Why you need to make them, and how to do it
We stand on the brink of a new year. It will be challenging, of course, but also (we think) more hopeful and more positive. 2021 offers us a fresh start, albeit still saddled with some familiar health safety constraints. These should (we think) lift gradually as herd immunity continues to build and vaccine distribution becomes more widespread.
As we stand here, against that backdrop, it’s appropriate to think about our organizations, our plans for new business, products and services, and our data and intellectual property. To keep all of it humming, we recommend four business resolutions that are equally important for enterprise IT teams and SMB business owners as we begin 2021.
Resolution 1 – Change Passwords for Everything
Passwords are the first line of defense in protecting your databases, networks, websites, and other online assets. Using weak passwords is not only risky for individuals and their data—but also makes company data and intellectual property vulnerable to theft.
A year ago, the United Kingdom’s National Cyber Security Centre disclosed the three most hacked passwords of 2019. They were 123456, 123456789, and qwerty. We also know that more than half of American computer users (53%) take the easy road by using the same password for multiple accounts. That’s a big no-no, because if hackers get into one account, it gives them easier access to every other account that shares the password.
Below are some other taboos in password management. Are you guilty of any of them?
- Using information that is easily guessed, or easily discoverable online. In addition to using your own name as a password, this could include your birthdate, your address, or the name of the website the password accesses.
- Using information that is easily minable on social media. The possibilities are limitless, depending on how much you share, and could include a family member’s name, a pet’s name, your hobby, favorite book or movie, or the name of your favorite celebrity or superhero.
Responsible password management is easy once you commit to it. We recommend two basic steps to strengthen this important first line of defense for your business.
- Use phrases, not single words. A “passphrase” is a string of words, which is much harder to guess and therefore to crack. Password-cracking tools used by hackers become markedly less effective once a secret is longer than 10 characters. Like passwords, passphrases can be sensitive to punctuation, symbols, numbers, and capitalization. Examples of what a passphrase might look like are 1H@te2SHOPon5aturDAY or ThisW3Bsite5ellsb00KS.
- Implement password policies and tools. Business tools such as encrypted password managers are available to help users access their passwords or phrases and avoid reusing old ones. Whoever manages your systems should set up automatic rules that require passwords to be changed every 3 months and passphrases every 6 months, as well as auto-rules that require minimum lengths of 10 characters per password and 15 characters for passphrases. System admins, executives, and other privileged users should follow even stricter requirements because of the high value of the data and other resources they have access to.
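The policy described in this resolution, expressed as a checker that an admin could wire into an account-change workflow. This is an added example, not 24By7Security’s own tool; the `kind` argument, the personal-information list and the short weak-password set are assumptions, and a real deployment would use a full breach list.

```python
import hashlib
import os
import re
from datetime import date, timedelta

# Policy parameters taken from the resolution above
POLICY = {
    "password":   {"min_len": 10, "max_age": timedelta(days=90)},   # change every 3 months
    "passphrase": {"min_len": 15, "max_age": timedelta(days=180)},  # change every 6 months
}
# The most-hacked passwords named in the post; a real deployment would load a full breach list
KNOWN_WEAK = {"123456", "123456789", "qwerty"}


def hash_secret(secret, salt=None):
    """Salted PBKDF2 digest so a history of old secrets can be kept without storing them."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _normalise(text):
    """Lower-case and strip symbols so 'Jane Doe' is found inside 'JaneDoe2020!'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_secret(secret, kind, personal_info=(), history=(), last_changed=None, today=None):
    """Return a list of policy violations; an empty list means the secret is acceptable.

    personal_info: strings that are easy to guess or to find online (name, birthdate,
                   address, site name, pet's name, ...), all constructed by the caller
    history:       [(salt, digest), ...] of previously used secrets from hash_secret()
    """
    rules = POLICY[kind]
    problems = []
    if len(secret) < rules["min_len"]:
        problems.append(f"{kind} shorter than {rules['min_len']} characters")
    flat = _normalise(secret)
    if flat in {_normalise(w) for w in KNOWN_WEAK}:
        problems.append("matches a widely used password")
    for item in personal_info:
        token = _normalise(item)
        if len(token) >= 3 and token in flat:
            problems.append(f"contains easily guessed information: {item!r}")
    for salt, digest in history:
        if hash_secret(secret, salt)[1] == digest:
            problems.append("reuses a previous secret")
            break
    if last_changed is not None:
        age = (today or date.today()) - last_changed
        if age > rules["max_age"]:
            problems.append(f"older than {rules['max_age'].days} days; rotation is due")
    return problems
```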
Resolution 2 – Update All Software Apps
We live in the age of the app. Software that runs on our various devices ranges from system software to programming software to application software. Application software provides exciting new functionality that enriches our devices and, by extension, enriches us. We have weather apps, news apps, game apps, media apps. Apps for our websites, for our emails, for our spreadsheets. Apps that help us work. Apps that let us play.
Apps may come with our devices, to be activated when we set up the devices. Apps may be researched, selected, and downloaded to our devices. Or apps may run online when we access them through links or websites.
No matter which way we get them, apps are wonderful things. But apps can become liabilities if we don’t keep them up-to-date. That is, if we run old versions that we don’t update. The best security practice, when it comes to apps, is to run current versions only.
This is important because new versions of a familiar software application, in addition to delivering new and enhanced functionality, often contain security updates that fix bugs or make the application less vulnerable.
For system software and most programming software, the vendors push software updates (sometimes called patches or releases) directly to registered devices whenever they develop a new and improved version of their software. Most browsers, email apps, and other critical applications will update automatically and transparently to the end user.
For other apps, the end user is responsible for using the most current version. This may involve taking a few minutes to download the update when the vendor alerts you that a new version is available for install.
If you’re a business owner using QuickBooks, for example, you can request automatic updates in Settings. The vendor, Intuit, will issue updates periodically through the year. You’ll be advised of a new release when you open the application, and you’ll have a choice to update it then or to be reminded later.
Here are two security tips that apply to the IT team as well as accountants, HR managers, business owners, and others responsible for business software updates:
- Don’t postpone the update more than once or twice, thinking there will be a more convenient time. Chances are there won’t be. And every day you postpone that update, you may be risking the security of your data or intellectual property.
- Don’t update blindly. Make sure the update is legitimate—that it is coming from the real vendor. Fake updates are a ploy by hackers to install malware on your device. Do a few minutes of online research to verify that a new update is actually available, and to be super safe go to the vendor’s website and download the update from there. And make sure the website URL is legit, without misspellings or funky formatting that often signal phony or spoofed websites.
Many software patching tools are available to make the patch management process easier for businesses. Check them out or ask us for suggestions.
Resolution 3 – Get a Security Risk Assessment
Undergoing a security risk assessment is like having an annual physical. A standard battery of tests is performed to assess the health of various parts and systems. Additional special tests may be included based on known health issues.
A security risk assessment also consists of a battery of accepted tests, including internal and external penetration testing and vulnerability assessment, penetration testing of web applications, social engineering testing, physical security testing, and risk assessments of third-party vendors, suppliers and partners. The parts and systems tested relate to information security and include policies, procedures, personnel, technology, and strategy.
In addition to being a fundamental security best practice, periodic security risk assessments are required by most regulated industries as part of an effective and compliant security program. One such framework is ISO/IEC 27001, which governs information security management systems across all industries. In healthcare specifically, the HIPAA Security Rule, the 21st Century Cures Act, and the CMS Interoperability and Patient Access rule all mandate the security and privacy of patient information. The financial services industry and the payment card industry have their own requirements as well.
Where you have mission-critical information systems in place to collect, process, and store sensitive customer, employee, payroll, patient, or payment data—an annual risk assessment is smart business regardless of your industry, size, or circumstances.
As part of your assessment, you’ll receive reports that explain what your vulnerabilities are, where they exist, how severe they are, and how to address them in order to improve your security and reduce your risk.
Just as it’s important to have an annual or periodic physical to discover and treat what may be ailing you, it’s important to have a regular security risk assessment to discover and address what may be jeopardizing your business.
To learn more, we recommend downloading a complimentary copy of our easy-to-follow, complete guide to your security risk assessment.
Resolution 4 – Attend Security Webinars or Read Security Newsletters
Our world is dynamic. Technology changes rapidly. The Internet of Things is exploding like a supernova. Information bombards us constantly from all sides.
In this environment, it’s important to keep up with new hacking exploits, new ransomware ploys, new regulations, and new tools and technologies in cybersecurity. And not to be distracted by noise.
One way to do that is to sign up for newsletters from 24By7Security, get them delivered directly to your inbox at no cost, and decide which ones to read based on relevance to your organization and personal interest.
We also host frequent webinars, and all of our webinars are recorded. They’re available on our website under Webinars. You pick and choose which ones are most helpful to your situation. They’re all complimentary. While you’re at it, have a look at the other Resources we’ve made available, with our compliments. Ideas for new topics are always welcome!
As we begin a new year with hope and a positive outlook, this is the perfect time to make some resolutions. To resolve to take a few actions this year that will enhance our cyber health by improving our cybersecurity.
Two of the most basic best security practices call for updating our software and changing all of our passwords. And make this the year you schedule and complete a Security Risk Assessment for your business. It’s the foundation of any security program at any organization because it will tell you where your risks are and how to mitigate them. To keep your data in, and hackers out.
Life is better when we are able to learn something new every day. So, make this the year you listen to more webinars on cybersecurity, read more newsletters on good security practices, and download more resources from respected associations in the cybersecurity industry.
By being better informed, you’ll be better able to protect your business. And have a safe and secure new year!