8 Steps You Need to Take Now to Protect Your Data
As a business owner in IT Management with a focus on security, I get asked a lot of questions about, well, security. Everyone wants to know, “is my data safe?” Unfortunately, the answer is: nope! At best, probably not.
But there are several things you can do to reduce your chances of becoming the hapless victim of a cyber attack. Understand that we’re all in this together, take a good look at your vulnerabilities, and follow the steps below to secure your data. That way, we’ll all sleep a little better at night.
We are all tech companies now.
The reality these days is that we are all tech companies. Retailers are dependent on point-of-sale systems, wireless devices, and inventory-tracking databases, as well as supplier portals that integrate with banking and ACH systems for just-in-time order fulfillment. Developers rely on plans, maps, drawings, orders, and funding all done on computers and the underlying networks. And don’t get me started on healthcare. A little-known attack last year compromised the U.S. State Department via their HR system tie-in. And where did the attack originate? Their HMO provider’s systems. As I said, we are all tech companies now.
Everyone is vulnerable.
I don’t know about you, but at times the potential for fraud can be overwhelming to me. If the U.S. State Department can be hacked, what on earth can I do? We all want someone to certify that everything is going to be OK, that no one is going to hack us, implant spyware or ransomware on our most precious systems, or intercept wiring instructions. It can all be a little disheartening. But the first step in a well-known 12-step program, as I understand it, is to admit you have a problem.
No, your data is not secure.
I could regale you with countless anecdotes involving brand new devices, plugged in for seconds on the internet, that received brute force attacks. I could tell you horror stories of business owners who failed to pay a bitcoin ransom and ended up losing not only their data, but also their businesses because they had no way to get their receivables and payables figured out before the bank stepped in.
Instead, I’d rather just give you my simple 8-step process to sleeping better at night.
Follow these 8 steps to secure your data.
1. Change your password one more time, and then never again.
Conventional wisdom used to say that to be more secure, passwords should be changed every 90 days to strings of random, hard-to-remember characters. That just caused us all to write them down, or store them on our desktops or mobile phones in files cleverly labeled “passwords.” #FAIL. Here’s my rule of thumb: make something memorable, always use 3 words or more, and have fun with the numbers or characters. Because I often have to enter them on mobile phones, I also like to make them easy to type on the smaller keyboards.
Here’s an example. Assume that I have an account at Citibank (I don’t, so don’t bother).
When I think of Citibank, I think of a city, like New York City. I grew up in the 90s, and there was a popular gangster movie called New Jack City with Ice-T as a character. This is what my password would be for Citibank: Newjackcity1ce-T. That checks all the boxes required for a strong password: capital letter, number, special character, and length. For more fun with passwords, check out Alex Gonzales’s tips for creating a secure password.
2. Two-factor authentication is a modern necessity.
Just get over it. You don’t live in a world anymore where you can use a seven-digit phone number like you did growing up. Also gone is the day when you could use a username and password combo like jsmith and password1 to access important data. Nor should you. Your life, health, information, and financial well-being are locked behind passwords. Ensuring you are really you is the best way to secure your information. I know that it takes an extra 5-20 seconds of verification, but it’s worth it.
3. Security begins at home.
I recently participated in a war room scenario at the IBM Lab in Boston with a group of CISOs (Chief Information Security Officers) from some of our largest customers in finance, transportation, and gaming/hospitality. The IBM personnel had MIT and Harvard graduates and grad students open our eyes (and embarrass us) with their hacking acumen against the people we felt were the most protected we knew: ourselves!
You see, we thought we were immunized from attack because our laptops were running all our corporate anti-intrusion tools, but what we didn’t realize was how vulnerable our businesses were through our homes and families. Many in our group were a bit naive to how easy it was to get to our most important data through the simplest of methods on our phones and wireless devices. Once their keystrokes could be monitored, passwords could be discovered and our entire company’s information could be compromised.
Start today to educate your employees about the need for security in their personal digital lives and they will inherently bring that same sense of security to work each day.
4. For heaven’s sake, BACK UP!
This is the part that helps you sleep at night. As I said, you are not likely to ever be 100% secure. If the NSA, CIA, and Marriott can be compromised, so can you. Of course you put plenty of deterrents in place: locks on the doors, security lights, safes for the important stuff, a security alarm, cameras, and the sign out front telling the world you take security seriously.
But the truth is, it’s not if, but when you get attacked. Your very best defense is a secure backup, running consistently and being tested periodically. That way, when the attack comes, it is a blip or an inconvenience, not life-alteringly devastating. Ransomware is largely defeated and nullified by this strategy. You don’t want to suddenly be forced into becoming a bitcoin expert, like a local orthodontist friend of mine when his system experienced an attack.
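Here is a small POSIX shell script, added as an illustration and not from the original post, that does what this step asks for: make the backup, record a checksum so you can tell "still present" from "still intact", and then actually restore it and compare it to the source. The directory names and sample files are constructed for the demo, and sha256sum (GNU coreutils or busybox) is assumed to be available.

```shell
#!/bin/sh
# Added example: back up a directory, record a checksum, and prove the backup
# restores cleanly. All paths and sample files below are constructed for the demo.

# make_backup SRC DEST -> prints the path of the new archive
make_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$src" . || return 1
    # The recorded checksum lets a later check detect silent corruption or tampering.
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) || return 1
    printf '%s\n' "$archive"
}

# verify_backup SRC ARCHIVE -> 0 only if the archive still matches its checksum
# AND restores to an exact copy of SRC. This is the periodic test the post asks
# for: a backup that has never been restored is a hope, not a backup.
verify_backup() {
    src="$1"; archive="$2"
    dir=$(dirname "$archive"); name=$(basename "$archive")
    ( cd "$dir" && sha256sum -c "$name.sha256" ) >/dev/null 2>&1 || return 1
    scratch=$(mktemp -d)
    if tar -xzf "$archive" -C "$scratch" 2>/dev/null && diff -r "$src" "$scratch" >/dev/null; then
        rm -rf "$scratch"; return 0
    fi
    rm -rf "$scratch"; return 1
}

# Constructed sample data standing in for the receivables/payables files the post mentions.
WORK=$(mktemp -d)
mkdir -p "$WORK/data/invoices"
printf 'INV-001,ACME,1200.00\n' > "$WORK/data/invoices/2024-01.csv"
printf 'VEND-007,Widgets,300.00\n' > "$WORK/data/payables.csv"

ARCHIVE=$(make_backup "$WORK/data" "$WORK/backups")
if verify_backup "$WORK/data" "$ARCHIVE"; then
    echo "backup verified: $ARCHIVE"
else
    echo "backup FAILED verification: $ARCHIVE" >&2
fi
```

Run it from cron (or your scheduler of choice) and alert on a non-zero exit from verify_backup, so a backup that stops restoring is noticed before the day you need it.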
5. Talk to the experts (not the sales reps).
The current strategy for many companies seems to be to identify what kind of security product they don’t have and then get budget approved to acquire that. For example, “We have a firewall but we don’t have an intrusion protection system (IPS) so we need one of those.” Or “we have an IPS, but we don’t have a web application firewall (WAF), so we’re shopping for that right now.” To me, this pattern of bolt-on security products creates a Frankenstein of a network that, yes, technically is still a network but is not sustainable, usable, or functional.
It’s important to ask the right questions to get the right security products. Why do you need an IPS? What application are you securing with your WAF? A security consultant or security broker can help you make the right decisions for your needs, which may even mean not purchasing anything new. Need a recommendation? Contact us here at Hyper Networks, or get in touch with one of our competitors: Optiv, IBM Security Services, or Trace 3. The more secure we all become, the better it is for everyone.
6. Measure it, test it, prove it.
Let’s see if Frankenstein can run. Can your network really secure your data? Can you really not be breached? Do the products and solutions you have purchased actually protect your organization? How do you know? What are your metrics? Is your security posture improving or declining? Did the most recent patch create an issue with data leakage?
This is the single best thing you can do in your organization to determine what your next steps should be. Not measuring your progress in security is like spinning around blindfolded throwing darts, and you don’t even need a dart board for the game you’re playing.
7. Insure it.
Remember when I was talking about the need for backups? Second only to backups for your peace of mind is insurance. Review your policy with your chief risk officer (that may be you if you’re the president of your company), because bad things happen to good people. Bad things happen to all people, in fact, despite their best efforts. There are entire national governments that are in the business of stealing your business and money. In extreme cases, your only fallback may be to start over. And you’ll likely need the cash from all those premiums, and then some, to do it.
8. Have a plan and practice it.
The day you discover your information is gone, you’ve accidentally exposed thousands of credit card numbers to the web, or patient data is being posted on Hostbin is not the time to say, “what do we do now?” The reality is that IT risk is business risk. That means the business stakeholders should calmly discuss how much risk they are willing to accept. It is also requisite that they talk about who is going to do what in the case of a breach. Make a plan, write it down, and train everyone for it. If we learned anything from Ghostbusters, it’s that you should always know “who ya gonna call.”