There is an interesting article on NOLA.com today that paints a grim picture about your data finding its way onto the dark web. “While it’s true that there’s little you can do to prevent your personal data from ending on the dark web or remove it, once it’s there you can limit the damage, investigators said.”
While I agree that there is nothing you or I can do about a third-party website losing our information, there is plenty we can do to protect ourselves and our employees.
First and foremost is password management. Do not use the same password, or a variation of the same password, for multiple sites. Keeping track of all those passwords can be daunting, so use a password manager to safely store them. I use the open-source password manager KeePass for my personal passwords, but I have recommended LastPass to friends and family (I have no affiliation with either of these products other than I use them). For work passwords I take it a step further and use a password platform that protects everything with two-factor authentication.
If two-factor authentication is available, use it. I can’t stress that enough, especially for anything involving money or communication. It can really save your bacon should you fall victim to a phishing attack.
While on the subject of phishing attacks, DNS filtering is often overlooked by small businesses. Using a filter that can block access to domains that are less than 30 days old will go a long way toward blocking a common phishing tactic. Often the attacker will register a domain that looks similar to a real company’s and then start sending out the phishing emails. All of this takes place over a short period of time. If newly registered domains are blocked, this can prevent you from falling victim to a good portion of them.
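As an added example (not code from the original post), here is the "block domains under 30 days old" rule written out as a small policy check in Python. The registration dates, the fixed "today" and the lookup table are all constructed; the table stands in for the WHOIS/RDAP query a real DNS filter would make, and treating a domain with no known registration date as blocked is an assumed fail-closed policy choice.

```python
from datetime import datetime, timezone

# Fixed "today" so the example is reproducible offline (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed registration data keyed by registered domain. A real filter
# would fetch the creation date from WHOIS/RDAP or a threat-intel feed.
REGISTRATIONS = {
    "example.com": datetime(1995, 8, 14, tzinfo=timezone.utc),        # long-established
    "examp1e-login.com": datetime(2024, 5, 20, tzinfo=timezone.utc),  # 12 days old lookalike
    "invoice-portal.net": datetime(2024, 5, 2, tzinfo=timezone.utc),  # exactly 30 days old
    "brand-new-support.org": None,                                    # registrar returned no date
}

def registered_domain(hostname: str) -> str:
    """Collapse a hostname (e.g. www.example.com) to its registered domain.
    Assumption: a simple two-label rule; production code would consult the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()

def domain_age_days(hostname, now=NOW, registrations=REGISTRATIONS):
    """Age of the registered domain in whole days, or None if unknown."""
    created = registrations.get(registered_domain(hostname))
    if created is None:
        return None
    return (now - created).days

def decide(hostname, max_age_days=30, now=NOW, registrations=REGISTRATIONS):
    """Return 'block' or 'allow' for a DNS lookup under the newly-registered-
    domain policy. Unknown age fails closed (assumed policy, see lead-in)."""
    age = domain_age_days(hostname, now, registrations)
    if age is None or age < max_age_days:
        return "block"
    return "allow"

def evaluate(hostnames, **policy):
    """Apply the policy to a batch of hostnames, e.g. from a DNS query log."""
    return {h: decide(h, **policy) for h in hostnames}

if __name__ == "__main__":
    sample = ["www.example.com", "examp1e-login.com",
              "invoice-portal.net", "mail.brand-new-support.org"]
    for host, verdict in evaluate(sample).items():
        print(f"{verdict:5}  {host}  (age={domain_age_days(host)})")
```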
Email filtering with advanced protections is a must. Often, when an account is compromised, the attacker will send an email to everyone in the address book, frequently containing a link to a virus-infected file or website. Because the email came from someone you know and possibly trust, it claims a higher rate of victims. Advanced Threat Protection will rewrite the link so that it goes through additional virus scanning before being opened, even if the message sits in your inbox for some time. Some filtering services take it a step further and virtually click all the links, checking the files and websites in a “sandbox” to observe whether anything behaves in a way that indicates it may be a virus.
Keep your computers up to date on security patches. From time to time a patch will break something, but the good far outweighs the bad.
Train your users. This option is usually pretty cheap and pays dividends in preventing issues that cause downtime and lost productivity.
Lastly, understand that you are responsible for the information that your customers entrust to you. You can (and should) demand that your employees do not use work computers and networks for personal use. Create a separate wireless network for personal phones and devices, kept apart from the data you are protecting. Insist that employees do not plug their personal computers into the same network as your customer data unless those machines have up-to-date patches and antivirus software installed, along with other common-sense measures like that. Everything here is something you can do yourself to protect your business. If you are already doing all this, you can look your customers in the eye and let them know you are doing everything reasonable to protect their data. If you have any questions about implementing the items noted here, feel free to reach out.