5 Ways to Avoid a Data Breach

We’ve heard a lot recently in the news about data breaches. Don’t let your business fall victim to the plethora of threats out there to one of your most vital resources. Keep your data safe and protect confidential information with these five expert tips brought to you by the FTC’s East Central Region in the first of a two-part series.

When managing your network, developing an app or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant. As the Federal Trade Commission outlines in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.

There’s another great source of information from the FTC about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements—no findings have been made by a court—and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, staff from the FTC’s East Central Region present in this article five lessons that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose. 

Lesson No. 1: Start with security

From personal data on employment applications to network files with customers’ credit card numbers, sensitive information pervades many companies. Experts agree that the first step in managing confidential information is to start with security. Factor it into the decision-making in every department of your business—personnel, sales, accounting, information technology, etc. Collecting and maintaining information “just because” is no longer a sound business strategy. By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of a data compromise down the road. Of course, all of those decisions will depend on the nature of your business.

Lesson No. 2: Control access to data sensibly

Once you’ve decided you have a legitimate business need to hold on to sensitive data, take reasonable steps to keep it secure. Not everyone on your staff needs unrestricted access to your network and the information stored on it. For your network, consider steps such as separate user accounts to limit access to the places where personal data is stored or to control who can use particular databases. For paper files, external drives, disks, etc., an access control could be as simple as a locked file cabinet. Administrative access, which allows a user to make system-wide changes to your system, should be limited to the employees tasked to do that job.

Lesson No. 3: Require secure passwords and authentication

If you have personal information stored on your network, strong authentication procedures—including sensible password “hygiene”—can help ensure that only authorized individuals can access the data.

Insist on complex and unique passwords

“Passwords” like 121212 or qwerty aren’t much better than no passwords at all. That’s why it’s wise to give some thought to the password standards you implement. For example, you can require employees to choose complex passwords and train them not to use the same or similar passwords for both business and personal accounts.

Store passwords securely

Don’t make it easy for interlopers to access passwords. Three of the FTC’s settlements in this area have alleged that:

  • The company stored network user credentials in clear, readable text that helped a hacker access customer credit card information on the network;
  • The business allowed customers to store user credentials in a vulnerable format in cookies on their computers; and
  • A company failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts.

In each of those cases, the risks could have been reduced if the companies had policies and procedures in place to store credentials securely. Businesses also may want to consider other protections—two-factor authentication, for example—that can help protect against password compromises.

Guard against brute force attacks

Remember that adage about an infinite number of monkeys at an infinite number of typewriters? Hackers use automated programs that perform a similar function. These brute force attacks work by typing endless combinations of characters until hackers luck into someone’s password.  Implementing a policy to suspend or disable accounts after repeated login attempts may help to eliminate the risk from brute force attacks.
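
One way to implement the suspend-after-repeated-attempts policy, written as an added example (not part of the FTC material): failures are counted per account inside a sliding window, and once the threshold is hit the account is refused for a cooldown period before the supplied credential is even evaluated. The thresholds and account names are constructed for the example; the caller supplies the credential check as a callable so the throttle can skip it while locked.

```python
from collections import defaultdict, deque
from typing import Callable


class LoginThrottle:
    """Lock an account after max_failures failed attempts within `window` seconds,
    and keep it locked for `lockout` seconds. Values here are constructed defaults."""

    def __init__(self, max_failures: int = 5, window: int = 300, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lock expires

    def _prune(self, account: str, now: float) -> None:
        """Drop failures that have aged out of the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account: str, credential_ok: Callable[[], bool], now: float) -> str:
        """Returns 'locked', 'ok' or 'failed'. While locked, the credential is not
        checked at all, so even the right password gets the same answer."""
        if self.is_locked(account, now):
            return "locked"
        if credential_ok():
            self._failures[account].clear()
            return "ok"
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed demo: three wrong guesses within a minute lock the account for two minutes.
    throttle = LoginThrottle(max_failures=3, window=60, lockout=120)
    for t in (0, 10, 20, 30):
        print(t, throttle.attempt("alice", lambda: False, t))
    print(141, throttle.attempt("alice", lambda: True, 141))
```

Because a per-account lock can itself be abused to lock legitimate users out, production deployments usually pair it with a per-source limit and log every lock event so the monitoring in Lesson No. 5 can see the attempts.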

Protect against authentication bypass

Locking the front door doesn’t offer much protection if the back door is left open. In one settlement, the FTC charged that a company failed to adequately test its web application for widely-known security flaws, including one called “predictable resource location.” As a result, a hacker could easily predict patterns and manipulate URLs to bypass the web app’s authentication screen and gain unauthorized access to the company’s databases. The company could have improved the security of its authentication mechanism by testing for common vulnerabilities.
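
The defense against the flaw described in that settlement, and the “need to know” access control of Lesson No. 2, is the same design rule: authorization is decided server-side on every request, from the session and the user's role, never from which screen the request was supposed to pass through first. The following is an added illustration of that rule (not the application from the FTC case, whose details are not public here); the paths, roles, session tokens and the request shape are all constructed for the example.

```python
import posixpath
from dataclasses import dataclass
from http import HTTPStatus
from typing import Optional

# Constructed policy: which role may reach which path prefix. Deny is the default.
ROLE_PERMISSIONS = {
    "clerk": {"/orders"},
    "finance": {"/orders", "/reports"},
    "admin": {"/orders", "/reports", "/admin"},
}

# Paths that need no session at all.
PUBLIC_PATHS = {"/", "/login", "/healthz"}

# Constructed server-side session store: token -> (user, role).
SESSIONS = {
    "tok-clerk": ("dana", "clerk"),
    "tok-finance": ("lee", "finance"),
}


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def authorize(request: Request) -> HTTPStatus:
    """Every non-public path checks the session and role, however the URL was formed."""
    # Normalize first so "/reports/../admin/x" is judged as "/admin/x".
    path = posixpath.normpath(request.path)
    if path in PUBLIC_PATHS:
        return HTTPStatus.OK
    session = SESSIONS.get(request.session_token)
    if session is None:
        return HTTPStatus.UNAUTHORIZED      # no valid session: back to the login screen
    _, role = session
    if any(_under(path, prefix) for prefix in ROLE_PERMISSIONS.get(role, set())):
        return HTTPStatus.OK
    return HTTPStatus.FORBIDDEN             # logged in, but this data is not theirs to see


if __name__ == "__main__":
    # Constructed demo: the same report URL gives three different answers.
    for req in (Request("/reports/2"),
                Request("/reports/2", "tok-clerk"),
                Request("/reports/2", "tok-finance")):
        print(req, authorize(req).phrase)
```

The check runs before any handler touches the database, so a URL that was never linked from the UI is treated exactly like one that was. Testing for this class of flaw is simple once the rule is in place: request every resource directly with no session and with each role, and confirm the answers match the policy table.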

Lesson No. 4: Store sensitive personal information securely and protect it during transmission

Use strong cryptography to secure confidential material during storage and through all phases of transmission. The method will depend on the types of information your business collects, how you collect it and how you process it. Given the nature of your business, some possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption or an iterative cryptographic hash. Make sure the people you designate to do that job understand how your company uses sensitive data and have the know-how to determine what’s appropriate for each situation. Several companies have unnecessarily risked attacks that could have been prevented if the companies’ implementations of SSL had been properly configured.

When considering what technical standards to follow, keep in mind that experts may have already developed effective standards that can apply to your business, including widely-accepted encryption algorithms. Savvy companies don’t start from scratch when it isn’t necessary; deviating from tried-and-true, industry-tested and accepted methods for securing data could subject that data to significant vulnerabilities.

Lesson No. 5: Segment your network and monitor who’s trying to get in and out

When designing your network, consider using tools like firewalls to segment your network, thereby limiting access between computers on your network and between your computers and the internet. Another useful safeguard: intrusion detection and prevention tools to monitor your network for malicious activity.
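
Segmentation and monitoring reinforce each other: once the allowed paths between segments are written down, any accepted connection outside that list is a finding, and repeated drops from one source are worth a look. The example below is added here (not FTC material) and reviews a handful of constructed firewall flow-log lines against a constructed three-segment policy. The address ranges, the log format and the allowed-flow table are all assumptions made for the example; map them onto your own firewall's export format.

```python
import ipaddress
import re
from collections import Counter

# Constructed segments. Addresses in no segment are treated as "internet".
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed policy: only these (source segment, destination segment) pairs may talk.
# Note there is no path from the database segment out to the internet, and none from
# workstations straight to the database.
ALLOWED_FLOWS = {
    ("workstations", "web_dmz"),
    ("workstations", "internet"),
    ("internet", "web_dmz"),
    ("web_dmz", "db"),
}

# Constructed log format: "<timestamp> <src_ip> -> <dst_ip>:<port> <ACCEPT|DROP>"
LOG_LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ACCEPT|DROP)$")

SAMPLE_LOG = """\
2024-01-08T09:00:01 10.10.4.7 -> 10.20.0.5:443 ACCEPT
2024-01-08T09:00:02 10.20.0.5 -> 10.30.0.9:5432 ACCEPT
2024-01-08T09:00:03 10.30.0.9 -> 203.0.113.44:443 ACCEPT
2024-01-08T09:00:04 10.10.4.7 -> 10.30.0.9:5432 ACCEPT
2024-01-08T09:00:05 198.51.100.8 -> 10.30.0.9:5432 DROP
2024-01-08T09:00:06 198.51.100.8 -> 10.30.0.9:3306 DROP
""".splitlines()


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def review_flows(lines) -> dict:
    """Flag accepted flows the policy does not allow, and count drops per source."""
    violations = []
    dropped_by_source = Counter()
    unparsed = 0
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1
            continue
        ts, src, dst, port, action = m.groups()
        if action == "DROP":
            dropped_by_source[src] += 1
            continue
        pair = (segment_of(src), segment_of(dst))
        if pair not in ALLOWED_FLOWS:
            violations.append(f"{ts} {pair[0]} -> {pair[1]} ({src} -> {dst}:{port}) not allowed by policy")
    return {
        "policy_violations": violations,
        "dropped_by_source": dict(dropped_by_source),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = review_flows(SAMPLE_LOG)
    for v in result["policy_violations"]:
        print("VIOLATION:", v)
    print("drops by source:", result["dropped_by_source"])
```

In the sample, the database host reaching the internet and a workstation reaching the database are both accepted by the firewall yet forbidden by the policy, which is exactly the gap between what the rules currently permit and what they were meant to permit. The drop counter gives the monitoring side a simple signal for repeated probing of the database segment from outside.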

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. You can file a complaint online at www.ftc.gov/complaint or by telephone at 1-877-FTC-HELP (1-877-382-4357).

5 ways to drive energy efficiency at your business in 2016

    The energy market has slipped into new low territory as cold air remains trapped in Canada with mild U.S. temps now stretching into the New Year. We experienced near record mild temperature trends in December that remain broadly based across the eastern 2/3 of the US and forcing the cost of the natural gas futures to curve downward into 14-year lows. Still, there are ways for your business to continue to drive down usage and build up your bottom line. Here are five things you can start doing today that will help keep your energy costs in check during 2016.

    1. Smart energy is getting smarter: More small businesses are integrating smarter solutions to both control energy costs as well as better understand and manage their overall energy use. The combination of cloud-based information systems plus storage can enable smart, connected buildings that use and manage energy more efficiently than ever before. Better information means greater visibility over your energy use—and more control over your bottom-line energy costs.
    2. Don’t get left in the shade: Solar solutions are more modular and streamlined today, so installation is simplified. The market has been innovating relentlessly and truly revolutionary approaches are making their debut. It is easy to generate and offset more than 80% of your electric, which allows you to cut costs faster and save even more. With the 30% tax credit that was just extended until 2019, who doesn’t want free cash back on their project?
    3. Control for behaviors: If you still have old fluorescent lighting, it’s time to upgrade. LEDs are now affordable and provide reduced maintenance and significant energy savings. However, just because you install new energy efficient lighting, you still need to remember to turn it off when not in use! Today, advanced controls for lighting, HVAC, refrigeration, occupancy, etc., are more widely adopted and integrated into a centralized energy management system.
    4. Use the data: If you are like most small businesses that have conducted an energy audit of your facility, you might not have done anything with that report since it was presented to you. Don’t let it continue collecting dust. Take a good, hard look at that report and figure out what areas of your business you need to prioritize for your next energy project.
    5. Take ownership: Energy accountability still is lacking in many organizations. While more management teams realize the importance of managing energy use, who specifically is responsible for driving improvements (operations, real estate, sustainability, etc.) remains fluid, and thus reduction programs stall. Dedicate one person or team to being your business’s “energy champion” devoted to keeping a constant watch over energy consumption.

    And here’s a bonus tip: Don’t feel like you need to go it alone when it comes to energy usage. The COSE Energy Team stands ready to assist. Contact us at 216-592-2205 or energy@cose.org.

    5 Things Middle Market Companies Need to Know About IT Projects

    From training employees to getting buy in from leadership, there’s a lot that goes into rolling out a major IT project. During a panel at last fall’s BusinessTech18 conference, a group of middle market IT experts identified the top five things companies should keep in mind.

    A panel of IT experts took the stage during BusinessTech18 last fall to shine a light on what middle market companies need to understand about how the rollout of IT projects interacts with their overall business strategy. The panel, which included Martin Ziemianski of Ozanne; Christian Tracy of GMS; Dean Wolosiansky of Lindsay Precast; and Matt Gabel of Westfield Bank, identified five critical items these companies should have on their IT radar. They are:

    No. 1: Training is the hardest part

    It’s one thing for a company to invest in its IT infrastructure. It’s another thing entirely for employees to buy in. One way to increase employee buy in is to have an outside firm come in for a talk. The panelists likened it to how children will listen to an outside voice more closely than they will to mom and dad.

    No. 2: Build a relationship with vendors

    Speaking of third-party teams, it’s often best to allow this outside team handle major tech rollouts as they often are in the best position to understand how that particular application was intended to be used. It also allows companies to avoid having to employ a huge team of developers.

    No. 3: Think about the end user

    When considering adding or changing any technology, companies should put some thought into how this platform will impact the end user, whether that’s customers or employees. Leadership needs to step outside of themselves and look at what the best value is for the business.

    No. 4: Get leadership’s buy in

    While it’s important for a company’s leadership team to step back and let experts handle implementation, it is nonetheless crucial to get buy in from this group. Achieving this buy in is important because it can help to influence the rest of the organization’s employees to buy in to the project as well.

    No. 5: Don’t back off once you’re done

    It’s important to keep in mind that your job is not finished once the tech is implemented. It’s easy for attentions to backslide once all the work is done. The panelists suggested implementing training related to the project in short sprints over a longer period in order to better retain people’s attention.

    BusinessTech18 was just one of the many events the Greater Cleveland Partnership participated in to help companies obtain the education and resources needed to succeed. Click here to view a list of upcoming events that could help your business in 2019.


    6 Steps to Improve Cyber Security

    While cyber threats to your business evolve over time, the basic principles of defense remain the same. It’s with that thinking in mind that the Federal Trade Commission published its report “Start with Security: A Guide for Business” which details cyber security best practices as gleaned from previous FTC cases. Following are six steps you can start implementing today to keep your network safe.

    1. Think Security First

    Regardless of what action you want to take, make your choice with security in mind. For instance:

    • Don’t collect data you don’t need: Review what you’re asking your customers to provide. Is any of it sensitive data that could compromise them if you’re hacked? Do you absolutely NEED to have all of the information you’re asking for?
    • Hold on to information only as long as you need it: Collecting personal customer data can be a necessary action companies have to take, but once the deal is done, it might be unwise to hold onto it. If your business is storing credit or debit card numbers for days after a sale is finalized, you might be leaving yourself vulnerable if you’re hacked.
    • Keep Data Secure at All Times: Using encryption is important, but make sure that data stays encrypted at all times. Encrypting does no good if, for example, it’s decrypted at some point by a service provider and then emailed back to your office.

    2. Control Access

    Not everyone on your staff needs access to the sensitive data you have on hand. Put controls in place to ensure only those on a “need to know” basis can see this data.

    3. Secure Passwords and Systems

    Insist on complex and unique passwords to access your administrative system. And guard against brute force attacks—programs that endlessly guess at passwords until they luck into a match—by restricting the number of password attempts.

    4. Monitor Your Network

    All of the computers on your network don’t need to talk to each other. House particularly sensitive data in a secure place on your network. And monitor activity on your network, too. Look for suspicious activity that could indicate unauthorized access.

    5. Remote Access

    Have a mobile workforce? Before you activate a remote login account, assess whether it is secure. And ensure virus protections are up to date on any online portals. Relatedly, update and patch any third-party software you might be using.

    6. Verify Security of Service Providers

    It doesn’t matter how secure things are in your own house if the security your service providers use is lacking. Make sure to put security standards in writing in any contracts you have with the firms. And if they say they have secure processes in place, verify that this is true.

    7 Digital Marketing Tricks to Know

    With the rise of additional channels such as mobile, digital marketing has taken on an increased importance in recent years. But according to a recent Adobe survey, just 9% of marketers believe their digital marketing strategy is working. How can your small business cut through the clutter and devise a digital marketing plan that gets results?

    That’s the question we posed recently to Nicole Burke, a veteran marketer and founder of consulting firm The MOD Pros. She identified seven steps small businesses should take to ensure a successful digital marketing campaign.

    1. Discovery Phase

    This is one of the most critical parts of the process. It’s where you compile research and get insights about your brand: look at competitors, where your customers make their buying decisions, and how they think of your brand. It’s important at this stage to remove your bias and think critically about what people think of your brand.

    2. Digital Footprint Assessment

    After the research is done, it’s time to take the next step and create a digital footprint assessment. This is a picture of your entire footprint on the Internet, comprising your social media, your partners, your website, etc. This process includes looking at your website: are your links working, is your content current? It also covers social media: is your messaging consistent with your brand, and are you getting interaction?

    3. Website Design and Accessibility

    Make sure your customers can browse and interact with your site regardless of the type of screen they are using. It has to be responsive to smartphones as well as desktop machines. This will help build credibility with your audience and build conversion rates. Search engines such as Google, which want to provide the most relevant content to searchers, also give preference to responsive sites.

    4. Content and SEO

    This might be the most difficult step. Start with the end in mind as it relates to content. Have a strategy, process and schedule. Circle back to your business objectives. As for search engine optimization, ensure the design of each page of content is accessible to search engines, including internal text links, metadata, etc.

    5. Social Media

    Make sure your business is playing on the right social networks. How do you do that? Take a step back and understand your business does not have to be on every single network. Where are your customers? Does this social network make sense for my product or business? What am I trying to share? If it’s images, then think about Pinterest; if it’s broader awareness, consider Twitter or Facebook.

    6. Backlinking and Directory Listings

    Backlinks are incoming links to a Web page. You want to make sure the sites linking to you are credible, and there are a few free tools that can help you do that. Check out OpenLinkProfiler, RankSignals and SEO SpyGlass.

    7. Review, Measure and Analyze Results

    Now that you are putting your digital marketing framework into action, you need to ensure a system is in place to measure and act on results. Here are a few key performance indicators to watch:

    • Total visits: This will give you a big picture view of how your content is faring.
    • New sessions: This will show you how “sticky” or how many visits are new or recurring.
    • Channel-specific traffic: The point of origin for your traffic.
    • Bounce rate: The number of visitors who leave your site before exploring further.
    • Conversion rates: The number of people who took a desired action, such as signing up for a newsletter, made a purchase, etc.

    View COSE webinars on other topics such as legal, sales and more.

    7 Marketing Tactics to Know

    Seasoned marketer Nicole Burke gives the inside scoop on the tools, tips and tactics you need to add to your marketing mix.

