Cyber attacks, security breaches, phishing, hacking…you name the buzzword…it seems as though we hear about these more routinely than we’d like. And, boy, can they be damaging to a company or organization.
I read recently that the U.S. Congressional Small Business Committee found 71 percent of cyber attacks happened at businesses with fewer than 100 employees. What I found even more concerning is the fact that the 2016 State of SMB Cyber Security Report by the Ponemon Institute and Keeper Security found that 50 percent of small- and medium-sized businesses (SMBs) have had a security breach in the past year. Let me repeat that…50 percent in THE LAST YEAR!!
Because I’ve labeled this blog as a “Fraternal” blog…I want to specifically focus on that; however, keep in mind that much of what I’m about to tell you can really apply at any business, so I’ve generalized in many cases.
When it comes to fraternal organizations, many have specific cyber liability exposures arising out of the use of their websites, electronic communications, Facebook pages, collection of member personal identification information, and, in some cases, the collection and storage of member Social Security numbers and credit card numbers.
Because of these exposures, if you’re a fraternal organization, it’s critical you take steps intended to minimize the probability of a security breach occurring. To help, I’ve outlined some best practices below.
- Educate all employees: Train employees on your organization’s network security policies. Since policies evolve as cybercriminals become savvier, brief employees regularly on new protocols as they’re put into place (and make a point of showing them what a current phishing email looks like). To hold employees accountable, have each employee sign a document stating they’ve been informed of the policies and understand actions may be taken against them if they don’t follow the security policies.
- Use a firewall: One of the first lines of defense in a cyber attack is a firewall. The Federal Communications Commission (FCC) recommends small businesses, including fraternal organizations, set up a firewall to provide a barrier between your data and cybercriminals. A firewall only blocks what it’s configured to block, so the safe starting point is to deny all inbound connections and open only the specific services you actually need. In addition to standard external firewalls, many organizations now install internal firewalls to separate the network into segments, so a compromise of one computer doesn’t hand the attacker every system in the building. It’s also important employees working from home install a firewall on their home network. We recommend our clients consider providing firewall software and support for home networks to ensure compliance.
- Install anti-virus, anti-malware, and anti-spyware software: This loss control technique is one of the easiest and most cost-effective ways to increase security at your organization. Make sure to install the software on each computer in your network — computers that don’t include these types of software are much more likely to be exposed and can possibly spread malware to other computers in the network. There are a host of viable options for each type of software, ranging in price from free to an annual subscription. Be sure to keep the software as up-to-date as possible, and turn on automatic updates wherever the product offers them. Don’t assume employees will never open phishing emails. The Verizon 2016 Data Breach Investigations Report found that 30 percent of phishing messages were opened by the recipient. A phishing email usually does one of two things: installs malware when the link or attachment is opened, or sends the employee to a look-alike login page that captures their password. Anti-malware software on every device and on the network addresses the first; the multifactor authentication and password practices below address the second.
- Encrypt data: Firewalls aren’t perfect. If a hacker manages to get through your firewall, your data is vulnerable. Encryption makes data unreadable to anyone who has the files but not the key. Consider using an encryption program to keep computer drives, files, and even email messages safe from hackers. Keep in mind what each kind of encryption actually protects: full-disk encryption (BitLocker or FileVault, for example) protects a laptop that is lost or stolen while powered off, but it does nothing against an attacker who is using a computer that’s already unlocked and logged in. Store recovery keys somewhere separate from the devices themselves, or an encrypted drive can lock you out of your own data.
- Enforce safe password practices: While password rules may be viewed as inconvenient by employees, they’re an important practice to follow. The Verizon 2016 Data Breach Investigations Report found that 63 percent of confirmed data breaches involved weak, default, or stolen passwords. Since employees often use devices they bought themselves, it’s essential anything that connects to the organization’s network requires a password, and that no password is reused across work and personal accounts. We recommend employees use passwords with uppercase and lowercase letters, numbers, and symbols. Traditionally, organizations have also required password changes every 60-90 days; current NIST guidance (SP 800-63B) instead favors longer passphrases checked against lists of known-breached passwords, a password manager so employees don’t have to memorize them, and a forced change whenever a compromise is suspected rather than on a fixed calendar.
- Regularly back up all data: Regardless of all precautions you may make, the possibility of a breach exists. Therefore, backing up word processing documents, electronic spreadsheets, databases, financial files, accounts receivable files, and accounts payable files is critical. Be sure to back up all data stored in the cloud, too. Make sure backups are stored in a separate location due to the possibility of flood or fire damage occurring, and keep at least one copy offline or otherwise not writable from your network, because ransomware that reaches a connected backup drive will encrypt the backups right along with the originals. A backup you’ve never restored from is only a hope, so test a restore periodically.
- Use multifactor authentication (MFA): Even with proper preparation, the odds remain high an employee will eventually make a mistake that compromises a password. Turning on the multifactor authentication settings built into most major network and email products is simple to do and adds an extra layer of protection. Review your settings and require every employee to enroll a second factor. An authenticator app or a hardware security key is the better choice; a text message to the employee’s cell phone is better than nothing, but codes sent by SMS can be intercepted by a criminal who convinces the carrier to move the number to their own phone. With MFA in place, a cybercriminal who steals the employee’s password still can’t log in without the second factor. It doesn’t make the account unbreakable (a convincing phishing page can ask for the one-time code as well), but it turns most stolen passwords from a breach into a near miss.
- Use a virtual private network (VPN): A VPN allows employees to connect to your organization’s network remotely over an encrypted tunnel. The VPN gateway is itself a remote-access server, but it replaces the far riskier practice of exposing individual file shares, remote desktops, or databases directly to the Internet, and many firewalls and cloud services include VPN capability at little or no added cost. VPNs provide a high level of security by using standard encryption and authentication protocols that protect sensitive data from unauthorized access while it crosses public networks. Two caveats: the gateway must be kept patched, since it is by definition reachable from the Internet, and it should require multifactor authentication, because a VPN protected only by a password simply moves the password problem to the front door. If your organization has salespeople in the field or employs workers who work from home or away from the office, a VPN is an effective way to minimize cyber risks.
- Create a plan for mobile devices: With the increasing popularity of mobile devices with wireless capabilities, it’s important to extend the security policies of the organization to employees using these types of devices for business purposes. That plan should include the following:
- Establish a mobile device policy: Before issuing smartphones, tablets, or other mobile devices, establish a device usage policy. Provide clear rules about what constitutes acceptable use as well as what actions will be taken if employees violate the policy.
- Establish a bring your own device (BYOD) policy: If you allow employees to use their personal devices for company business, make sure you have a formal BYOD policy in place. Your BYOD security plan should also include installing remote wiping software on any personal device used to store or access company data, educating and training employees on how to safeguard company data when they access it from their own devices, and informing employees about the exact protocol they must follow if their device is lost or stolen.
- Keep the devices updated with the most current software and anti-virus programs: Software updates to mobile devices often include patches for various security holes, so it’s best to install the updates as soon as they’re available. There are many options to choose from when it comes to anti-virus software for mobile devices…it really comes down to preference. Some are free to use, while others charge a monthly or annual fee (and often come with better support). In addition to anti-virus support, many of these programs will monitor SMS, MMS, and call logs for suspicious activity and use blacklists to prevent users from installing known malware on the device.
- Back up device content regularly: Just like your computer data should be backed up regularly, so should the data on your company’s mobile devices. If a device is lost or stolen, you’ll have peace of mind knowing your valuable data is safe.
- Choose passwords carefully: The average Internet user has about 25 accounts to maintain and an average of 6.5 different passwords to protect them, according to a Microsoft® study. In other words, most people reuse each password across several accounts, and that reuse is exactly what hackers count on: one leaked password from a hobby website unlocks the work email too. Much like I mentioned above, require a device login password (or screen lock) on every device, change it immediately if the device may have been compromised, and consider a password manager so employees can use a different password for every account. Passwords should be at least eight characters long, and longer is better; a passphrase of several unrelated words is both stronger and easier to remember than eight characters with an uppercase letter and a special character such as an asterisk, ampersand, or pound sign. Don’t use names of spouses, children, or pets in the password. A hacker can spend just a couple minutes on a social media site to figure out this information.
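The multifactor authentication item above recommends an authenticator app over a text message. The example below is added here to show what an authenticator app actually does; it is not code from the original post. It implements the standard time-based one-time password (TOTP, RFC 6238) using only the Python standard library, plus the two checks a server should make that a naive implementation skips: accepting one 30-second step of clock drift, and refusing a code whose time step was already accepted so an intercepted code can’t be replayed. The shared secret is the RFC 6238 test-vector secret, embedded for the example; a real deployment generates a random secret per user and shows it to them once as a QR code.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # the period used by Google Authenticator, Microsoft Authenticator, etc.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second step.
    This is the code the phone displays."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, last_counter: int = -1,
                digits: int = 6, step: int = STEP_SECONDS, window: int = 1):
    """Server-side check. Returns the accepted time-step counter, or None.

    - `window` steps either side of the current one are accepted, so a phone
      whose clock is a few seconds off still works.
    - Any counter <= `last_counter` (the last one this user logged in with)
      is refused, so a code phished or sniffed in transit cannot be reused
      even inside its 30-second validity window.
    - hmac.compare_digest avoids leaking digit-by-digit timing differences.
    """
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def new_secret(length: int = 20) -> bytes:
    """Random per-user secret (160 bits, as RFC 4226 recommends)."""
    return secrets.token_bytes(length)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI that is encoded in the enrollment QR code.
    The secret travels base32-encoded."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"), used only for the demo.
    demo_secret = b"12345678901234567890"
    print("code at t=59:", totp(demo_secret, 59))          # RFC 6238 vector: 287082
    accepted = verify_totp(demo_secret, "287082", 59)
    print("accepted counter:", accepted)                   # 1
    print("replay:", verify_totp(demo_secret, "287082", 59, last_counter=accepted))  # None
    print(provisioning_uri("Fraternal Org", "treasurer@example.org", new_secret()))
```

The replay rule is the piece most home-grown verifiers forget: without it, a criminal who phishes both the password and the current code has the full 30 seconds (60 with the drift window) to log in with them.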
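Both password items above (the general one and the mobile one) describe rules to enforce: a minimum length, no names of spouses, children, or pets, and nothing a hacker could guess from a breach. The checker below is an added example, not code from the original post, showing how those rules are enforced at password-change time rather than left to memory. It goes a step further than the text in two ways that current NIST guidance (SP 800-63B) calls for: it checks the candidate against a list of known-breached passwords (here a small constructed list, hashed with SHA-1 the way the Have I Been Pwned data set is distributed; in production you’d load that data set), and it catches common letter-for-digit substitutions such as “F1d0” for “Fido”. The 12-character floor and the blocklist contents are assumptions for the example.

```python
import hashlib
import re

MIN_LENGTH = 12          # assumption for this example; NIST's floor is 8, longer is better
MAX_REPEAT = 3           # "aaa", "111", "!!!" and longer runs are refused
SEQUENCE_RUN = 3         # "abc", "123", "xyz" and longer ascending runs are refused

# Constructed stand-in for a breached-password corpus. Real deployments load the
# Have I Been Pwned list, which is distributed as upper-case SHA-1 hex digests.
_COMMON = {"password", "Password1!", "123456", "qwerty", "letmein", "Welcome1"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _COMMON}

# Undo the substitutions people use to sneak a name past a naive filter.
_LEET = str.maketrans("@01345$", "aoieass")


def _normalize(text: str) -> str:
    return text.lower().translate(_LEET)


def has_sequence(text: str, run: int = SEQUENCE_RUN) -> bool:
    """True if `run` or more consecutive characters ascend by one code point
    (covers 123, abc, xyz and similar keyboard-walk fragments)."""
    t = text.lower()
    for i in range(len(t) - run + 1):
        chunk = t[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_password(candidate: str, personal_terms=()) -> list:
    """Return the list of reasons to reject `candidate`; an empty list means accept.

    `personal_terms` is whatever the organization knows about the user that an
    attacker could also learn from social media: their own name, spouse, children,
    pets, street, employer. Terms shorter than three characters are ignored to
    avoid rejecting every password containing a common syllable.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("appears in a known breach corpus")

    normalized = _normalize(candidate)
    for term in personal_terms:
        if len(term) >= 3 and _normalize(term) in normalized:
            problems.append(f"contains personal term {term!r}")

    if re.search(r"(.)\1{%d,}" % (MAX_REPEAT - 1), candidate):
        problems.append(f"{MAX_REPEAT} or more repeated characters")
    if has_sequence(candidate):
        problems.append(f"{SEQUENCE_RUN} or more sequential characters")
    return problems


if __name__ == "__main__":
    # Constructed examples: a pet name with digit substitutions, a breached password,
    # and a long passphrase that passes every rule.
    for pw in ("F1d0!2019", "Password1!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, personal_terms=["Fido", "Smith"]) or "OK")
```

Notice that “F1d0!2019” satisfies the uppercase-letter-and-symbol rule and still gets rejected, while the four-word passphrase contains no symbol at all and passes. That is the practical argument for length and blocklists over complexity rules.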
Please keep in mind…this isn’t an all-inclusive list, but provides a great framework to start. We’d love to talk with you more in-depth if you have any questions or need help getting started on (or reviewing) a policy. Just reach out to us!