Editor’s note: Wired for Safety is a column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer College. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a first-year doctoral student at Northeastern University. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.

I have been saying you need to implement the best-practice security guidelines, but you are asking, “What do I need to do?”

First, be sure all your computers have the latest updates. This cannot be overstated.

However, you have to know what third-party software is installed. A third-party program is one not provided by your vendor’s software manager. For example, Adobe Reader, Java, Adobe Flash, WinZip, etc., aren’t updated when you perform Microsoft updates. (Ask your tech person if the Oracle version of Java is installed; if so, that one needs to be updated separately.) For home Windows users, Flexera Personal Software Inspector does an awesome job at keeping the third-party software updated.

For small businesses and nonprofits, it may be worth it to purchase a commercial tool such as Ninite.

Second, you need to keep backups of your computer systems. Be sure you use some cloud service like SpiderOak or an external drive that gets taken off-site. In case of a natural disaster, theft or property damage, you’ll be able to resume your business operations fairly quickly with recent data.

If you have an external drive plugged into your computer, then ensure both are plugged into a surge protector.

If you are not sure all this is important, think about how much information you’d lose if all your computers at your place of business crashed and became unusable. Then think of how long it would take to get that information back to the same state before you lost it — employee records, inventory, payroll, accounting, customer contact information, emails, historical state and federal documents, legal contracts, client notes or your document archives.

SpiderOak is unique because your data is encrypted (unreadable without a password) before being stored on the company’s servers. Just don’t forget your password, because SpiderOak can’t help you.

One note about backup services involves the concept of syncing. This occurs when you make a change to a file on your local computer and it is updated automatically on the backup source. If your computer becomes infected with a virus like ransomware that encrypts your data, syncing could enable the virus to affect the backup copy as well. When a file is encrypted, the syncing software will detect that change and send the ransomware-encrypted file to the backup. That makes your backup files unusable too (unless you pay the ransom).

For this reason, a service like SpiderOak that allows you to restore older versions of files is ideal. The other option is to forgo syncing but perform backups on a nightly basis. The nightly backup is different because it is a new copy of all documents you specify each time the backup routine runs. This allows you to recover from a ransomware attack without having to pay the very high fees to get your files back.

Also, determine if your cloud provider helps protect against ransomware attacks with its backup solutions.

Finally, periodically restore some files from your external backup source to ensure those can still be read — please! The files can be copied to a temporary location, then opened and deleted once you have verified those are still readable.
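
For readers with a tech person on hand, the restore check above can be scripted. The following is an added example, not part of the original column: it assumes the backup is a plain folder on the external drive, and the manifest file name and function names are made up for illustration. It goes one step past "can the file be opened" by comparing each restored copy with a fingerprint recorded when the backup was made, so a file that was silently altered (for instance, encrypted by ransomware and then synced) is flagged.

```python
import hashlib, json, random, shutil, tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical file name, kept inside the backup folder

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir):
    """Run right after a backup: record a SHA-256 fingerprint for every file in it."""
    root = Path(backup_dir)
    hashes = {p.relative_to(root).as_posix(): sha256(p)
              for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}
    (root / MANIFEST).write_text(json.dumps(hashes, indent=1))
    return hashes

def restore_test(backup_dir, sample_size=5, seed=None):
    """Restore a random sample to a temporary folder, verify it, then delete it."""
    root = Path(backup_dir)
    expected = json.loads((root / MANIFEST).read_text())
    names = random.Random(seed).sample(sorted(expected), min(sample_size, len(expected)))
    results = {}
    with tempfile.TemporaryDirectory(prefix="restore-test-") as tmp:
        for name in names:
            restored = Path(tmp) / name
            restored.parent.mkdir(parents=True, exist_ok=True)
            try:
                shutil.copy2(root / name, restored)  # the "restore" step
                ok = sha256(restored) == expected[name]
                results[name] = "OK" if ok else "CHANGED"
            except FileNotFoundError:
                results[name] = "MISSING"
            except OSError as err:
                results[name] = f"UNREADABLE ({err.strerror})"
    return results  # the temporary copies are deleted when the with-block exits

if __name__ == "__main__":
    import sys
    for name, status in restore_test(sys.argv[1]).items():
        print(f"{status:10} {name}")
```

Any result other than OK means that file could not be restored as it was backed up, and the backup drive or routine needs attention before you have to rely on it.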

Third, if you use a point-of-sale system attached to a computer, don’t allow web surfing or emailing on that computer. Same for computers that have your QuickBooks or other financial software. If you are a mental health counselor, for example, and save notes about clients on a computer, I’d recommend that PC be used only for that purpose. It is worth the investment to purchase a new or used Chromebook or another PC for your day-to-day web surfing and emailing. Basically, use a separate computer from the one that has your sensitive data on it. And don’t forget to back up that sensitive information.

These are three major keys to protecting your data. In another column, I’ll look at other minimum security controls to implement.
