eReader Security Template

eReader Security Template released with version 12

eReader Security Template now addresses SIEM with both best practices and KPI metrics, in addition to identity protection

eReader Security Template has just been released by Janco with its latest update of the security manual. This is a major update: the template now also includes KPI metrics and best practices for Security Information and Event Management (SIEM), as well as a chapter on Identity Protection.

This security template was first released in 1999 and has been updated 3 to 4 times each year. Currently the template is over 250 pages and includes chapters on the following topics:

  • Security policies – scope and objectives
  • Minimum and Mandated Security Standard Requirements
  • Vulnerability Analysis and Threat Assessment
  • Risk Analysis – IT Applications and Functions
  • Physical Security
  • Facility Design, Construction and Operational Considerations
  • Media and Documentation
  • Physical and Virtual File Server Security Policy
  • Network Security
  • Sensitive Information Policy
  • Internet and Information Technology Contingency Planning
  • Insurance Requirements
  • Security Information and Event Management (SIEM)
  • Identity Protection
  • Ransomware – HIPAA Guidance
  • Outsourced Services
  • Waiver Procedures
  • Incident Reporting Procedure
  • Access Control Guidelines
  • Electronic Communication
  • Mobile Access and Use Policy


Top 10 tips to improve social networking security

Top 10 tips and best practices to improve social networking security

Top 10 tips to improve social networking security – These best practices will improve social networking security and protect the enterprise’s social networking reputation.

  1. Educate employees – Educating employees in best practices can help improve the overall security of the business. Awareness through seminars, workshops, and other programs helps explain how attackers use social media to target a brand via individual employees.
  2. Have employees use different passwords for different systems – Encourage users to have multiple unique passwords. This can be supported by implementing a cloud-based password management system.
  3. Mandate strong passwords – Make it a requirement to have unique, strong passwords.
  4. Have employees change passwords regularly – Once every three or four months, communicate with employees to tell them it is time to change their passwords.
  5. Do not share accounts – For social accounts that represent the enterprise, have only one user per account, and the linked e-mail account should be one in the enterprise domain that will remain with the enterprise in case the employee leaves or is terminated.
  6. Implement two-factor authentication – Many of the larger social networks provide two-factor authentication, commonly in the form of a code sent to the user’s smartphone or email each time a new device or browser attempts to log in to the account.
  7. Educate employees to NOT open email attachments or follow links where the originator is not known – Stress the practice of carefully reviewing URL links before clicking to make sure the company and site name are spelled correctly. Cybercriminals will often blast out links that are very similar to a real address, adding, subtracting or rewording parts to differentiate them.
  8. Utilize antivirus and security software – No matter how careful a user is, there’s always the risk of accidentally engaging with a malicious link, and just one unfortunate click can lead to months of recovery time.
  9. Don’t friend people you do not know – Companies should encourage employees to thoroughly vet a friend request before hitting “accept”. They should check to see if other colleagues are also connected to the account. If the account seems suspicious or you don’t know the individual, ignore or report the user, and refrain from clicking on any links they may have sent.
  10. Validate and verify – Just because it is on the Internet does not make it true.


Walmart denies hack occurred

14,600 emails addresses and passwords posted – Walmart denies hack occurred


Walmart denies a hack occurred after email addresses and passwords were posted. Over 14,600 email addresses and plain-text passwords associated with Sam’s Club’s online store were dumped on Pastebin, a text sharing site. Walmart denied that a hack occurred.

The title of the password dump said that the accounts listed belonged to the retail giant. The retailer has over 650 locations across the US and tens of millions of members.

A Walmart spokesperson said: “… looked into this issue and there is no indication of a breach of our systems. It is most likely a result of one of the past breaches of other companies’ systems. Because customers often use the same usernames and passwords on various sites, bad actors will typically test the credentials they obtain across many popular sites. Unfortunately, this is an industry-wide issue.”


That is no way to inspire confidence in the security of an enterprise’s website.

To survive an incident such as a business interruption, security breach, or a product recall, organizations need more than a successful communication strategy – they need an incident communication plan.

The overall objectives of an incident communications plan should be established at the outset. The objectives should be agreed upon, well understood, and publicized. For example, will the primary objective of the communications plan be communications only to employees, and only during a disaster? Or is the intent to advise customers of interruptions to service? Or is it for investors and stockholders? Or regulatory agencies? Or is it some combination of these?

New York Security Compliance

New York Security Compliance Mandates added

New York Security Compliance – The State of New York announced a series of new rules strengthening cybersecurity requirements for financial firms. This is the latest in a series of announcements aimed at protecting clients, consumers and financial entities from the “ever-growing threat of cyber-attacks.”

The Governor of New York said, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from … state-sponsored organizations, global terrorist networks, and other criminal enterprises.” Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world.

The current draft calls for the “encryption of all nonpublic information held or transmitted”, but because the rules tie it tightly to access control, acceptable use policy, and data retention, simple encryption won’t be enough to comply with the New York mandates.

To comply with the New York Security Compliance mandates, CFOs, CIOs, CSOs, and their firms should:

  • Implement more dynamic ways to protect data. Enterprises will need to deploy more dynamic forms of data protection that extend beyond their current systems. When the requirement for encryption and data-loss protection spans not just records and managed systems but anywhere data can travel, traditional means of encryption and monitoring do not scale. Organizations will need to enforce granular limitations on access privileges, implement new audit systems to document data governance, and be able to remotely apply data disposition and destruction rules.
  • Tie access control and privilege management to identity. In a complex technology ecosystem, it’s no longer feasible to define access and privilege at the system, device, or perimeter. Identity is the one attribute that crosses on-premises, cloud, and un-managed services, and provides a consistent way to set, audit, and control access to confidential information. Ultimately, encryption, access controls, and data-in-use protections must persist independent of the kinds of data protected, where it’s stored, or how it’s shared.
  • Prioritize solutions to balance simplicity and security. Too often, risk and security teams have simply added new solutions to their portfolio in response to regulations and enforcement. Unfortunately, this has often created a complex, hard-to-navigate forest of tools, hurdles, and collaboration dead-ends for employees. The downside of that is it creates incentives for otherwise well-intentioned people to avoid following policy, increasing the risk of a material breach.
  • Make audit a primary concern. In the past, the requirement for an audit trail on data access was seen as an add-on. In the worst case, it was an afterthought, something built last as a reaction to risk and compliance needs. But, by thinking differently about this rich trove of data, you can improve your visibility into data use and your ability to identify dangerous behavior in advance. In many cases, you will be able to proactively stop data loss before it happens. With a strategy that protects data directly, by deploying identity-driven access controls and dynamic permissions, you can use the data from each user interaction to build a better picture of where data is traveling, and to whom.
  • Take a more dynamic approach to data protection. Adhere to mandates and be ready to tell any auditor about your enterprise’s ability to protect the confidentiality, integrity, and availability of its information.


10 step security

10 step security for third party access to enterprise systems

10 step security for third-party access to enterprise systems is a must with the increased use of internet processing in day-to-day business operations.

Security and compliance are key to maintaining control of sensitive and confidential information. All of Janco’s product offerings are geared towards providing tools that help C-level executives and top IT professionals maintain the privacy of their users and enterprise data.


  1. Create an asset inventory and tracking system to reduce the risk of network-connected assets being out of compliance with policy.
  2. Understand the cloud-based environment, where all users are considered remote, and apply controls similar to those historically used to provide access to third parties.
  3. Change how the organization manages and controls these various user types by incorporating concepts such as zero trust, network abstraction, extended identity validation and full-session recording, to reduce the overall risk and isolate any potential impact caused by third-party or remote user actions.
  4. Define a plan which meets the requirements for external contractors, employees, and B2B entities.
  5. Coordinate the third-party access plan with the affected business units and develop a solid communications plan.
  6. Create rules for access using the level of controls commensurate with each party’s risk profile, including isolation/segmentation, encryption, and federation integrations.
  7. Establish access points and rules for data availability to third parties.
  8. Invest in ways to authenticate third-party users beyond a simple username and password.
  9. Define metrics which address compliance variances and risks, and build an end-to-end security and risk view for the entire enterprise.
  10. Create a reporting system which tracks access, access violations, downloads and total usage. This should be real-time, with assigned individuals monitoring and reporting any deviations.


Top 10 Security Predictions


Top 10 Security Predictions – Many organizations fail to realize the benefits of security information management because of the often exhaustive financial and human resource costs of implementing and maintaining the software. However, Janco’s Security Manual Template – the industry standard – provides the infrastructure tools to manage security, make smarter security decisions and respond faster to security incidents and compliance requests within days of implementation.

Top 10 Security Predictions from Janco Associates are:

  1. Over the next several years almost all vulnerabilities exploited by hackers will continue to be ones known to security and IT professionals for at least one year.
  2. Robotics will take over many security operations. China will lead the way with 30-40K students training in universities with this technology. US will lag for several years.
  3. Shadow IT will be responsible for over one third of attacks experienced by enterprises.
  4. The need to prevent data breaches from public clouds will drive many organizations to develop data security governance programs.
  5. Over the long term enterprises engaged in application development will secure applications by adopting application security self-testing, self-diagnosing and self-protection technologies.
  6. Future cloud-based providers will include network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms in their offerings.
  7. Identity as a service (IDaaS) implementations will be the focus of several new companies.
  8. Use of passwords and tokens will drop 55%, due to the introduction of biometrics.
  9. A majority of IoT device manufacturers will not be able to address threats from weak authentication practices.
  10. More than 25% of identified enterprise attacks will involve IoT.


Top 10 Technology Travel Tips – International


Top 10 Technology Travel Tips – When people travel, especially internationally, not only is technology at risk but also sensitive personal and work information. Below are 10 tips taken from Janco’s Travel, Electronic, and Off-Site Meeting Policy.

  1. If it’s not necessary, don’t travel with a computer or tablet.
  2. Whenever possible, arrange to use loaner laptops and handheld devices while traveling.
  3. If you are bringing a laptop with you, make sure you have the proper plug adapter.
  4. Install a host-based firewall, and configure it to deny all inbound connections.
  5. Disable file and printer sharing, and Bluetooth. Apply full disk encryption, picking a long, complex password.
  6. Update all software immediately before travel.
  7. Always clear out the browser cache before you leave.
  8. Back up your computer.
  9. If you are bringing private data that is not on a computer, copy the data onto an encrypted USB memory device.
  10. Change the passwords for your accounts (email, Gmail, Facebook, etc.).
    1. Utilize complex passwords – Assume the workstation or medium will be lost or stolen.
    2. Memorize the password, or keep it in a secure location on your person.
    3. Password protect the login, and require the password after the screen saver activates.
    4. NEVER set browser to remember passwords.


10 Security Assessment Questions


Security Assessment Questions

  1. To stop a breach tomorrow, what does the enterprise need to do differently today?
  2. Does the enterprise know if the company has been breached? How does it know?
  3. What assets are being protected, what are they being protected from (i.e., theft, destruction, compromise), and who are they being protected from (i.e., cybercriminals or insiders)?
  4. What risks does the enterprise face if it is breached (i.e., financial loss, reputation, regulatory fines, loss of competitive advantage)?
  5. Does the enterprise’s IT security implementation match the enterprise’s business-centric security policies?
  6. Are formal written policies, technical controls or both in place? Are they being followed?
  7. What is the enterprise’s security strategy for IoT?
  8. What is the enterprise’s security strategy for BYOD and “anywhere, anytime, any device” mobility?
  9. Does the enterprise have an incident response plan in place?
  10. What is the enterprise’s remediation process? Can the enterprise recover lost data and prevent a similar attack from happening again?

Security Compliance – Comprehensive, Detailed and Customizable for Your Business

The Security Compliance Policy and Audit Program bundle provides all the essential sections of a complete security manual and walks you through the creation of each step. Detailed language addressing more than a dozen security topics is included in a 220-plus-page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements. The template includes sections on critical topics like:

  • Risk analysis – Threat and Vulnerability Assessment via Electronic Forms
  • Staff member roles
  • Physical security
  • Electronic Communication (email / SmartPhones)
  • Blogs and Personal Web Sites
  • Facility design, construction and operations
  • Media and documentation
  • Data and software security
  • Network security
  • Internet and IT contingency planning
  • Insurance
  • Outsourced services
  • Waiver procedures
  • Incident reporting procedures
  • Access control guidelines
  • PCI DSS Audit Program as a separate document


10 Tips to protect your personal information


10 Tips to protect your personal information – According to the Identity Theft Resource Center, it takes 600 hours to restore your identity after a theft has taken place. The FTC’s new online resource aims to streamline the process of reporting identity theft to the FTC, IRS, credit bureaus, and to state and local officials.

ID theft happens when criminals use your personal information to file for a tax refund with the IRS, or to process a credit application to purchase an item or withdraw funds from the victim’s account(s). Victims usually learn of the crime after having their tax returns rejected because their impostors beat them to it, after checks bounce, or when the victim receives dunning notices.

  1. Monitor credit reports – By law, you are entitled to a free copy of your credit report from the major bureaus: Equifax, Experian, Trans Union, and Innovis.
  2. Never provide personal information over public Wi-Fi or a network that’s not password protected.
  3. Password protections – the longer the better. Try disguising familiar phrases using a cipher.
  4. Don’t use the same password on all accounts and change them up frequently. The more variation, the better.
  5. Never store passwords on your computer. If you need to do it digitally, use an external hard drive or USB and disconnect it from the computer when you are finished.
  6. Watch out for phishing emails – Throw up an immediate red flag if you receive any email asking to confirm passwords, bank account numbers, or Social Security Numbers. This includes any type of electronic communication, such as text messages and social media channels.
  7. If you do receive a suspicious-sounding email, contact your service provider directly to verify its authenticity. If your bank is requesting updated information, log onto your online banking account and update it there (instead of clicking on the link in the email). If your account does not show need for an update, you’ll know the email was a scam.
  8. Take physical precautions – Do not carry your Social Security card with you or write it down on checks. Only give out your SSN if it is an absolute necessity. When filling in forms for organizations, hospitals, clinics, and other companies, leave the area asking for your SSN blank.
  9. Shred bills, credit offers, and expired credit cards to prevent dumpster divers from getting your personal info.
  10. Layer your cyber-security – Layer defenses with a firewall, antivirus, and anti-malware that includes anti-spyware.


Disaster Recovery Business Continuity with Security


Every company, regardless of size, needs a concise approach to disaster recovery and business continuity with security in case of an emergency.


Data is the lifeblood of every company, and often it is a competitive advantage and the only thing that differentiates one enterprise from another. Who has the most loyal customers, the best service, and the most innovative strategies all boils down to information residing on the enterprise’s Information Technology and application systems. For this reason disaster recovery and business continuity are a definite need. In addition, there are security requirements that need to be met. With mandated requirements like Sarbanes-Oxley, HIPAA, PCI-DSS, and ITIL, executive management is depending on you to have the right security policies and procedures in place.

Google has addressed this and describes it in a video that it has placed on YouTube.

10 step security implementation process:

  • Make security an executive directive
  • Implement clear security guidelines
  • Provide specifics for security compliance
  • Enforce that everyone follows the rules
  • Provide formal training program
  • Communicate Security
  • Monitor security compliance
  • Establish security compliance metrics
  • Provide security compliance feedback
  • Audit security with a third party

Cyber attack stages


Stages of a cyber attack’s life cycle need to be understood so that CIOs can create an effective defense strategy. Malicious cyber attacks continue to threaten sensitive data, whether personal data or company-sensitive data, and one fact remains: attackers will continue to exploit weaknesses to infiltrate systems and extract data that they can turn into money. The life cycle of attacks is as follows.

Identify and define potential attack vectors

The first step attackers usually take is to identify members of staff within the organization and the best attack vectors to utilize. This is done by scanning the organization’s public facing websites and gathering as much information about the sites as possible, while simultaneously performing scans against the internal networks.

Initial attack

Using several identified attack vectors, hackers attempt to gain access to an organization’s network. Using different IP addresses and a significant number of computers, the hackers will kick off an automated dictionary attack and after only a few short days malware is installed on the victim’s computer.
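The distributed password guessing described in this stage leaves a recognisable trace in authentication logs: many failures against one account from many source addresses, sometimes followed by a success from one of those addresses. The following Python is an added example, not part of the original article; the sshd-style log format, the sample lines and the alert thresholds are all constructed assumptions.

```python
"""Spot a distributed dictionary attack in authentication log lines.

Added example: the log format is an assumed sshd-like layout and the
sample lines below are constructed, not taken from a real system.
"""
import re
from collections import defaultdict

# Constructed sample lines; the RFC 5737 test addresses are used as "sources".
SAMPLE_LOG = """\
2024-03-01T02:00:01Z Failed password for jsmith from 198.51.100.10
2024-03-01T02:00:02Z Failed password for jsmith from 198.51.100.11
2024-03-01T02:00:03Z Failed password for jsmith from 203.0.113.5
2024-03-01T02:00:04Z Failed password for alice from 192.0.2.20
2024-03-01T02:00:05Z Failed password for jsmith from 203.0.113.6
2024-03-01T02:00:06Z Accepted password for alice from 192.0.2.20
2024-03-01T02:00:07Z Failed password for jsmith from 198.51.100.12
2024-03-01T02:00:08Z Failed password for bob from 192.0.2.30
2024-03-01T02:00:09Z Failed password for bob from 192.0.2.30
2024-03-01T02:00:10Z Failed password for bob from 192.0.2.30
2024-03-01T02:00:11Z Failed password for bob from 192.0.2.30
2024-03-01T02:00:12Z Failed password for bob from 192.0.2.30
2024-03-01T02:00:13Z Failed password for jsmith from 198.51.100.13
2024-03-01T02:00:14Z Accepted password for jsmith from 198.51.100.13
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(lines):
    """Yield (result, user, ip) for each line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def analyse_logins(lines, min_failures=5, min_ips=3):
    """Return findings for accounts with at least min_failures failed logins.

    An account is classed "distributed" when the failures came from at least
    min_ips distinct sources (the many-computers pattern described above),
    otherwise "single-source". A success from a source that had previously
    failed against the same account is recorded as a probable compromise,
    which is the event that most needs an immediate response.
    """
    failures = defaultdict(list)   # user -> list of source IPs that failed
    compromised = set()
    for result, user, ip in parse_events(lines):
        if result == "Failed":
            failures[user].append(ip)
        elif ip in failures.get(user, []):
            compromised.add(user)

    findings = {}
    for user, ips in failures.items():
        if len(ips) < min_failures:
            continue                 # a few typos are not an attack
        distinct = sorted(set(ips))
        findings[user] = {
            "failures": len(ips),
            "source_ips": distinct,
            "pattern": "distributed" if len(distinct) >= min_ips else "single-source",
            "probable_compromise": user in compromised,
        }
    return findings


if __name__ == "__main__":
    for user, info in analyse_logins(SAMPLE_LOG.splitlines()).items():
        print(user, info)
```

Thresholds this low suit a demonstration; in production they would be tuned per account population and window, and the same logic applied to VPN, web-portal and mail-gateway logs where the page's "initial attack" stage would also show up.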

Command and control

With the malware in place, the attackers can now begin an in-depth recon against the internal network. The attackers will attempt to escalate privileges on the victim’s account, and create new user accounts with administrative and privileged access.

Discover and spread

With access to the network, the hackers begin to spread across the organization’s entire network. A significant presence within the network allows them to wait while making detailed asset maps, noting employee patterns and gathering any other information that can assist their long-term goal: data theft.

Extract and exfiltrate

Attackers siphon data out of their target company’s environment. They do this by moving the targeted data to a remote server. After several weeks or possibly even months of siphoning data, the attackers can end their campaign. However, before exiting, they will make several network modifications to enable them to return at any time in the future.

Discovery and clean up

When the organization finally discovers the compromise, which typically takes more than 200 days, the work of stopping the attack begins.

Top 10 Best Practices Ransomware


Best Practices Ransomware – Ransomware is a class of malware that holds a computer or data “hostage” until the user pays a particular amount or abides by specific instructions. The ransomware restricts access to the data and the system. Some cases of ransomware also repeatedly show messages that tell users they must pay the “ransom” or perform a particular action. There are some ransomware variants that encrypt files found on the system’s hard drive. Users must pay the ransom in order to decrypt the data that was altered by the ransomware.

Cybercriminals behind this threat made use of online payment methods as a way for users to pay the ransom.

  1. Have remote backups of your data that are not “mapped” to your computers and network.
  2. Show hidden file extensions. One way that Cryptolocker frequently arrives is in a file named with the extension “.PDF.EXE”, counting on Windows’ default behavior of hiding known file extensions. To mitigate this, re-enable the display of full file extensions so that suspicious files are easier to spot.
  3. Have your email server filter out all files that are executables. If there is a need to exchange executable files within your environment while you are denying emails with “.EXE” files, you can do so with password-protected ZIP files or via cloud services.
  4. Disable files running from the AppData/LocalAppData folders. One of the ways ransomware works is to place an executable within those Windows folders and then launch the program. By blocking execution from those folders you eliminate a major weakness in your operating environment.
  5. Disable Remote Desktop Protocol (RDP), which allows others to access your desktop remotely. If you do not require the use of RDP, disabling it protects your environment.
  6. Keep your software current by applying patches and updates in a timely manner. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. Making a practice of updating your software often significantly decreases the potential for ransomware pain.
  7. Utilize a security suite that has a large user base and is updated frequently.
  8. If you run WiFi in your environment, make sure that all of the routers in the network are secure, utilize strong passwords and have their passwords changed at least quarterly. If you do have a ransomware attack, turn your WiFi off immediately.
  9. Provide in-depth training to all users who have access to your environment on what they can and cannot do such as accept files that are suspicious or from unknown users.
  10. Stay current with all breaches and ransomware attacks that are reported and adjust your operating environment to address exposures that others have faced.
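Tip 2 above describes a check that can also be scripted: compare the name Explorer shows when known extensions are hidden with the file’s real extension, and flag names where the two disagree in a dangerous way. The following Python is an added example, not from the original article or Janco; the extension sets are an assumed representative subset and the attachment names are constructed.

```python
"""Flag file names that rely on Windows hiding the real extension.

Added example. The Explorer option "Hide extensions for known file types"
(value HideFileExt under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\
Explorer\\Advanced) strips only the final extension from the displayed
name, so "Invoice.PDF.EXE" is shown as "Invoice.PDF".
"""
from pathlib import PurePath

# Assumption: a representative subset of extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".wsf", ".ps1", ".msi"}
# Extensions a recipient reads as a harmless document, image or archive.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".jpg", ".jpeg", ".png", ".gif", ".txt", ".rtf", ".zip"}


def displayed_name(filename: str, hide_known_ext: bool = True) -> str:
    """Return the name as Explorer would show it.

    With hiding on (the Windows default) the final suffix is dropped; with
    hiding off the full name is shown, which is what tip 2 recommends.
    """
    p = PurePath(filename)
    if hide_known_ext and p.suffix:
        return p.stem
    return filename


def is_deceptive(filename: str) -> bool:
    """True when the real extension is executable but the displayed name
    ends in a document-style extension: the double-extension trick."""
    real_ext = PurePath(filename).suffix.lower()
    shown_ext = PurePath(displayed_name(filename)).suffix.lower()
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS


def scan_names(names):
    """Return (real name, displayed name) pairs for every deceptive name,
    so a reviewer sees exactly what the user would have seen."""
    return [(n, displayed_name(n)) for n in names if is_deceptive(n)]


# Constructed sample attachment names, as a mail gateway might list them.
SAMPLE_ATTACHMENTS = [
    "Invoice_2024.PDF.EXE",   # the pattern tip 2 describes
    "holiday_photo.jpg.js",   # script disguised as an image
    "Q3_report.docx",         # genuine document
    "archive.tar.gz",         # two dots, but the real extension is not executable
    "setup.exe",              # executable, shown honestly as "setup"
    "README",                 # no extension at all
]

if __name__ == "__main__":
    for real, shown in scan_names(SAMPLE_ATTACHMENTS):
        print(f"user sees {shown!r:28} actual file {real!r}")
```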


Why You Need a Security Consultant — and What to Look For


Security Consultant – For years now, security experts have warned small businesses: You are a target for cybercriminals. While the news media focuses on the major security breaches affecting millions of individuals, what’s often overlooked is that smaller businesses are not only victims of hacking more often, but that they are also often a key piece of the puzzle when investigating larger breaches.

In short, the simple fact is that small businesses are at risk for cyber-attacks, and even if you think you are too small to be of any interest to hackers, you might want to think again.

The problem for many small and micro businesses is that they simply do not have the resources to fully protect their business and their data. While it would be great to hire a full-time, dedicated cybersecurity professional (or even an IT person, in many cases), most smaller companies don’t have the money in the budget to do so.

As a result, they piecemeal security solutions together: They secure their Wi-Fi, use antivirus software, set up firewalls, etc. These are all important steps, but while they may be enough for the average home network, they represent only the beginning of the protection necessary for business.

Since most entrepreneurs aren’t well versed in the latest cyber-protection methods, and don’t necessarily have the time to learn, there is a growing number of security consultants who specialize in small businesses and in designing security protocols to protect their valuable data. For a fraction of the cost of hiring a full-time employee, businesses can implement the security measures they need to keep their data safe, remain in compliance with industry security regulations, and stay ahead of emerging threats.

What Will a Security Consultant Do?

If you cannot bring a dedicated security professional onto your staff, a security consultant is the next best thing. However, it’s important to understand a few key considerations before you sign a contract.

First, it’s very important that you hire an independent consultant. Many security companies, particularly security software vendors, will offer consulting services for “free.” However, these consultants are typically employees of that software company, and the recommended solutions for your security issues are likely to be limited to the products and services offered by that company.

That’s not to say the advice isn’t relevant and valid, but you want to make sure that you are receiving unbiased evaluations and recommendations, so that all of your bases are covered and you aren’t purchasing products and services that you don’t necessarily need.

It’s also important to understand what a consultant will do for you. In most cases, the consultant will conduct a thorough risk assessment and evaluate your current security set-up to identify potential problems, and identify solutions to minimize risk. From here, consultants will either do the work themselves (or through their team) or recommend qualified vendors to implement security solutions for you.

Most security consultants work on a project basis. Some offer ongoing service and support, but most will leave the ongoing implementation up to you. These are points that you will work out in the contract, but understand that usually, your consultant is there to assist with a specific project and not to fill the role of a staff IT security professional.

What to Look for in a Consultant

Finding the right consultant involves more than just choosing someone who works independently of a specific company. Ask a few important questions, including:

What is your background? Choose a consultant with an advanced educational background, ideally with a degree in information security and experience within your industry. Some consultants have even earned the Chartered Security Professional (CYSP) designation, indicating a high level of knowledge and experience within the realm of cybersecurity.

Do you have experience within our industry? Different industries have different needs in terms of security. If you are bound by regulations such as HIPAA or PCI, does the consultant have the knowledge and experience required to incorporate those regulations into your security plan?

Who will perform the necessary work? If you are working with a consultant who will implement your security upgrades, be sure to determine who will be actually doing the work. In some cases, the experienced principal of the firm conducts the analysis and makes recommendations, and then sends less-experienced individuals to conduct the work. Know who you will be working with and their qualifications from the start.

Of course, cost is always a factor, but as with anything, the least expensive option is not always the best option. Keep in mind that you will be trusting this person (or team) with your most valuable and sensitive data, and select a consultant who has both the technical and the project management skills necessary to ensure your business is fully protected.


Size Doesn’t Matter: Every Business Needs Security

Of the hundreds of data breaches that occurred in 2015, most people can only name those that targeted major corporations: BlueCross BlueShield, Experian, Ashley Madison, etc. However, just because these massive thefts were the only ones to make the news doesn’t mean smaller businesses are safe from cyberattacks; in fact, oftentimes they are even more vulnerable to digital disasters.

A majority of small businesses are woefully under-protected against cyber-threats, but erroneous feelings of invincibility are preventing businesses from correcting their cybersecurity mistakes. Learning why security is important for every business ― no matter how small ― will help companies stay alive in this dangerous digital climate.

The Temptation of Small Businesses

A common belief among new entrepreneurs is: “My business isn’t as profitable as larger companies, so hackers wouldn’t gain much by targeting me.” However, small businesses actually tend to be most criminals’ bread and butter.

In reality, the size of a business isn’t what attracts a hacker ― it is the type of data the business collects. Cybercriminals make money from mining and selling personal data, such as health information, financial information, or contact information. Digital thieves build automated viruses and malware capable of locating and stealing this data, so hackers make few conscious decisions regarding the size of business they target. Usually, larger enterprises have the resources to protect their digital cache while smaller companies make more digital mistakes, such as:

  • Lacking a dedicated IT specialist on staff
  • Lacking employee training for digital security
  • Failing to update security programs
  • Failing to secure endpoints, especially mobile devices

No matter how little revenue a startup makes in a year, its data is usually low-hanging fruit for cybercriminals to pluck and enjoy, causing untold ruin for the business and its customers.

The Essential Defenses

Fortunately, digital security isn’t difficult to enact quickly. In fact, many experts have compiled lists of basic defenses every business should have to be effectively secure. Essentially, a business can avoid harmful attacks with antivirus software, anti-spam software, and anti-phishing software, which are usually bundled together in a neat security suite. Thousands of security software providers exist, but businesses would do well to trust industry leaders, like Trend Micro.

However, before any business begins downloading programs and hiring system administrators, it is crucial to have strong security policies in place. Software is only as powerful as the people using it, which means employees must be trusted to uphold security measures, like using strong passwords and keeping those passwords secret. The security policies should explain punitive measures for those employees who skirt the rules, as they put the entire enterprise at risk.

Additional Technologies for Added Protection

In addition to basic protection, businesses can adopt a number of supplementary technologies to keep their data safe. Many of these target specific security risks incurred by alternative business practices.

For example, businesses whose employees access the network remotely might be interested in using a virtual private network (VPN), which encrypts all traffic between the remote user and the company network. Usually, VPNs require a username and password, but some businesses take security a step further with a token that generates one-time passcodes, like the RSA SecurID.

Additionally, businesses could enable full-disk encryption on all of their devices. This process translates all data stored on the machine into incomprehensible characters which can only be read with the proper password. Once again, users can use a security token, or businesses might prefer to use biometrics such as fingerprint scans or voice recognition, which are still in the early stages of adoption.

Common Security Mistakes

Some small business owners might believe they are protected ― after all, some pay big bucks for fancy security systems which are installed on every company-owned device. However, even small businesses with a satisfactory security budget are susceptible to cybercrime, all because of human error. Before any business believes itself secure, it should ensure it isn’t engaging in these major security mistakes:

  • Relying on the cloud. It is acceptable to store some data in the cloud, but businesses must have complete faith in their cloud provider’s security first.
  • Ignoring smart devices. Nearly every piece of tech in the modern office can connect to Wi-Fi, which means hackers potentially have several unprotected entry points. Businesses must research everything, from office phones to printers, to be secure.
  • Forgetting to dispose of data. When tech gets old, many businesses sell, donate, or throw it away without doing a proper memory sweep. Criminals can find everything from passwords to actual information on unwanted devices.


Top 10 Worst Passwords

Users have continued to use the same worst passwords to access secure systems for several years.

Top 10 worst passwords – Passwords are the first line of defense in securing systems, yet users continue to circumvent that basic security by using the same easily hacked passwords.

Below is a list of the historic top 10 worst passwords that Janco has found users continue to use. As can be seen, the same ones appear year after year.

Rank   2016        2015         2014        2013        2012
#1     123456      123456       123456      password    password
#2     password    password     password    123456      123456
#3     12345678    12345        12345678    12345678    12345678
#4     qwerty      12345678     qwerty      abc123      qwerty
#5     12345       qwerty       abc123      qwerty      abc123
#6     123456789   1234567890   123456789   monkey      monkey
#7     football    1234         111111      letmein     1234567
#8     1234        baseball     1234567     dragon      letmein
#9     1234567     dragon       iloveyou    111111      trustno1
#10    baseball    football     adobe123    baseball    dragon

To counter this, here are five easy rules that can be implemented in your password routines. They will minimize the risk that your users choose these easily hacked weak passwords.

  1. Include the passwords listed above in your list of unacceptable passwords.
  2. Move towards biometric authentication or two-step (multi-factor) authentication for access to systems.
  3. Do not allow users to reuse a previous password when a password reset is done.
  4. Do not allow the same password to be used by multiple users in the organization.
  5. Once an employee leaves, see that his/her password is revoked and that all of the passwords in that “area” are changed in a timely manner.
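One way to enforce rules 1, 3, 4 and 5 above in a password-change routine, as an added example that is not Janco's own code: the blocklist is taken from the table above, passwords are stored only as salted PBKDF2 hashes, and because salted hashes cannot be compared directly, the cross-user check (rule 4) verifies the candidate against each other user's stored hash at change time. The iteration count, the history depth and the user names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
# Blocklist built from the historic table above (2012-2016), lower-cased so "Password" is rejected too.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "1234567890", "dragon",
    "abc123", "111111", "iloveyou", "adobe123", "monkey", "letmein", "trustno1",
}

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 -> (salt, digest); 50k iterations is a constructed demo value."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def matches(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class PasswordPolicy:
    """Rules 1, 3, 4 and 5 from the list above, enforced over per-user salted hashes."""
    def __init__(self, history_depth=5):
        self.history_depth = history_depth
        self.current = {}   # user -> (salt, digest) of the password in use
        self.history = {}   # user -> retired (salt, digest) pairs, newest last

    def check(self, user, candidate):
        """Return the violated rule, or None if the candidate is acceptable."""
        if candidate.lower() in WORST_PASSWORDS:
            return "rule 1: password is on the blocklist"
        own = self.history.get(user, []) + ([self.current[user]] if user in self.current else [])
        if any(matches(candidate, s, d) for s, d in own):
            return "rule 3: previous password reused"
        # Rule 4: salted hashes cannot be compared directly, so the candidate is
        # verified against every other user's stored hash at change time.
        if any(o != user and matches(candidate, s, d) for o, (s, d) in self.current.items()):
            return "rule 4: password already in use by another user"
        return None

    def set_password(self, user, candidate):
        violation = self.check(user, candidate)
        if violation is None:
            if user in self.current:  # retire the old hash into the history window
                self.history[user] = (self.history.get(user, []) + [self.current[user]])[-self.history_depth:]
            self.current[user] = hash_password(candidate)
        return violation

    def offboard(self, user):  # rule 5: retire the leaver's credential so it can no longer authenticate
        self.current.pop(user, None)
        self.history.pop(user, None)
```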