October is National Cyber Security Awareness Month, and from ChoicePoint to Bank of America to The Gap and TJ Maxx, it seems that we constantly hear about companies that lost sensitive data or had their websites hacked.

More than 100 million personal data records were compromised in the past two years, resulting in an estimated cost of $16 billion in lost productivity, legal services, public relations, and lost customers. A full 86% of affected customers reported being concerned about the data breaches, and almost 20% eventually terminated their service.

The numbers are staggering. Can you afford to lose 20% of your customers?

Studies show that people are generally less safe than they believe, either overestimating the protection they have or failing to maintain the systems put in place to protect them.

But while we hear a lot in the news about hackers breaking into a website or network, the vast majority of security breaches — more than 90% — come from inside the company, whether it’s disgruntled employees, outsourcer mistakes, misplaced papers, or lost laptops.

With that in mind, here are several steps you can take to protect your company from some of these internal threats.
- Educate. Most users are not out to hurt the company, but through the installation of unapproved software, surfing of questionable sites, and other seemingly innocuous behavior, these well-meaning people compromise the security of the network. Explain to all employees the hazards of unauthorized software, unrequested email attachments, and any kind of peer-to-peer software (such as Kazaa, BearShare, LimeWire, and similar applications). Be sure to point out that it may not be apparent to them when they are doing harm.
- Develop and enforce an Acceptable Use Policy. It is best to decide what activities are allowed on the company network before you have to deal with specific incidents. For example, employees who trade stocks or gamble online, manage personal e-commerce sites, or conduct other unacceptable activities from corporate computers should know the consequences of their actions. Formulate your response to these practices in advance, rather than writing policy after the fact.
- Implement screensavers that require a password. Insider attacks are often spurred by opportunity, and a workstation left logged in to your network and unattended does not help honest people stay honest. Enforce a 5- or 10-minute timeout on idle computers that requires the user to log in again. This keeps prying eyes at bay with one simple setting.
- Have a smart password policy. You probably already use user IDs and passwords. A common problem is that passwords are left blank, never changed, or written on a sticky note under the keyboard. A simple way to address this is to require users to change their passwords at least once per year and to make sure that passwords are not written down.
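As an added example that is not part of the original article, the PowerShell script below audits whether the current Windows user's idle lockout matches the screensaver advice above (on, password-protected, timeout of 10 minutes or less) and sets the policy values if it does not. It assumes a Windows host and uses the documented policy-backed registry values behind the "Enable screen saver", "Password protect the screen saver" and "Screen saver timeout" Group Policy items; on a domain you would push the same settings through a GPO rather than run this per machine.

```powershell
# Added example (not from the article): audit and enforce a password-protected
# idle lockout through the per-user Windows policy registry values.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-IdleLockoutStatus {
    # Reports whether the current user's policy forces a password-protected
    # lock within $MaxIdleSeconds (600 = the 10-minute figure in the article).
    param([int]$MaxIdleSeconds = 600)

    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    # Missing values cast to 0, so an unconfigured machine reports non-compliant.
    $active  = [int]$p.ScreenSaveActive
    $secure  = [int]$p.ScreenSaverIsSecure
    $timeout = [int]$p.ScreenSaveTimeOut

    [pscustomobject]@{
        ScreenSaverEnabled = ($active -eq 1)
        PasswordRequired   = ($secure -eq 1)
        TimeoutSeconds     = $timeout
        Compliant          = ($active -eq 1 -and $secure -eq 1 -and
                              $timeout -gt 0 -and $timeout -le $MaxIdleSeconds)
    }
}

function Set-IdleLockoutPolicy {
    # Enforces: screen saver on, password required, idle timeout in seconds.
    param([int]$IdleSeconds = 600)

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # The policy stores these as REG_SZ strings, so write them as strings.
    Set-ItemProperty -Path $PolicyKey -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $PolicyKey -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty -Path $PolicyKey -Name ScreenSaveTimeOut   -Value "$IdleSeconds"
    # Assumption: the built-in blank saver scrnsave.scr is present. Some saver
    # must be named for the policy to take effect, and the blank one shows nothing.
    Set-ItemProperty -Path $PolicyKey -Name SCRNSAVE.EXE        -Value 'scrnsave.scr'
}

# Usage: report the current state, then remediate if it is missing or too lax.
$status = Get-IdleLockoutStatus -MaxIdleSeconds 600
$status | Format-List
if (-not $status.Compliant) {
    Set-IdleLockoutPolicy -IdleSeconds 600
    Get-IdleLockoutStatus -MaxIdleSeconds 600 | Format-List
}
```

The setting takes effect at the next policy refresh or logon; run the audit function again afterwards to confirm the lock actually engages at the configured timeout.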
Security is a continuous process, with companies always trying to stay one step ahead of the bad guys. Nothing is 100% secure, but with careful planning and maintenance we can reduce the risk of a compromise occurring and minimize the damage if a breach does occur.

For more information on how to protect your business, go to StaySafeOnline.org.
