True story – visiting a client one time, our CEO Chris Drake came across a sales guy who had his computer access credentials taped to the palm rest of his laptop. It turns out the company’s entire customer information database was synced to the sales person’s laptop. If he lost it (or if it was stolen) you can only imagine the consequences.
This vision has haunted us ever since. The responsibility of keeping your company’s data safe is one that’s shared by the whole team, and should make them feel empowered. Hacker prevention for companies that store data and/or transact business online isn’t as simple as hiring a secure web host; it’s a 24/7 job that requires good physical and virtual housekeeping from everyone. Luckily, it’s not as tedious, time consuming, or boring as cleaning your actual home, and it doesn’t require you to pat down your employees each time they walk out the door.
Here are five best practices that everyone on your team should put into action to keep the company safe from cyber criminals.
#1 Mobile Security
Whether you’re a swanky, MacBook Pro toting executive or a lowly intern who has company email syncing to your phone, you’re responsible for data security when working remotely. Password protecting your mobile devices, and your software, is a ridiculously easy and yet commonly overlooked step that can prevent a world of loss. Password protect everything that your employees work on and access remotely. And we mean everything – mobile phones and laptops, email accounts, VPN connections, and SaaS programs used for business. In addition, don’t store or “remember” passwords for critical services. Require that every employee manually type his or her credentials every time. It’s really not as daunting as it sounds. It takes just a moment to enter a password.
Also, it’s never a good idea to use a shared wireless connection (coffee shop, airport, etc.). As an alternative, bring your OWN Internet (a mobile wireless card) or use a secure VPN service when connecting to proprietary information through an untrusted network.
Bonus tip: There are numerous Lojack-type software packages that can help locate, recover, or delete misplaced and stolen laptops and mobile phones, and here’s a short article on how to wipe your iPhone’s email account using Exchange.
#2 Destroy More Than You Retain
You have so many documents sitting on your hard drive, in your email, and in your trash bin that it’s almost as daunting to clean up as your actual desk. “I save everything! I need a paper trail!” Not really. In fact, you probably only need a fraction of the data that’s cluttering up your system. Make it a point to routinely determine what should be kept, and what should be deleted. This can mean email, e-files, and customer information. Here’s the plan:
- Retain only what you need, and keep it for the shortest period of time that makes sense.
- Don’t store documents on your local machine, save them to the designated place within your company network.
- Don’t save old emails containing any confidential information, and don’t reply to or forward emails that contain confidential information without removing or encrypting the sensitive data. This includes credit card numbers, social security numbers, and sometimes names and addresses, depending on the nature of the correspondence.
- Empty your trash! Shred any sensitive or confidential physical waste, but don’t forget to regularly empty your virtual trash bin (or recycle bin) too.
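The third item above, removing card and social security numbers before a reply or forward goes out, is easy to get wrong by hand. The following is an added example (not code from the original article) of a small redaction pass you could run over a message body before sending it: it masks US-style SSNs and any digit run that is both card-shaped and passes the Luhn check, while leaving Luhn-invalid runs such as order numbers alone. The sample message, the pattern choices, and the masking format are constructed for the example.

```python
import re

# Constructed sample message body: the kind of reply that should not be
# forwarded unchanged. The card number is the well-known Visa test PAN.
SAMPLE_EMAIL = """Hi Sam,
The customer's card is 4111 1111 1111 1111, exp 12/27.
Her SSN is 123-45-6789 and the order number is 4444-3333-2222-0000.
Thanks, Pat
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US social security number in the usual ddd-dd-dddd layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by
    payment card numbers. Order numbers that merely look like a PAN usually fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str):
    """Mask card numbers and SSNs in text.

    Returns (redacted_text, findings) where findings is a list of
    (kind, last_four) tuples so the sender can see what was removed
    without the full value being logged anywhere.
    """
    findings = []

    def mask_card(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # keep Luhn-invalid runs (e.g. order numbers)
        findings.append(("card", digits[-4:]))
        return "[CARD ****" + digits[-4:] + "]"

    def mask_ssn(match):
        last4 = match.group(0)[-4:]
        findings.append(("ssn", last4))
        return "[SSN ***-**-" + last4 + "]"

    redacted = CARD_RE.sub(mask_card, text)
    redacted = SSN_RE.sub(mask_ssn, redacted)
    return redacted, findings


if __name__ == "__main__":
    body, found = redact(SAMPLE_EMAIL)
    print(body)
    print("removed:", found)
```

The Luhn check is what keeps the pass from mangling every long number in a message; in practice you would extend the patterns to whatever identifiers your own correspondence carries (account numbers, national ID formats outside the US) and run the same check before attachments are saved to shared storage.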
#3 Patch, Upgrade, and Heed the Warnings
Most software patches and browser updates are free, so there is no excuse to let one slip by. We’ve all been guilty of uttering “ugh, I’ll do it later”, and then never getting around to it. Stop doing that. You should have to wear a big dunce cap for putting your company’s integrity at risk by not performing an update that is free and takes a few minutes to install. Performing upgrades within a week of release should be the standard. Here are some of the commonly overlooked upgrades that can, seriously, save your company from a cyber attack:
- Firewall updates
- Browser updates
- Web application updates (WordPress, Drupal, Joomla, et al)
- Operating System updates
- Virus signatures
Life lessons prove that the squeaky wheel gets the oil, so don’t dismiss software update notifications. Keep those nagging, little reminders in plain sight so you make sure to do it.
#4 Report Potential Security Breaches
Give your employees permission to be a tattletale. Reporting, (or let’s give it a positive spin — “having an open discussion with a supervisor”) about insecure work conditions or habits should not carry a negative undertone. Let your employees know this, and remind them frequently. Being proactive and responsive about potential security threats is part of a company culture and it should be fostered from the top down. If you think your employees will brush this off, remind them that as an employer, you have quite a lot of THEIR personal information – social security numbers, bank information for direct deposit, healthcare information… the list goes on. Understanding that their information is just as secure (or not) as your customers’ and every other piece of company data is crucial to getting their buy-in.
#5 Passwords
It sounds so simple, and it’s even been brushed off as ineffective (gasp). Setting, storing, and committing to changing passwords should be number one on this list. We’ve listed this critical step last on the list because “everybody knows about passwords” and you would have probably stopped reading this if it were the first point in this article. Here are some of the top suggestions for devising a hacker-resistant password scheme:
- Revise any credentials that were supplied as default settings from your vendor
- Use a different password for each service you access online
- Personal passwords should not be related to naming conventions you use for work
- Make your passwords complex. Use a multitude of characters, and if you need help devising a creative password, try something like PC Tools Secure PW Generator (http://www.pctools.com/guides/password/) for ideas
- Change passwords frequently. Every quarter at minimum
- Don’t share passwords or any part of your login credentials with anyone – friends, coworkers, or even your boss
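To show what the list above looks like when enforced rather than just recommended, here is an added example (not code from the original article or from PC Tools) of a generator that draws from the operating system’s cryptographic random source, plus a policy check that catches the cases the list calls out: vendor defaults, passwords built from work naming conventions, and ones that lack character variety. The `VENDOR_DEFAULTS` and `WORK_TERMS` sets are constructed stand-ins; a real deployment would fill them from your own vendor documentation and company vocabulary.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Character classes a generated or submitted password must cover.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed examples of credentials the article says to replace or avoid:
# factory defaults shipped by a vendor, and terms tied to work naming schemes.
VENDOR_DEFAULTS = {"admin", "password", "changeme", "12345678"}
WORK_TERMS = {"acme", "sales2010"}


def generate_password(length: int = 20) -> str:
    """Return a random password of the given length containing every class
    in CLASSES. secrets.choice is used rather than random.choice because the
    latter is not suitable for security-sensitive values."""
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def check_policy(password: str, min_length: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password
    satisfies the rules modelled here."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    missing = [name for name, cls in CLASSES.items()
               if not any(c in cls for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    if lowered in VENDOR_DEFAULTS:
        problems.append("vendor default")
    if any(term in lowered for term in WORK_TERMS):
        problems.append("contains work-related term")
    return problems


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "->", check_policy(pw) or "ok")
    for weak in ("admin", "Acme-Sales2010!!"):
        print(repr(weak), "->", check_policy(weak))
```

Because a different password per service is the rule, the generator is meant to be run once per account and the result stored in a password manager, not memorised; the policy check is the piece you would wire into account creation so a vendor default or a work-derived password is rejected before it ever reaches production.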
Instilling these best practices with every member of your team should be part of the company culture from the get go. But it’s also never too late to start being more preventative and proactive in securing your business. Print this list and give it to every employee. Implementing these tips and having reminder discussions on a regular basis will help keep your business safe, from just about every cyber angle.
A version of this article appeared in VentureBeat on May 25, 2010.
This entry was posted on Tuesday, May 25th, 2010 at 8:00 am and is filed under Compliance, Security.