Hardwood Floors February/March 2017

and shipping history. All of these data elements are some of your company’s highest valued assets and need protection, no matter the business size.

take advantage of to guard sensitive data and, with advances in technology over the past decade, these aren’t overly complicated. The first line of defense is always to stop things before they happen. These solutions include using a recognized anti-virus software package that includes frequent updates. Another guard that no business should be without is a firewall. Firewalls come in many varieties including both hardware and software solutions. Free and low-cost solutions exist for anti-virus and firewalls; however, this is not a place to look for a bargain – it’s the guard at the door.

Also recommended is a schedule for updating hardware and software. Each company has different needs, so no perfect timetable exists for this. At a minimum, update both hardware and software before they are no longer supported by the manufacturer. Also, apply security updates to all software regularly so your organization is safeguarded from known issues and compliance is maintained.

A well-thought-out backup system is your final protection and possible remedy to some of the challenges if your systems or data become compromised by theft or virus. In addition to a backup strategy, an incident response plan is a must. This plan details the individuals in the company responsible for each of the systems, processes and approvals necessary to respond to any incident. For small-business owners, this would simply be determining who to call in case of emergency whether that is an insurance agent, legal counsel, or a local information technology firm.

These points are the background for larger conversations with experts. Solutions should be tailored for each business. Since hackers do not discriminate, it is important for businesses of all sizes to discuss possible liabilities and risk tolerance with an insurance agent. Determine what policies and training to consider first. Collaborate with information technology professionals inside your company or, for small-business owners, a local information technology firm to determine improvements. Topics should include security controls, disaster recovery, business continuity and incident response plans.

Most importantly, understand that these conversations are important to have. Just like you can’t put the toothpaste back in the tube, once your data is released, the consequences can be devastating for your business. With proper training for prevention, employing a proactive mentality and making knowledgeable investments, risk can be significantly reduced.

WHAT NOW?

BUILDING A CULTURE OF SECURITY AWARENESS

With all this data hidden in systems and processes, you may be wondering how you can make an impact. Your first step is to determine the types of policies and education needed for your environment. Larger companies typically need to implement policies whereas small businesses may simply need education on the areas of concern. The Ponemon Institute, an independent research group on privacy, data protection and information security policy, confirms that training and awareness programs reduce data breach costs. Since data security can be a broad subject, focus on the following four key areas of awareness and development:

1. POLICY: Establish an acceptable use policy to protect company-owned equipment from being breached and misused. Additionally, if you allow employees to utilize their own devices including computers, phones and tablets, a Bring-Your-Own-Device (BYOD) policy is a must to ensure employees don’t unknowingly put data at risk.

2. PASSWORDS: Follow good password practices. Password hacking is a common problem, but also the easiest to fix. Strong passwords contain at least 12 characters and include a variety of text, numbers, and special characters. They should never contain personal information such as birth dates or a child’s name. Passwords should be updated at least every 90 days and be completely private to you. This means passwords should not be shared among systems, with others or written down.

3. SECURITY: Another easy solution is to lock all devices when you are away from them including cell phones, laptops and desktop computers. Having a strong password does not help if the device is not locked.

4. EDUCATION: Finally, educate employees on how to avoid phishing scams. Phishing scams are attempts by scammers to trick individuals into giving out personal information such as bank account numbers, passwords and credit card numbers. Be wary of emails from unfamiliar individuals that contain a strong sense of urgency or poor spelling and bad grammar. Employees should know not to open suspicious links in email, tweets, posts, online ads, messages or attachments, especially if they don’t recognize the sender as they can carry harmful viruses.

The National Cyber Security Alliance website, staysafeonline.org/business-safe-online, contains a variety of helpful resources on these and other topics.

IMPLEMENTING SECURITY CONTROLS

Jodi O’Toole is Director of IT and Web Development at the National Wood Flooring Association in St. Louis. She can be reached at jodi.otoole@nwfa.org.

There are also technical safeguards that any company should

the magazine of the national wood flooring association
