – should they be logging in at 2 in the morning?
- Greet Visitors/Delivery People
  - Train your people to ask unrecognized visitors how they can assist them
  - Better yet, have someone at the door who checks them in
    - Escorts them to where they need to be
    - Stays with them if they are a maintenance/repair person
  - If they don’t seem to have a reason to be there, ask them to leave
- Hire a Cybersecurity Expert (internal IT folks need some support/backup)
  - Partnering with an outside firm to assist your internal people is money well invested in the safety of your company
- Response Plan (in case of a Breach)
  - It is not if, it is when
  - Company upper management and IT need to establish/develop, in writing, the process of how to respond when a breach happens
  - Practice it, so everyone knows what to do
  - Have a written plan on how to handle the media
    - Social media can crucify you in a heartbeat
    - Get ahead of it; manage it
- Update Your IT Policies (make sure you have them)
  - Review them at least annually, if not more frequently
  - Covid showed us we must be able to respond quickly and securely
- Educate Your People
  - Be proactive in training your staff and contractors
    - this is an investment, not an expense
  - Don’t forget to train them on phishing tactics
    - this applies to voice mail
    - email spoofing as well as phishing
- Cybersecurity Insurance
  - You need to have cybersecurity insurance
  - Talk to your agent about coverage:
    - what it does and doesn’t cover, as well as
    - the dollar amount of the coverage per incident
  - Don’t get fooled into thinking you have coverage when you have the WRONG coverage
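An added example, not part of the original checklist, showing the "Enforce Password Policy" rules above as a checker: it enforces the length and character-class rules and rejects the August1# to August2# style of near-reuse the list warns about. The 10-character minimum (the list suggests 10 to 16) and the availability of a stored password history are assumptions.

```python
import string

# Thresholds taken from the checklist: at least 10 characters (it suggests 10 to 16),
# with upper- and lower-case letters, digits and special characters. No upper cap is
# enforced here, since longer passphrases are only stronger (assumption).
MIN_LENGTH = 10
SPECIALS = set(string.punctuation)


def complexity_problems(password: str) -> list[str]:
    """Return the policy rules a candidate password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def skeleton(password: str) -> str:
    """Collapse digits to 'd', specials to 's' and letters to lower case, so that
    August1#, August2# and august1! all map to the same shape: 'augustds'."""
    return "".join(
        "d" if c.isdigit() else "s" if c in SPECIALS else c.lower()
        for c in password
    )


def is_trivial_variant(candidate: str, previous: str) -> bool:
    """True when the candidate is the previous password with only the digits,
    specials or letter case changed (the August1# -> August2# pattern)."""
    return skeleton(candidate) == skeleton(previous)


def check_password(candidate: str, history=()) -> list[str]:
    """Full policy check: complexity rules plus rejection of near-reuse of any
    password in the user's history (history is assumed to be available)."""
    problems = complexity_problems(candidate)
    if any(is_trivial_variant(candidate, old) for old in history):
        problems.append("too close to a previous password")
    return problems
```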
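A second added example, again not from the original checklist, for the "Monitor when they are accessing the system" and "no sharing" points under Screen Your Employees: detection logic run over a few constructed authentication log lines. The log format, the 07:00 to 19:00 business hours and the 30-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system): "date time user result source_ip"
SAMPLE_LOG = """\
2024-03-04 08:57:12 alice success 10.0.0.15
2024-03-04 02:13:40 bob success 10.0.0.22
2024-03-04 09:02:30 carol success 10.0.0.31
2024-03-04 09:10:01 carol success 10.0.0.44
2024-03-05 23:30:11 alice success 203.0.113.9
2024-03-05 02:05:55 bob failure 10.0.0.22
"""


def parse(log_text: str):
    """Yield (timestamp, user, result, source) tuples from the assumed log format."""
    for line in log_text.splitlines():
        date, time, user, result, src = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), user, result, src


def off_hours_logins(log_text: str, start_hour: int = 7, end_hour: int = 19):
    """Successful logins outside start_hour..end_hour or on a weekend: the
    'should they be logging in at 2 in the morning?' check from the checklist."""
    flagged = []
    for ts, user, result, src in parse(log_text):
        if result != "success":
            continue
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            flagged.append((user, ts.strftime("%Y-%m-%d %H:%M"), src))
    return flagged


def shared_account_candidates(log_text: str, window: timedelta = timedelta(minutes=30)):
    """Users who logged in successfully from two different sources within `window`:
    a sign that one username/login is being shared, which the checklist forbids."""
    by_user = defaultdict(list)
    for ts, user, result, src in parse(log_text):
        if result == "success":
            by_user[user].append((ts, src))
    suspects = set()
    for user, logins in by_user.items():
        logins.sort()
        for (t1, s1), (t2, s2) in zip(logins, logins[1:]):
            if s1 != s2 and t2 - t1 <= window:
                suspects.add(user)
    return sorted(suspects)
```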