Cyber Security Essentials
Each October the Department of Homeland Security launches a campaign to raise awareness about the importance of cybersecurity. With news of data breaches increasing in both frequency and scale, we think it’s a great time to look at a few of the essentials that should be in place to keep your residents’ data safe and secure.
Rethink your relationship with data: By now everyone should know that it’s essential to keep data encrypted, both during transactions and within your system. But it’s also important to realize that, in this new environment of cyber threats, any unnecessary data in your system has become a liability rather than an asset. Take the time to map your data to business requirements, and if you encounter data that has no business use, delete it!
Plan and practice: Chances are someone on your IT team has had to create an incident response plan for handling data breaches. Do you know what it is? Having a plan is great, but remember: if it’s not practiced it’s not effective. Make sure you’re running frequent tests and that people know what to do in case of a security break.
Make security part of your employee culture: Remind yourself that the stereotype of the evil-genius hacker is a myth. The attack vector most often exploited by those seeking to steal your data is your people. In fact, 77 percent of computers are infected when someone clicks on an email link or attachment. So take the time to train and test your teams. Some companies even test their employees by simulating a malicious email to identify which employees will be fooled so they can provide additional training.
Review your supply chain: In a SaaS environment, the responsibility to protect customer’s data is shared between you and your vendors. Doing your due-diligence up front to make sure your partners are not exposing you to risk is one step, but it’s important to continue to monitor contracts, reporting requirements, liability, etc. over time. At a minimum, your SaaS vendors should be offering multi-factor authentication, encryption in transit and at rest, custom password policies, IP access control lists, payment tokenization, API public/private key encryption with timestamps, and proof of compliance with security reports (SOC, EI3PA, PCI) and OWASP standards.
Don’t forget devices: As the Internet of Things (IoT) grows, the number of devices that are potential points of access to your data does as well. Especially vulnerable are disposable devices which may still be connected after they are discarded. Make sure you’ve designated enough resources to meet the growing asset management challenges. You need to know what’s connected to your network.
Consider getting backup: A good backup protocol can inoculate you from many ransomware attacks, but you may want to take the concept a little bit further. Cyber insurance companies can help you evaluate your risks and keep you in business in the event of a worst-case scenario. Insurance is no replacement for a security plan, but when appropriate, it can be a valuable component to your risk-management strategy.
At the end of the day, security is everyone’s job. Each organization must evaluate what is at stake and what impacts a security breach could have on the business. Knowing what you have to protect and having an active plan in place can go a long way to avoiding costly security breaches.