Security can be overwhelming. And many times that feeling can lead us to inaction. There are so many different views and layers of security that, while you know you have to do something, you don’t know where to start, and more importantly you don’t have the resources to do it all. So instead of taking action, you talk yourself into inaction.
The important part of security as we have outlined so far is the understanding of yourself and your critical information (hint, hint, hint, foot stomp, foot stomp). This is a critical first step. And by knowing that you can start building a security plan to protect against this. Ultimately the plan needs to be all-encompassing and address physical and personal security as much as information security. But let’s not overwhelm ourselves and start with some of the basics. The focus in industry today is largely information security because it can happen so quickly and right under our noses, but for small businesses the physical and personal security threats can pose just as significant of a risk. And a lot of information security is physical and personal security. It’s understanding who we are and what our vulnerabilities are.
So without overwhelming you, we want to outline five straightforward fixes you can implement now for little to no cost to your business.
Employ Strong Password Management and Discipline. Whether for business or personal accounts, you must employ strong password management processes and be disciplined about it.
Strong passwords should be at least 12 characters using one number, one special character and one upper case letter. Use a phrase instead of a simple word. (mayD4ceBw1thu!) Brute force attacks have more difficulty with phrases employing different characters.
Develop different passwords for different accounts – this is not a one size fits all approach. The password doesn’t have to be radically different and can still employ the same type of sequencing, but add a kick in the middle of it that changes every 30-45 days. Which goes to the next point….
Change your passwords regularly. With so many accounts this can be hard, but security isn’t convenient. Password management is not easy or fun. Most places now will allow you to login with your Facebook, Twitter, Google, or other type of social media account. This makes it even more important to have good password discipline. If you employ a strong password on those sites, then you are in better shape.
Use a Password Manager (if necessary). Do not save your passwords to a file on your desktop, or leave them out in the open on a sticky note for everyone to see. A password manager could be a good additional duty for an employee. And if you employ a password manager app, please know they are vulnerable to hacks too.
Change Your Default Settings. How many attacks have been done simply by using the default password on your router? Too many. And it’s careless. The default passwords are there for simple installation and are well known to individuals who have hardware or software installation backgrounds. Change it. Also change the settings on your networks. You should enable encryption and select WPA with Advanced Encryption Standard (AES) or WPA2. These are recognized as the best encryption standards to date. This is generally just a flip of the switch and doesn’t cost anything.
Enable Encryption. Don’t just stop with your routers and servers. Your laptop should be protected with whole disk encryption. Stolen or lost laptops (physical security) are one of the leading causes of data breaches. Add in weak passwords and it’s simple for an attacker to gain access to your laptop and take your data and sensitive information. By enabling encryption and BitLocker you add that extra layer of protection and guard against physical security threats.
Consider adding biometrics to your laptop or mobile device. Not every device comes standard with biometric type devices and it could be costly. This is where you consider the threat to your information, the cost it would take to recover that information and repair your reputation, and the cost of the biometric addition. And some of it simply is adding a fingerprint swipe to your laptop.
Protect your Backup media. We tend to back up and forget, but backup media devices are a big source of data leaks. Encrypt it. If you use an online backup service / the cloud, make sure the data is encrypted in transit and while being stored. And if you do use a service, understand who has the decrypt keys.
Thumb drives. They are cheap and easy to lose. They need to be encrypted. If you have the resources, you may want to monitor/log activity on USB ports, because it is common for employees to lift data via a thumb drive. Without logging, you cannot prove exactly what was copied. An easier solution yet is to disable the USB ports. And then you have to watch for BYOD (another topic for another day).
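One way to check two of the settings above on a Windows machine, whole disk encryption with BitLocker and disabled USB storage. This is an added example, not part of the original post; it assumes Windows with the BitLocker PowerShell module and an elevated prompt, and the function names are made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only checks, nothing on the machine is changed.

function Get-DiskEncryptionReport {
    # One row per volume BitLocker knows about. A volume counts as
    # compliant only when it is fully encrypted AND protection is on
    # (a suspended BitLocker volume is encrypted but not protected).
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume     = $_.MountPoint
            Type       = $_.VolumeType
            Status     = $_.VolumeStatus
            Protection = $_.ProtectionStatus
            Method     = $_.EncryptionMethod
            Compliant  = ($_.VolumeStatus -eq 'FullyEncrypted' -and
                          $_.ProtectionStatus -eq 'On')
        }
    }
}

function Get-UsbStoragePolicy {
    # The USB mass-storage driver is controlled by the USBSTOR service.
    # Start = 3 means the driver loads when a drive is plugged in,
    # Start = 4 means it is disabled and thumb drives will not mount.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start `
                  -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        StartValue         = $start
        UsbStorageDisabled = ($start -eq 4)
    }
}

$volumes = @(Get-DiskEncryptionReport)
$usb     = Get-UsbStoragePolicy

$volumes | Format-Table -AutoSize
$usb     | Format-List

# Summarize anything that does not match the advice above.
$unprotected = @($volumes | Where-Object { -not $_.Compliant })
if ($unprotected.Count -gt 0) {
    Write-Warning ("Volumes without active BitLocker protection: " +
                   ($unprotected.Volume -join ', '))
}
if (-not $usb.UsbStorageDisabled) {
    Write-Warning "USB storage is enabled; thumb drives can be mounted."
}
```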
Identify Critical Information. Can we say it enough? You can check out previous blogs or themes on our Twitter feed for more information. Critical information is defined as specific facts about your or your threat/adversary’s intentions, capabilities, or activities vitally needed to guarantee mission success. Identify information that is critical to your mission success and your company viability. This will be different for each company, and not everything is critical. Personally Identifiable Information (PII) of you and your clients is a good first. Details of contracts or sales strategies might be the next level. Establish a priority and what really is critical.
Safeguard your information. Make sure all critical patches are applied and security updates are downloaded. This is as simple as enabling security updates through your upgrade manager. If your software is no longer being supported, its security may be in jeopardy and you should look to upgrade to a supported version to ensure that it is secure.
Control access. Who has access to your information and who needs to have access? How are they trained with regard to security? Implement security education and awareness training.
Dispose of anything that holds data, including a digital copier, securely. For computers, you can use a free product like DBAN to securely wipe the data.
Use wireless hot spots with great care. Do not enter any credit card information or login credentials prior to seeing the https: in the URL. And finally, for remote access, use a VPN or other encrypted connection.
Five things – really just the tip of the iceberg but maybe it’s the five things that will get you going. There is so much more and while these five things are no guarantee that everything will work out perfectly, it will put you in a better posture and hopefully on the path to security mindfulness and awareness.