For most businesses, losing sensitive data to a hacker can have far more serious consequences than losing information in a fire or flood.
If electronic information is backed up, as it ought to be, data lost in a natural disaster can be replicated. However, if the information is lost or stolen, there is no telling when or how long it could be misused.
Protecting data involves a lot of common sense but is not free. It requires investments in good equipment and staff training. The upside is that the price of leaving information poorly guarded is much higher.
Experts suggest that businesses maintain a checklist to help keep information safe. Checklists can be especially useful for small and midsize businesses, which tend to have more limited IT staffs than larger enterprises.
To help with the process, I’ve drafted a checklist that could serve as a starting point for any business or organization that wants or needs one.
I started with general ideas from SDN Communications, the region’s premier provider of broadband connectivity and cybersecurity services for businesses. Then I reviewed suggested checklists and planning tips from several public sources, including the Federal Communications Commission, U.S. Small Business Administration and Utah state government.
I took the best suggestions, mixed them together and edited them down to a relatively concise Top 12.
Look the list over, and take what you want. Add some of your own ideas, including requirements that make your business or industry unique. Then review and update the list regularly, and check for compliance on each point.
The list probably will have to be updated often, given today’s constantly evolving threat environment. Outdated checklists are as useless as outdated equipment and inadequate training.
Keep in mind that careless behavior creates serious vulnerabilities for a business. The vast majority of data breaches are the result of poor human oversight, not technical mastery. Cyber thieves do some of their best work over the telephone or by email, coaxing useful information from employees.
Let’s get started. Here are a dozen suggested checkpoints to include on your list.
- Train employees about good security practices beginning on their first day of work. Update security training throughout their employment with reminders and fresh information. Stress the value of common sense.
- Clearly establish the company’s ownership of data and define employees’ responsibilities for helping keep information secure. Accountability trails should be thorough.
- Limit access to areas of the network to the appropriate authorized personnel. Give access to information on a need-to-know basis and regularly review the roles of employees, including supervisors.
- Require secure passwords, require that they be changed regularly, and never allow employees to share them. Lock screens and turn off computers at the end of the day.
- Establish and enforce rules for surfing the Internet on company computers. Rules also should govern business information that can or cannot be disclosed on social media. Communicate clearly to employees why such rules are necessary.
- Provide policies and procedures to deal with computers that become infected with a virus, become lost or are stolen.
- Encrypt and back up information that is especially sensitive. Store sensitive and general information separately.
- Securely dispose of waste material, whether electronic or paper, including equipment such as old copy machines.
- Keep all virus protection and software updates current to reduce the chances of network weaknesses being exploited.
- Require IT to test any device that has not already been approved, such as a memory stick, before it is plugged into an employee’s computer.
- Encourage customers to contact the company directly if they are suspicious of any attempt to solicit personal information.
- Assess risks regularly and mitigate them.
Dealing with risk will vary from business to business. In many cases, firewalls are a good starting point for protection. But in other cases protecting a network from an expanding range of cyberattacks might require a deeper, more layered approach. For example, special routers or protection from Distributed Denial of Service (DDoS) attacks might be in order.