[BreachExchange] 5 Best Practices to be Prepared for Cyber Attacks
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Aug 4 14:28:49 EDT 2017
http://peopledevelopmentmagazine.com/2017/08/04/5-best-practices-
prepared-cyber-attacks/
The latest hacking of HBO was much worse than what happened to Sony because
hackers are getting more sophisticated, according to a report on CBS
today. It is confirmed that over 1.5 terabytes of data was lifted in this
attack, and through multiple “doors”. Included in this online heist was an
upcoming script of Game of Thrones, unaired episodes from other popular
shows, and most concerning of all, thousands of internal documents; the
hackers have since shared personal information about a senior HBO
executive. While sophisticated hackers look at the big companies with big
prizes such as HBO and Sony where their expert hacking will be recognized
by their dark web peers, this should ring alarm bells for all companies.
Some simple tips might mitigate the damage.
Sensitive conversations should happen in person:
Too often we avoid difficult conversations and shoot off emails instead.
Whether about how someone handled a client, or an approval or a promotion
or raise, or to put someone on a performance program. Make an effort to
have these conversations in person. When you speak to someone live and take
the time to share feedback, it resonates in the manner in which it was
intended, and emails often are taken the wrong way.
Memorializing financial approvals can be done in HRIS systems or in your
financial reporting system. Reviews and notes can even be housed in HRIS.
The burden of security is in on the software provider and you can ask
pointed questions about how they handle security and backup their data to
ensure you are protected. Generally speaking, going with a large cloud
provider is your best bet. Use a consultant to help select the right
system, and to ultimately implement the system. Always ask for references
before implementing any system as well. But keep sensitive information off
email, which is the easiest to hack. You will also feel better about having
had the conversation live.
Change passwords often:
Work with your IT department to prompt passwords to email and access to
company drives changes every thirty days. I know it’s hard to keep changing
password, I am the first to admit it, but the reality is this is the first
line of defence. Your IT department wants to work with you, always include
them in the process. Don’t use versions of your name or date of birth, and
include special characters if you can. And never leave sticky notes on your
desk with the password on it!
Create an Emergency Action Plan, and keep it updated:
We usually only think of an Emergency Action Plan in terms of a
weather-related event, or a geo-political event, but if you get hacked,
that is an emergency too. Update the protocols and make sure you have a
plan in case your company is hacked to close all the entries into your
systems and get notifications out to all your employees to change their
passwords. You will need a communication plan to your clients as well in
case their data was breached. You need to anticipate and protect as much as
you can, working with IT and a cloud provider to ensure your servers and
data is protected, and in the event of a breach, how to handle. There are
consultants who specialize in this area. Creating a plan now will save you
time, money and give you, your employees and your clients peace of mind
later.
Have an IT Policy, and keep it updated:
Hackers have simple and sophisticated ways of invading your network.
Sometimes it’s with a virus, for example, the Ray Ban virus on Facebook, or
the DropBox phishing scam which came from an email from someone you may
have known. When in doubt, always check with your IT department before
opening anything you are concerned about. Your first line of defence is
having a proper IT policy, and having each employee acknowledge it. Adding
mandatory training can close some of the holes the hackers use most often.
Store only what you need:
Store only what you need, and password protect it. Your customers and
employee’s security depends on it. Sensitive health information should be
stored in HRIS whenever possible, 1-9’s need to be maintained for three
years after hire, one year after termination, payroll records three years
from termination date, benefit information should be kept for one year
after termination date. This can all be stored in HRIS. Contract and
billing information can be stored in your financial reporting system, and
if not, can be stored, password protected, in your drives. Sensitive client
information should not remain on email and should be scrubbed from your
inbox.
With awareness and preparedness, your company can be prepared to avoid
being hacked. You can share with your customers and employees the measures
you have taken to make them feel secure. The right consultant can help you
design policies, create training and choose systems that are right for your
company.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170804/76fbd785/attachment.html>
More information about the BreachExchange
mailing list