Broadband and information technology are powerful tools for small businesses to reach new markets and increase sales and productivity. However, cybersecurity threats are real and businesses must implement the best tools and tactics to protect themselves, their customers, and their data. Here are ten key cybersecurity tips to protect your small business:
1. Train employees in security principles. Establish basic security practices and policies for employees, such as requiring strong passwords and establishing appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.
2. Protect information, computers, and networks from cyber attacks. Keep clean machines: having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.
3. Provide firewall security for your Internet connection. A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.
4. Create a mobile device action plan. Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
5. Make backup copies of important business data and information. Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
6. Control physical access to your computers and create user accounts for each employee. Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
7. Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
8. Employ best practices on payment cards. Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.
9. Limit employee access to data and information, and limit authority to install software. Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
10. Passwords and authentication. Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
#StaySecure
Alok Rodinhood Kejriwal
Nice
what about designing a BYOD policy?
Do you have a draft?
Peeyoosh Kumar
As employers and employees become more heavily dependent upon immediate communications through the use of smart phones, many companies still have not created or implemented Bring Your Own Device (BYOD) policies. As a result, employers are vulnerable in having their confidential business and trade secret information exposed, or worse, taken. Employers also risk having legal claims, such as harassment or defamation, asserted against them because of the communications employees make using their smart phones.
To minimize these risks, employers may want to consider implementing sound BYOD policies. Below are a few things to take into account when drafting a BYOD policy.
Deciding the Scope
In creating a BYOD policy, employers may first want to determine what smart phones and tablets employees are using. Then, in creating the policy, the company can decide whether the BYOD policy applies only to smart phones or also includes tablets. Employers will want to clearly communicate which devices they will and will not support, as well as the information that will be permitted to be accessed through those devices.
Requiring Passwords
Similar to requiring an employee to log on and use a password with his/her company-issued computer, the BYOD policy might include the same requirement. Because smart phones or tablets can more easily be lost or stolen, strong passwords should be required, not just a simple 4-digit PIN. Instead, most experts recommend an alphanumeric password.
Employees are often resistant to these types of passwords because they do not provide immediate access to information. A strong BYOD policy makes it clear that a more complex password is required in order to protect and preserve the company’s confidential business information.
Who Owns What?
Although it seems fairly straightforward, employers may want to communicate in the BYOD policy that the company owns the information stored on its servers that the employees access through their devices. Additionally, the policy might go on to explain that the company can wipe (delete) the information stored on the device in the event it is lost or stolen because that information contains confidential business information owned by the organization. Finally, employers may want to communicate that there is no expectation of privacy in the employee’s use of the personal device similar to the use of the company-issued computer.
However, a word of caution: while the company may own the information stored on the server, employers may want to consider resisting the temptation to access and/or read emails from the employee’s personal email account which may have been on the personal device. A recent case in the Northern District of Ohio found that a company violated the Stored Communications Act after a supervisor, without authorization, read more than 40,000 emails sent to the employee’s personal email account through the company-issued smart phone. Not only could the violation of the Act carry significant fines and penalties, but also criminal consequences.
Acceptable Use
The BYOD policy will also likely include the employer’s acceptable use policy, which would mirror the policy for an employee’s use of its company-issued computers. For example, if Company A prohibits access to Facebook or certain objectionable websites via its computers, its BYOD policy would have similar language. Additionally, employers should consider adding language in the BYOD policy requiring that employees follow the company’s anti-harassment and respectful treatment in the workplace policy.
Parting Ways
When an employee separates from an organization with his/her personal device, the company could be vulnerable and risk losing its confidential business information. A thorough BYOD policy will likely address this by making it mandatory that the employer will wipe (delete) any company-stored information on the personal device at the time of the employee’s departure. Because many employees have personal information such as photographs or music or other purchased applications, employers should consider developing a protocol to protect the employee’s personal information while still removing the company data.
BYOD policy creation process
Here is a high-level overview of how to develop your first BYOD policy.
asha chaudhry
peeyoosh – kindly share the link as well…!