Six Practices that Put Your Business at Risk

Have you put your business at risk by failing to protect it from cyber security threats?

Getting the right procedures in place to deliver a product or service is the logical focus of a new business. But as your business grows, how have you ensured that your policies and procedures are keeping up?

Here are six practices that could be putting your company’s information and reputation at risk – and steps you can take to reduce that risk.


Sloppy password management

If you allow access to networks, software applications or technical hardware using a single shared password – You Are Guilty! The vulnerability is that you cannot track who last accessed the resource or what actions they performed. In the event of an incident, everyone is guilty.

A password management policy lays out the company’s password management practices, requires new-hire and ongoing training, and comes with consequences for violations. Visit the National Institute of Standards and Technology’s (NIST) Computer Security Resource Center for free guidance on implementing this and the other policies outlined below.


Using the company network for personal use

In the “old days” employees got into trouble for using the company phone for personal calls. Today it’s how much time your staff spends on social media, Amazon and personal email – all accessed via your company’s network. These practices put your company’s reputation and information security at risk from computer viruses and ransomware.


Spell out how – or if – personal email can be accessed on company computers during work hours in your Acceptable Use Policy. Who can represent company views on social media? What is the acceptable use of the company fax machine? Your policy should guide employees on the acceptable use of your company’s network, website, email and other company assets.


Headlines:

“Laptop Containing Sensitive Info Stolen From Secret Service Agent – Agency In A Frenzy.” (source: Sydney Robinson, The Ring of Fire Broadcasting, March 17, 2017). If it can happen to the Secret Service…


Mobile computing, whether on a laptop, smartphone or other portable computing device, should come with the same protection as any other device that can access your company network and customer data.


Companies that opt for BYOD – Bring Your Own Device – should require employees to protect any company assets accessed through that device. The same applies to mobile devices issued to remote workers. Encryption, security access codes and passwords are some of the tools you can put in place to secure mobile devices. Your Mobile Computing/BYOD Policy defines what company information your employees can and cannot access from mobile devices and the security measures required to do so.


Exposure of confidential data

Who conducts business without collecting confidential data? No one, that’s who. Most US states (38 to be specific) require that if a consumer’s confidential data is breached, you report it at the state and possibly the federal level.


Meet that obligation with your Incident Response and Breach Notification Plan. The Plan lays out what to do if you suspect unauthorized exposure of confidential data. You define, step-by-step, how to:

  • Investigate the incident,
  • Evaluate what data was involved,
  • Assess the potential for malicious impact,
  • Identify who needs to be informed, how and by when, and
  • Take steps to prevent further or recurring incidents of data breaches.


To learn more about your state’s data breach notification statutes, visit Davis Wright Tremaine LLP’s website for a summary of data breach notification statutes.


“But I didn’t know that was against company policy!”

If humans are the weakest link in data protection, education can strengthen that link.


Educate, educate, educate! Build a security-savvy workforce through routine training on policies and procedures and periodic security reminders.


Consequences

When all else fails – there have to be consequences for repeated risky business behavior.


Most companies include a Corrective Action Plan in their Employee Handbook. But when was the last time you reviewed it with an eye to the new technology in your company? After taking the steps I’ve outlined here, it’s time to update your Employee Handbook with the changes and communicate them to your staff.


In closing…

Protect your company’s reputation and raise your level of cyber security protections by adopting these six policies and procedures.


What recent changes has your company made to increase cyber security protection? Share with us in the Comments section and let’s all raise our level of security.
