Regardless of industry - healthcare, finance, retail, food service, etc. - data security should be an important component of your business. Nearly half of all businesses will suffer a data breach. To put it in perspective, what if your business burned to the ground and you had done nothing to guard against the fire, such as installing fire alarms or sprinklers? You would probably be done for. Ignoring the need for proper security is much the same. If you don’t have the right security measures and habits in place and your business suffers a data breach, it could be permanently damaging. It could wipe your business off the map.
Hopefully, you already have a firewall and antivirus. Those are security basics that can be installed by your IT company or IT department. In this blog, we are going to talk about long-term security habits that you should be maintaining.
Create security policies and procedures
Every aspect of security needs policies and procedures in place so employees can clearly know what they should be doing. For example, there should be a policy regarding who has access to certain data. While the human resources department will need access to digital employee files, the sales team will not. There should also be policies that outline procedures for internet usage, physical security, incident response, changing passwords (which should be done often), email rules, and more.
We call this document a Written Information Security Policy (WISP). A WISP can not only help you during the day-to-day operation of your business, but it can also legally protect you in the event of a data breach. It shows that you were doing everything in your power to prevent the attack. At catmandu, we can write an extensive and thorough WISP for your company so that your security policies are clearly defined.
Make sure your network is monitored 24/7
This is about taking a proactive approach to security. To do this, you need to be on a Managed Service Agreement (MSA) with an IT company. 24/7/365 monitoring of your network can allow you to breathe easy knowing that if anything infiltrates your network, it will be seen by someone. Your IT company can then stop the bad stuff from doing any more harm. Most issues can be resolved before they create excessive downtime. 24/7 monitoring is important for a secure network, and it can also detect other issues within the network such as faulty hardware or software problems.
If something does go wrong, attend to it right away
Ignoring a possible data breach will not make it go away. In fact, the problem will only get worse and the possible legal ramifications will greatly increase. If there is something fishy going on within your system, or if you know for sure that you’ve been breached, you need to get professional help right away. The only problem is that if you wait until something breaks to fix it, it can take a lot longer to get help. This highlights the importance of being on an MSA with an IT company. At catmandu, we offer our MSA clients a maximum 3-hour response time. You will be at the top of our priority list if you need our help. We also offer support remotely so that we don’t even have to come to your business to fix some problems.
If you suffer from any type of security threat - ransomware, viruses, or a full-on data breach - time is of the essence. The longer you wait, the more time the bad guys have to move around the network, log keystrokes, and steal more data. It’s also important to inform any customers that may have been affected in a timely manner. For example, if you were storing their credit card data and it was stolen, they need to cancel their cards right away. Again, there are a lot of legal problems that can result from not responding to incidents quickly. These incident response procedures should be outlined in your WISP.
Train employees on the possible threats
Most data breaches occur because of employee error. And most of the time it’s because they simply don’t know any better. Employee negligence causes 30% of data breaches.
You can have world-class security policies in place, but they mean nothing if your employees don’t know how to follow them. Train your employees on how to properly store and dispose of data, how to update software, how to properly access data remotely (not on insecure public Wi-Fi), how to maintain security while bringing their own devices, and how to enable two-factor authentication when logging in. They also need to learn the best practices for strong passwords.
One of the most important things that you can teach employees is how to recognize a malicious email. You should train them on this quarterly because hackers are constantly finding new ways to trick their victims. Tell employees that they should never download an attachment from an unknown email, they should never give out private information over email (even if the email is supposedly coming from a trusted source), and they should alert authorities if they see something suspicious.
Don’t slack off a couple of months down the road
It is important that you continually update software and hardware. Old versions of software can have bugs that criminal hackers take advantage of. Scanning for and patching vulnerabilities can make all the difference. When it comes to your hardware, workstations and servers won’t last forever, so it is vital that you update to modern versions when the hardware is no longer supported. Be sure to keep updating passwords and to keep training employees quarterly. The world of cyber security is constantly changing, and you must keep up with it in order to keep your business alive.