Cybersecurity threats are real for businesses across the country, but one state is making an effort to make its citizens more knowledgeable about these dangers. Georgia Attorney General Chris Carr announced the release of Cybersecurity in Georgia to inform business owners and other individuals about potential cyber threats and how they can reduce the likelihood of these attacks.
While the 24-page guide was aimed at businesses in Georgia, its message is relevant for businesses all across the country. Here’s a breakdown of what you can do to protect your business from cyber threats.
The Dangers of Cyber Attacks
Just how common are cyber attacks? According to Cybersecurity in Georgia, “67 percent of small and medium-sized businesses in the United States were the victims of a cyber attack in 2018.” These attacks come in a variety of forms, as any of the following intrusions can result in the loss of valuable data and sensitive information.
- Data breaches
- System hacking
- Email phishing
- Distributed denial-of-service (DDoS) attacks
- Tech support scams
In addition to the attacks above, cyber intrusions can be made possible by internal issues as well. Whether your software is out of date or a user error led to a misconfigured server, there are several ways that intruders can compromise your cybersecurity if you don’t take action against these threats.
What You Can Do to Improve Your Business’ Cybersecurity
A potential breach can come in many forms, but there are steps you can take to limit or prevent their effects. Here are some measures you can take to improve your business’ cybersecurity.
Take inventory of sensitive information
Over time, your business collects a lot of sensitive information. This data can come in several forms – credit card information, Social Security numbers, home addresses, tax documents, etc. – and all of it is at risk of being lost or stolen during an attack.
Before you can protect this information, you’ll need to recognize where it is. The first step toward securing your data involves identifying where any sensitive details are stored. Cybersecurity in Georgia suggests taking stock of the following sources of information.
- Computer systems
- Backup and storage systems
- Employees’ home PCs (if used for work purposes)
- Cell phones and tablets
- Flash drives
- Paper files
- Information shared with third-party vendors
Once you’ve determined all the places you store sensitive information, you’ll want to evaluate how it’s being used and streamline the number of places this information is stored. It’s also good practice to clean out any old software, apps, file folders, and other sources of information if you can. If you find that you have sensitive data on file and don’t need it, it’s best to destroy that data in a secure manner instead of holding onto it.
Improve your safeguards to control access to data
It’s absolutely critical to make sure your passwords are secure. The new cybersecurity guide suggests using passwords with “at least 12 characters that combine upper and lowercase letters, numbers, and symbols.” It’s also good to change these passwords at regular intervals. If you want to add another layer of security, certain logins will allow you to set up multi-factor authentication. This will send you a text, an email, or some other message with another password or code to help ensure that the person logging in is really with your company.
There are also occasions where certain information is accessed via physical devices such as a workplace laptop, flash drives, or paper backup files. In this case, it’s important to lock up any of these items so that they can only be accessed by an approved member of your team both during and after business hours.
Protect your network beyond passwords
In addition to passwords, there are many other ways to protect your overall network. To start, every network should have a firewall, anti-virus software, anti-malware software, and a pop-up blocker. Any other software, systems, or devices you use should be kept up to date with required updates and patches – outdated versions can give attackers a way into your system. You should also consider the following:
- Encrypt any devices that contain sensitive information
- Protect your wireless network by ensuring that your router offers WPA2 or WPA3 encryption to prevent outsiders from reading your information
- Provide remote access to your company’s network through a corporate VPN or some other secure connection
- Invest in email authentication technology to prevent scammers from using your domain name
- Use an online payment provider that complies with the Payment Card Industry Data Security Standard (PCI DSS) if you have an ecommerce site
- Vet any vendors for security concerns if you share any sensitive data with them
Review employee access
Another important consideration you’ll want to make is who has access to your data. In general, some employees shouldn’t be privy to sensitive information. Restrict that access only to people who have a specific business need for it to help limit the number of people who may – knowingly or not – create a security threat.
There may also be occasions where someone may not need complete access. For example, someone may need access to customer emails, but not financial documents. Restrict access where appropriate so that your employees only deal with the data they need. Regardless of access level, you should also provide some degree of cybersecurity training. Cybersecurity in Georgia suggests regular education about the following issues.
- Password safety procedures and tips
- Suspicious emails
- Software downloading procedures
- Proper use of mobile devices and other items
- Handling sensitive data (both electronically and physically)
- Social media policies
- Visitor guidelines
- Reporting suspicious activity
It’s also important to have a plan in place for when you hire new employees and terminate old ones. If a potential new employee will have any access to sensitive data, it’s important to conduct background checks and call references to identify if there are any past concerns or other issues that may make them unsuitable for that responsibility. As for departing personnel, make sure to remove login privileges and change any necessary passwords to prevent them from accessing data in the future.
Plan ahead for potential breaches
As Attorney General Carr said during the release of Cybersecurity in Georgia, “In today’s world, it is not if, but when, an attempt will occur.” At some point, there will likely be some form of cyber attack against your business. The advice listed above can help you limit the chances of a successful attack, but you should still have a plan ready just in case.
A good response plan gives you a guide to follow after a breach. Swift action can help you limit any losses or damages and can help the investigation process. The U.S. Department of Justice’s Cybersecurity Unit provides a cyber incident preparation, response, and reporting guide that offers some best practices following an attack.
- Appoint decision makers for different elements of your organization’s cyber incident response (public communications, law enforcement engagement, etc.)
- List a means of contact for critical personnel for all times of day (and provide next steps if a decision maker is unavailable)
- Create a prioritized list of data, networks, or other information and assets that demand special attention during an incident
- Maintain a list of other parties – commercial data centers, etc. – who host affected data and how to contact them
- Keep a timeline of when and how to restore back-up data
- Define the criteria that will determine if customers, vendors, and other entities need to be notified about an intrusion
- Have a guide on when and how to notify any necessary law enforcement or other government agencies
Consider cyber insurance
A data breach can have a significant financial impact on a company. From the time spent dealing with an incident to the potential for a lawsuit from an affected customer, an intrusion can deal severe damage to the wellbeing of your business.
While general liability insurance policies may cover tangible property, that may not include electronic data and other important digital information. Cyber insurance can help you protect your organization from some of the financial ramifications of a breach. If interested, Cybersecurity in Georgia suggests investing in a cyber insurance policy that covers the following acts.
- Data breaches (such as incidents involving theft of personal information)
- Cyber attacks (such as breaches of your network)
- Cyber attacks on your data held by vendors and other third parties
- Cyber attacks that occur anywhere in the world (not only in the United States)
- Terrorist acts
Protect Your Business from Potential Threats
There are countless hazards associated with running a business, including cyber attacks. The time it takes to protect your business can be substantial, which means less available time in your schedule to try and grow your company. Fortunately, you don’t have to carry the burden of protecting your business alone.
As a Professional Employer Organization, GMS has the experts and means available to help simplify your various administrative needs, including risk management. We can help you identify ways to protect your company while also offering services like payroll administration and other time-consuming tasks.
Ready to prepare your business for the future? Contact GMS today to talk to us about how we can help you protect your business through professional HR management.