10 steps every business owner should take
June 14, 2018
David Damiani, CFA
Chief Financial Officer, Balentine
During the first quarter of 2018, almost 1.4 billion records were exposed in 686 reported security breaches. Believe it or not, that’s actually good news; in fact, it was the quietest first quarter for breach activity since 2012. Last year was by far the most devastating, including the Equifax data breach, tax phishing attempts, and global ransomware attacks like WannaCry. In 2017 alone, 1,442 incidents exposed 3.4 billion records.
What does this mean? Are cyber criminals slowing down or are companies getting smarter? Despite the promising Q1 numbers, cybersecurity remains an ever-present threat that can bring a company—or city government, as we saw firsthand in Atlanta—to its knees.
As a fiduciary, Balentine is charged with executing on the highest standard of care for our clients. In today’s information-overloaded world, we believe that extends beyond investments and wealth management to the security and protection of our clients’ personal information. As a member of Vistage and the CFO Leadership Council, I talk daily with other entrepreneurs about these risks and how devastating a breach could be to both our clients and our business. Balentine has taken many proactive measures to maintain our data integrity now and in the future. While by no means exhaustive, below is a list of 10 steps business owners should consider implementing to protect their clients’ data:
- Hire an expert. Several years ago, Balentine undertook an exhaustive RFP process to find a technology partner with expertise in cybersecurity. Our security/technology partner stays up-to-date on all the latest security news and has the tools and software needed to protect our clients.
- Provide ongoing security awareness training for staff. Study after study has shown that the biggest security vulnerability for companies is their own employees. A mistake as seemingly minor as clicking on a hyperlink in an email from someone you don’t know can end up costing a company big time! We mandate annual security training for our staff and provide timely weekly resources with best practices.
- Enact minimum password requirements. Despite all the warnings, the most common passwords in 2017 were still 123456, Password, 12345678, and qwerty. Having minimum password requirements and forcing password updates on a regular basis help mitigate one of the most basic ways in which a breach occurs. Also mandate automatic sleep mode on machines to ensure that data isn’t left in the open during lunch breaks or extended time away from one’s desk.
- Maintain updated systems. Few things slow down a company more than mandated computer updates. As a fellow business owner, I get it. Sometimes systems don’t synch right, someone’s settings get messed up, and everyone gets mad. However, keeping systems updated with the latest malware protection is a crucial step in staying ahead in the cybersecurity game. In addition, have Microsoft (or whatever operating system you use) run automatic updates. Despite the gripes you may receive from employees, these updates are necessary to ensure any bugs or vulnerabilities are addressed before it’s too late.
- Enable hard drive encryption. The encryption program Balentine uses encrypts the entire hard drive of an individual’s computer. It also helps protect against unauthorized changes to the overall system, such as firmware-level malware. This helps mitigate the idea that we’re only as strong as our weakest link by attempting to prevent firm-wide devastation in case of an individual breach.
- Require mobile device management. From CEOs to administrators, it’s rare these days to find an individual who doesn’t have work email synched to his/her smartphone. After all, we live in a mobile, 24/7 workforce. While mobile email access allows for greater flexibility, it also creates greater risk. Balentine requires anyone who accesses firm information on his/her phone to have mobile device management installed. In case of a lost or stolen phone, our third-party technology firm can remotely wipe a device of all work-related information. They can also wipe an entire device. This is an added benefit for employees who have all their personal information (from credit cards to phone numbers) stored on their devices.
- Install hardware firewalls with intrusion prevention. Balentine’s firewall thwarts more than 100 attack attempts! Intrusion prevention is a preemptive approach to network security used to identify potential threats and respond swiftly to them. An intrusion prevention system (IPS) monitors network traffic and has the ability to take immediate action, based on a set of rules established by the network administrator.
- Undergo routine network penetration testing. You may never know just how strong—or weak—your system is until it’s breached. Routine penetration testing is a good way to test both your systems and employees to identify and repair potential areas of weakness before a real attack occurs.
- Perform annual security risk assessments. The cybersecurity landscape is constantly evolving, and your approach to cybersecurity should, as well. Yearly risk assessments will help your company stay ahead of the curve.
- “If you see something, say something.” In today’s fast-paced work environment, it’s more important than ever for employees to slow down and stay aware. It’s also a good idea to have an anonymous way for your staff to report any suspicious or worrisome activities.
These are just some of the steps Balentine is taking to preserve the integrity of our network and data. Fellow business owners can take these principles and apply them to their businesses, as well. We’ve worked diligently and invested the necessary time and resources to ensure a secured network environment. Though 2018 is thus far trending more positively in regard to data breaches, we know it can all change in just a click of a mouse. Balentine is committed to staying proactive in the face of cybersecurity threats so that our clients can remain confident in us as their partner.
Source: Infosecurity Magazine