Loving Your Data Security Systems
(Because IT falls under 7.1 of ISO 9001.)
Every week there is another news story of a company getting hacked or locked up by ransomware. Even small and midsize manufacturing firms are targets of organized criminal groups that run hacking as a business, and data can be stolen without anyone noticing. Since attackers will only get smarter, cover every leg of the CIA triad of security: Confidentiality (keep data from anyone who should not see it: strong passwords, 2-factor authentication, encrypted drives); Integrity and Availability (keep data from being altered, destroyed or held hostage, and be able to get it back: backups); and a fourth leg this article adds, Awareness (staff training and alertness). In the standard triad the A stands for Availability; Awareness is added here because people are where most breaches start.
Confidentiality of Data:
Passwords – Each should be unique to one account, at least 10 characters and ideally 20 (every added character multiplies the number of guesses an attacker must make, so length is the strongest lever you have). Don’t use any word found in ANY dictionary (including Klingon!). Mix upper and lower case, numbers and symbols. Change a password promptly whenever there is a sign it may be exposed (a breach notice, a phishing click, a departing employee who knew it). If your policy requires scheduled rotation, every three to six months is typical, but note that current NIST guidance (SP 800-63B) no longer recommends forced periodic changes without evidence of compromise, because people respond with weak, predictable variations. Use a password manager to generate and track them; it is the only practical way to keep dozens of unique passwords.
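The two claims above, that longer passwords are exponentially stronger and that dictionary words must be avoided, are easy to check in code. The following is an added example, not code from the original article: it generates passwords the way a password manager does (from the operating system's cryptographic random source, never the ordinary random module), computes the entropy for 10 versus 20 characters, and screens candidates against a wordlist. The guessing rate of 1e11 per second and the five-word wordlist are assumptions constructed for the illustration; use a real breached-password list in practice.

```python
import math
import secrets
import string

# Character classes a password manager draws from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini wordlist for the example; a real deployment uses a full
# dictionary plus a breached-password list (e.g. from Have I Been Pwned).
WORDLIST = {"password", "summer", "welcome", "company", "klingon"}


def generate_password(length: int = 20) -> str:
    """Generate a password from the OS cryptographic RNG (secrets, never random).

    Each character is chosen uniformly; the candidate is rejected until all four
    character classes are present, so a policy checker cannot refuse it.
    """
    if length < 10:
        raise ValueError("minimum length is 10 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def contains_wordlist_term(pw: str, wordlist=WORDLIST, min_len: int = 4) -> bool:
    """True if the password embeds any wordlist term (case-insensitive)."""
    low = pw.lower()
    return any(w in low for w in wordlist if len(w) >= min_len)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length) bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float = 1e11,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Expected years for an offline attacker to try half the keyspace.

    1e11 guesses/second is an assumed figure for a GPU rig against a fast,
    unsalted hash; scale it to your own threat model.
    """
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for n in (10, 20):
        print(f"{n} chars: {entropy_bits(n):.1f} bits, "
              f"~{years_to_exhaust(n):.3g} years at 1e11 guesses/s")
    print("example:", generate_password(20))
    print("Summer2024! rejected:", contains_wordlist_term("Summer2024!"))
```

Doubling the length from 10 to 20 doubles the bits (about 65.5 to 131), but the number of guesses grows by a factor of 94 to the tenth power, which is what "exponentially stronger" means in practice: roughly a decade of cracking becomes longer than the age of the universe at the same guessing rate.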
2-Factor Authentication (2FA) – Like Chip+PIN on your debit card, it combines something you know (the password) with something you have (your phone or a hardware security key), so a stolen password alone is not enough to get in. Authenticator apps generate the second factor for you; prefer them, or a hardware key, over SMS codes, which can be intercepted or redirected by SIM swapping.
Use a VPN or your phone’s hotspot when working away from the office; never do company work over open public Wi-Fi.
Integrity of Data:
BACKUPS! – Far cheaper than paying a ransom, and the only reliable way out of ransomware, which will lock up your computers, encrypt your data, or steal it and threaten to publish it (often all three). Use the double triad of three copies (Local, Cloud, Offline) on three schedules (Daily, Weekly, Monthly), and test a restore regularly; a backup you have never restored from is an assumption, not a backup:
Local: a Network-Attached Storage (NAS) box or your company server, for fast day-to-day restores.
Cloud: a paid online backup service (Carbonite is one example). Free tiers usually lack the version history, retention and recovery features you will need after an attack.
Offline: a drive that is connected to the network only while the backup runs and unplugged afterwards, so ransomware that reaches your network cannot reach it. Include your cloud data in this copy: email and everything held in your cloud services.
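The Daily/Weekly/Monthly schedule above is usually implemented as grandfather-father-son retention: keep every recent daily snapshot, one snapshot per week for the last few weeks, one per month for the last year, and prune the rest so the drives do not fill up. The following is an added example, not code from the original article or from any backup product: it selects which snapshots to keep from a list of dates, produces a reviewable prune plan, and raises a staleness alert when the newest snapshot is older than the daily schedule allows, which is how a backup job that quietly stopped weeks ago gets noticed before a restore is needed. The 182 daily snapshot dates and the "today" value are constructed sample data; the default tiers of 7 daily, 4 weekly and 12 monthly are assumptions to adjust to your own policy.

```python
from datetime import date, timedelta

# Constructed sample: one snapshot per day from 2024-01-01 to 2024-06-30 (182 days),
# evaluated as of 2024-07-01. Replace with the dates read from your backup store.
TODAY = date(2024, 7, 1)
SAMPLE_SNAPSHOTS = [date(2024, 1, 1) + timedelta(days=i) for i in range(182)]


def _newest_per_bucket(dates_newest_first, bucket, limit):
    """Keep the newest snapshot in each of the `limit` most recent buckets."""
    seen = {}
    for d in dates_newest_first:
        key = bucket(d)
        if key not in seen:
            if len(seen) == limit:
                break
            seen[key] = d
    return set(seen.values())


def select_backups_to_keep(snapshot_dates, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son retention.

    Keeps the newest `daily` snapshots, the newest snapshot in each of the last
    `weekly` ISO weeks, and the newest in each of the last `monthly` calendar
    months. Apply the same policy to the local, cloud and offline copies.
    """
    dates = sorted(set(snapshot_dates), reverse=True)
    keep = set(dates[:daily])
    keep |= _newest_per_bucket(dates, lambda d: tuple(d.isocalendar()[:2]), weekly)
    keep |= _newest_per_bucket(dates, lambda d: (d.year, d.month), monthly)
    return keep


def prune_plan(snapshot_dates, **tiers):
    """Return (keep, delete) so the prune step can be reviewed before it runs."""
    keep = select_backups_to_keep(snapshot_dates, **tiers)
    delete = sorted(set(snapshot_dates) - keep)
    return sorted(keep), delete


def backup_is_stale(snapshot_dates, today, max_age_days=1):
    """True if the newest snapshot is older than the daily schedule allows."""
    return (today - max(snapshot_dates)).days > max_age_days


if __name__ == "__main__":
    keep, delete = prune_plan(SAMPLE_SNAPSHOTS)
    print(f"keep {len(keep)} snapshots, prune {len(delete)}")
    print("kept:", ", ".join(d.isoformat() for d in keep))
    print("backup stale as of", TODAY, "->", backup_is_stale(SAMPLE_SNAPSHOTS, TODAY))
```

On the sample data the plan keeps 15 of 182 snapshots: the last seven days of June, the Sunday of each of the three preceding ISO weeks, and the month-end snapshot for January through May. Wire `backup_is_stale` to a daily alert; the prune itself should only ever run from a reviewed plan, and never on the offline copy while it is connected to a machine that could be infected.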
Encrypt every drive that holds sensitive information with BitLocker (built into Windows 10 and 11 Pro) or FileVault (macOS). Strictly this is a confidentiality control, but it belongs on the same checklist: if a laptop is stolen or lost, the data on it is unreadable without the passcode or recovery key. Keep the recovery keys somewhere safe and separate from the device, or a forgotten passcode turns the brick on you.
Awareness via staff training and alertness:
Train and Retrain – Your biggest risk is people clicking links. Ransomware only needs a foothold on ONE device; from there it spreads to every device and shared drive it can reach, sometimes within minutes. Well-crafted lures look like an email from the boss asking an employee to finish a project ASAP by clicking a link or opening an attachment, and the urgency is the tell. So train, test with simulated phishing, retrain, and update the training as the lures change.
Get a cyber assessment, or a penetration test from a well-regarded professional firm. The report will help you prioritize fixes for the gaps they find; fix the highest-risk items first rather than the easiest.
Use monitoring software (endpoint detection and response tools, some of which use AI to spot unusual behaviour), or make sure your IT provider does, to watch your systems, including the file audit logs that show mass deletions, renames and other data changes, which are the earliest visible sign of ransomware at work.
Final thought: talk to your local Small Business Development Center (SBDC). Many offer employee training and consultants who will walk you through protecting your organizational knowledge.
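What "monitoring deletion logs for data changes" looks like in practice is a rule that watches for one account deleting or renaming an unusual number of files in a short time, and for many files acquiring the same new extension. The following is an added example, not code from the original article or from any monitoring product: it runs both checks over a small file-server audit log. The log lines, the space-separated format (timestamp, account, action, path, with renames written old->new) and the threshold of 10 destructive events per 60 seconds are all constructed for the illustration; the burst from the svc_backup account is the pattern to notice.

```python
import posixpath
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a file-server audit log (not real data), in time order.
# One event per line: <ISO timestamp> <account> <action> <path>; RENAME is old->new.
SAMPLE_LOG = """\
2024-05-03T09:14:02 jsmith DELETE /shared/Q1/draft.docx
2024-05-03T09:20:11 jsmith RENAME /shared/Q1/report.xlsx->/shared/Q1/report_v2.xlsx
2024-05-03T11:02:40 mlee DELETE /shared/tmp/scan1.pdf
2024-05-03T13:45:00 svc_backup RENAME /shared/HR/payroll.xlsx->/shared/HR/payroll.xlsx.locked
2024-05-03T13:45:01 svc_backup RENAME /shared/HR/benefits.docx->/shared/HR/benefits.docx.locked
2024-05-03T13:45:02 svc_backup RENAME /shared/HR/handbook.pdf->/shared/HR/handbook.pdf.locked
2024-05-03T13:45:03 svc_backup RENAME /shared/HR/offers.docx->/shared/HR/offers.docx.locked
2024-05-03T13:45:04 svc_backup RENAME /shared/HR/reviews.xlsx->/shared/HR/reviews.xlsx.locked
2024-05-03T13:45:05 svc_backup RENAME /shared/HR/orgchart.pptx->/shared/HR/orgchart.pptx.locked
2024-05-03T13:45:06 svc_backup RENAME /shared/HR/policies.docx->/shared/HR/policies.docx.locked
2024-05-03T13:45:07 svc_backup RENAME /shared/HR/timesheets.xlsx->/shared/HR/timesheets.xlsx.locked
2024-05-03T13:45:08 svc_backup RENAME /shared/HR/contracts.pdf->/shared/HR/contracts.pdf.locked
2024-05-03T13:45:09 svc_backup RENAME /shared/HR/onboarding.docx->/shared/HR/onboarding.docx.locked
2024-05-03T13:45:10 svc_backup DELETE /shared/HR/old_payroll.xlsx
2024-05-03T14:10:33 mlee RENAME /shared/tmp/notes.txt->/shared/tmp/notes_final.txt
"""

DESTRUCTIVE = {"DELETE", "RENAME"}


def parse_events(log_text):
    """Yield (timestamp, account, action, path) for each non-blank line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), user, action, path


def find_bursts(log_text, threshold=10, window_seconds=60):
    """Flag accounts with >= threshold deletes/renames inside one sliding window.

    Per account, timestamps older than the window fall off the left of a deque;
    the first time the window holds `threshold` events, record (window_start, count).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, action, _ in parse_events(log_text):
        if action not in DESTRUCTIVE:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = (q[0], len(q))
    return alerts


def new_extensions(log_text):
    """Count the extension each RENAME produced.

    Many files ending up with one new extension (.locked, .crypt, ...) is the
    classic ransomware signature; legitimate renames are varied.
    """
    counts = Counter()
    for _, _, action, path in parse_events(log_text):
        if action != "RENAME":
            continue
        _, new_path = path.split("->", 1)
        counts[posixpath.splitext(new_path)[1]] += 1
    return counts


if __name__ == "__main__":
    for user, (start, n) in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {user} made {n} destructive changes starting {start}")
    print("extensions produced by renames:", dict(new_extensions(SAMPLE_LOG)))
```

The rule fires on svc_backup at the tenth rename and reports the window start, which is where an incident responder begins the timeline. A service account renaming HR files to .locked is exactly the kind of event that should page someone, and the response is to isolate that host and cut its network share access before the next minute of renames, not to wait for a ticket.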