Your Business Checklist for NCSAM 2016

Can you confidently say your business is following best practices when it comes to online security? Do you know what types of apps and technologies your employees are using, and how they’re using them? Do you know if they’re using strong passwords when they log in to those technologies? Or are you unknowingly at risk of data theft and fraud because it’s the Wild Wild West when it comes to technology at your office?

If you can’t confidently answer the above questions, then you’ve got some work to do, and October is the perfect month to take action. October is National Cyber Security Awareness Month, and over the next four weeks we’ll be bringing you tips and tricks to help you be safer online, both in your personal life and in the workplace.

To help you get started, we’re sharing a helpful checklist put together by StaySafeOnline.org to help you identify the technology in use in your business, and the steps you need to take to protect that technology. This may be especially helpful for small business owners who may not have a full-time IT person to help them audit, implement, and secure their technology.

You’ll notice that many of the below tips revolve around strong, unique passwords. The humble password is still a critical part of your cybersecurity strategy, though it should be supplemented with two-factor authentication when possible. If you’re struggling with the password piece of the picture, LastPass has the solution with LastPass Enterprise. By getting your business set up with a team password manager, you’ll ensure you have the control and visibility you need to protect your business, while employees can be more productive.

Use the checklist below to identify problem areas for your business and start taking action throughout the month of October to address security concerns. Truthfully, these are good tips for all of us to follow, inside and outside the office. There’s also a PDF version available for you to print or download.

Technology Checklist

WiFi:

  • Use strong administrative and network access passwords
  • Use strong encryption (WPA2 and AES encryption)
  • Use separate WiFi for guests
  • Physically secure WiFi equipment
  • Get savvy about WiFi hotspots:
    • Limit accessing sensitive information on public WiFi
    • Use VPN when using public WiFi

Virtual Private Network (VPN):

  • Use strong passwords, authentication and encryption
  • Limit access to those with valid business need
  • Provide strong antivirus protection to users

Network Devices:

Routers and Switches

  • Use a network monitoring app to scan for unwanted users
  • Restrict remote administrative management
  • Log out after configuring
  • Keep firmware updated
  • Use strong passwords

Firewalls

  • Default rules should block everything that is not specifically necessary for the business
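As an added illustration of the default-deny rule above (example script, not part of the StaySafeOnline checklist), this POSIX shell function emits an nftables ruleset whose input and forward chains drop everything except loopback, established connections, ICMP and an explicit allowlist of TCP ports passed as arguments; the port numbers and the table name `business` are assumptions for the example.

```shell
#!/bin/sh
# Added example: build a default-deny nftables ruleset for a small business
# host. Only the services named on the command line are opened; everything
# else is dropped and logged. Apply the output with:  nft -f ruleset.nft
# Assumption: allowed TCP ports are given as arguments, e.g. "22 443".

default_deny_ruleset() {
  ports=$(echo "$*" | tr -s ' ' ',')      # "22 443" -> "22,443"
  allow_line=""
  if [ -n "$ports" ]; then
    allow_line="    tcp dport { $ports } ct state new accept"
  fi
  cat <<EOF
table inet business {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
$allow_line
    counter log prefix "nft-drop: " drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Quick self-check that a ruleset text really is default-deny on input:
# returns 0 when the input chain carries "policy drop", 1 otherwise.
is_default_deny() {
  printf '%s\n' "$1" | grep -q 'hook input priority 0; policy drop;'
}
```

Anything not on the allowlist (the page's "not specifically necessary for the business") hits the final `drop`, and the `log prefix` line gives you a kernel log entry to review for unexpected connection attempts.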

USBs:

  • Scan USBs and other external devices for viruses and malware when connected
  • Only pre-approved USBs allowed in company devices
  • Educate users about USB risks

Mobile Devices:

  • Keep a clean machine: Update security software on all devices
  • Delete unneeded apps
  • Secure devices with passcodes or other strong authentication such as a finger swipe and keep physically safe
  • Encrypt sensitive data on all devices
  • Make sure “find device” and “remote wipe” are activated

Website:

  • Keep software up to date
  • Require users to create strong passwords to access
  • Prevent direct access to upload files to site
  • Use scan tools to test your site’s security – many are free
  • Register sites with similar spelling to yours
  • Run most current versions of content management systems or require web administrator/hosts to do the same

Email:

  • When in doubt, throw it out: Educate employees about remaining alert to suspicious email
  • Provide all email recipients with an option to opt off your distribution list
  • Require long, strong and unique passwords on work accounts
  • Get two steps ahead: Turn on two-factor authentication

Social Networking:

  • Create page manager policies and roles
  • Limit administrative access
  • Require two-factor authentication
  • Secure mobile devices

File Sharing:

  • Restrict the locations to which work files containing sensitive information can be saved or copied
  • If possible, use application-level encryption to protect the information in your files
  • Use file-naming conventions that are less likely to disclose the types of information a file contains
  • Monitor networks for sensitive information, either directly or by using a third-party service provider
  • Free services do not provide the legal protection appropriate for business

Point of Sale (POS):

  • Make unique, strong and long passwords and change regularly
  • Separate user and administrative accounts
  • Keep a clean machine: Update hardware and software as needed
  • Avoid web browsing on POS terminals
  • Use antivirus protection

Copiers/Printers/Fax Machines:

  • Understand that digital copiers/printers/fax machines are computers
  • Ensure devices have encryption and overwriting
  • Take advantage of all the security features offered
  • Secure/wipe the hard drive before disposing of an old device
  • Disable the web management interface or change the default password

Cloud and other 3rd Party Vendors:

  • Discuss the approach to security and codify in any agreements and contracts

Other:

Secure Disposal

  • Be aware that many devices, not just PCs and phones, have memory. Know how to clean old data before disposing

Internet of Things (IoT) Consumer Protection and Defense Recommendations

  • Isolate IoT devices on their own protected networks and change default passwords
  • Know what information is being collected and how and where it’s being stored and protected
  • Consider whether IoT devices are ideal for their intended purpose
  • Purchase IoT devices from manufacturers with a track record of providing secure devices
  • When available, update IoT devices with security patches