It’s Cyber Security Awareness Month: Share these online security tips with your clients
These days, we’re connected everywhere we go. Your clients and their employees can access company emails from personal cell devices and PCs. And when employees work from home or coordinate with vendors, they share files back and forth. All expose your clients to a cyber breach. Since October is Cyber Security Awareness Month, we’ve prepared a list of online security tips to share with your commercial clients.
We’ve said it before, but it bears repeating: Cyber criminals don’t care how big or small your commercial client’s company is. Hackers only care if your client is vulnerable so that they can get in and steal personal, medical or financial data quickly; then they’re on to the next target. Being a small enterprise doesn’t keep your client off their cyber radar.
“While cyberattacks on big companies can generate vast quantities of valuable data for cybercriminals, these companies are typically well defended,” said a recent PropertyCasualty360 article, adding, “Although small- to medium-sized businesses are less valuable targets for these criminals, their IT systems are also easier to penetrate.”
Indeed, more than half of U.S. businesses experienced a cyberattack in a one-year period, according to a 2017 study by The Hartford, as reported in Business Insurance. The best way to protect your data? Have a sound cybersecurity policy and procedures in place.
The online security tips we’re passing along run the gamut of using strong encryption and separate WiFi for guests, to how to safely dispose of old cell phones. While we can’t guarantee these will successfully block all hacking attempts, these will definitely slow down hackers, hopefully leading them to decide to look elsewhere for easier pickings. Let’s get started.
1. Back up data regularly
This is one of the least expensive cybersecurity precautions that your clients can take. While this may seem like an obvious tip, you’d be surprised by how many people overlook it.
They should back up all documents – HR files, databases, spreadsheets, financial records and accounts payable and receivable files – along with data stored in the cloud as well. Remind your clients to store their backup data in a completely separate physical location.
Related: Insurance cyber attacks, data breaches and your agency, part 1
2. First line of defense: your software
Invest in a firewall with anti-virus tools. Your client’s first line of defense is a robust firewall. The FCC recommends all businesses start here, regardless of any other security measures. The firewall creates a barrier between their data and would-be hackers looking to steal their IPs.
Employees working from home or in the field on mobile devices need a firewall on each device as well. Encourage your insureds to implement firewall software that makes sure their home and business networks align with each other. Employee compliance – and that means everyone – is crucial; otherwise, they may open more holes than they close.
Anti-malware software. Antivirus software isn’t enough, so add another layer of anti-malware software. Just as there are many types of malware, such as phishing, ransomware or a virus, there are different types of anti-malware your client may need to consider. Each attacks differently; the solution that stops one may not stop another.
Phishing is especially important to stop because of the sheer volume of phishing emails that employees continue to click on, said TechDay in a best practices article. Quoting a Verizon study, they said 30 percent of employees still open emails that are phishing for your client’s proprietary information.
Multifactor IDs. Multifactor identification helps to close the holes that may open from genuine mistakes of employees. It’s typically recommended to connect one of the forms of ID to a cell phone (e.g., a numerical code is texted to your smartphone which you must enter on the screen to continue). Thieves are more likely to be thwarted, since they don’t have the PIN number and the password on a phone they don’t own, said TechDay.
Safe Passwords. Again quoting the Verizon study, TechDay’s article states that 63 percent of all data breaches occurred because of passwords that were weak, lost or stolen. Ironically, nearly the same number (65 percent) of companies don’t enforce a formal password policy. We doubt the similarity of these two numbers is a coincidence. One weak password can compromise your client’s entire network. Remind them to require that employees change their passwords at least quarterly.
Implementing password management software allows users to leverage different sets of login and password combinations for different applications. It also allows users to easily and regularly change passwords to comply with regulatory standards. Secure password storage tools such as LastPass or KeyPass will maintain the necessary level of password protection.
Patches. One of the most crucial of our online security tips is to remind clients to verify that all operating systems, software and programs, such as web browsers, are fully patched and up-to-date. Updated software and systems will install patches for vulnerabilities that developers have identified, instantly removing those vulnerabilities.
You can find a checklist of additional ways to secure your technology here, courtesy of StaySafeOnline.org.
3. Second line of defense: your employees
Unfortunately, not all cyber threats come from the outside. The root causes of data breaches are primarily by a negligent employee or contractor, said PropertyCasualty360. Even with the best employee training, a company can decrease the likelihood of a breach via a phishing attempt to about 20 percent, which most of us would consider still too high. That’s why we include employee training as another of our key online security tips.
Educate and train employees on newest threats. None of the strategies work unless employees know how to implement them correctly. Encourage your clients to train all employees on proper use of the network, particularly when a new security policy is added. It’s important that your clients stay a step ahead of would-be hackers. That means they’ll need to update employees as often as they install patches and updated software. Continually.
Encourage clients to provide regular employee training that’s specifically geared towards phishing attacks, ransomware and social engineering campaigns. PropertyCasualty360 recommends quarterly training at a minimum to remind employees of this constant threat.
Related: Mobile ransomware prevention: How to protect yourself
4. Close the back door
Careful cybersecurity begins with mindful physical security. Be careful and thoughtful as to whom you give access to sensitive digital assets. Vet all third-party IT vendors scrupulously. An employee or contractor who copies your proprietary information onto a portable drive and then walks out the door can cause as much damage as a cybercriminal who hacks your network from across the globe. Should an employee or contractor be fired or leave your company, quickly block future access to these assets.
5. Using Wi-Fi in the field
Typically, Wi-Fi hotspots just aren’t safe, because 95 percent of Wi-Fi traffic unencrypted. That nice lady sitting opposite your client’s employee on the train just might be a hacker, ready to penetrate their corporate server, rendering all digital assets vulnerable. Here are a few thoughts that can make Wi-Fi a little safer, but user beware.
- Before logging in, set all websites to “HTTP secure.”
- Access the company’s VPN before logging into a company network.
- Anytime a user name and password are required to gain access to a website, STOP.
- Don’t access bank, credit card or brokerage accounts or subscription services via a Wi-Fi hotspot.
6. Have a plan for being hacked
No matter how vigilant your client is, there’s still a chance they’ll eventually be hacked. It’s usually not a question of “if” but “when.” Remind clients of these three critical best practices: Don’t wait to acknowledge the issue. Immediately work to remediate the issue. Communicate the issue and how you’re working to solve it or have solved it. To best defend against such an event, we also recommend advance preparation:
- Help them prepare a plan to handle potential consequences if a cyber intruder hijacks their network. The ability to fulfill these tasks may be rendered useless: bill paying, accessing account information, collecting payments, withdrawing or adding funds, running payroll and performing many other bookkeeping and financial activities normally conducted online. Help them determine a Plan B to handle these tasks.
- If a cyber hack occurs, document all actions taken. This will be extremely useful if your client is sued following a cyber event.
Cyber Security Awareness Month is sponsored by StaySafeOnline, part of the National Cyber Security Alliance. One of their programs is CyberSecure My BusinessTM that helps small-to-medium-sized entities learn to be more secure online. For additional help, view their list of free online security checkups and tools.
Resources:
Cybersecurity Best Practices All Small Businesses Should Follow
Playing it safe: Cybersecurity for small- to medium-sized businesses