Sony, Home Depot, Target. All are big companies with huge market value, large customer databases, strong brand names and plenty of budget to spend on data security. The same cannot be said for organizations in the small business community. But are there lessons from these breaches that can provide learning to the owner or manager of a small business? Yes, there certainly are.
The key reason there is a lesson is that in each case, the data breach was caused for the most part by people very close to each organization:
- Sony – It is clearer with each passing day that this was not an attack by a faraway enemy like North Korea. Rather the evidence is pointing to the culprit as a laid off employee from the Sony staff.
- Home Depot – The Home Depot data breach was initially the result of crooks who used credentials stolen from a third party vendor. Secondarily, the breach was caused by those crooks leveraging a vulnerability in a Microsoft Windows Operating System. That vulnerability was identified many years prior and a patch was distributed. But Home Depot never implemented that patch into their Point of Sale systems.
- Target – The Target breach was due largely to someone inside the organization clicking on a link in an email from a vendor. That vendor had been hacked, which then caused the email to be sent, and the rest is history.
So, for the small business owner and manager. What are the lessons?
The key is to understand that the most likely way you might be hacked, causing data to be lost, is through an employee (past or present) or client or vendor (past or present.)
Therefore, it makes absolute imperative for every business to do a few simple things consistently and perhaps enlist the help of a firm like IT Radix to assist in these endeavors:
Have a secure back up program in place both onsite and offsite – ensuring that at least one part of the backup program is not directly attached to your network.
Have a password policy in place and follow it. It should include:
- A password strength protocol
- A password change policy
- A plan to change passwords
Consider putting an employee monitoring program in place that will help:
- To monitor and filter website and web traffic
- To guard against company secrets being shared via email
- Delete files or lock a computer if a laptop is stole
FILE ACCESS and REMOTE ACCESS
Whether a user is accessing company files in the office or remotely, ensure that your file access permissions are correct and that at least double security identification measures are in place.
EMAIL MANAGEMENT SECURITY
Put a strong email program in place where:
- Email is backed up
- Email is encrypted as it goes through the Internet.
VIRUS and MALWARE PROTECTION
Ensure that anti-virus and malware protection is in place and up to date.
PATCHING AND UPDATING
Server and computer operating systems, software, anti-virus software, firewalls, applications of all sorts should patched and updated regularly – some daily.
Consider putting a hardware firewall appliance in your network and if outsiders need access to some company data, place that data outside / securely apart from the internal company network.
Separate your secure Wi-Fi network from any that guests use to access the Internet.
The smart business owner or manager may or may not have heard of such recommendations in the past, but they are the core of a strong security policy necessary for any organization, regardless of its size. If you would like to discuss any of this with the professionals at IT Radix, we would be happy to do so at any time! Here’s hoping you have a safe and secure New Year!