by Meagan Bulloch
In light of recent data breaches at major retailers in the US, the public has been reminded just how vulnerable both personal and organizational data are to cyber-attacks. This has left many companies scrambling to make sure the data they are entrusted with does not become the subject of another round of headlines and lawsuits.
While you are never 100% protected from hackers, here are five ways you can reduce your risk of falling victim to a cyber-attack:
- Strong Complex Passwords – It seems this advice has been given year after year and almost seems trite; however, for many, passwords are the first level of defense against a cyber-attack. As such, it is ever more critical that passwords be lengthy, complex and changed often. According to the SANS Institute’s sample password policy, available at https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy, a strong password is at least 15 characters in length. For many, the deterrent to having a complex password or changing it often is the difficulty of remembering it. If this is a concern for you or your organization, consider implementing a password management tool such as RoboForm, Password Depot or LastPass to assist in creating, storing and recalling passwords.
- Alternative Authentication Measures – If you have already tackled your passwords, what else can you do? As an additional layer of protection, many are considering alternative authentication measures such as fingerprint readers and key fobs. Basic fingerprint readers can be purchased for only $35 in today’s market. Using such devices can eliminate the need for a password to log in to a computer. If the objective is to protect extremely sensitive data, then multifactor authentication may be the best option. This involves an employee using both a password and something held in their possession, such as a code generated by a key fob, to log into a computer, application or website. By requiring two forms of authentication you can greatly reduce the access a hacker could gain to your system.
- Develop a formal policy for “BYOD.” “Bring your own device,” as it is often referred to today, has created a new level of vulnerability for organizations. In today’s environment it can be very beneficial for employees to be connected to an organization’s email and other network data through a mobile device. The issue arises when this access is obtained informally by employees and not managed by the organization. Often the organization has no way of knowing which devices are attached to its network and therefore cannot take the necessary security measures to protect sensitive organizational data. To protect your organization it is imperative to develop a formal BYOD policy that addresses security issues before an employee can connect a personal device to your network. If devices have already been connected, you should implement a BYOD policy retroactively. Regardless, each employee should agree to the policy and indicate so through a signature before they can access the organization’s network. The BYOD policy should at a minimum include the following: the fact that the organization owns the data the employees will access; the procedure for erasing the organization’s data from the device in the event the employee leaves the organization; which types of websites and applications can be accessed; security measures the end user must implement as a condition of accessing the organization’s network; and the process for notifying appropriate organizational personnel in the event a device is lost or stolen. See the sample policy template at http://www.itmanagerdaily.com/byod-policy-template/.
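To make the password and key-fob items above concrete, here is an added example (not code from the original article or from any product it names) of the server side of a layered login: a salted password hash, the 15-character minimum from the cited SANS sample policy, and an event-based one-time code computed the way many hardware fobs do (RFC 4226 HOTP). The seed, salt, and user record are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real fob seed is provisioned per device and never shared.
DEMO_SEED = b"12345678901234567890"
MIN_PASSWORD_LENGTH = 15  # per the SANS sample policy cited above


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the scheme behind event-based key fobs.
    Fob and server share the secret and a counter; the server recomputes the code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_meets_policy(password: str) -> bool:
    """Enrollment-time check: length is the property the cited policy stresses;
    the three-of-four character-class rule is an added illustration."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3


def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_second_factor(secret: bytes, stored_counter: int, submitted: str, look_ahead: int = 5):
    """Return the advanced counter if `submitted` matches one of the next `look_ahead`
    codes, else None. Advancing past a used counter stops a captured code being replayed."""
    for step in range(look_ahead):
        if hmac.compare_digest(hotp(secret, stored_counter + step), submitted):
            return stored_counter + step + 1
    return None


def login(password: str, code: str, record: dict):
    """Layered check: the knowledge factor and the possession factor must both pass.
    `record` holds salt, password hash, fob seed and counter (constructed by the caller)."""
    if not hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"]):
        return False, record["counter"]
    new_counter = verify_second_factor(record["seed"], record["counter"], code)
    if new_counter is None:
        return False, record["counter"]
    return True, new_counter
```

The caller must persist the returned counter after a successful login; otherwise the same fob code would be accepted again.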
While each of these tools is important independently, a layered approach is truly the best defense against a cyber-attack for you or your organization.
Meagan Bulloch ([email protected]) is an audit manager at Langdon & Company LLP focused primarily on non-profit clients.