Operations & Technology
UPDATED CYBER HYGIENE REVIEW
With the changing of the seasons, spring cleaning comes to mind and all the things to do around the home and the office. In March of 2020, many of us sent our employees home to work remotely. You may or may not have had policies and procedures in place for that to happen, but now is the time to start the cleanup process and review your organization’s cyber hygiene.
POLICIES FOR YOUR EMPLOYEES
One of the biggest vulnerabilities in an organization is its employees. Phishing attempts, phone calls from fictitious support providers, and fake Wi-Fi networks make it easy for an employee to fall for a scam. These things happen often and innocently because the employee did not know he or she was doing anything wrong. Even the best of companies have fallen victim to social engineering attempts in which an attacker exploits an employee by sending an email that appears to come from a trustworthy source or contains information relevant to that person’s role in the organization. Examples include an email that appears to come from the CEO asking an administrative assistant to purchase gift cards, or asking the accounting department to pay an invoice for a vendor the company uses, but with a different bank account.
It is important to educate your employees and to continue educating them. Make them aware of possible phishing attempts by giving them examples of what to look for and what not to click on. Discourage use of public Wi-Fi connections. Many employees may think they are joining a safe network because of its name, but the network could easily belong to the person sitting next to them in a public place, waiting for them to join so that he or she can gain access to their information. With employees working from anywhere, it is important for you to share this information and make sure they lock their devices when not in use.
Have all of your employees update their passwords. Strong passwords include a combination of letters, numbers, and special characters. I would also encourage all employees to use a different password for each account. With passwords in place, the next thing to do is to turn on multi-factor authentication for all accounts that offer it. Multi-factor authentication adds another layer of protection for gaining access to your online accounts. Even if someone obtains the password, the authentication code is still needed to log in to the account.
Make sure software is up-to-date. When software companies find vulnerabilities, they release patches. If these patches are not installed, you are not protected. This includes computers, smart phones, tablets, Wi-Fi routers, smart televisions, and other devices that connect to the Internet. Have your employees check for updates on all devices and, when possible, have updates deployed automatically. Also have employees remove saved information and browsing histories in web browsers, and encourage them not to let their browsers remember passwords. Having the most current software, web browsers, and operating systems is one of the easiest ways to protect yourself from threats.
Over time, things pile up and you stop using devices. You might have allowed information to be put on temporary storage devices and taken off site during the rush to be up and running remotely. Review your inventory of devices for each employee and visit with them about what they have at their offices or remotely. This is the best time to review your file backup procedures and visit with employees about where they are saving and accessing information. The Better Business Bureau has a 3-2-1 rule for backups that we like to follow. The rule is three backup copies, on two different media types, with one copy offline and in a separate location. Have your employees bring devices that are no longer being used to you so you can securely dispose of them.
DATA BREACH RESPONSE
Do you have an emergency response plan in the event of a data breach? This type of plan helps your team understand how to respond and what steps to take if a breach occurs. If you do have a plan, document any changes you make to your cybersecurity protocols and share these with employees. Ask employees questions and schedule trainings at least once or twice a year.
WEBSITE & NETWORK REVIEW
Another recommendation is to review your website and remove anything that is no longer needed. Verify that links are still up to date and contact information is accurate. To cut down on the number of phishing attempts, consider removing individual employee names, job titles, and email addresses. It is a good idea to remove any plug-ins and software that are no longer needed and make sure the ones that remain are updated.
As an administrator, you should review your applications and the access available, including the users set up with access. Did you recently have any employment changes that resulted in changes to access? If you do not already have a process in place for when such changes happen, I would encourage you to create one. It is also a good idea to limit those who have administrative privileges. Review your email spam filters to attempt to block the initial phishing emails and network connections known to have malicious content. I would recommend that you know what your employees are connected to and what is running on your network. Implement key security settings to protect your systems and set up a monitoring service to alert you when possible threats arise.
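As an added illustration of the account review described above and the password and multi-factor guidance earlier in the article (this is example code, not part of the original article or any product of the author's company), the check below runs over a constructed account inventory and flags departed employees who still have access, accounts without multi-factor authentication, passwords that have not been changed within the review period, and more administrators than the chosen limit. The account data, the review date and the limits are assumed sample values.

```python
from datetime import date

# Constructed sample inventory (not real data): one row per account, as an
# administrator might export it from a directory or an application's user list.
ACCOUNTS = [
    {"user": "alice", "role": "admin", "mfa": True, "active": True,
     "employed": True, "pw_changed": date(2021, 3, 1)},
    {"user": "bob", "role": "user", "mfa": False, "active": True,
     "employed": True, "pw_changed": date(2019, 11, 5)},
    {"user": "carol", "role": "admin", "mfa": False, "active": True,
     "employed": True, "pw_changed": date(2021, 2, 20)},
    {"user": "dave", "role": "user", "mfa": True, "active": True,
     "employed": False, "pw_changed": date(2020, 6, 1)},
]

# Assumed date of the review; a real run would use date.today().
REVIEW_DATE = date(2021, 4, 1)


def review_access(accounts, today, max_pw_age_days=365, max_admins=2):
    """Return (user, finding) pairs for the review items in the article:
    leavers with active accounts, missing MFA, stale passwords, too many admins."""
    findings = []
    for a in accounts:
        if not a["active"]:
            continue  # disabled accounts need no further checks
        if not a["employed"]:
            findings.append((a["user"], "departed employee still has an active account"))
        if not a["mfa"]:
            findings.append((a["user"], "multi-factor authentication not enabled"))
        if (today - a["pw_changed"]).days > max_pw_age_days:
            findings.append((a["user"], "password older than review period"))
    admins = [a["user"] for a in accounts if a["active"] and a["role"] == "admin"]
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} administrative accounts, limit is {max_admins}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, REVIEW_DATE):
        print(f"{user:8} {finding}")
```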
Make reviewing your cyber hygiene a routine practice and continue to communicate with your employees. Offering training with real examples is an easy and cost-effective way to teach employees about cyber threats. Just as maintenance is necessary for computers and software to run at peak performance, ongoing education is necessary for your employees to do the same.
Chief Information Officer
Syndeo Outsourcing, LLC