If you are not part of a chain of department stores or an online entity, you may think that cyber thieves aren’t terribly interested in you. After all, relative to Target, Home Depot, and Yahoo!, your inventory of personally identifiable information (PII) represents slim pickings. Yet a recent study by Ponemon Institute of companies with headcounts from less than 100 up to 1,000 gives cause for alarm. In particular:
- 50 percent of respondents reported security breaches during the past year.
- Negligent employees, contractors, and third parties caused most breaches.
- Increased use of cloud-based applications and mobile devices threatens data security.
- Participants admitted that their personnel, budgets, and technologies are not sufficient to create a strong security posture.
Many moderately-sized businesses store and process a tremendous amount of PII, which is very valuable on the black market. According to the 11th Annual Cost of Data Breach Study by Ponemon Institute, the average cost incurred for each lost or stolen record containing sensitive and confidential information is $158. That per-record figure does not fully capture the damage to the company’s reputation, losses due to business disruption, government-imposed penalties, and/or civil action.
So what should you do?
At a bare minimum, your resident IT expert should make sure that you have a robust and properly configured firewall protecting your servers and internal network, and continuously updated anti-virus software on every server and workstation in your environment. Filter inbound email so that executable attachments are stripped or quarantined before they reach users. Encrypt sensitive information, both where it is stored and while it is in transit, as an extra measure of safety – e.g., names and addresses of patrons, payment information, protected health information, other personal information, and trade secrets – and keep the encryption keys separate from the data they protect.
Unfortunately, robust cyber security technology is not sufficient to protect your digital assets. Cyber thieves are experts at attacking the weakest link in any data fortress: human beings. Their tactics exploit human habits as much as technical flaws, and “social engineering” in particular, including:
- Guessing simplistic passwords (e.g., “12345” or “password”) for known login IDs, often automatically and across many accounts at once.
- Watching users enter their personal information (or simply grabbing it off sticky notes attached to screens, phones or desktops).
- Luring unsuspecting users to look-alike websites for popular applications and getting them to enter their personal information.
- Embedding keystroke capture software on public access computers to retrieve login and other personal information.
- “Sweet-talking” users into providing their login information by phone, or scaring them into disclosure via a perceived threat.
Given these threats, all persons authorized to access your digital assets need to be extremely vigilant with respect to a few crucial security protocols. Password management is a critical line of defense. The following best practices should be incorporated into your administrative policies, reinforced with training, and monitored for compliance.
- Passwords should not include a dictionary word, a proper name, a place, or other recognizable references.
- Passwords should be at least eight characters long (the minimum in NIST SP 800-63B; longer is far better, since length adds more strength than the mix of characters) and include elements from each of the following categories: upper case letter, lower case letter, number and special character.
- User accounts should be locked, or at least throttled with increasing delays, after five consecutive unsuccessful attempts at access. This blunts automated guessing that can pummel a system with thousands of attempts. Be aware that a hard lockout can also be abused to lock legitimate users out, so log and alert on lockouts rather than treating them as routine.
- Passwords should not be shared, printed or stored insecurely.
- Passwords should be changed immediately if they are compromised. If your systems mandate scheduled rotation, 90 days is the usual interval, but current guidance (NIST SP 800-63B) favors screening new passwords against lists of known-breached passwords over forced periodic changes, which tend to produce predictable variations such as “Summer2016” becoming “Summer2017”.
- Users should log off before leaving their computers unattended. Workstations should be configured to lock after 15 minutes of inactivity; mobile devices should have even shorter screen lock settings.
While these guidelines may seem daunting, a few tricks help users reconcile complexity with ease of use. One is a “passphrase”: combine a few short words and swap some characters for numbers or symbols, as in “I10veMyP@ssw0rd!” or “MyD0g1sGre@t!” (don’t use these exact examples; those substitutions are the first rules a password-cracking tool applies, so the safety comes from length and from using several unrelated words, not from the symbol swaps). Another is to take the first letter of each word in a movie title (all lower case), followed by a special character and the last two digits of the year it was released, followed by the lead actor’s initials in caps.
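The password rules above are easy to state and easy to get wrong in practice, so here is a small policy checker, added for this edit and not taken from the article or any product it mentions. It enforces the length and character-class rules, locks an account after five consecutive failures, and, more usefully, undoes the common number-for-letter swaps before looking for dictionary words, which shows why “MyD0g1sGre@t!” still fails the “no dictionary words” rule. The word list, the leet map and the sample passwords are constructed for the demonstration; a real deployment would load a large dictionary or breached-password list.

```python
import string

# Constructed mini word list standing in for a real dictionary or
# breached-password file (a production check would load a large list).
DICTIONARY = {"love", "password", "dog", "great", "welcome", "summer", "admin",
              "company", "letmein", "qwerty", "spring", "monday"}

# Substitutions that password-cracking rule sets try automatically (assumed set).
LEET_MAP = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8          # the article's floor; longer is better
LOCKOUT_THRESHOLD = 5   # consecutive failures before the account is locked


def normalized_variants(password):
    """Undo leet substitutions and drop non-letters, so 'MyD0g1sGre@t!' reads as 'mydogisgreat'."""
    base = password.lower().translate(LEET_MAP)
    # '1' is ambiguous (l or i), so test both readings.
    variants = {base.replace("1", "l"), base.replace("1", "i")}
    return {"".join(c for c in v if c.isalpha()) for v in variants}


def dictionary_hits(password, dictionary=DICTIONARY):
    """Dictionary words (3+ letters) that survive inside the password once substitutions are undone."""
    hits = set()
    for variant in normalized_variants(password):
        hits.update(w for w in dictionary if len(w) >= 3 and w in variant)
    return hits


def check_password(password, dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_upper and has_lower and has_digit and has_symbol):
        problems.append("needs upper case, lower case, a digit and a symbol")
    hits = dictionary_hits(password, dictionary)
    if hits:
        problems.append("contains dictionary words once substitutions are undone: "
                        + ", ".join(sorted(hits)))
    return problems


class LoginThrottle:
    """Lock an account after LOCKOUT_THRESHOLD consecutive failed attempts."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = {}

    def is_locked(self, user):
        return self.failures.get(user, 0) >= self.threshold

    def attempt(self, user, password_correct):
        """Record one login attempt and return True if the account is (now) locked."""
        if self.is_locked(user):
            return True   # stays locked until an administrator or timed reset clears it
        if password_correct:
            self.failures.pop(user, None)   # a success resets the failure count
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)


if __name__ == "__main__":
    # Constructed sample passwords, including the article's two examples.
    for candidate in ("I10veMyP@ssw0rd!", "MyD0g1sGre@t!", "Summer2024", "gx7#Tq!m2vLp"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Both of the article’s examples pass the length and character-class rules and fail only the dictionary rule, which is the point: a checker that looks at the raw string would wave them through, and so would a user, while a cracking tool undoes the swaps in its first pass. The throttle deliberately keeps an account locked even when the correct password is later supplied, because the attacker who triggered the lockout may be the one trying it.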
A few other policies and practices merit inclusion in your data security plan especially given how naïve most folks are with respect to cyber threats. In particular:
- Do not send sensitive information in the body of an email or in an attachment. Email is a lot like sending a postcard by mail: it passes through many servers between sender and recipient, and anyone with access to them can read the contents unless the message itself is encrypted.
- Do not share sensitive information using cloud-based services unless approved by your data security experts. Consumer file-sharing services may not meet your security or contractual requirements.
- Delete email from senders that you do not recognize. Avoid clicking on links embedded in emails unless you know where they go. Hover over the link before you click and read the URL that appears on your screen (on a phone, press and hold the link): the domain it actually points to should match the one the link text claims, and a familiar name buried inside an unfamiliar domain is a warning sign.
- Do not provide any personal information to unknown callers, email senders, or websites.
- Do not introduce an unscreened thumb drive into your company’s data ecosystem. It could contain malware that might damage data integrity and/or availability.
- Regularly assess the security posture of your computer systems and networks. If you need help with this, contract with a trusted third party to perform the service.
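The “hover before you click” advice and the look-alike websites mentioned earlier can be checked mechanically, and the following script, added here rather than taken from the article, shows how. It pulls every link out of an HTML email body, compares the domain shown in the link text with the domain the link really goes to, flags plain-http links, flags internationalised (punycode) hosts that can hide look-alike characters, and compares each host against a small allow-list of trusted domains to catch one-character substitutions and trusted names used as a subdomain of something else. The allow-list and the sample email are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list of hosts this organisation expects links to point at (an assumption).
TRUSTED_HOSTS = {"example.com", "mail.example.com"}

# Finds a domain name inside visible link text, with or without a scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def edit_distance(a, b):
    """Levenshtein distance; used to spot one-character look-alikes such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_link(href, text, trusted=TRUSTED_HOSTS):
    """Return the warnings for one link; an empty list means nothing looked wrong."""
    warnings = []
    host = host_of(href)
    if urlsplit(href).scheme != "https":
        warnings.append("not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) host; may use look-alike characters")
    m = DOMAIN_RE.search(text)
    shown = m.group(1).lower() if m else None
    if shown and shown != host:
        warnings.append(f"link text shows {shown} but href goes to {host}")
    if host not in trusted:
        for t in trusted:
            if host.startswith(t + "."):
                warnings.append(f"trusted name {t} is only a subdomain of {host}")
            elif edit_distance(host, t) <= 1:
                warnings.append(f"{host} is one character away from trusted {t}")
    return warnings


def audit_email(html, trusted=TRUSTED_HOSTS):
    """Return (href, text, warnings) for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, audit_link(href, text, trusted)) for href, text in collector.links]


# Constructed sample phishing-style email body.
SAMPLE_EMAIL = """
<p>Your account will be suspended. <a href="http://example.com.login-verify.net/reset">Click here</a> to verify.</p>
<p>Or visit <a href="https://examp1e.com/login">https://example.com/login</a></p>
<p>Newsletter: <a href="https://mail.example.com/news">unsubscribe</a></p>
<p>Support: <a href="https://xn--exmple-cua.com/login">example.com</a></p>
"""

if __name__ == "__main__":
    for href, text, warnings in audit_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {warnings or 'ok'}")
```

Three of the four constructed links trip at least one check; only the genuine newsletter link comes back clean. The same logic suits a mail-gateway filter or a quick triage script for a suspicious message a user has forwarded; the allow-list is the part you must maintain, since a look-alike of a brand you never listed will only be caught by the text-versus-href mismatch.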
In sum, information security is vitally important for your organization and all of the people who rely on your security safeguards. While technology plays a role in this fight, it’s the “boots on the ground” humans like us that may have the biggest impact on who wins the battle.