- Take advantage of all the marketing opportunities that the show planner offers. This may include access to an attendees list. If so, use this to send out a few introductory emails prior to the show including your booth number. Send one the day of the show reminding the reader where you are.
- Sponsorships are also an opportunity, if your budget allows it. This can be a small ad in the program or sponsoring an event or get-together during the conference. This is a bigger step and may be beyond the budget of an SMB.
- Social Media: Use social media to introduce yourself before the show. This means an active presence on Facebook, Twitter, and LinkedIn. Send a brief announcement of who you are and that you will be exhibiting at the show, and then a reminder the day of the show or the day before.
- Website and blog: Post an invitation to the show on your website and your blog. This should go up about one week prior to the event.
- Showing up in search rankings. If you want to be found in a search and appear high in the ranking, you need to have a “mobile optimized” site. Google has now included the failure to have a mobile optimized site as a specific reason to lower a website in its search rankings. If you don’t have a mobile optimized site, you slip lower in the ranking. Slip lower in the rankings and fewer people ever find you in a search.
- More search and web activity now occurs on mobile devices than on standard PCs and laptops. If you want attention, you need to be “mobile ready.” You can’t just write off those mobile users; there are too many of them.
- If your site is too difficult to use on a phone screen, the user is just going to jump to another vendor. There’s nothing else to say.
- Change Passwords – Most security experts recommend that companies change out all passwords every 30 to 90 days.
- Password Requirements – Should include a mix of upper- and lowercase letters, a number, and a symbol.
- Teach employees NOT to use standard dictionary words (in any language), or personal data that can be known or could be stolen: addresses, telephone numbers, SSNs, etc.
- Emphasize that employees should not access anything using another employee’s login. To save time or for convenience, employees may leave systems open and let others access them. This is usually done so one person doesn’t have to take the time to log out and the next doesn’t have to log back in. Make a policy regarding this and enforce it.
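As an added example (not code from the original post), a small Python checker that applies the password rules just listed: mixed case, a number and a symbol, no dictionary words, and no personal data such as addresses, telephone numbers or SSNs. The word list and the personal details are constructed samples, and a rotation check for the 30 to 90 day window mentioned above is included.

```python
import re
from datetime import date

# Constructed sample data (not from the original page): a tiny multi-language
# word list and the personal details an attacker could know or steal.
COMMON_WORDS = {"password", "welcome", "summer", "company", "contrasena", "passwort"}
PERSONAL_DATA = {"address": "42 Main St", "phone": "555-0123",
                 "ssn": "123-45-6789", "birth_year": "1980"}

def _alnum(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _digits(s):
    return re.sub(r"\D", "", s)

def check_password(pw, personal=PERSONAL_DATA, dictionary=COMMON_WORDS):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if not re.search(r"[a-z]", pw): problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw): problems.append("no uppercase letter")
    if not re.search(r"\d", pw): problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw): problems.append("no symbol")
    low = pw.lower()
    for word in sorted(dictionary):          # sorted so the report order is stable
        if word in low:
            problems.append(f"contains dictionary word '{word}'")
    # Personal data is compared with punctuation stripped, so "555-0123",
    # "5550123" and "555.0123" all match; short digit runs (e.g. a house
    # number) are ignored to avoid false positives.
    pw_alnum, pw_digits = _alnum(pw), _digits(pw)
    for label, value in personal.items():
        v_alnum, v_digits = _alnum(value), _digits(value)
        if v_alnum and v_alnum in pw_alnum:
            problems.append(f"contains {label}")
        elif len(v_digits) >= 4 and v_digits in pw_digits:
            problems.append(f"contains digits of {label}")
    return problems

def rotation_due(last_changed_iso, today_iso, max_age_days=90):
    """True when the password is older than the rotation window (30 to 90 days per the policy)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > max_age_days

if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "Welcome2024!", "Jane555-0123#A", "password"]:
        print(candidate, "->", check_password(candidate) or "OK")
    print("rotation due:", rotation_due("2024-01-01", "2024-04-15"))
```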
“You’re FIRED!” (now give me your password)
Losing an employee is not usually a good experience. If they leave voluntarily, you lose a valuable asset. If they have to be fired, you have the arduous task of the progressive discipline process and the final termination meeting. But there are other concerns that arise when an employee leaves. Those concerns are security and their access to company data.
- When you dismiss an employee, you should immediately change out all passwords for anything the employee had access to. Because almost all terminations should be planned, you should also define the process for canceling access. It is unwise to cancel prior to the termination meeting. If you do that, you create the potential for a confrontation when they arrive at work and find their passwords have been disabled. Instead, plan ahead and assign someone to disable their passwords during the time you are having the termination meeting. Before the meeting, be sure you have a list of all access cards, keys, etc. prepared so they can be cancelled before the employee leaves the building.
- Voluntary terminations - Different firms have different policies for handling resignations. Depending on the specific position, an employee may be permitted to continue working during their two-week notice period. In that case, you need to consider whether there is any possibility the employee might get up to no good during the final days. That is something only you can judge.
This all may seem a bit harsh, but things have changed. 30 years ago, for a disgruntled employee to steal files, they’d be carrying out large boxes of file folders. Now, not only can they empty the building onto a thumb drive, they can take nefarious action that wasn’t possible when data was stored on paper.
Defense in Depth Part II
In our last blog we started talking about the different layers of security necessary to fully defend your data and business integrity. Today we will look at the human aspect of it, and network defenses. The human layer refers to the activities that your employees perform. 95% of security incidents involve human error. Ashley Schwartau of The Security Awareness Company says the two biggest mistakes a company can make are “assuming their employees know internal security policies” and “assuming their employees care enough to follow policy”. Common attacks on the human layer include:
- Guessing or brute-force solving passwords
- Tricking employees to open compromised emails or visit compromised websites
- Tricking employees to divulge sensitive information
For the human layer, you need to:
- Enforce mandatory password changes every 30 to 60 days, or after you lose an employee
- Train your employees on best practices every 6 months
- Provide incentives for security-conscious behavior
- Distribute sensitive information on a need-to-know basis
- Require two or more individuals to sign off on any transfers of funds
- Watch for suspicious behavior
The network layer refers to software attacks delivered online. This is by far the most common vector for attacks, affecting 61% of businesses last year. There are many types of malware: some will spy on you, some will siphon off funds, some will lock away your files.
However, they are all transmitted in the same way:
- Spam emails or compromised sites
- “Drive by” downloads, etc.
To protect against malware:
- Don’t use business devices on an unsecured network.
- Don’t allow foreign devices to access your wifi network.
- Use firewalls to protect your network
- Make sure your Wi-Fi network is encrypted.
- Use antivirus software and keep it updated. Although it is not the be-all and end-all of security, it will protect you from the most common viruses and help you to notice irregularities.
- Use programs that detect suspicious software behavior
The mobile layer refers to the mobile devices used by you and your employees. Security consciousness for mobile devices often lags behind consciousness about security on other platforms, which is why there are 11.6 million infected devices at any given moment.
There are several common vectors for compromising mobile devices:
- Traditional malware
- Malicious apps
- Network threats
To protect your mobile devices you can:
- Use secure passwords
- Use encryption
- Use reputable security apps
- Enable remote wipe options.
- Last year 60% of California businesses reported a stolen smartphone and 43% reported losing a tablet with sensitive information.
- The breaches perpetrated by Chelsea Manning and Edward Snowden occurred because they were able to access devices with sensitive information.
- For example, CompTIA left 200 USB devices in various public spaces across the country to see if people would pick up a strange device and insert it into their work or personal computers. 17% fell for it.
- Keep all computers and devices under the supervision of an employee or locked away at all times.
- Only let authorized employees use your devices
- Do not plug in any unknown USB devices.
- Destroy obsolete hard drives before throwing them out
Phishing Scams – A People Problem
There are some things that only people can fix. There are many security risks to which your data is susceptible, but there is one method that remains a wonderfully effective hacking tool. That is the phishing scam. This is a legitimate looking email that asks the reader to click on a link. If clicked, the link can infect the user’s computer with malicious software that can steal passwords, logins, and other critical data. Alternatively, the email appears to be from a legitimate source, perhaps even duplicating a legitimate webpage. The distinction is that the phishing email asks the user to enter personal information, including passcodes. In either case, that is how hackers easily get into your systems.
Hearing “all of your confidential information is extremely vulnerable, we know this because…” is bad news, but whatever follows the ellipsis determines just how bad. Consider two scenarios.
- “All of your confidential information is extremely vulnerable… we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware.”
- “All of your confidential information is extremely vulnerable… we know this because we did a vulnerability scan of your network, and have some suggestions on how you can improve.” 61% of small businesses are victimized by cyber attacks each year, and one in five victims do not survive. It is financially worthwhile to make sure that you end up being the person hearing the latter sentence.
- Added new network infrastructure or applications
- Made significant upgrades or modifications to infrastructure or applications
- Established new office locations
- Applied a security patch
- Modified end user policies