A Cybersecurity Checklist for Entrepreneurs

By: Christian Wolgemuth

Entrepreneurs are people who like to get things done, and checklists are a great tool for accomplishing tasks and reaching milestones. A business plan is just another form of a checklist. “Identify your target market, secure financing, hire employees,” etc. These are all items you would expect to see on a checklist for starting a business. An item that must be included in any startup business plan, and which deserves a checklist of its own, is cybersecurity. The following checklist should serve as a guide for entrepreneurs trying to navigate the world of cybersecurity concerns while starting a business.

Use strong passwords

Passwords protect sensitive information from unauthorized access, and a weak password is like leaving the front door unlocked. Default passwords on every device and account must be changed, and passwords must be long and unpredictable enough that they cannot be guessed or cracked. This applies to administrative accounts as well as personal ones, and no password should be reused across accounts: a single breached website otherwise hands the attacker a working password for every other service where it was reused. Passwords should not be written down on paper or kept in unencrypted files. The best practice is to use password management software, or a password “vault,” that stores passwords in encrypted form. A vault can also generate a long random password for each account, so complexity and uniqueness requirements are met automatically, and many vaults will flag passwords that are weak, reused, or known to have been exposed in a breach. Change a password when there is reason to believe it has been compromised, rather than on a fixed schedule that only encourages predictable variations.

Practice good email hygiene

Many highly publicized data breaches began with a phishing email. Never open attachments or click on links in email from someone you do not know, and be cautious even when you do: hover over a link to see where it actually points before clicking, and scan attachments with antivirus software or open them in a sandboxed viewer whenever you can.

Also, never send sensitive information to an unfamiliar party via email. Scammers and hackers can spoof the sender address of an email so that it appears to come from someone else, and they can also take over a legitimate mailbox outright, so a familiar name is not proof of authenticity. Be alert and skeptical of any email that seems out of place, especially one that creates urgency or asks for a payment, a change in bank account details, or login credentials. If you receive such an email from someone you have done business with, call them to confirm it before replying with any sensitive information, and use a phone number you already have on file rather than one supplied in the email itself.

Enable strong network security

Every connected device is a possible entry point into your network and to your sensitive information, so the business needs to know what those devices are and keep each one secure to protect the whole network. Whoever handles IT, whether a dedicated employee or the general manager, should take an inventory of every electronic device in use by the company and keep it current as devices are added and retired. Every one of those computers and devices should sit behind the network firewall and receive security updates promptly, and communication between them should be encrypted. When using mobile devices outside of the office, connect through a VPN before reaching the internet or company resources; mobile devices should never be used on unsecured public wi-fi without one. Once these basics are in place, companies should consider having an outside security firm conduct a penetration test to find the gaps that remain.

Know where you are “doing business”

Different jurisdictions have different legal rules and requirements. This means that businesses must pay very close attention to where they are “doing business.” Even the phrase “doing business” can mean something different in different states. Generally speaking, if you have an office, have customers, or advertise your products or services in a state, you are likely “doing business” in that state. If you are doing business in a state, then you must be aware of and comply with that state’s laws governing data collection, data processing, and data breach notification.

Know your industry-specific rules

Certain industries have specific laws for how data can be collected, processed, and shared. The most obvious example is the healthcare industry and the Health Insurance Portability and Accountability Act (“HIPAA”). The finance and automotive sectors are also examples of industries with specific rules. Every business should look into whether there are specific rules that apply to it, and what the requirements are for compliance. For example, any business that accepts credit card payments will need to comply with the Payment Card Industry Data Security Standard (“PCI DSS”).

Take an inventory of data being collected, and only collect the minimum necessary data

Legislation like the EU’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) restricts how businesses collect and use consumer data. As a general practice, businesses should be aware of and deliberate about the specific data they collect about consumers, and should collect no more data than is necessary for their specific business purposes. Not only is this necessary for complying with legislation, but data you never collected cannot be stolen, so minimization also limits the damage and liability if and when a data breach occurs.

