Written by: USB Security Team
Union Savings Bank wants to help you keep your business and data safe. According to studies conducted by the Small Business Committee, 71 percent of cyberattacks occur at small businesses with fewer than 100 employees. You can help prevent cyberattacks from happening to your business by implementing the right policies and procedures and employee training.
As we wrap up our three-part blog series, Protecting Your Small Business from a Security Breach, we wanted to expand upon two key topics in security awareness: password maintenance and crisis communication plans.
How often should I change my password?
Password security is a subject of great discussion in the cyber security community. The traditional suggestion has been to change passwords often. This quickly leads to one of two problems: you may have to write the password down in order to remember it, or you may end up using an easy password. If you have to write it down somewhere, then there is a physical copy that may be easy to obtain. If your password is not complex enough, it may be easier for hackers to guess it.
Obviously, it is much more difficult to guess a complicated password, but most people do not want to memorize a long, complex password, especially if password security best practices means they must change it regularly. As a result, many people come up with systems to help them remember their new passwords. For example, you might include a date within your password that you simply update every time you have to change it. This pattern is easy for hackers to recognize, allowing them to predict upcoming passwords, which is worse than them knowing your current password.
So, what’s the solution to password security? Ideally, you should have a complex password that is encrypted and stored in a password vault. If a hacker were to find the encrypted password, all he or she would see is random letters, not the actual password. This password should be, at the very least, eight characters using upper case, lower case, numeric and special characters, but twenty-character passwords with the same requirements are much stronger. While this requires longer more complex, encrypted passwords, you can go for longer periods of time without changing them.
Additionally, to prevent a security breach, encourage users to generate a new password for each website or application. Many password vaults can create and store new complex passwords at the push of a button. This means if a hacker finds a password for one site or application, he or she cannot use that password to log into other websites using the same user ID.
Crises communication plan
It’s critical for your small business to have a plan for cyber security awareness that can address a potential breach both internally and externally.
As soon as you recognize the breach, contact law enforcement. Depending on the size and scope of the breach, you may also want to hire a cyber security team to investigate it. They can tell you how the hackers got in, how long they were there and what they stole. From this information, they can provide network security solutions for you to determine how to prevent future breaches and how to communicate this to your employees.
The next step in your small business crisis communication plan should focus on gathering information and notifying customers, but you need to use caution here to best protect your business’s reputation. You need to be timely, but you also need to give yourself enough time to gather the facts.
The timeline for notifying the customers whose data has been compromised is dictated by state law, and you will need to send a written notification that clearly explains the security breach, how it affected their personal data, how your company is working to resolve the issue and what actions customers can take.
As part of statute 36a-701b, amended in 2015, the state of Connecticut requires businesses to offer a minimum of one year of “appropriate identity theft prevention services and, if applicable, identity theft mitigation services” if customers’ Social Security numbers were compromised.
You may also need to file a notice with your state attorney general’s office depending on how many customers you must notify.
Honesty, as always, is the best policy with cyber security awareness. Once you start trying to cover things up, you risk your business’s hard-earned reputation and the possibility of negative news coverage.
As the world of cyber security continues to evolve and hackers continue to find new ways to get into businesses’ networks, it is necessary for small business owner to stay on top of these trends and continually work to improve their network security. By implementing company policies and procedures, employee training, following strong password protocol and knowing your state’s laws, you can protect your business and your customers from a security breach and minimize the impact of a breach should one occur.
Stay tuned for more business management tips by subscribing to our Business Blog.