News

Protect your business from cyberthreats

BY Roy Maurer

The year 2012 brought numerous headlines about data breaches from organizations nationwide. Common threats to business data include intruders hacking into a computer system or network, remotely installed malware, lost or stolen laptops or data storage devices, insider threats, accidents and natural disasters.

“Every desktop computer, laptop, or handheld digital device can be vulnerable to attack,” said the U.S. Chamber of Commerce in its 2012 guide Internet Security Essentials for Business 2.0. The consequences of such an attack can range from simple inconvenience to financial catastrophe. The chamber suggested a number of actions described in the guide to improve the cybersecurity of companies.

“The strength of our free enterprise system is directly tied to the prosperity and security of our interconnected world. By managing their companies’ cybersecurity, owners and managers not only help protect their crucial business and customer information, but also help protect the Internet,” the guide stated.

Set up a secure system

Designate a person or team to handle cybersecurity, the chamber recommended. This person or team would determine which information assets require protection, maintain an inventory of the computer equipment needed to fulfill critical business functions in case of a disaster, and develop a plan for responding to cybersecurity incidents.

This person or team should be aware of regulatory requirements regarding data security, such as the Federal Trade Commission’s guidance for protecting personal information, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, state data breach notification laws, and payment card industry data security standards.

One of the simplest ways to protect your network is to limit the sites that employees can visit and what they can download and install onto a system. To decrease the chance of an employee navigating to a malicious site or downloading a virus-laden program, the chamber recommended employers install a firewall with strong access controls. Once you’ve created a system or network administrator account you can assign strong passwords and access controls to users and devices on the network, audit your network’s connections regularly and keep your operating systems and software current by installing updates and patches.

Protect your data

“Cyber risks cannot be eliminated totally, but a business can substantially reduce the negative consequences of a successful cyberattack by minimizing its vulnerabilities and deterring adversaries through basic risk management,” the chamber stated.

One of the things an organization can do is organize its data and assess its risk. The chamber recommended businesses organize the information they keep, know where it is stored, and prioritize it by level of importance. This entails identifying the digital and physical locations of business data — personnel records, intellectual property, tax forms, customer orders, credit reports, and customer payment records — that require protection.

Data security can be managed by:

  • Establishing an acceptable-use policy for the use of information resources and IT systems. For example, you could prohibit employees from posting confidential or sensitive business information on social networking sites such as Facebook.
  • Implementing an employee departure checklist for those who are no longer employed by the organization to ensure that account termination is performed quickly and efficiently on laptops, mobile phones, and other digital devices.
  • Assessing the mobility of your workforce. Risks may rise as your workforce becomes more mobile or is increasingly accessing wireless hot spots.
  • Using a dedicated computer for the most sensitive transactions — such as Automated Clearing House (ACH) payments and payroll processes.
  • Encrypting sensitive data on all computers and storage devices to help prevent unauthorized access of your data if a computer is lost or stolen.
  • Backing up data regularly. This step will also protect your data from natural hazards, ranging from hurricanes to fires.
  • Disposing of data and media safely and securely. Assume that at some point sensitive information may have been stored and is still retrievable from all electronic storage media, such as computer and network hard drives, external hard drives, CDs, DVDs, floppy disks, tapes, flash drives, and mobile phones. Be sure to get rid of computer data in a way that follows best practices and is consistent with legal requirements. You may consider overwriting, or wiping, the hard drive so that data are no longer recoverable. If you have data that require more “lethal” methods, seek help from organizations that offer degaussing or physical destruction, the chamber recommended.

Train your work force

Technology alone will not secure your organization and its information assets. Employee education is essential to help protect company information, customer data and employees’ own personal information at work, the chamber said. You can raise Internet security awareness through training sessions, an employee newsletter, internal e-mail, or your company’s Intranet.

Training should stress vigilance for e-mail and Internet scams and methods on recognizing clues to malicious software (malware). Employees should be trained to lock devices, files and online accounts with strong passwords and given tips to keep them secret. Employees should know to treat all public Wi-Fi as a security risk. Do not expect privacy in Internet cafes, hotels, offices or public places when traveling, the chamber cautioned.

Know when you’ve been compromised

“Security professionals and law enforcement officials commonly say that there are only two kinds of businesses: those that have been hacked and know it, and those that have been hacked and don’t know it yet,” the chamber said.