Only allow the minimum access necessary

Just as a business should collect only the minimum data necessary, employees should be allowed to access only the minimum data necessary to fulfill their job responsibilities. With a data inventory complete, each job role should be granted access only to the data that role requires, and that access should be reviewed and adjusted when people change roles or leave the company.

Have policies and plans in place

Businesses must have written policies in place. This includes public-facing policies, like a privacy policy and data use policy, as well as internal policies governing the responsibilities and obligations of employees. All written policies must be kept up to date, disseminated to all employees, and strictly followed. If a situation arises where you think you may need to deviate from your policy, you should carefully analyze whether it is your policy or your business practice that needs to be adjusted.

Businesses should also have plans in place to respond to both routine and emergency situations. This includes regular activities like conducting system maintenance and updates, as well as disaster recovery, business continuity, and data breach response plans, all of which should be exercised periodically so that they work when they are needed.

Training and the human element

All of the items previously discussed are only effective if entrepreneurs and their employees actually take them seriously. Employees must be trained in how to keep themselves, the business, and the business’s customers safe from cybersecurity risks, and that training should be tailored to the particular business, job position, and industry. Finally, cybersecurity must be a priority at the individual level, and finding ways to achieve employee “buy-in” is the best way to keep a business safe from cybersecurity threats.


Christian Wolgemuth is, at the time of this post, a third-year law student at Penn State’s Dickinson School of Law. Prior to law school, he spent five years as a cybersecurity consultant for both Accenture and Deloitte. Wolgemuth served both private sector and government agency clients all over the country, helping to design cybersecurity systems used by millions of customers worldwide. As a law student, he has interned with the Pennsylvania Office of Attorney General in the Bureau of Consumer Protection working on data breach and privacy infringement litigation. After law school, he will work in the litigation group of a private law firm in Harrisburg, helping clients navigate the continuously changing world of cybersecurity and privacy law.

Photo Sources:

https://www.google.com/url?sa=i&source=images&cd=&ved=2ahUKEwjggZ_L59bmAhUtT98KHR7XCZQQjRx6BAgBEAQ&url=https%3A%2F%2Fechalliance.com%2Fcybersecurity-is-forcing-a-rethink-of-strategic-autonomy%2F&psig=AOvVaw2bw7XpykUzGw5aDpZPvBIy&ust=1577569664547131

https://www.google.com/url?sa=i&source=images&cd=&ved=2ahUKEwiLj4T_6dbmAhUtc98KHdPxA38QjRx6BAgBEAQ&url=https%3A%2F%2Fwww.iconfinder.com%2Ficons%2F688373%2Fcheckbox_checklist_checkmarks_list_icon&psig=AOvVaw2cF_QVOPihmS53z7WBk-GG&ust=1577570436851381

https://www.google.com/url?sa=i&source=images&cd=&ved=2ahUKEwjEjPe0ldzmAhWLZd8KHS4qAacQjRx6BAgBEAQ&url=https%3A%2F%2Fwww.flickr.com%2Fphotos%2F140988606%40N08%2F27891579948&psig=AOvVaw3h68uVDo8lDJDxGuhKQQ0X&ust=1577753860544116


Author: Prof Prince

Professor Samantha Prince is an Associate Professor of Lawyering Skills and Entrepreneurship at Penn State Dickinson Law. She has a Master of Laws in Taxation from Georgetown University Law Center, and was a partner in a regional law firm where she handled transactional matters that ranged from an initial public offering to regular representation of a publicly-traded company. Most of her clients were small to medium sized businesses and entrepreneurs, including start-ups. An expert in entrepreneurship law, she established the Penn State Dickinson Law entrepreneurship program, is an advisor for the Entrepreneurship Law Certificate that is available to students, and is the founder and moderator of the Inside Entrepreneurship Law blog.