WRVBLaw Podcast

[Technology Law] Tips On Practicing Basic Cyber Hygiene by Jonathan Gallo

Episode Summary

In this episode, attorney Jonathan V. Gallo discusses some steps businesses can take to improve their cyber hygiene.

Episode Notes

Over the past few years, some of the largest and well-known companies have been affected by data breaches resulting in millions of dollars in losses.  Smaller businesses are not immune from data breaches, and even a small data breach impacting only a few thousand records can expose a business to significant losses and reputational damage that may have a devastating impact on its ability to function.  Various attack methods can be used against businesses to obtain sensitive data or access funds through fraud.  Some common attack methods are compromised credentials, social engineering attacks such as phishing, vishing, and smishing, business email compromise scams, ransomware, and vulnerabilities in third-party software.  While no business can expect to be 100% safe, here are some basic practices businesses can implement to improve their cyber hygiene.

1. Keep Software Updated

• Keep all software, including applications, web browsers, firmware, and operating systems up to date by installing updates regularly or consider implementing automatic updates
• Discontinue and remove any software that is no longer supported

2. Use Strong Passwords/Passphrases

• Longer is more secure: consider the longest password allowable or consider using a group of words to create a passphrase that is long and memorable
• Consider using a password manager
• Use separate passwords/phrases for separate accounts
• Never reuse passwords and require password changes on a regular basis
• Limit the number of allowable unsuccessful login attempts

3. Use Multi-factor Authentication

• Using strong passwords or passphrases alone are not enough and using multi-factor authentication provides a more secure method of authorizing access such as through a temporary code provided on a smartphone or a token

4. Encrypt Devices

• This includes laptops, tablets, smartphones, removable media that contain sensitive personal information, and data backups

5. Backup Files

• Utilize data backups. Multiple backups that are separate from your internal network such as through the cloud and/or on external drives or other media are more secure if your network is compromised by ransomware

6. Secure Wireless Networks

• Change router default name and password and turn off remote management
• Use at least WPA3 encryption
• Limit remote access to the network using a virtual private network (VPN)
• Do not use open wireless networks
• Utilize up to date firewalls and anti-virus software

7. Be Suspicious of Unexpected Emails, Phone Calls, and Text Messages

• Social engineering attacks can come from a variety of sources
• When in doubt, do not click on suspicious links, attachments, or give out personal information over the phone

8. Limit Who Has Access to Sensitive Data By Implementing Least Privilege Access

• Determine who requires access to sensitive information and limit access to the lowest level necessary and only to those who require access to perform job functions
• Implement physical security protocols to protect sensitive data. These may include monitoring access to facilities, ensuring visitors are escorted and ensuring that employees who are no longer employed by the business no longer have access to facilities and systems.

9. Data Destruction

• As part of a data retention policy, require sensitive data that is no longer needed or required by policy or applicable law to be destroyed in a secure manner

10. Develop an Information Security/Breach Response and Notification Plan

• The worst time to develop an information security/breach response/notification plan is after a breach has already occurred and the plan should include not only the steps to take immediately after a breach is discovered but a process for any required notifications
• Include other policies such as a social media/bring your own device (BYOD) policy to define when and how employees may access these devices, social media, and personal email

11. Business Continuity/Disaster Recovery Plan

• Any information security plan should include continuity of operations and a disaster recovery plan.
• If a breach or other event impacting the availability of information systems occurs, your business must have the ability to be able to have access to the information you need to continue operating.

12. Continuous Review

• Once developed, policies should be reviewed and updated at least annually, or more frequently, to ensure they are up to date and accurately reflect your business’s operating model and technical environment.

13. Training

• Have a regular training program to educate your employees on cyber risk
• Awareness of cyber risks is part of an overall risk mitigation strategy and creates a culture of good cyber hygiene

Be sure to return to our website throughout October for additional information and resources to raise your business’s cybersecurity awareness and to help prepare for and respond to cyber-attacks.

Episode Transcription

Over the past few years, some of the largest and well-known companies have been affected by data breaches resulting in millions of dollars in losses.  Smaller businesses are not immune from data breaches, and even a small data breach impacting only a few thousand records can expose a business to significant losses and reputational damage that may have a devastating impact on its ability to function.  Various attack methods can be used against businesses to obtain sensitive data or access funds through fraud.  Some common attack methods are compromised credentials, social engineering attacks such as phishing, vishing, and smishing, business email compromise scams, ransomware, and vulnerabilities in third-party software.  While no business can expect to be 100% safe, here are some basic practices businesses can implement to improve their cyber hygiene.

1. Keep Software Updated

• Keep all software, including applications, web browsers, firmware, and operating systems up to date by installing updates regularly or consider implementing automatic updates
• Discontinue and remove any software that is no longer supported

2. Use Strong Passwords/Passphrases

• Longer is more secure: consider the longest password allowable or consider using a group of words to create a passphrase that is long and memorable
• Consider using a password manager
• Use separate passwords/phrases for separate accounts
• Never reuse passwords and require password changes on a regular basis
• Limit the number of allowable unsuccessful login attempts

3. Use Multi-factor Authentication

• Using strong passwords or passphrases alone are not enough and using multi-factor authentication provides a more secure method of authorizing access such as through a temporary code provided on a smartphone or a token

4. Encrypt Devices

• This includes laptops, tablets, smartphones, removable media that contain sensitive personal information, and data backups

5. Backup Files

• Utilize data backups. Multiple backups that are separate from your internal network such as through the cloud and/or on external drives or other media are more secure if your network is compromised by ransomware

6. Secure Wireless Networks

• Change router default name and password and turn off remote management
• Use at least WPA3 encryption
• Limit remote access to the network using a virtual private network (VPN)
• Do not use open wireless networks
• Utilize up to date firewalls and anti-virus software

7. Be Suspicious of Unexpected Emails, Phone Calls, and Text Messages

• Social engineering attacks can come from a variety of sources
• When in doubt, do not click on suspicious links, attachments, or give out personal information over the phone

8. Limit Who Has Access to Sensitive Data By Implementing Least Privilege Access

• Determine who requires access to sensitive information and limit access to the lowest level necessary and only to those who require access to perform job functions
• Implement physical security protocols to protect sensitive data. These may include monitoring access to facilities, ensuring visitors are escorted and ensuring that employees who are no longer employed by the business no longer have access to facilities and systems.

9. Data Destruction

• As part of a data retention policy, require sensitive data that is no longer needed or required by policy or applicable law to be destroyed in a secure manner

10. Develop an Information Security/Breach Response and Notification Plan

• The worst time to develop an information security/breach response/notification plan is after a breach has already occurred and the plan should include not only the steps to take immediately after a breach is discovered but a process for any required notifications
• Include other policies such as a social media/bring your own device (BYOD) policy to define when and how employees may access these devices, social media, and personal email

11. Business Continuity/Disaster Recovery Plan

• Any information security plan should include continuity of operations and a disaster recovery plan.
• If a breach or other event impacting the availability of information systems occurs, your business must have the ability to be able to have access to the information you need to continue operating.

12. Continuous Review

• Once developed, policies should be reviewed and updated at least annually, or more frequently, to ensure they are up to date and accurately reflect your business’s operating model and technical environment.

13. Training

• Have a regular training program to educate your employees on cyber risk
• Awareness of cyber risks is part of an overall risk mitigation strategy and creates a culture of good cyber hygiene

Be sure to return to our website throughout October for additional information and resources to raise your business’s cybersecurity awareness and to help prepare for and respond to cyber-attacks. Contact Jonathan for more information.