The year 2012 brought numerous headlines about data breaches from organizations nationwide. Common threats to business data include intruders hacking into a computer system or network, remotely installed malware, lost or stolen laptops or data storage devices, insider threats, accidents and natural disasters.
“Every desktop computer, laptop, or handheld digital device can be vulnerable to attack,” said the U.S. Chamber of Commerce in its 2012 guide Internet Security Essentials for Business 2.0. The consequences of such an attack can range from simple inconvenience to financial catastrophe. The chamber suggested a number of actions described in the guide to improve the cybersecurity of companies.
“The strength of our free enterprise system is directly tied to the prosperity and security of our interconnected world. By managing their companies’ cybersecurity, owners and managers not only help protect their crucial business and customer information, but also help protect the Internet,” the guide stated.
Set up a secure system
Designate a person or team to handle cybersecurity, the chamber recommended. This person or team would determine which information assets require protection, maintain an inventory of the computer equipment needed to fulfill critical business functions in case of a disaster, and develop a plan for responding to cybersecurity incidents.
This person or team should be aware of regulatory requirements regarding data security, such as the Federal Trade Commission’s guidance for protecting personal information, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, state data breach notification laws, and payment card industry data security standards.
One of the simplest ways to protect your network is to limit the sites that employees can visit and what they can download and install onto a system. To decrease the chance of an employee navigating to a malicious site or downloading a virus-laden program, the chamber recommended employers install a firewall with strong access controls. Once you’ve created a system or network administrator account, you can assign strong passwords and access controls to users and devices on the network, audit your network’s connections regularly, and keep your operating systems and software current by installing updates and patches.
Protect your data
“Cyber risks cannot be eliminated totally, but a business can substantially reduce the negative consequences of a successful cyberattack by minimizing its vulnerabilities and deterring adversaries through basic risk management,” the chamber stated.
One of the things an organization can do is organize its data and assess its risk. The chamber recommended businesses organize the information they keep, know where it is stored, and prioritize it by level of importance. This entails identifying the digital and physical locations of business data -- personnel records, intellectual property, tax forms, customer orders, credit reports, and customer payment records -- that require protection.
Data security can be managed by:
- Establishing an acceptable-use policy for the use of information resources and IT systems. For example, you could prohibit employees from posting confidential or sensitive business information on social networking sites such as Facebook.
- Implementing an employee departure checklist for those who are no longer employed by the organization to ensure that account termination is performed quickly and efficiently on laptops, mobile phones, and other digital devices.
- Assessing the mobility of your workforce. Risks may rise as your workforce becomes more mobile or is increasingly accessing wireless hot spots.
- Using a dedicated computer for the most sensitive transactions -- such as Automated Clearing House (ACH) payments and payroll processes.
- Encrypting sensitive data on all computers and storage devices to help prevent unauthorized access of your data if a computer is lost or stolen.
- Backing up data regularly. This step will also protect your data from natural hazards, ranging from hurricanes to fires.
- Disposing of data and media safely and securely. Assume that at some point sensitive information may have been stored and is still retrievable from all electronic storage media, such as computer and network hard drives, external hard drives, CDs, DVDs, floppy disks, tapes, flash drives, and mobile phones. Be sure to get rid of computer data in a way that follows best practices and is consistent with legal requirements. You may consider overwriting, or wiping, the hard drive so that data are no longer recoverable. If you have data that require more “lethal” methods, seek help from organizations that offer degaussing or physical destruction, the chamber recommended.
Train your work force
Technology alone will not secure your organization and its information assets. Employee education is essential to help protect company information, customer data and employees’ own personal information at work, the chamber said. You can raise Internet security awareness through training sessions, an employee newsletter, internal e-mail, or your company’s Intranet.
Training should stress vigilance for e-mail and Internet scams and methods of recognizing clues to malicious software (malware). Employees should be trained to lock devices, files and online accounts with strong passwords and given tips to keep them secret. Employees should know to treat all public Wi-Fi as a security risk. Do not expect privacy in Internet cafes, hotels, offices or public places when traveling, the chamber cautioned.
Know when you’ve been compromised
“Security professionals and law enforcement officials commonly say that there are only two kinds of businesses: those that have been hacked and know it, and those that have been hacked and don’t know it yet,” the chamber said.
Organizations may believe that they are diligent about changing passwords and patching software to help prevent cybersecurity incidents, but they cannot be sure if they don’t review their computer security logs.
A log is a record of an event occurring due to a human-to-machine or machine-to-machine interaction with an organization’s IT systems and networks, the guide explained.
Facility access systems, HVAC systems, firewalls, servers, and applications create log data. The data are the definitive and searchable record of user transactions, customer behavior, machine behavior, security threats and fraudulent activity.
Cybersecurity experts are recommending that businesses leverage their log data to detect possible cyberattacks by becoming more aware of “normal” versus “abnormal” network traffic and system activity, and to support after-the-fact investigations of security incidents, the chamber said.
“Log management is needed to help protect businesses from cyberattacks and insider threats and to meet specific regulatory requirements. Log data can also be used to understand customer behavior to support marketing efforts and to monitor supply chains. Applying behavioral analysis to log data is another element in the growing fight against cyberthreats,” the chamber advised.
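The “normal” versus “abnormal” comparison the guide describes can be made concrete with a small log review. The following Python script is an added example, not code from the SHRM article or the U.S. Chamber guide; the syslog-like line format, host name, user names, IP addresses, the five-failure baseline and the 07:00–19:00 business-hours window are all constructed assumptions chosen to illustrate the idea. It parses authentication log lines, keeps a running count of failed logins per source, and flags three departures from the baseline: a burst of failures from one source, a success from a source that had just failed repeatedly, and a success outside business hours.

```python
"""Baseline-versus-anomaly check over constructed authentication log lines.

Added example (not from the SHRM article or the U.S. Chamber guide).
The log format, host name, user names, IP addresses, failure threshold and
business-hours window below are constructed assumptions for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real data): one legitimate daytime
# session with a single typo'd password, then a night-time run of failures
# from an outside address followed by a success from that same address.
SAMPLE_LOG = """\
2012-11-05T08:01:12 fileserver sshd: Failed password for bob from 10.1.4.22
2012-11-05T08:01:40 fileserver sshd: Accepted password for bob from 10.1.4.22
2012-11-05T08:15:03 fileserver sshd: Accepted password for alice from 10.1.4.31
2012-11-05T23:12:01 fileserver sshd: Failed password for root from 203.0.113.9
2012-11-05T23:12:02 fileserver sshd: Failed password for admin from 203.0.113.9
2012-11-05T23:12:02 fileserver sshd: Failed password for admin from 203.0.113.9
2012-11-05T23:12:03 fileserver sshd: Failed password for test from 203.0.113.9
2012-11-05T23:12:04 fileserver sshd: Failed password for oracle from 203.0.113.9
2012-11-05T23:12:05 fileserver sshd: Failed password for guest from 203.0.113.9
2012-11-05T23:12:09 fileserver sshd: Accepted password for alice from 203.0.113.9
"""

# Assumed line format: "<timestamp> <host> sshd: <Accepted|Failed> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(event)
    return events


def find_anomalies(events, max_failures=5, business_hours=(7, 19)):
    """Return (kind, source, timestamp) findings for activity outside the baseline.

    Baseline assumptions (constructed): at most `max_failures` failed logins
    per source, and successful logins only between the `business_hours` bounds
    (start inclusive, end exclusive, local hour of day).
    """
    failures = Counter()
    findings = []
    start_hour, end_hour = business_hours
    for event in events:
        src = event["src"]
        if event["result"] == "Failed":
            failures[src] += 1
            # Report the burst once, the first time the threshold is exceeded.
            if failures[src] == max_failures + 1:
                findings.append(("failed-login-burst", src, event["ts"]))
        else:
            # A success right after a run of failures is worth a closer look
            # even if the account and password were ultimately valid.
            if failures[src] >= max_failures:
                findings.append(("success-after-failures", src, event["ts"]))
            if not (start_hour <= event["ts"].hour < end_hour):
                findings.append(("off-hours-login", src, event["ts"]))
    return findings


if __name__ == "__main__":
    for kind, src, ts in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {kind:<24} source={src}")
```

Run against the constructed sample, the legitimate morning sessions produce nothing, while the night-time activity from 203.0.113.9 yields three findings. The thresholds are deliberately simple; in practice the “normal” baseline comes from the organization’s own historical logs, and the same per-source counting generalizes to firewall denies, file-access events or badge-reader records.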
What do you do if you find that your system has been compromised?
At some point, your organization may experience an information security incident, and the incident may jeopardize your cybersecurity. Fast and efficient responses can lead to quick recovery, minimize damage, and help prevent future incidents.
The Center for Internet Security, a not-for-profit organization focused on enhancing the cybersecurity readiness and response of public- and private-sector entities, has published resources on incident response that help organizations recover from an incident in a timely and secure manner and minimize the consequences to the organization.
These recommendations include:
- Taking compromised equipment out of service as soon as practical to prevent further harm.
- Informing management and other users, as appropriate, based on your organization’s cybersecurity policy. Consider notifying your partners with whom you connect. Contact local law enforcement authorities if you suspect a crime has been committed.
- Reassessing your security policy and practices to determine what lessons can be learned from the cybersecurity incident to help you strengthen your cybersecurity practices.
Roy Maurer is an online editor/manager for SHRM. Follow him on Twitter @SHRMRoy.
© 2012 SHRM. All rights reserved.