Tricia Dunlap, Esq. CIPP/US
We expect cybercrime incidents to increase in the wake of the coronavirus. Thieves usually take advantage of social disruption and fear – cyberthieves will no doubt see COVID-19 as a ripe opportunity. Here are nine best practices in cybersecurity that you can quickly adopt for your small business:
1. Remote Work Employees Must Log In Through a VPN
A VPN, or Virtual Private Network, is a service that encrypts the connection between the employee’s device and your network or your cloud-based software-as-a-service (SaaS) applications such as GSuite, Salesforce, Slack, or Trello. If your company maintains a server, then any remote connection into the server must be through a VPN. Even if you do not maintain your own server and rely on SaaS providers, it is a good idea to require employees to first log in to a VPN and then log in to your SaaS service through the encrypted VPN connection. This article explains why. Many SaaS providers allow you to restrict access by IP address so that employees cannot log in unless they have first logged in to the VPN – this prevents employees from doing an end-run around your VPN.
2. Require use of Multi-Factor Authentication
Multi-factor authentication (MFA) adds a step to the log-in process.
After entering your username and password, you must also enter a randomly generated authentication code that you just received via an alternative email address, a text message to your cell phone, or an authenticator app. If you do not enter the correct authentication code, your log-in fails. MFA is a powerful tool to prevent cyberthieves from gaining access to your VPN or SaaS products. Businesses should enable MFA on all VPN log-ins and SaaS log-ins and, if you maintain your own server, on every employee log-in to that server.
3. Require Random, Elaborate Passwords and Use of a Password Manager
Require your employees to use a password manager such as LastPass, Dashlane, or Keeper. These tools generate unique, random, long passwords so that employees no longer need to re-use a password or a portion of a password. They then store all of the various log-in sites employees use and auto-fill the password. To keep the data in a password manager safe, be sure to (i) enable MFA when logging in or using the password manager; (ii) require a long, elaborate password phrase; and (iii) require frequent changes to the password phrase.
4. Review Cybersecurity Insurance
If your company does not have cybersecurity insurance, now is a good time to plug that gap. However, do not simply ask your agent for a cybersecurity policy, pay the bill, and assume you are covered. These policies are complex, with caveats or carve-outs that may leave you with a false sense of security. Your agent should ask about your operations, for example: Do you own and maintain a server? Do you rely on SaaS products? What is the geographic location of the servers used by your SaaS providers (hint: almost certainly, you do not know)? Do your employees work remotely? And more. If your policy is not aligned with how you actually operate, then you are probably paying for coverage without actually being covered.
It is a good idea to get help from a lawyer to ensure your coverage and your operations align. A review of policy documents is not as expensive as you might expect and will help you ensure your policy coverage is appropriate.
Once covered, make sure you know what the policy requires. For example, if there is a deadline for reporting a security incident, make sure you know what it is and comply. If you have an incident response plan (and you should), then document the policy’s notification deadlines in your plan so that when an incident happens, you have an easy reminder of when and how to notify your carrier.
5. Limit Employee Access
Allow employees access to only the data they need to do their jobs.
No employee should have access to all data. Invest the time to audit what data your company holds and understand who has access to what data. Then limit access accordingly. There are access and identity management applications available should your organization need assistance in this space. Security breaches most commonly arise from employee error or malice. Protect your company from your people.
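The audit described above (find out who can open what, compare it with what each job needs, then cut the excess) is mechanical enough to script once you have exported the grants from your systems. The following is an added example of that comparison and is not code from the original post or from any identity-management product; the roles, employees and data sets are constructed sample data, and the function names are assumptions.

```python
# Constructed example data: what each role needs to do its job.
ROLE_NEEDS = {
    "sales":   {"crm", "price_list"},
    "finance": {"ledger", "payroll", "price_list"},
    "hr":      {"payroll", "personnel_files"},
}

# Constructed example roster: employee -> role.
EMPLOYEES = {
    "alice": "sales",
    "bob":   "finance",
    "carol": "hr",
}

# Constructed example export of what each account can actually open today.
# "dave" is no longer on the roster but still holds a grant.
CURRENT_GRANTS = {
    "alice": {"crm", "price_list", "payroll"},
    "bob":   {"ledger", "payroll", "price_list"},
    "carol": {"payroll", "personnel_files", "ledger", "crm"},
    "dave":  {"crm"},
}


def who_can_access(grants: dict) -> dict:
    """Reverse the export: data set -> set of accounts that can open it."""
    index = {}
    for account, data_sets in grants.items():
        for ds in data_sets:
            index.setdefault(ds, set()).add(account)
    return index


def audit_access(employees: dict, grants: dict, role_needs: dict) -> dict:
    """Return {account: data sets to revoke}. An employee is flagged for every data set
    beyond what their role needs; an account missing from the roster is flagged for
    everything it holds (a departed employee or forgotten test account)."""
    findings = {}
    for person, role in employees.items():
        excess = grants.get(person, set()) - role_needs.get(role, set())
        if excess:
            findings[person] = excess
    for orphan in grants.keys() - employees.keys():
        findings[orphan] = set(grants[orphan])
    return findings


def least_privilege_grants(employees: dict, role_needs: dict) -> dict:
    """The target state after the clean-up: each employee gets exactly their role's data sets."""
    return {person: set(role_needs.get(role, set())) for person, role in employees.items()}


if __name__ == "__main__":
    for data_set, accounts in sorted(who_can_access(CURRENT_GRANTS).items()):
        print(f"{data_set:16s} {sorted(accounts)}")
    for account, revoke in sorted(audit_access(EMPLOYEES, CURRENT_GRANTS, ROLE_NEEDS).items()):
        print(f"revoke from {account}: {sorted(revoke)}")
```

Run this against a fresh export every time someone joins, changes job or leaves; the orphan check is the one most often skipped by hand and the one a departing employee’s lingering account depends on.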
6. Mandate Verbal Authorizations for All Funds Transfers
Adopt a company policy mandating real-time verbal authorizations by phone before initiating any transfer of funds.
Create a company culture that encourages “confirming before clicking.” If your employees and clients feel comfortable reaching out and confirming that, yes, you did send that email with the link, then they are more likely to do so and less likely to fall for a phishing attack.
7. Train and Remind Employees
Continually train and remind employees of the critical importance of good “cyber hygiene.” That’s an awful term but it gets the point across. Employees are your biggest Achilles heel and your first line of defense. Embed cybersecurity caution into the vision for your company’s growth and success. As your company’s leader, treat cybersecurity as if it is of equal importance to meeting sales goals. Stay abreast of cybersecurity developments and innovations so you can talk about it constantly – at team meetings, one-on-one, or in planning for your company’s future.
8. Review or Create an Incident Response Plan
Your company’s incident response plan should be part of an overall business disruption plan. It should identify key people, both internal and external, and set forth action steps to take after an incident. Be sure to include a cybersecurity attorney and an information security professional because these two professionals are essential to ensuring that the actions you take after the incident don’t create additional problems and liabilities.
9. Routinely Back Up Data
This can be as simple as using an external hard drive with a physical connection to your computer or a cloud backup (SaaS) product you subscribe to. Make sure you build backups into your routine or create an automatic schedule for them.
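A backup you have never checked is only a hope, so a scheduled backup should also write down what it copied and let you confirm later that the copy is still intact. The following is an added example of that pattern, not code from the original post or from any backup product: it copies a folder into a timestamped backup directory, records a SHA-256 hash of every file in a manifest, and can later re-check the copy against the manifest. The folder layout, file names and the `rehearse_restore` routine (which builds sample data in a temporary directory, backs it up, then corrupts one copied file to show the check catching it) are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_root: Path, stamp=None) -> Path:
    """Copy `source` into backup_root/backup-<stamp>/data and write manifest.json
    mapping each relative file path to its SHA-256 hash. Returns the backup directory."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest = backup_root / f"backup-{stamp}"
    data = dest / "data"
    shutil.copytree(source, data)
    manifest = {str(p.relative_to(data)): sha256_of(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return dest


def verify_backup(backup_dir: Path) -> list:
    """Return the relative paths that are missing or whose hash no longer matches
    the manifest. An empty list means the backup is intact."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        copy = backup_dir / "data" / rel
        if not copy.is_file() or sha256_of(copy) != digest:
            problems.append(rel)
    return problems


def rehearse_restore() -> tuple:
    """Constructed walk-through: back up sample files, verify, corrupt one copy,
    verify again. Returns (problems before corruption, problems after)."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src = root / "docs"
    (src / "q1").mkdir(parents=True)
    (src / "contract.txt").write_text("signed 2020-03-15")          # constructed sample
    (src / "q1" / "ledger.csv").write_text("date,amount\n2020-03-01,100\n")
    backup_dir = make_backup(src, root / "backups", stamp="rehearsal")
    before = verify_backup(backup_dir)
    (backup_dir / "data" / "contract.txt").write_text("silently corrupted")
    after = verify_backup(backup_dir)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    print(rehearse_restore())  # expected: ([], ['contract.txt'])
```

Schedule `make_backup` (cron, Task Scheduler, or your backup service’s own scheduler) and run `verify_backup` on a recent copy on a regular cadence; a drive that is plugged in all the time is exposed to whatever hits the computer it is attached to, so keep at least one copy that is detached or stored elsewhere.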
Good resources abound and you should use them regularly. See our list of cybersecurity resources, and follow Dunlap Law PLC on Facebook and LinkedIn. Also, make sure to sign up for our e-mail list to see new blog posts as they come out.