Technology alone cannot make your business secure.

Implement our comprehensive Actions Checklist to protect & defend your business from a cyber breach.

Electronic & Paper Data Security
  • Implement a data security policy immediately.
  • Train your employees not to open suspicious emails.
  • Ask your IT professional to test employees with intentionally suspicious emails.
  • Use encrypted corporate email for all business correspondence.
  • Have physical safeguards on all portable equipment, like laptops, tablets and smart phones.
  • Schedule regular data backups.
  • Limit removable media like flash drives to trusted sources.
  • When retiring a computer, remove data and consider having a professional physically destroy hard drives.
  • Shred all paper that contains sensitive information.
Password Best Practices
  • Ensure passwords are a random combination of letters, numbers and symbols.
  • Passwords of at least 10 characters are exponentially more difficult to break.
  • Send monthly reminders to all users to change passwords.
  • Employees should not store personal or financial passwords in corporate password management software.
  • Enable two-step authentication for password changes and resets.
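The three password rules above (random characters from every class, at least 10 characters, and the "exponentially more difficult" claim) can be checked in a few lines of code. The block below is an added illustration and is not part of the original checklist: it generates passwords with Python's CSPRNG-backed `secrets` module, computes how the search space grows with length, and screens a candidate against a small constructed wordlist to catch the dictionary-based passwords the glossary warns about. The wordlist, the class names and the policy thresholds are all assumptions chosen for the example.

```python
import math
import secrets
import string

# Character classes the checklist calls for: letters, numbers and symbols.
LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = string.punctuation
ALPHABET = LETTERS + DIGITS + SYMBOLS  # 94 printable ASCII characters

# Constructed stand-in for a real cracking wordlist (assumption for this example).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "company", "letmein"}


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password of the given length.

    Each extra character multiplies the search space by alphabet_size, so the
    bits grow linearly and the attacker's work grows exponentially."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 12) -> str:
    """Uniformly random password with at least one letter, digit and symbol.

    Uses secrets.choice (cryptographically secure), never random.choice.
    Rejection sampling keeps the result uniform over the accepted set."""
    if length < 3:
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LETTERS for c in candidate)
                and any(c in DIGITS for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def check_policy(password: str, min_length: int = 10,
                 dictionary=SAMPLE_DICTIONARY) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c in LETTERS for c in password):
        problems.append("no letters")
    if not any(c in DIGITS for c in password):
        problems.append("no digits")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbols")
    # Strip digits/symbols so that "Password1!" is still recognised as "password",
    # the way a dictionary attack with simple mangling rules would find it.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in dictionary:
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for n in (8, 10, 12, 16):
        print(f"{n:2d} chars: {entropy_bits(n):5.1f} bits "
              f"({math.log2(94) ** 0:.0f}x{94}^{n} combinations)")
    sample = generate_password(12)
    print("generated:", sample, "violations:", check_policy(sample))
    print("'Password1!' violations:", check_policy("Password1!"))
```

Running the script shows roughly 52 bits for 8 characters and 65.5 bits for 10, i.e. each added character multiplies the attacker's search space by 94. Note that the dictionary check only matters for passwords people choose; passwords produced by `generate_password` pass it by construction, which is the reason the checklist asks for random rather than memorable passwords.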
Network Security
  • Work with your IT professional to implement secure internal network and cloud services and website security.
  • Secure and encrypt your company’s Wi-Fi and separate it from public Wi-Fi.
  • Update all software when recommended, including antivirus software and operating systems.
  • Ensure that any remote access allowed to your internal network is secured.
  • Set up a spam filter to help limit potentially malicious emails.
Contractual
  • Obtain proof of insurance for cyber liability insurance from relevant vendors.
  • Review vendor contracts with an attorney.
  • Use “hold harmless” wording in contracts.
Insurance
  • Discuss your data breach exposure with an insurance professional.
  • Consider Cyber-liability insurance for 1st and 3rd party coverage.
  • Select added insurance coverages for Business Interruption, Public Relations after a breach, Risk Management Services, Voluntary Credit Monitoring.
  • Consider Cyber-crime insurance for fraudulent theft of money, such as a bank account breach.

For assistance in crafting your cyber plan, visit https://www.fcc.gov/cyberplanner

Cyber Security Glossary:

Anti-Virus Software– Software designed to detect and potentially eliminate viruses before they have had a chance to wreak havoc within the system. Anti-virus software can also repair or quarantine files that have already been infected by virus activity.
Authentication– Confirming the correctness of the claimed identity of an individual user, machine, software component or any other entity.
Backup– File copies that are saved as protection against loss, damage or unavailability of the primary data. Saving methods include high-capacity tape, separate disk sub-systems or on the Internet. Off-site backup storage is ideal, sufficiently far away to reduce the risk of environmental damage such as flood, which might destroy both the primary and the backup if kept nearby.
Dictionary Attack– A password-cracking attack that tries all of the phrases or words in a dictionary.
Domain Hijacking– An attack in which an attacker takes over a domain by first blocking access to the domain’s DNS server and then putting his own server up in its place.
Encryption– A data security technique used to protect information from unauthorized inspection or alteration. Information is encoded so that it appears as a meaningless string of letters and symbols during delivery or transmission. Upon receipt, the information is decoded using an encryption key.
Firewall– A hardware or software link in a network that inspects all data packets coming and going from a computer, permitting only those that are authorized to reach the other side.
Keystroke Logger– A specific type of electronic infection that records victims’ keystrokes and sends them to an attacker. This can be done with either hardware or software.
Malware– A generic term for a number of different types of malicious code.
Man-In-the-Middle Attack– Posing as an online bank or merchant, a cyber-criminal allows a victim to sign in over a Secure Sockets Layer (SSL) connection. The attacker then logs onto the real server using the client’s information and steals credit card numbers.
Phishing– Soliciting private information from customers or members of a business, bank or other organization in an attempt to fool them into divulging confidential personal and financial information. People are lured into sharing user names, passwords, account information or credit card numbers, usually by an official-looking message in an email or a pop-up advertisement that urges them to act immediately, usually by clicking on a link provided.
Pharming– Redirecting visitors from a real website to a bogus one. A user enters what is believed to be a valid Web address and is unknowingly redirected to an illegitimate site that steals the user’s personal information. On the spoofed site, criminals may mimic real transactions and harvest private information unknowingly shared by users. With this, the attacker can then access the real website and conduct transactions using the credentials of a valid user.
Skimming– A high-tech method by which thieves capture your personal or account information from your credit card, driver’s license or even passport using an electronic device called a “skimmer.” Such devices can be purchased online for under $50. Your card is swiped through the skimmer and the information contained in the magnetic strip on the card is then read into and stored on the device or an attached computer. Skimming is predominantly a tactic used to perpetuate credit card fraud, but is also gaining in popularity amongst identity thieves.
Social Engineering– A euphemism for non-technical or low-technology means—such as lies, impersonation, tricks, bribes, blackmail and threats—used to attack information systems. Sometimes telemarketers or unethical employees employ such tactics.
Spoofing– Masquerading so that a trusted IP address is used instead of the true IP address. A technique used by hackers as a means of gaining access to a computer system.
Spyware– Software that uses your Internet connection to send personally identifiable information about you to a collecting device on the Internet. It is often packaged with software that you download voluntarily, so that even if you remove the downloaded program later, the spyware may remain.
Vishing– Soliciting private information from customers or members of a business, bank or other organization in an attempt to fool them into divulging confidential personal and financial information. People are lured into sharing user names, passwords, account information or credit card numbers, usually by an official-looking message in an email or a pop-up advertisement that urges them to act immediately—but in a vishing scam, they are urged to call the phone number provided rather than clicking on a link.
Worm– Originally an acronym for “Write once, read many times,” a type of electronic infection that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. Once this malicious software is on a computer, it scans the network for another machine with a specific security vulnerability. When it finds one, it exploits the weakness to copy itself to the new machine, and then the worm starts replicating from there, as well.

Source: National Institute of Standards and Technology:
http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf