Data breaches are a nightmare for any company, large or small. We hear about major data leaks regularly in the news, but those cases barely scratch the surface. The Identity Theft Resource Center (ITRC) tracked 1093 data breaches in the U.S. last year alone — a 40 percent increase over 2015’s near-record high.
We take security seriously at Rezgo, using the best industry practices and state-of-the-art technology to keep your data and your customers’ information safe. But that’s only part of the picture. Any sensitive information you store digitally anywhere could be a target, including employee Social Security numbers or customer credit card records. These tips can help you keep control of your data and keep your tour company secure.
Use the Best Passwords
Password security is the first step in keeping your business secure. Having a short, memorable password may make your life easier, but you significantly increase the risk of your passwords being cracked.
A strong password has several elements: it should be at least 12 characters long, and it should include both small and capital letters, numbers, and symbols.
Experts are divided on the best approach to strong passwords, but there are two leading recommendations. The first is to come up with a multi-word phrase that you’ll remember and that meets the criteria above. The phrase “My GPA is 3.90!” might be easy to learn from a social engineering perspective, but it’s hard to crack and easy to remember. It’s even better to use a longer phrase and keep, for example, only the first letter of each word, any numbers and all the punctuation.
The alternative is to create a randomized password, like F&d%dyZ6v8aT. That’s hard to crack, but it’s also nearly impossible for most people to remember, especially when you consider that you should have a unique password for every single service you use.
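As an added illustration (not code from Rezgo or the original post), the following Python script implements the two ideas above: it reduces a memorable phrase to the first letter of each word plus every digit and punctuation mark, and it checks a candidate against the stated criteria (at least 12 characters, lower- and upper-case letters, digits and symbols). The small deny-list of common passwords is a constructed placeholder; a real policy would check against a much larger list of leaked passwords.

```python
import string

MIN_LENGTH = 12  # the post's minimum length

# Constructed, deliberately tiny deny-list; real deployments use a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def derive_from_phrase(phrase: str) -> str:
    """Keep the first letter of each whitespace-separated word, every digit and all punctuation.

    'My GPA is 3.90!' -> 'MGi3.90!' (too short on its own; a longer phrase is needed).
    """
    out = []
    for word in phrase.split():
        letter_taken = False
        for ch in word:
            if ch.isalpha():
                if not letter_taken:
                    out.append(ch)
                    letter_taken = True
            elif ch.isdigit() or ch in string.punctuation:
                out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for phrase in ["My GPA is 3.90!", "My dog Rex ate 2 socks, twice, on a Tuesday!"]:
        derived = derive_from_phrase(phrase)
        print(f"{phrase!r} -> {derived!r}: {check_password_policy(derived) or 'OK'}")
    print("F&d%dyZ6v8aT ->", check_password_policy("F&d%dyZ6v8aT") or "OK")
```

Note that the short phrase from the post collapses to eight characters and fails the length rule; the derivation only produces a strong password when the source phrase is long enough.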
Either way, you can help your memory along by using a password manager like LastPass, 1Password or Dashlane. They store all of your login information behind a single, master password, so once you memorize one ultra-secure password you can safely forget most of the rest.
If you’re thinking that will leave you with a single point of password failure, you’re absolutely right. That’s why the final step is to use multi-factor authentication wherever you can. Many services allow you to set up a confirmation SMS, email, or authenticator app so that logging in will require something you know (your password) and something you have with you (your phone or authenticator). That way, someone trying to steal your data from the other side of the world won’t be able to get into your account even if they have your password.
Your password managers and email accounts should definitely make use of multi-factor authentication if possible — if a hacker gets into either of those, they can easily access the rest of your private accounts and information. If your domain registrar offers multi-factor authentication, take advantage of it. If someone gets ahold of your domain, they can create all kinds of chaos.
Watch What You Click
Malware has been a big deal as long as we’ve had the Internet, but it’s gotten a lot worse in recent years. The rise of ransomware — malware that locks businesses out of their data until a ransom is paid — has hit businesses and organizations worldwide with terrifying results. On Black Friday last year, San Francisco’s transit network ticketing system was taken down by hackers who demanded $73,000 in exchange for access to their data. In January, an Austrian luxury hotel had its key card system locked down by hackers. While early reports that guests were locked in their rooms proved to be false, the hotel was unable to make new cards and is now abandoning key cards for traditional analog locks.
Avoiding ransomware attacks requires a two-pronged approach. The first step is to protect your data. Keep off-site backups of important information. Don’t go out of your way to store all of your company’s most important data in one place — that way, if you get attacked, you won’t lose access to everything. Even better, keep financial records and employee and customer information safely segmented from the rest of your network.
The second step is to practice good malware habits. Make sure your employees know not to click strange links or open unexpected attachments in emails. Keep your software up to date, and stick to software from trusted vendors. Ensure that every system you use has a regularly updated virus scanner, like Windows Defender or AVG.
Keep Your Staff Accountable
We want to believe we can trust everyone who works for us, but sadly, that’s not always the case. Insider theft and employee negligence accounted for over 15 percent of data breaches reported last year.
To limit your risk, make sure your employees don’t have access to more data than they need. Everyone should have their own accounts wherever possible — shared accounts not only make data breaches more likely, they also make tracking the source of those breaches nearly impossible. With Rezgo, you can restrict users’ access to any part of the system with custom security levels, and track the activity of each user account.
Make sure your employees are educated on password security, phishing methods and ransomware hacks. A password security policy can prevent your employees from accidentally giving hackers access to your data with a common, weak password. Here’s how to set up an automatically-enforced security policy in Rezgo. You can use our parameters for inspiration in creating a company-wide policy, too.
Triple-Check Your Emails
Hacking and phishing are the most common vectors for data theft, accounting for 55% of data breaches last year according to the ITRC. Hackers go to great lengths to disguise their data collection tools as common websites where you wouldn’t think twice about entering your login information, like Gmail or PayPal. Once you “log in,” they have your data, and you’re in trouble.
Just about everyone gets a phishing email once in a while — if you’re lucky, your spam filter catches them before you even see them. If not, they’re usually easy to spot. We’ve put together some tips for identifying phishing emails.
Sometimes, they’re much more serious. According to the FBI, the past two years have seen a dramatic increase in so-called CEO phishing. These are messages that seem to come from a superior in your company, asking for access to sensitive information or wired funds. They’re targeted, so they won’t get picked up by your spam filter, and they’re clever, possibly using email addresses that look very close to real ones or even using a hacked address from within your company. Hackers research these scams carefully, so you can expect them to say all the right things to set your mind at ease.
There’s one simple way to avoid CEO phishing schemes: verify any email that asks for sensitive information or money transfers. Email is a convenient tool, but a simple phone call can clarify whether you’re helping out your boss or revealing the contents of your secure systems to a hacker. Don’t just use the phone number you find in the email signature — that could be fake, too. Look it up internally. A few moments’ inconvenience could save your business from being the victim of massive data theft.
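The look-alike addresses described above can be flagged automatically before a human has to judge them. As an added example, not code from Rezgo or the original post, the following Python checks an incoming message's From and Reply-To headers against your own domain: it collapses digit-for-letter substitutions, flags non-ASCII (confusable) characters in the domain, measures edit distance for near-miss spellings, and warns when a known staff name arrives from an outside address or when replies are redirected elsewhere. The domain, staff list and sample headers are constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

# Constructed placeholders: your own mail domain and the people most often impersonated.
COMPANY_DOMAIN = "example-tours.com"
KNOWN_STAFF = {"jane boss"}

# Digits and symbols commonly swapped for letters; Unicode confusables are flagged separately.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"})


def normalize_domain(domain: str) -> str:
    """Lowercase, NFKC-fold and undo digit-for-letter substitutions so look-alikes collapse."""
    return unicodedata.normalize("NFKC", domain).lower().translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header: str) -> tuple[str, str, str]:
    """Return (display name, address, domain), all lowercased, from a From/Reply-To header."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain.lower()


def assess_sender(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return human-readable warnings; an empty list means nothing suspicious was found."""
    name, addr, domain = split_address(from_header)
    warnings = []
    if domain and domain != COMPANY_DOMAIN:
        if any(ord(ch) > 127 for ch in domain):
            warnings.append(f"non-ASCII characters in sender domain {domain!r}")
        elif normalize_domain(domain) == COMPANY_DOMAIN:
            warnings.append(f"sender domain {domain!r} is a character-substitution look-alike of {COMPANY_DOMAIN!r}")
        elif edit_distance(domain, COMPANY_DOMAIN) <= 2:
            warnings.append(f"sender domain {domain!r} is within 2 edits of {COMPANY_DOMAIN!r}")
        if name in KNOWN_STAFF:
            warnings.append(f"display name {name!r} matches staff but address {addr!r} is external")
    if reply_to_header:
        _, reply_addr, reply_domain = split_address(reply_to_header)
        if reply_domain and reply_domain != domain:
            warnings.append(f"Reply-To {reply_addr!r} goes to a different domain than the sender")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers for the demonstration.
    samples = [
        ("Jane Boss <jane@example-tours.com>", ""),
        ("Jane Boss <jane@example-t0urs.com>", ""),
        ("Jane Boss <jane@example-tours.co>", ""),
        ("Jane Boss <jane.boss@gmail.com>", ""),
        ("Jane Boss <jane@example-tours.com>", "payments@mail-relay.example"),
    ]
    for from_hdr, reply_hdr in samples:
        print(from_hdr, "->", assess_sender(from_hdr, reply_hdr) or "no warnings")
```

A warning from a check like this is a reason to pick up the phone, exactly as the text advises; it does not replace that call, since an attacker using a genuinely compromised internal mailbox produces no header anomaly at all.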
Is It Already Too Late?
If you think one of your accounts has already been compromised, don’t panic — there are still steps to take to prevent or mitigate the damage.
Change your passwords
If you still have access to the compromised account, change its password immediately. Any account that shares a password with the one that’s been compromised should be changed as well, using a new unique password. If you’re concerned your system may also be compromised, make the changes using a different computer.
Inform the people who need to know
If you have a company IT department, they should know about any potential data compromise. If not, let your superiors know. It can be embarrassing to admit that you made a mistake, but it’s far worse to wait until the situation explodes.
Scan your systems
Update your virus and malware scanners, and run a full scan. If your virus scanner finds anything, follow its instructions for removal. You may also want to search the name of the virus to see whether there’s a removal tool available — but don’t download any tools that aren’t from sources you fully trust.
Escalate the issue
If your system has been encrypted with ransomware or you’ve suffered a major data breach, you or your company should also contact data recovery experts and the authorities. There’s no guarantee that paying a ransom will solve the problem. Even if you think it has, there’s a good chance that hackers now have a backdoor into your systems, so talk to an expert. The security of your data is worth it.