May was a busy month for hackers: Lowe’s was targeted, eBay’s huge breach was all over the news, and even a “US public utility” was hacked, according to the Department of Homeland Security (though they don’t wish to tell us which one). It doesn’t seem as though June is going to offer much respite: American Express has already announced a major security breach.
Of course, none of that is very encouraging, but let’s not forget that there are steps you can take to improve your online security. One of the most important things you can do is to continuously educate your employees about the risks and the best ways to act.
Some things they should regularly be reminded of:
- Email is clear text: it is not encrypted and can easily be intercepted. Do not communicate sensitive information via email.
- Weak passwords are a real threat. Only long and complex passwords (which mix lower-case and upper-case letters, numbers and special symbols) should even be considered.
- Going onto “sketchy” sites at work is not only a violation of standard employment agreements, it may also compromise the device used or even the company’s network.
- Links are not always what they appear to be. They should always be hovered over so that the destination URL may be checked before they are clicked on.
- Once information is on the Internet, the uploader has no control over it. There is no taking it back, no matter what “delete” options supposedly exist. It can always be available to someone somewhere, so be very careful what you put online.
- Different credentials should be used for different applications. In this way, if one application is compromised, the others need not be.
- In the event that a device or network is compromised, barriers should still be in place to slow a hacker’s progression. Do not store unencrypted personal or critical information on any device.
- There is no such thing as being too careful!
And after you’ve reminded your staff of these basic security rules, what else can you do? Consider all the measures you can put in place to make them comply: requiring strict standards for passwords, blocking links in emails until they’ve been checked, limiting Internet usage, etc. It would also be advisable to have your employees run regular device scans. Certain software can schedule these to run periodically, or you can use free options, such as US ProTech’s US ProScan, which will automatically check for system vulnerabilities and give you the option of performing HIPAA- or PCI-specific scans.
Just keep in mind that repetition is often the key to memorization, so make sure that security rules are emphasized frequently.