Data Security Should Top Your 2023 To-Do List

Cybercriminals are turning their attacks to small businesses. Follow these tips to protect your PRO business.


Question: We have learned of a small company in our community that recently suffered a cyberattack. Apparently, their business was severely impacted by this situation. What are some measures that we can take in order to protect our business from cyberattacks?               

Answer: You have taken the most important step by simply identifying the need to develop a cybersecurity plan for your company. These attacks were once almost exclusively aimed at larger corporations, but today many smaller businesses are being targeted due to lack of resources and knowledge of how to protect against cybercriminals.

Cyberattacks can inflict damage in many areas:

·   Your company’s financial information including tax records and tax identification numbers

·   Company bank account numbers and access to company funds

·   Customer credit card data

·   Customer lists

·   Pricing data

·   Employee records with personal data such as Social Security numbers, home addresses, phone numbers, insurance and health data

·   Disruption of your daily operations and customer satisfaction 

·   Unexpected high costs to rid your company of the aftereffects of such an attack

Some businesses do not rebound from some cyberattacks.

DEVELOPING A CYBERSECURITY PLAN FOR YOUR BUSINESS:

Since technology can be quite complex and ever-changing, our suggestions cover the basics, and we encourage PROs to consult technology professionals for information that is specific to their company.

Our research suggests there are four major areas to address in developing a cybersecurity plan for your business:

Consistent data backup

·   Daily backup of all company data is the foundation for any cybersecurity plan. Ideally, each computer in the office is automatically backed up to the company server at the end of each day and that data is then stored off site or in the cloud.

·   Monitor this process and ensure it successfully occurs each day.    

Protective software, system access and passwords

·   Current software - Use the most current operating system available for all company computers. Install security software when recommended and constantly update to the most current versions. Use the most current web browsers that offer security options.

·   Security scans - After any new installation of software and after every update, set antivirus software to run a security scan. Some viruses or malware (malicious software) can be programmed to remain dormant for a certain time period — days or even weeks — before being launched. Security scans, even on new programs assumed to be “factory direct” are an effective strategy.  

·   Software installation schedule - Several times in our research, we saw the suggestion to perform new software installations or updates at the beginning of the workday so that, if a problem occurs, no new data is lost and the backup from the previous day is available.

·   Firewalls - A firewall is a network security system that monitors and controls network traffic between your company’s systems and the internet, or some other untrusted network. A firewall can be hardware, software, or a combination of both. Firewalls should also protect the home systems for employees who may work at home.

·   Virtual private networks – This is another excellent tool to consider. VPNs encrypt company internet activity as well as disguise your users’ online identity. These programs make it difficult for third parties to track company activities and to steal data. Employees should be encouraged to use a VPN in public places — such as a coffee shop — to avoid company data being compromised.

·   Data encryption – This tool should be considered for all computers, laptops, mobile phones and hard drives. Encryption programs allow data to be used and stored in an algorithmically scrambled format that protects the actual data. For example, if your sensitive company data is not encrypted, when a hacker steals your information, it can be easily read and used in its entirety. Sensitive emails can also be encrypted.

·   Passwords – Company policy should establish password standards that are monitored by company management. Consider minimum password lengths of 8-10 characters that incorporate upper and lower-case letters, numbers and special characters. Passwords should be changed on a timely basis, ideally monthly. A variety of password storage programs are available where the user merely remembers the password to the storage program and all of the other passwords are stored within the program. Consider two-factor authentication for access to certain systems. A text or an email message — usually a numerical code — is sent to the user after the initial password is entered. If an unauthorized person gained access to the password, they would also have to be in possession of the specific user’s email account, the computer that uses that program, or the mobile phone in order to enter this second piece of information.

·   Access to programs - Another strong suggestion is to limit employee access to only those programs that are a part of their job responsibilities. Every employee having access to every program or application weakens company security.

Equipment is protected and secured

·   Access - Limit access to computers as much as possible. Those with offices should have the doors locked when the occupant is not onsite. In the event that another person needs access while that person is away, keys are available from management as part of an established company plan. If employees work in a common area, try to ensure non-employee access is limited. In the event that laptops are used in common areas, consider locking these devices in desks overnight or when the employee is away from the office. Have employees log off of their computers when they step away for lunch or bathroom breaks.

A “lock option” is another powerful tool that should be used. After a certain period of time without activity, a computer or laptop will automatically “lock” and will have to be reactivated through the use of a valid password. 

·   Placement of equipment - Servers and Wi-Fi network routers should ideally be placed in “out of the way” areas such as locked file rooms or offices. Wi-Fi routers should be set up so that the network name is not listed on the work computers, and the router should be encrypted as well. Routers should also be password protected.

·   Credit card processing equipment - If applicable, this equipment should be stored in a locked desk drawer in a locked office, if possible. Check with your bank or credit card company to see if data encryption and other security options are available. Extreme care and planning should be taken to establish this portion of your cybersecurity plan.

·   Offsite company equipment - “Avoid work and pleasure on the same device” is a phrase that the Federal Communications Commission refers to in some of their literature on this topic. Company mobile phones and company computers or laptops used at the employees’ homes should be used for company business only. As discussed, a VPN, firewall and data encryption should be on this company-owned equipment. 

Employee training and monitoring

·   Once a draft cybersecurity plan is established, present this information, and allow for discussion and input from employees. Then train each employee so they are familiar and comfortable with the entire plan. Encourage everyone to mention, at any time, any activity that is questionable under the plan, for example a non-company delivery person hovering over a computer while the employee is away from that desk.

FINAL THOUGHTS

Cybersecurity should be taken seriously. As more business programs and applications become available via mobile phones and laptops, theft of company data becomes more viable. Now that working from home is more commonplace, protection of company data visible offsite is another major concern. Consider these suggestions, do your own research, talk with technology professionals and develop the best possible plan to win the battle against the cybersecurity criminals.    

This article was originally posted February 2023.


