Wednesday, 9 September 2015

Internet Safety Strategies: A Cybercrime Primer for Businesses of All Sizes

Protecting your business from cybercrime is much easier than it sounds. Most businesses are woefully unprepared and many would be out of business within 6 months if their infrastructure were compromised. Here’s how to protect yourself from crooks and keep your data, and reputation, safe.

Defense in Depth

Start with multiple layers of defense in your infrastructure. Design a written plan with your IT team that will protect you and diversify away from the single point-of-failure model. Many businesses, for example, utilize a single company for their hosting, domain, DNS, and email service.

Because they want to save money by bundling services, they sacrifice safety and security.

Don’t do this. Keep everything separate, and search for secure high-speed internet providers that offer enhanced or upgraded business-class service. These providers usually prioritize business traffic over residential traffic and open up the bandwidth to accommodate a business’s needs.

Choose fully managed hosting unless you have a crack team of IT specialists who really “get” infrastructure security. Even then, you take an enormous amount of risk by keeping your operation completely in-house.

Choose a managed host to deploy your content and keep you safe, and spend a lot of time training employees on security protocols.

Of all of the potential leaks in your operation, employees are probably the biggest risk. It’s even more risky if your company follows the popular BYOD trend. Malicious, or intensely curious, applications could end up siphoning data away from your servers and into “the wild.”

By employing strict data controls, you can control what leaves your office and what stays safely behind the firewall.

Employees can be confined to specific user-defined “blocks” of data on your server. Not only does this protect your company, it limits your liability and gives your company a way to control data flow.
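One way to express the “blocks of data” idea in code, as an added example that is not part of the original post: a deny-by-default guard that maps roles to the actions they may perform on each named block, refuses sensitive blocks from unmanaged (BYOD) devices, lets an incident responder quarantine a block, and records every decision for audit. The policy, block names, roles and the managed-device rule are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed example policy (not from the post): for each named data block,
# which roles may perform which actions. Anything not listed is denied.
POLICY = {
    "customer_pii": {"billing": {"read"}, "support": {"read"}},
    "marketing_assets": {"marketing": {"read", "write"}, "support": {"read"}},
    "hr_records": {"hr": {"read", "write"}},
}

# Assumed rule: these blocks may only be touched from a company-managed
# device, which is the BYOD exposure the text warns about.
MANAGED_DEVICE_ONLY = {"customer_pii", "hr_records"}


@dataclass
class User:
    name: str
    roles: set
    managed_device: bool


@dataclass
class DataBlockGuard:
    policy: dict
    managed_only: set
    offline: set = field(default_factory=set)   # blocks pulled during an incident
    audit: list = field(default_factory=list)   # every decision, for later review

    def take_offline(self, block):
        """Quarantine a block: all access is refused until it is restored."""
        self.offline.add(block)

    def restore(self, block):
        self.offline.discard(block)

    def can_access(self, user, block, action):
        """Return True only if an explicit rule permits the action; log either way."""
        allowed, reason = self._decide(user, block, action)
        self.audit.append((user.name, block, action, allowed, reason))
        return allowed

    def _decide(self, user, block, action):
        if block not in self.policy:
            return False, "unknown block"
        if block in self.offline:
            return False, "block offline"
        if block in self.managed_only and not user.managed_device:
            return False, "unmanaged device"
        for role in sorted(user.roles):
            if action in self.policy[block].get(role, set()):
                return True, f"role {role}"
        return False, "no matching role"

    def denials(self):
        """Denied attempts are the entries worth alerting on."""
        return [entry for entry in self.audit if not entry[3]]


if __name__ == "__main__":
    guard = DataBlockGuard(POLICY, MANAGED_DEVICE_ONLY)
    alice = User("alice", {"billing"}, managed_device=True)
    bob = User("bob", {"support"}, managed_device=False)
    print(guard.can_access(alice, "customer_pii", "read"))    # True
    print(guard.can_access(bob, "customer_pii", "read"))      # False: unmanaged device
    guard.take_offline("customer_pii")
    print(guard.can_access(alice, "customer_pii", "read"))    # False: block offline
    for entry in guard.denials():
        print("DENIED", entry)
```

The point of the structure is that there is no “allow” path except a rule that names the role, the block and the action, so adding a new block or a new employee grants nothing until someone writes the rule; the audit list gives you the denied attempts to review, and `take_offline` is the switch you flip first when you suspect a breach.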

Do a Penetration Study

Penetration studies are basically an attempt to hack your own security systems. If you can break into your network, odds are the bad guys can too. By doing a penetration test or study, you are being proactive. This could be considered part of your “defense in depth” strategy too.

The best way to go about doing this is to bring in an outside team of professionals who are experts at network security.

These teams usually consist of “white hat” hackers – professionals who know what the bad guys know, but they use their power for good, not evil.

These teams are trained to break through company defenses using any means necessary, including “soft” tactics like gaining intelligence from the front desk person, tricking staff into revealing passwords, or compromising non-technical safety and security measures to gain access to your network.

Sometimes, companies have excellent technical security, but lack non-technical security protocols, making it easy to compromise the network.

If your company doesn’t have both, you want to know where your security holes are, and fast.

Have a Privacy Policy

A privacy policy protects you and your customers. It provides the legal basis for collecting and sharing information about your clients. It also limits your liability when it comes to data sharing, since you’ve fully disclosed what you do with your customers’ data.

The FCC provides some best practices to keep you safe when dealing with the general public.

Use a Managed Hosting Service

One of the best ways to protect your company is to outsource the hosting to a third party who will manage everything for you. If you keep your operation in-house, one of the biggest risks is that your company may not be technologically equipped to handle an onslaught like a DDoS attack.

For example, if your business uses WordPress, some of the most secure platforms out there are WP Engine and Synthesis. These managed hosting options do all (or most) of the heavy lifting for you. They also encourage you to separate your host from your email and DNS host.

This spreads the risk across several independent points of failure instead of one, which is good, since a downed website usually cripples a business and prevents it from communicating with the outside world.

When everything is kept separate, problems with your website don’t affect your email.

GoDaddy and Amazon Web Services provide the best, by far, in terms of DNS hosting and management.

As for email, many businesses opt for Google Apps. It’s fast and secure, and Google now signs SLAs for businesses that need them, as well as compliance documentation if you’re in the healthcare industry.

Another hosting option you should consider is Firehost. This company offers hosting that is specifically built for HIPAA compliance, without sacrificing speed or reliability.

What to Do If You’re Breached

If you suspect that your company’s network or server has been compromised, it’s time to pull the plug. Take your critical data offline immediately. This includes all customer data and files that may contain personally identifiable information. If necessary, you may have to pull your entire operation offline.

This is why security breaches are so devastating. Many businesses do not separate their customer data or “mission critical” data from non-critical or disposable data.

When a breach occurs, you need to be able to act quickly to contain the damage:

● Scan your server and network for viruses or malicious code.

● Create a backup of non-infected data.

● Prepare to re-install your OS and restore old data from a backup.

● Implement new security protocols to prevent a future breach.
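The first two steps of that checklist can be made concrete with a small triage script. This is an added example, not code from the original post, and it substitutes one specific technique for the general “scan for malicious code” step: compare every file on the server against a SHA-256 manifest taken while the system was known-good, then copy only files that still match the baseline into the backup, so that altered or unknown files never ride along into the restore. The directory layout, file contents and the simulated tampering in `demo()` are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record the SHA-256 of every file under root, keyed by relative path.
    Take this on a known-good system and keep it off the server it describes."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def triage(root, manifest):
    """Classify each file under root against the baseline manifest."""
    report = {"clean": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            if rel not in manifest:
                report["unknown"].append(rel)      # not in baseline: treat as suspect
            elif manifest[rel] != sha256_file(full):
                report["modified"].append(rel)     # content changed since baseline
            else:
                report["clean"].append(rel)
    report["missing"] = list(set(manifest) - seen)  # deleted since baseline
    for key in report:
        report[key].sort()
    return report


def backup_clean(root, report, dest):
    """Copy only files that matched the baseline into dest, preserving layout."""
    copied = []
    for rel in report["clean"]:
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(root, rel), target)
        copied.append(rel)
    return copied


def demo():
    """Constructed scenario: baseline three files, then simulate a compromise
    by altering one file and dropping a stray one, and triage the result."""
    work = tempfile.mkdtemp(prefix="triage-")
    root = os.path.join(work, "server")
    dest = os.path.join(work, "backup")
    os.makedirs(os.path.join(root, "app"))
    files = {
        "app/index.php": b"<?php echo 'hello'; ?>\n",
        "app/config.php": b"<?php $db = 'prod'; ?>\n",
        "customers.csv": b"id,name\n1,Alice\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = build_manifest(root)  # taken while the system was known-good
    # Simulated post-breach state: one file altered, one stray file added.
    with open(os.path.join(root, "app/index.php"), "ab") as f:
        f.write(b"// unexpected change\n")
    with open(os.path.join(root, "app/dropped.txt"), "wb") as f:
        f.write(b"not in baseline\n")
    report = triage(root, manifest)
    copied = backup_clean(root, report, dest)
    backup_files = sorted(os.path.relpath(os.path.join(d, n), dest)
                          for d, _, names in os.walk(dest) for n in names)
    shutil.rmtree(work)
    return {"report": report, "copied": copied, "backup_files": backup_files}


if __name__ == "__main__":
    result = demo()
    for status, paths in result["report"].items():
        print(f"{status:9s} {paths}")
    print("backed up:", result["backup_files"])
```

The baseline manifest only helps if it was taken before the incident and stored somewhere the attacker could not reach, which is exactly why the text insists on separating critical from disposable data and keeping backups off the compromised host; “modified” and “unknown” files are the ones to hand to whoever does the forensic work, not the ones to restore.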

While you can’t always prevent a security threat, you can minimize it.
