By Keith Becker
Legal issues arising from a data breach are
in the news almost daily. For all companies, a
data breach has become a means of exploitation
for cyber criminals to extract confidential and
private information from computers, websites
and networks.
We all now have the wonderful opportunity
to use technology to make our businesses more
efficient and more widely known. In most cases,
the common users are unaware of all the possible
dangers that lie out there while using these tools.
This is very unfortunate as many of these dangers
can cause the company to become liable for a
breach in documentation and resources.
No one is removed from these attacks and it has become more evident that any company can become a target as the attackers become craftier and more knowledgeable. They are able to use the information against the businesses or their clients as blackmail or even to sell the information to the highest bidder. We personally deal with these kinds of issues on a daily basis, and can never be certain where and when they will strike.
In the past year, the number of companies that have had their data compromised has grown to become a serious problem. The legal ramifications of such a breach of data can span from very little to very serious consequences financial and legal.
It is very important to have a method in place both with a good technology services company and a good legal advisor. Below are some security tips that you should follow which are essential to keeping you and your business less prone to attack.
• Have a strong password of at least 12 characters. No matter how strong an eight-character password is, it can now be cracked in about two hours. A strong 12-character password takes roughly 17 years to crack. Use a pass phrase so you can remember the password.
• You may want to log activity on USB ports, because it is common for employees to lift data via a thumb drive. Without logging, you cannot prove exactly what was copied.
• Change the defaults. It doesn’t matter if you are configuring a wireless router or installing a server operating system. In all cases, make sure you change any default values. The default user ID and passwords are well known for any software or hardware installation.
• Your laptop should be protected with whole disk encryption–no exceptions. Stolen and lost laptops are one of the leading causes of data breaches. Many of the newer laptops have builtin whole disk encryption. To state the obvious, make sure you enable the encryption so your data is protected.
• Backup media, a huge source of data leaks, should be encrypted. If you use an online backup service, which means you’re storing your data in the cloud, make sure the data is encrypted in transit and while being stored.
• Keep your server in a secure location and in a locked closet or room. Physical security is essential.
• Most smartphones write some amount of data to the phone. Opening a client document may write it to the smartphone even if you do not you save it. The iPhone is particularly data rich. Make sure you have a PIN for your phone. This is a fundamental protection. Don’t use “swiping” to protect your phone as thieves can discern the swipe the vast majority of the time due to the oils from your fingers. Also make sure that you can wipe the data remotely if you lose your phone.
• Wireless networks should be set up with the proper security. First and foremost, encryption should be enabled on the wireless device. Whether using Wired Equivalent Privacy (WEP) 128-bit or Wi-Fi Protected Access (WPA) encryption, make sure that all communications are secure.
• Make sure all critical software updates are applied. This may be the job of your IT provider, but too often this is not done.
• Control access. Does your janitor really need access to QuickBooks? Probably not. This is just another invitation to a breach.
• If you terminate an employee, and immediately cut all possible access (including remote) to your network.
• Using cloud providers for software applications is fine, provided that you made reasonable inquiry into their security. Read the terms of service carefully and check your state for current ethics opinions on this subject.
• Be wary of social media applications, as they are now frequently invaded by cyber criminals. Giving another application access to your credentials for Facebook, as an example, could result in your account being compromised.
• Have a social media and an incident response policy.
• Let your employees know how to use social media as safely as possible, and if an incident happens, it is helpful to have a plan of action in place.
• Dispose of anything that holds data, including a digital copier, securely.
• Make sure all computers require screen saver passwords, and that the screen saver gets invoked within a reasonable period of inactivity.
• Use wireless hot spots with great care. Do not enter any credit card information or login credentials prior to seeing the https: in the URL.
• For remote access, use a virtual private network (VPN) or other encrypted connection.
• Do not give your user ID and password to anybody.
None of these safeguards are hard to implement.
Unfortunately, even if you implement them all, new dangers will arise tomorrow. The name of the game in information and network security is constant vigilance.
Keith Becker is a systems engineer for Tech II Business Systems, Inc.