The success of your business depends on good management and good security awareness. Business Email Compromises (BEC) and CEO fraud are on the rise. Cybercriminals use phishing emails to impersonate CEOs and managers to trick employees into transferring money to them. To combat this, Security Awareness must rise through the culture of a business to management, where senior-level employees use proper security habits to set the tone.
1. Provide Ongoing Security Awareness Training for all of your employees. Your employees are the weakest link in your cybersecurity defenses. The #1 vulnerability for business networks is the employees using them.
Train them to recognize and avoid phishing and spear-phishing emails. A phishing email is designed to look like a legitimate request. The hacker sends out tempting emails to try and get you to download an attachment or visit a malicious website. Once you take the bait, they infect your computer with malware or ransomware. Their end game is to steal data, credit card information or login information from you.
Spear phishing is an email targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.
The right Security Awareness Training is a formal process that increases your users’ security awareness, elicits secure behaviors, and develops a culture of security. In a secure business culture, employees don’t just try to avoid attacks, they consciously and actively work to prevent them. Make sure everyone in your organization is trained, including your C-level employees.
2. Require more than one person to authorize financial transactions. Adopt a system of checks and balances to ensure no one person has control over all parts of a financial transaction.
Segregation of duties is the foundation of a sound internal control system. Functions like releasing wire transfers, signing checks and having access to financial accounts should be separated so one individual can’t complete a transaction on their own.
3. Employ Role-Based Access Controls with secure logins. Limit your employees’ authorization with role-based access controls that prevent network intrusions and suspicious activities. Define user permissions based on the access required for their particular job.
For example, your receptionist might not need access to client data. Also, know who has access to your data, and enforce a “need-to-know” policy. Restrict access to data to only those who need it to do their jobs.
4. Limit the personal information you make public online to protect it from social media data mining. When you share information online about your management and staff, you could be providing what hackers need to track their identities. Make conscious choices about what you make public online.
Not only hackers but other companies mine the social web to build dossiers on your leadership and staff. Anything that you post online on your website, blogs, Facebook, Twitter and LinkedIn is fair game. Make sure your team is aware of what they’re posting and how it can be exploited.
5. Keep your IT systems current. Out-of-date hardware and software open the door to hackers and cybercriminals. Systems must be updated and patched to address security flaws that provide attack vectors.
Hackers are aware of outdated software that leaves your applications easy prey to them.
Also, stay on top of IT security news and share this with your staff. Your IT service company can provide this information to you in a timely manner.
6. Don’t use shared accounts. This limits your ability to keep track of who made what changes and when. It also makes credential updates and controls more difficult.
Require individual accounts for every staff member and don’t use services that don’t offer multiple accounts.
If you use shared accounts, you won’t have a viable audit trail. When the audit trail isn’t properly in place, accountability becomes an issue.
If a shared account is compromised, the impact is greater because many users have been exposed.
7. Manage user permissions. It’s essential that you have control over what people can and can’t do online and with your data. Make sure that your system allows for granular permissions to give you the power to control who can access folders and files, and what kind of access they have for each one.
Require admins with higher access to always log in with limited privileges. This limits any potential security incidents and keeps them localized rather than throughout your organization.
Limit who can manage permissions. The more people who can make high-level, high-impact changes, the higher the risk. To protect your business, allow the least amount of privileged access.
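The controls in tips 2, 3, 6 and 7 fit together naturally in code: a role decides what an account may do (default deny), a shared login is refused outright because it cannot be tied to one person, a wire transfer needs approvals from people other than the one who prepared it, and every decision is written to an audit trail keyed to an individual username. The following is an added example, not code from the original article or from Alvarez Technology Group; the roles, permission names, usernames, the list of shared-login names and the transaction are all constructed sample data.

```python
"""
Added example (not code from the original article): a small authorization
model for a wire transfer that enforces tips 2, 3, 6 and 7 together:
role-based permissions with default deny, at least two distinct approvers,
no shared logins, and an audit trail tied to individual usernames.
All roles, users, permissions and the transaction are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role policy: each role gets only the actions its job requires.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "receptionist":     {"calendar:read"},
    "accounts_payable": {"wire:prepare", "client_data:read"},
    "controller":       {"wire:approve", "client_data:read"},
    "cfo":              {"wire:approve", "wire:release", "client_data:read"},
}

# Constructed list of login names that are generic rather than personal.
SHARED_ACCOUNT_NAMES = {"admin", "finance", "shared", "office"}

# Audit entry: (username, action, outcome)
AuditEntry = Tuple[str, str, str]


@dataclass
class User:
    username: str
    role: str


@dataclass
class WireTransfer:
    amount: float
    prepared_by: str
    approvals: List[str] = field(default_factory=list)
    released: bool = False


class AuthorizationError(Exception):
    pass


def check_permission(user: User, permission: str) -> bool:
    """Tips 3, 6, 7: default deny, no shared logins, the role decides."""
    if user.username.lower() in SHARED_ACCOUNT_NAMES:
        return False  # a shared login cannot be attributed to one person
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def approve_transfer(transfer: WireTransfer, approver: User,
                     audit_log: List[AuditEntry]) -> None:
    """Tip 2: an approval must come from someone other than the preparer."""
    if not check_permission(approver, "wire:approve"):
        audit_log.append((approver.username, "wire:approve", "denied: no permission"))
        raise AuthorizationError(f"{approver.username} may not approve wires")
    if approver.username == transfer.prepared_by:
        audit_log.append((approver.username, "wire:approve", "denied: preparer"))
        raise AuthorizationError("preparer cannot approve their own transfer")
    if approver.username in transfer.approvals:
        audit_log.append((approver.username, "wire:approve", "denied: duplicate"))
        raise AuthorizationError("each person may approve only once")
    transfer.approvals.append(approver.username)
    audit_log.append((approver.username, "wire:approve", "ok"))


def release_transfer(transfer: WireTransfer, releaser: User,
                     audit_log: List[AuditEntry], required_approvals: int = 2) -> bool:
    """Tip 2: release only after enough distinct, independent approvals."""
    if not check_permission(releaser, "wire:release"):
        audit_log.append((releaser.username, "wire:release", "denied: no permission"))
        raise AuthorizationError(f"{releaser.username} may not release wires")
    if releaser.username == transfer.prepared_by:
        audit_log.append((releaser.username, "wire:release", "denied: preparer"))
        raise AuthorizationError("preparer cannot release their own transfer")
    if len(set(transfer.approvals)) < required_approvals:
        audit_log.append((releaser.username, "wire:release", "denied: approvals"))
        raise AuthorizationError("not enough approvals")
    transfer.released = True
    audit_log.append((releaser.username, "wire:release", "ok"))
    return True


def demo() -> Tuple[WireTransfer, List[AuditEntry]]:
    """Walk one constructed transfer through the control."""
    alice = User("alice", "accounts_payable")   # prepares the wire
    bob = User("bob", "controller")             # first approver
    carol = User("carol", "cfo")                # second approver and releaser
    finance = User("finance", "cfo")            # shared login, must be refused
    log: List[AuditEntry] = []
    wire = WireTransfer(amount=25_000.00, prepared_by=alice.username)

    for attempt in (alice, finance):            # both must be refused
        try:
            approve_transfer(wire, attempt, log)
        except AuthorizationError:
            pass
    try:
        release_transfer(wire, carol, log)      # too early: no approvals yet
    except AuthorizationError:
        pass
    approve_transfer(wire, bob, log)
    approve_transfer(wire, carol, log)
    release_transfer(wire, carol, log)
    return wire, log


if __name__ == "__main__":
    wire, log = demo()
    for entry in log:
        print(*entry)
```

Running the module prints the audit trail for the sample transfer: the preparer and the shared "finance" login are refused, an early release attempt is refused for lack of approvals, and only after two distinct people approve does the release succeed. Denied attempts are logged as well as successful ones, which is what makes the trail useful when you later need to establish who tried what.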
8. Prevent Employees From Downloading Software. Ensure that your employees don’t download software into your system. Hackers trick unsuspecting staff members into downloading malicious software. It then embeds viruses into your system that can lock up or steal your data. You can prevent this with employee training.
You also need a layered cyber defense (e.g., firewalls, routers, intrusion detection systems) that supports the web server. In most configurations, the network infrastructure will be the first line of defense between a public web server and the Internet. However, network design alone cannot protect a web server.
The frequency, sophistication and variety of web server attacks perpetrated today support the idea that web server security must be implemented through layered and diverse protection mechanisms, an approach sometimes referred to as “defense-in-depth.”
9. Beef Up Your Wi-Fi Security. Hackers set up fake clones of public Wi-Fi access points to try and get you to connect to their systems. A fake wireless Internet hot spot looks like a legitimate service. When you connect to the wireless network, a hacker can launch a spying attack on your transactions on the Internet, or just ask for credit card information in the standard pay-for-access deal.
Before connecting, always check with an authorized representative of the facility to ensure you’re accessing their Wi-Fi. Never use your credit cards or work on confidential information when using public Wi-Fi.
You should also contact your IT support company to have them assess the Wi-Fi in your office for security. No wireless network is entirely safe from the talented hackers out there today. Without an up-to-date and properly configured wireless infrastructure, your business will be vulnerable.
Your IT provider will examine the wireless security measures that you have in place and determine if upgrades must be made to ensure their effectiveness. The older your wireless network hardware, the easier it is to hack.
If your wireless isn’t updated continuously to combat the latest cyber threats, your data is at risk. Data losses affect your reputation and can result in litigation and penalties, which will cost you so much more than keeping your wireless up to date.
10. Enforce Access Policies on Mobile Devices & Restrict Access. With BYOD (Bring Your Own Device) use, mobile devices like smartphones, tablets and laptops present significant security challenges. They can be exposed to external threats, infections, and hackers; and when they’re connected to your network, can compromise your IT security.
Establish security policies for the use of mobile devices on your network. They should be password-protected so only authorized users can use them. Instruct your employees to only use devices that belong to them and have been protected by your security policies.
Ask your IT support company about Mobile Device Management that will wipe data from a device if it’s lost or stolen. And you must detail what an employee can or cannot do with your company-owned devices, to prevent actions like “jailbreaking” to circumvent security mechanisms that you put in place.
Don’t take chances with the security of your data. Stay up to date on these and other IT topics.
Alvarez Technology Group, Inc.
209 Pajaro Street, Suite A
Salinas, CA 93901
Toll Free: 1-866-78-iTeam
Local: (831) 753-7677
Fax: (831) 753-7671