Organizations may believe that they are diligent about changing passwords and patching software to help prevent cybersecurity incidents, but they cannot be sure if they don’t review their computer security logs.

A log is a record of an event occurring due to a human-to-machine or machine-to-machine interaction with an organization’s IT systems and networks, the guide explained.

Facility access systems, HVAC systems, firewalls, servers, and applications create log data. The data are the definitive and searchable record of user transactions, customer behavior, machine behavior, security threats and fraudulent activity.

Cybersecurity experts are recommending that businesses leverage their log data to detect possible cyberattacks, basically being more aware of “normal” vs. “abnormal” network traffic and system activity to support after-the-fact investigations of security incidents, the chamber said.

“Log management is needed to help protect businesses from cyberattacks and insider threats and to meet specific regulatory requirements. Log data can also be used to understand customer behavior to support marketing efforts and to monitor supply chains. Applying behavioral analysis to log data is another element in the growing fight against cyberthreats,” the chamber advised.

What do you do if you find that your system has been compromised?

At some point, your organization may experience an information security incident, and the incident may jeopardize your cybersecurity. Fast and efficient responses can lead to quick recovery, minimize damage, and help prevent future incidents.

The Center for Internet Security, a not-for-profit organization focused on enhancing the cybersecurity readiness and response of public- and private-sector entities, has published resources on incident response that help organizations recover from an incident in a timely and secure manner and minimizes consequences to that organization. 

These recommendations include:

  • Taking compromised equipment out of service as soon as practical to prevent further harm.
  • Informing management and other users, as appropriate, based on your organization’s cybersecurity policy. Consider notifying your partners with whom you connect. Contact local law enforcement authorities if you suspect a crime has been committed.
  • Reassessing your security policy and practices to determine what lessons can be learned from the cybersecurity incident to help you strengthen your cybersecurity practices.

Roy Maurer is an online editor/manager for SHRM. Follow him on Twitter @SHRMRoy.

© 2012 SHRM. All rights reserved.

Have HR-related questions and concerns? Get access to essential forms, policies and guides, plus a live call center, at ToolkitHR.com, powered by HCN and the Society for Human Resource Management (SHRM).

keyboard_arrow_downCOMMENTS

Leave a Reply

J.Sundar says:
Jan-23-2013 10:41 am

Good advice on Information
Good advice on Information security.Read a whitepaper on workplace fraud "How manufacturers can spot and mitigate fraudulent activity" it offers good information readers will find it useful @ bit.ly/UavIbD

TRENDING STORIES

POLLS

Would you like to see the re-emergence of an association like the AHMA?
News

Formica Group acquires decorative laminate manufacturer

BY Brae Canlen

Formica Group, part of New Zealand-based Fletcher Group, has acquired the decorative laminate manufacturing division of Well Pack Papers & Containers. The acquisition provides Formica Group with its own manufacturing capacity in India, enabling it to expand its footprint in that country.

Paul Zuckerman, CEO of Fletcher Group’s laminates and panels division, commented: “India represents the world’s largest laminate market, and by establishing an HPL (high pressure laminate) manufacturing base in the region and leveraging our global capabilities, we have the opportunity to bring a new level of product technology and customer service to the Indian market.”

Richard Pollington, president, Formica Group – Europe, added: “Not only are we excited to expand our footprint in India, we are eager to expand our capacity to deliver innovative, sustainable and stylish surfacing options to this emerging market."

keyboard_arrow_downCOMMENTS

Leave a Reply

No comments found

TRENDING STORIES

POLLS

Would you like to see the re-emergence of an association like the AHMA?
News

Stairway manufacturers see climbing membership

BY Ken Clark

The Fall River, Mass.-based Stairway Manufacturers’ Association (SMA) says it expects a record high turnout for its Annual Conference and Business Meeting in New Orleans, April 10-14.

The event will be held at the Hyatt French Quarter Hotel and will mark the SMA’s 25th anniversary. The SMA has seen its membership increase 30% over the past 15 months. 

For more industry events, visit the HCN events page.

keyboard_arrow_downCOMMENTS

Leave a Reply

No comments found

TRENDING STORIES

POLLS

Would you like to see the re-emergence of an association like the AHMA?