Be Afraid. Be Very Afraid – Oct 20, 2015
How to protect you and your business from cyber threats
Cyber threats and data breaches are constantly in the news. While the most frequently reported incidents are breaches at large corporations, small businesses are at risk, too. Even if you’re not a business owner, you can apply many of the same breach prevention tips to your own personal computing habits to keep your devices and your information safe.
Threats and privacy risks can result from lost or stolen documents, backup media, mobile devices and USB sticks; employee dishonesty; hackers; spyware; viruses; email; and third-party vendors and websites. Delia Chaves, IT Manager at D. Francis Murphy Insurance Agency, and John Haddad, owner of Bisinet Technologies, provided a variety of risk management tips at a recent Medway Business Council event held at Charles River Bank.
In Massachusetts, the Standards for the Protection of Personal Information (MA 201 CMR 17.00), the Security Breach law (Ch. 93H) and the Disposition & Destruction of Records law (Ch. 93I) delineate the steps that businesses must take to protect data and respond to a breach. In addition, other state and federal laws apply to privacy and data security depending on your business, such as credit card processing rules (PCI) and HIPAA. Businesses need to be familiar with these laws and ensure compliance. Having proper protocols in place is essential to help avoid fines and to mount a defense in case of a lawsuit. Civil penalties can be $5,000 per violation for a data breach and $50,000 for each instance of improper data disposal. Prevention also avoids the additional time, resources and cost of properly handling a breach, as well as the damage to a business’ reputation.
According to Delia Chaves, businesses need to take a three-pronged approach to protecting private customer information. First, implement physical safeguards, such as procedures for securing paper information, transporting personal information, disposing of data, controlling computer/server access, and governing vendor access. If customers come to your desk, you need to ensure that other people’s private information is cleared away so it cannot be seen by wandering eyes. Also, be sure to lock all information away at night. While some of these may seem like common sense, it’s important to document them in your business’ compliance plan. Second, establish technical safeguards, including procedures for equipment disposal, employee termination, acceptable use of the internet and company computers, mobile device/laptop/USB security, data retention, third-party service agreements, and email security and filtering. Third, create administrative safeguards, such as assigning who within the organization is responsible for the company’s data security, including reviewing, monitoring and updating policies, and ensuring all employees are trained on your procedures and on proper security techniques.
When it comes to day-to-day security for systems, John Haddad offered additional tips to mitigate risk, including following best practices for system and program passwords. Change passwords every 90 days at a minimum. Use strong passwords of at least 8 characters with a mix of upper- and lower-case letters, numbers and symbols. Don’t use words that could easily be guessed. Consider using 2-factor authentication, which requires not only the password but also a code generated by a token device or sent to a smartphone, which you then have to enter into the system.
Further precautions include getting employees into the habit of locking their PC/laptop when walking away from their work station, and setting up computers to automatically lock after 10-15 minutes of inactivity. In addition, the use of unauthorized USB sticks should be strictly prohibited, since they can easily harbor and transmit viruses and malware. Consider purchasing encrypted USB sticks if you must use one. Haddad also recommends removing shared “Admin” logins on all devices, as they can provide a back door for access.
Be sure to limit who has administrative access to servers and network devices, and if you have a wireless network, set up a guest profile that limits access. For websites, require strong passwords from customers and employees, and limit login attempts to stop brute-force attacks that can guess credentials or clog and disable your system. Be sure that you have a firewall on your web server to block unwanted traffic. Finally, be sure to back up your systems with both a local backup and an offsite (cloud) backup. The small cost of an offsite backup is money well spent if a disaster occurs and your systems fail or are compromised.
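Two of the website tips above, requiring strong passwords and limiting login attempts, are the kind of thing a developer actually has to implement. The following is an added example written for this page, not code from the speakers or from any product they mentioned. It checks a new password against the policy described above (at least 8 characters, upper- and lower-case letters, digits and symbols, no easily guessed words), stores only a salted PBKDF2 hash, and enforces a per-account lockout after repeated failures. The specific numbers (5 failed attempts in a 15-minute window, 15-minute lockout), the tiny list of guessable words, and the choice of PBKDF2 are my assumptions; the page does not specify them.

```python
"""Password policy check plus per-account login throttling (illustrative example)."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Assumed policy values; the article only says "limit login attempts".
MAX_ATTEMPTS = 5              # failures allowed inside the window before lockout
WINDOW_SECONDS = 15 * 60      # sliding window for counting failures
LOCKOUT_SECONDS = 15 * 60     # how long the account stays locked
PBKDF2_ROUNDS = 100_000

# Constructed, deliberately short list of "easily guessed" words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}


def password_is_strong(pw: str) -> bool:
    """Minimum 8 chars, all four character classes, no common word inside."""
    if len(pw) < 8:
        return False
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if not (has_lower and has_upper and has_digit and has_symbol):
        return False
    lowered = pw.lower()
    return not any(word in lowered for word in COMMON_WORDS)


def hash_password(pw: str, salt: bytes = None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """In-memory user store with brute-force lockout per account."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable for deterministic tests
        self.users = {}                       # username -> (salt, digest)
        self.failures = defaultdict(list)     # username -> timestamps of failures
        self.locked_until = {}                # username -> monotonic time

    def register(self, username: str, password: str) -> None:
        if not password_is_strong(password):
            raise ValueError("password does not meet policy")
        self.users[username] = hash_password(password)

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"                   # reject without even checking the password

        record = self.users.get(username)
        if record is None:
            # Hash anyway so unknown and known usernames take similar time.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], stored)

        if ok:
            self.failures.pop(username, None)
            return "ok"

        # Count this failure inside the sliding window and lock if over the limit.
        recent = [t for t in self.failures[username] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "Tr0ub4dor&3")
    for _ in range(MAX_ATTEMPTS):
        print(guard.attempt("alice", "wrong-guess"))
    print(guard.attempt("alice", "Tr0ub4dor&3"))   # still locked
```

Note that the lockout counter is keyed by username, so an attacker cannot evade it by rotating source addresses, but that also means an attacker can deliberately lock out a known account; in production, pair this with an IP-based rate limit and a notification to the user rather than relying on account lockout alone.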
According to Wayne Texeira, Marketing Director at D. Francis Murphy Insurance Agency, businesses can purchase cyber liability insurance to provide protection in the event that a privacy breach occurs despite their prevention efforts. Cyber liability protection covers situations including spreading a virus into a customer’s computer system, theft of customers’ credit card or bank account numbers, derogatory comments made online about a competitor by an employee, denial of service attacks and hacking, electronic data extortion or destruction, and a webmaster using another site’s content in site development.
The website www.mass.gov has resources to help businesses understand and comply with the laws. There are also a variety of resources online to help businesses develop data security and disaster plans. If the task seems too daunting, consider hiring a consultant who can evaluate your system security and provide support.
To learn more about Medway Business Council and other upcoming events, visit medwaybusinesscouncil.org.