Small Business Information Security Tips
Small businesses and organizations may be daunted by the perceived resources needed to secure their systems. However, not making cyber security a priority could be a costly decision. The following tips from the National Cyber Security Alliance represent key security principles intended to provide a starting point for a more comprehensive information security plan.
1. Ensure that all employees use effective passwords, and when possible, stronger authentication technology. Encourage passwords that are comprised of different upper and lower case letters characters and change them every 60 to 70 days (not to exceed 90 days). For example, use C@tandD0g instead of catanddog. Consider setting up network command requirements that change passwords every 60 to 70 days, not to exceed a 90-day change cycle. In many cases, passwords may not provide you with enough protection and security. For a more secure and reliable way to authenticate users and prevent hackers from stealing passwords, you may consider implementing some sort of multi-factor or strong authentication.
2. Protect your systems. Install and use anti-virus programs, anti-spyware programs and firewalls on all computers in your business. Ensure computers are protected by a firewall-firewalls can be separate appliances, built into wireless systems or a software firewall that comes with many commercial security suites.
3. Keep all software up to date. Ensure that all computer software is up-to-date and contains the most recent patches (i.e., operating system, anti-virus, anti-spyware, anti-adware, firewall and office automation software). Most security and operating systems contain automatic updates, make sure that function is turned on and sign up for security notifications from the software company. Without updates, your systems will not be well protected against new cyber threats.
4. Create backups. Make regular (weekly) back-up copies of all of your important data/information. Store a secured copy away from your office location and use encryption to protect any sensitive information about your company and customers. Regularly creating back-ups better ensures that your critical data is not lost in the event of a cyber attack or physical incident, like a fire or flood.
5. Be prepared for emergencies. Create a contingency plan for your business so you can recover if you experience an emergency. Include plans to continue business operations at an alternate location when necessary. Test your plan annually. Make sure to erase all data on the hard drive before recycling or throwing away a computer. For more information on how to develop a business plan to prepare for an emergency, go to http://www.ready.gov/business/plan/planning.html.
6. Encrypt your customers’ data. Protect your customers’ data from hackers and thieves by encrypting it. Encryption programs encode data or make it unreadable, until you enter a password or encryption key that unlocks it. Some encryption programs are built into popular financial and database software and some broadband providers now include encryption for wireless networks as a part of their service. Simply check your software’s owner’s manual to find out if this feature is available and how to turn it on. In some cases you may need an additional program to properly encrypt your sensitive data.
7. Report Internet Crime. Locate and join an organization of your peers for information sharing purposes. If you suspect fraud or criminal intent, report it to the local law enforcement agencies, the local Federal Bureau of Investigation, Secret Service or state attorney general’s offices. Moreover, some states require you to notify your customers if hackers or thieves steal or could have stolen your customers’ unencrypted personal information, including data residing on a computer stolen in the offline world. Check your state laws to see if this rule applies to your incident. To find out more information on how to report a cyber security incident, go to https://forms.us-cert.gov/report/ or http://www.ic3.gov/complaint/