Signed in as:
filler@godaddy.com
Cybersecurity is the practice of protecting computers and electronic communication
systems as well as the associated information. Protecting confidentiality, integrity, and availability are common security objectives for information systems. This forms the foundation for cybersecurity.
Background Information
Information Security
In the business world, there is a tendency to consider as assets of the company only tangible goods: equipment, machinery, servers, etc.
However, we must not forget that there are intangible assets such as client portfolio, rates, business knowledge, intellectual property, or reputation. All these elements are part of the information about a company and constitute important assets of an organization.
Consider, for example, rates the offers we present to our clients, which allow us to position ourselves in the market or against the competition, or in our strategic plans for the growth of our business.
Let's think about the consequences that would have the loss of accounting of the organization, the client portfolio,the confidential information we have about our clients as their accounts banking or intellectual property of our company.
All of these examples are part of our company's information, making it a vital asset that must be protected adequately.
This is what we know as information security.
Although technology is an indispensable element of any organization, it must be used in an adequate way to avoid risks in the management of information.
Therefore, it is extremely important that the necessary decisions and measures are taken before an information security incident/event occurs.
Medical Device Cybersecurity
Malicious Software (Malware)
Unauthorized software designed to cause harm
Malware is a blanket term for malicious software including viruses, spyware, trojans, and worms.
Disrupt. Damage. Deceive
... for profit.
Malware gains access to important information such as bank or credit card numbers and passwords. It can also take control or spy on a user’s computer. What criminals choose to do with this access and data includes:
- Theft
- Pranks
- Activism
- Espionage
- Other serious crimes.
Anyone, anywhere
Malware creators can be anywhere in the world.
They just need a computer, technical skills, and malicious intent. Criminals can easily access cheap tools to use malware against you. It is not personal – they are not targeting you specifically – it is just business
Protecting against malware
- Automatically update your operating system
- Automatically update your software applications
- Regularly back up your data
Ransomware
Certain malware that locks down your computer and files until a ransom is paid
Ransomware attacks are typically carried out via a malicious but legitimate-looking email link or attachment. When downloaded or opened, most ransomware encrypts a user’s files, then demands a ransom to restore access – typically payable using cryptocurrency, like Bitcoin.
Money
Ransom, an age-old and effective crime, is now being committed online. Ransomware offers cybercriminals a low-risk, high-reward income. It is easy to develop and distribute. Also in cybercriminals’ favor, most small businesses are unprepared to deal with ransomware attacks.
Anyone, anywhere - but small businesses are a target
Many small businesses are often less security conscious, are less likely to implement cybersecurity measures.
NEVER PAY A RANSOM
You are not guaranteed to regain access and may be vulnerable to a second attack.
Protecting against ransomware
- Automatically update your operating system
- Automatically update your software applications
- Regularly back up your data
Actions to be taken
Basic Actions to be taken
- Identify and record essential data for regular backups.
- Create a password policy.
- Decide what access controls your users need so they can access only the information and systems required for their job role.
- Switch on your Firewall.
- Install and turn on Anti-virus software.
- Block access to physical ports for staff who do not need them.
- Consider making a password manager available to your staff to secure their passwords.
- Ensure data is being backed up to a backup platform
- Set automated back-up periods relevant to the needs of the business.
- Switch on password protection for all available devices.
- Change default passwords on all internet-enabled devices as per the password policy.
- Install and turn on tracking applications for all available devices e.g. Find my iPhone.
- Enable two-factor authentication for all accounts.
- Apply restrictions to prevent users from downloading 3rd party apps.
- Install the latest software updates on all devices and switch on automatic updates with periodic checks.
- Ensure all applications on devices are up to date and automatic updates have been set to download as soon as they are released.
- Schedule regular manual checks on updates.
- Set up encryption on all office equipment.
Suggestions on HR Practices
Employee Awareness and Education are Critical!
It is common to hear that "the most important link in security is the employee", since avoiding human error could be the key to protecting your systems and information. It is important, in addition to carrying out the appropriate awareness and training to strengthen this link, to take security measures within the HR Department.
A great way to guarantee that you will have a responsible staff in terms of cybersecurity is to establish the appropriate filters, tests, and controls in the relationship with your contractors and employees, especially in the signing and termination phases of a contract:
· what requirements and agreements related to security they must know, accept and comply with;
· what internal policies should apply: use of corporate mail, classification of information, applications allowed, use of the workplace.;
· what training you are going to provide them; and
· what are the processes to register/cancel them in your systems.
Below are a series of controls to review compliance with the security policy in relation to the HR Department.
Contractual clauses -Reflect the most important aspects of cybersecurity in the employment contracts of your employees.
Confidentiality agreements - Specify in confidentiality agreements the way to manage access to the most sensitive information.
Cybersecurity training and awareness plan - Keep your staff aware and trained in aspects related to cybersecurity.
Acceptable Use Policy (AUP) - Inform your employees of the penalties for negligent use of your company information.
Contract/employment termination - communicate to your employees the obligations that they must fulfill with the information of your company at the end of their employment.
Authorized granting of access permits
You grant the appropriate permissions to ensure that each employee only accesses the appropriate information.
Revocation of access permissions - Eliminate the permissions and user accounts of employees who end their contracts.
Additional HELP - We are here to support you
Contingency and Business Continuity Planning
100% security does not exist.
Companies must be prepared to protect themselves and react to potential security incidents that could damage operational capacity or jeopardize business continuity.
They have to respond quickly and effectively to any serious contingency so that we can recover normal activity in a period of time so that our business is not compromised.
We can design a Business Contingency and Continuity Plan, where we will implement the mechanisms to be put in place in the event of a serious security incident. These mechanisms will help a company maintain the level of service within predefined limits, establish a minimum recovery period, recover the initial situation prior to the incident, analyze the results and reasons for the incident, and avoid the interruption of activities.
In the event of a disaster, having defined and being able to apply a Contingency and Business Continuity Plan will have a positive impact on your image and reputation, in addition to mitigating the financial impact and loss of critical information due to these incidents.
Companies must be prepared to prevent, protect themselves, and react to security incidents.
It is necessary to protect the main business processes through a set of tasks that allow the organization to recover after a serious incident in a period of time that does not compromise its continuity.
Cyber INCIDENT RESPONSE PLAN
If you have already created a Cyber Incident Response Plan, that is great, please make sure that you have included a step to contact and notify:
- Your FBI Field Office Cyber TaskForce www.fbi.gov/contact-us/field/field-offices immediately to report a cyber incident and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber crime.
- US-CERT www.us-cert.gov/ncas and FBI’s Internet Crime Complaint Center www.ic3.gov