Welcome to installment three of our Cybersecurity x Sustainability series. This month, we will focus on protection strategies that can be utilized for hardware and software controls, as well as rapid identification and reporting of threats and incidents.
Protection
For large companies with dedicated IT departments or for companies that specialize in cybersecurity and IT, knowing how to plan, prepare, and respond to cyber attacks may come easily. But what about smaller companies without the inherent knowledge or skills to understand and prevent data breaches?
Numerous online cybersecurity planning templates are available as a starting point for understanding everything from what classes of data you have and how to properly store and protect it, to why employees need training and reminders on IT policies, to where to begin if a breach occurs.
The Federal Communications Commission (FCC) has a comprehensive Cyber Security Planning Guide, aimed at helping small businesses, that is free to download and use for plan development.
Protective measures that can safeguard IT systems and data include:
- Limiting physical access
- Controlling access to data
- Installing and updating software
- Identifying suspicious activity
- Rapidly reporting suspected issues
Limiting Physical Access
Limiting physical access ranges from the large scale of securing physical access to facilities down to the small scale of limiting the physical visibility of data based on the way screens are angled in public. (Yeah, there are people who will peek over your shoulder or even use their phone to snap a photo of your screen.)
Some corporate workplaces require key cards and IDs for building entry. Others are easily accessible by the public or anyone who walks in off the street. And some secure facilities like military bases have barriers and armed personnel screening each person who attempts entry.
Understanding who potentially has facility access is a starting point to identifying the additional protective measures that may need to be implemented to reduce the chance of access by an unauthorized person.
While it goes against what most consider “good manners,” holding the door for others is a big no-no when it comes to secured facilities. This practice, often referred to as “piggybacking,” seems innocuous when you’re holding the door for your work bestie who’s carrying in a heavy slow-cooker of food for a potluck. However, the tendency to hold a door open, especially for an unknown person simply because you’re being polite, can have major ramifications. Instead, offer to get someone from administration or security to meet that person outside to determine their need for entry.
In facilities that can be accessed by persons not authorized to view data, ensure that computer screens face away from areas where they can be easily viewed. Educate employees who may access protected data in public places to use password-protected devices and shield their screens from view by others.
Controlling Access to Data
In addition to implementing physical access controls, companies should determine the different levels of data sensitivity they manage. Only personnel with a demonstrated need to access sensitive data should have the ability to do so. Using software to control access privileges is vital to limiting potential data breaches. 2-factor authentication can further limit potential breaches if someone gets through the first access point.
Installing and Updating Software
Software installation and timely updates refer to both virus scanning software and applications utilized in the business. Be very cautious about virus scanning downloads, as many are malware disguised as helpful virus protection. Do not click on pop-ups or other links that state your computer has been infected. Instead, go to the virus protection installed on your device or take the device to a reputable company that can help determine if your system has been compromised.
Other software application updates should be done as soon as available. Many times, these updates provide fixes to known cybersecurity risks. If you don’t have an IT team that manages updates, ensure staff are trained and reminded to perform updates as needed.
Identifying Suspicious Activity
From an unknown person walking through an office space to an email with a blurry logo, being able to identify situations and information that appear suspicious is vital to cybersecurity. Periodic employee training and clear communication about known issues can shift company culture to one that leans toward increased observation and surveillance.
While no one wants to be cast as the paranoid Chicken Little who is constantly screaming “the sky is falling,” there are ways to draw attention to things that seem “off” without too much fanfare. Having a user-friendly reporting system in place for personnel to submit concerns or questions is an easy way for employees to raise a flag and possibly prevent a catastrophic breach.
Rapidly Reporting Suspected Issues
Key to preventing cybersecurity breaches is the old adage:
If you see something, SAY SOMETHING.
Rapid reporting allows for a quick response to potential attacks and makes it possible to stop certain hacking attempts before they gain access. Be sure that your employees are well-versed in your cybersecurity policies, that they know where and how to report suspected issues quickly, and that they understand that the company culture is to err on the side of raising the flag so potential issues can be investigated and managed.