Let me begin with a hard truth: Your company is at risk from cyberattack.
It’s true, every firm is at risk, and most will be attacked in some form, at some point in time. It’s nearly inevitable. However, there are things you can do to protect your firm from a cyberattack, and ways you can mitigate the damage if you are attacked.
What kind of company data needs to be protected from a cyberattack?
There are three categories of company data you need to protect. They are the company’s intellectual property, employee information, and client data.
Company Intellectual Property
The company’s intellectual property includes processes and procedures, firm standards, templates, and forms. It also includes firm documentation and how-to information, like patents, formulas, recipes or other proprietary information. It includes marketing information, client names and client information, the types of projects you are pursuing, and other competitive information.
Client Data and Information
The next thing that must be protected is client data. Client data includes work product – such as project drawings, designs, and schedules. It also includes information about move dates and expansion plans. In addition to protecting client project information, you need to protect client intellectual property. This includes clients’ employee names, information about projects you’re working on for them, client growth patterns, and departmental or organizational structures.
Employee Personal Information
Finally, you need to protect your employees’ personal information: names, home addresses, social security numbers, and family details such as spouse and children’s names. You also need to guard employees’ financial information, including direct deposit and bank account details, as well as payroll and salary information. And you must safeguard employee health information like doctors’ names, health claims, coverage amounts, and other confidential information.
What do you need to be protected against?
File Corruption / Loss of Data
You need to maintain data integrity. You could be attacked by malware, ransomware, or viruses. Your data integrity can also be compromised without any attacker at all: by file corruption, by backups that silently fail, or by files that cannot be restored when you need them.
There might also be data errors introduced by format conversion. For example, if you send files to others as part of your work process and convert those files from one program format to another, the conversion software may introduce errors or silently change content. Check converted files against the originals before relying on them.
Access to your Data
In addition to the integrity of the data, you need to protect data access (who can get into and access your information). You must guard against a compromised network or security access problems. Penetration testing can check your vulnerability against an outside attack. There’s also a type of attack called “denial of service” that can prevent you from accessing your data.
A malicious or disgruntled employee might change passwords, erase files, or steal them. A technology failure can cut off access to your data: a server or disk drive can fail, or your internet connection can be disrupted. A building or office disaster can do the same. A fire or other problem in your office, or even in another part of the building, can force you to leave and prevent you from physically reaching your systems. Then there are plain-old hackers, people who try to break into your network to cause damage or steal information.
Hackers often use social engineering to get to your data. Social engineering exploits people’s trust and willingness to help, or their fear. For example, an attacker might tell someone their computer is infected with a virus and trick them into installing software or giving away user names and passwords. People are generally trusting and sometimes naive; we don’t want to believe others are malicious. For this reason it’s important to understand that employees can be tricked very easily into sharing confidential information or granting access to it.
The last and most important thing is to protect your company’s reputation and your clients’ confidence. Your clients count on you to keep their data safe. If there is a security breach or a problem with client data, it is very difficult to regain their trust. You can’t unring the bell. It is easy to restore a client’s files, but it may be very difficult to regain a client’s trust.
How can you protect your firm from a cyberattack?
To protect your firm, it’s important to always be prepared; expect that you will be attacked at some point. Every firm should prepare for and expect some type of cyberattack. Firms that work more collaboratively – especially when using BIM – are at higher risk. Being more collaborative means being more open, which, in turn, increases your risk.
Expect the unexpected by developing a plan to deal with cyberattacks. You will never eliminate all risk, but you can mitigate most of it with a good plan. Your plan should explain step by step what to do in the event of a cyberattack and tell employees how to get help. Your plan should not be overly burdensome, or people will find ways to work around your security. You can spend a lot of time and money on a security plan, so it’s important to decide how much to spend to get the greatest benefit.
Take the time to train your staff. Your staff needs to understand the risks and know what to do in case of a cyberattack, as well as how they can protect themselves from a cyberattack. There must be policies and penalties for violating the rules. Encourage your company to take security seriously.
Backup / Disaster Recovery (DR) Plan
You must have good backups and a disaster recovery plan. You should have three copies of your data: the original, a local onsite backup, and an offsite copy. At least one copy should be offline or otherwise immutable, so that ransomware that reaches your network cannot encrypt the backups along with the originals.
Check your backups and archived files. Having multiple copies of your data is useless if they are all corrupted. For archived data, keep in mind that certain file types might be discontinued or no longer usable with current software. For example, does anyone still have old Lotus spreadsheet files, .WKS or .WK1? Current spreadsheet software may not open them. You might need to archive a copy of the original software and operating systems used to read old files, or develop a plan to migrate old archived data to current formats. Test-restore your backed-up files, compare what comes back against what went in, and don’t assume everything will just work.
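The test-restore described above can be automated: record a cryptographic hash of every file when the backup is taken, then restore into a scratch location and confirm each file hashes to the same value. The script below is an added example, not part of the original article or any Advance2000 tooling; it builds a small constructed project tree in a temporary directory, takes a "backup" by copying it, and then checks one good restore and one deliberately damaged restore (a truncated drawing and a missing file).

```python
"""Backup verification: hash every file at backup time, then prove that a
restore reproduces the same bytes. Sample files are constructed inline."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large drawings fit in memory


def sha256_file(path):
    """SHA-256 hex digest of a file, streamed rather than read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest.
    Store this manifest alongside the backup, ideally on a separate medium."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Return {relative path: 'missing' | 'corrupt'} for every file that did
    not come back byte-for-byte. An empty dict means the restore is clean."""
    problems = {}
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            problems[rel] = "missing"
        elif sha256_file(path) != expected:
            problems[rel] = "corrupt"
    return problems


def demo():
    """Constructed scenario: a healthy restore passes, a damaged one is caught.
    Returns (problems_in_clean_restore, problems_in_damaged_restore)."""
    base = tempfile.mkdtemp()
    try:
        original = os.path.join(base, "projects")
        os.makedirs(os.path.join(original, "tower"))
        with open(os.path.join(original, "tower", "plan.dwg"), "wb") as f:
            f.write(b"constructed drawing bytes " * 100)
        with open(os.path.join(original, "schedule.csv"), "w") as f:
            f.write("task,start\nfoundation,2024-03-01\n")

        manifest = build_manifest(original)          # taken at backup time
        backup = os.path.join(base, "backup")
        shutil.copytree(original, backup)             # the "backup" itself

        restore_ok = os.path.join(base, "restore_ok")
        shutil.copytree(backup, restore_ok)
        clean = verify_restore(manifest, restore_ok)

        # Simulate a bad restore: one file truncated, one never restored.
        restore_bad = os.path.join(base, "restore_bad")
        shutil.copytree(backup, restore_bad)
        with open(os.path.join(restore_bad, "tower", "plan.dwg"), "wb") as f:
            f.write(b"constructed drawing bytes")
        os.remove(os.path.join(restore_bad, "schedule.csv"))
        damaged = verify_restore(manifest, restore_bad)
        return clean, damaged
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore problems:", ok)
    print("damaged restore problems:", bad)
```

The manifest is the important part: without a record made at backup time, a restore that "looks fine" cannot be distinguished from one that quietly lost or altered files. Keep the manifest with the offsite copy so it survives whatever took the originals.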
Passwords / Encryption
Consider encryption, at least for laptops and mobile devices. Laptops are often lost or stolen, or left in a hotel, airport, or cab. With full-disk encryption enabled (BitLocker on Windows, FileVault on macOS, or the built-in encryption on phones and tablets), you’ve lost a piece of hardware, but your data is safe. Note that encryption only protects data at rest: a stolen laptop that is powered on and unlocked is still readable, so pair it with a strong login password and a short screen-lock timeout, and keep recovery keys somewhere the firm controls.
People must use secure passwords. I know, I know: employees hate passwords that are hard to remember. Forcing a new password every 90 days is a common policy, but current guidance (NIST SP 800-63B) favors long, unique passwords that are checked against known-breached lists and changed when compromise is suspected, rather than scheduled rotation, which tends to push people toward predictable variants of the old password. Use multi-factor authentication wherever possible. Multi-factor authentication requires something beyond the password, such as a code from an authenticator app or a hardware token, so a stolen password alone is not enough to get in. Any account that needs to be very secure, whether it’s a bank or legal account or just a sensitive website, should use multi-factor authentication. VPN connections to your office network should also require it.
Monitor your network access. You need to know who has been on your network and when, which means collecting login records centrally and actually reviewing them. If you see anything strange, question it. Do employees really need to be on the network at 3 AM? It might be legitimate, but you should know what they’re doing and why. Repeated failed logins against one account deserve the same attention.
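The 3 AM question above is exactly the kind of check worth automating. The script below is an added example, not from the original article; it assumes a simple one-line-per-login log format (constructed here, adapt the regular expression to whatever your VPN or domain controller actually writes), flags successful logins outside business hours or on weekends, and counts failed attempts per account so a password-guessing run against one user stands out.

```python
"""Off-hours and brute-force login review over constructed authentication
log lines. The line format is assumed; adjust LINE_RE for real logs."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format, e.g.:
# 2024-05-14T03:12:44 auth user=jsmith src=203.0.113.7 result=success
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

BUSINESS_START, BUSINESS_END = 7, 19   # 07:00-19:00 local time counts as normal
FAILURE_THRESHOLD = 5                  # failed logins per user before we alert


def parse(lines):
    """Yield a dict per well-formed line; skip anything that does not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def is_off_hours(ts):
    """True on weekends, or outside the business window on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def review(lines):
    """Return a sorted list of (user, reason) alerts for a human to follow up."""
    alerts = set()
    failures = defaultdict(int)
    for rec in parse(lines):
        if rec["result"] == "success" and is_off_hours(rec["ts"]):
            alerts.add((rec["user"],
                        f"off-hours login at {rec['ts'].isoformat()} from {rec['src']}"))
        elif rec["result"] == "failure":
            failures[rec["user"]] += 1
    for user, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            alerts.add((user, f"{n} failed logins"))
    return sorted(alerts)


# Constructed sample: 2024-05-14 is a Tuesday, 2024-05-18 a Saturday.
SAMPLE_LOG = [
    "2024-05-14T09:15:02 auth user=alice src=10.0.0.12 result=success",
    "2024-05-14T03:12:44 auth user=jsmith src=203.0.113.7 result=success",
    "2024-05-14T18:59:59 auth user=carol src=10.0.0.30 result=success",
    "2024-05-18T11:00:00 auth user=bob src=198.51.100.20 result=success",
    "2024-05-14T22:01:10 auth user=admin src=198.51.100.9 result=failure",
    "2024-05-14T22:01:13 auth user=admin src=198.51.100.9 result=failure",
    "2024-05-14T22:01:16 auth user=admin src=198.51.100.9 result=failure",
    "2024-05-14T22:01:19 auth user=admin src=198.51.100.9 result=failure",
    "2024-05-14T22:01:22 auth user=admin src=198.51.100.9 result=failure",
    "2024-05-14T22:01:25 auth user=admin src=198.51.100.9 result=failure",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for user, reason in review(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Alice and Carol log in during the working day and produce nothing; jsmith at 3 AM, bob on a Saturday, and six failures against the admin account each produce one alert. The thresholds are deliberately simple so that a small firm can run this nightly and hand the list to a person; the point is that the review happens at all.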
Good Policies (with teeth)
Implement written policies that describe and outline what you expect from your employees. You should have a policy for email usage, a general IT policy, an equipment policy, and an internet usage policy. You should outline how to protect the firm’s intellectual property and what you expect employees to do to keep it safe. Your policy should also describe what happens when the rules are not followed and there’s a problem. As I mentioned before – there should be penalties. Policies need to have teeth to be effective. Employees should know that they must follow the rules or bear the consequences.
Anti-virus / Anti-malware / System Patches / Updates
Finally, make sure that your systems are up to date with the latest security updates. Check your anti-virus and anti-malware software to make sure it is current and actually scanning. Change the default passwords on all hardware, including routers, switches, printers, and storage devices. Download and install all operating system security patches. If you are still using old software that is no longer supported or updated, you are at risk, because vulnerabilities found in it will never be fixed. Work with your vendor to get your software up to date.
If you don’t have a disaster recovery plan or IT security strategy, now’s the time to make it happen. If you need help protecting your firm from cyberattacks, Advance2000 can help.