Why is Cyber Security so important to me as a taxpayer?

The Forde Firm

What can I do to protect my information?

Sadly, identity theft and cyber security losses are still on the rise. The IRS tried to implement face recognition software, but many complaints from individuals and the media changed those plans. While I don’t know if the IRS is the right organization to implement and control this type of software, we do need to do more to protect our information. This can affect you both as an individual and as a business. Here are some tips gathered from experts on how to protect your information.

A first step is to ensure that your computer and phone are up to date. The security updates, patches and fixes are critical to staying safe. Never send information of a sensitive nature in an unsecured e-mail. Even if the e-mail gets to the correct recipient, it can be hacked or intercepted. While it can be inconvenient, it is better to send tax documents, pay stubs and identifying information via a secure system. For a business entity, make sure you are protecting your employees’ Social Security numbers when sending payroll reports, and your banking information when sending statements and other information. Remember, two critical pieces of information are already printed on every check you cut. If you are at substantial risk, we recommend having limited funds in your account and funding it as checks are cut. Most business bank accounts offer positive-pay and other security measures.

Use multifactor authentication, which requires two or more pieces of evidence (factors) to access a system, wherever possible, especially when the data being accessed is extremely sensitive. Also known as 2FA, this process ensures that a simple hack of, say, your phone number or your email will not be sufficient to gain access to your information. We use 2FA when accessing data in tax software and audit software to help reduce the likelihood of a breach.

Ransomware is less likely to affect an individual; however, small businesses are generally easier targets. Consult with an IT professional. Some steps you can take initially are to make sure you have an automatic, daily backup. You should have an offline backup that allows you to restore data and systems in the event of an attack. Test your backup restoration to ensure it will work if needed.

Encrypt mobile devices, such as laptops, tablets, and cellphones, as they are easy targets for theft or loss. Enable remote disabling and wiping to remove sensitive data if the device is lost or stolen. The thought of wiping my phone is terrifying; however, it would be better than having all my information accessible to a thief. Face and fingerprint recognition are also helpful. While Hollywood has dramatized gruesome methods of accessing the data, it isn’t very likely to happen.

Apply the principle of least privilege and limit access to sensitive data on a need-to-know basis. Limit administrator privileges to trusted IT staff and key personnel. Perform routine access reviews to ensure that access remains appropriate. If you store your passwords somewhere, make sure that location is kept secure. It is recommended to avoid using the email address autofill function and/or to implement a “delayed send/confirm” function to potentially catch a misdirected email before it is sent. This can be difficult in daily practice, but there are significant benefits to slowing the email process down.

Phishing is one of the most common entry points for cybercriminals. If you don’t recognize it or if you weren’t expecting it, don’t click it! If you get an email from a contact that seems unusual, call them to verify before opening it or any attachments. This is especially true with money, bill pay and fund transfer requests. Never assume that an email request is legitimate, regardless of the sender, amount, or tone. There are generally clues within the email or email address; however, it is better to call and verify than risk a loss.

Training is one of the keys to successfully managing data security risk. Set the tone from the top and remind all company personnel of the significant impact that a cyber incident can have on the company and, therefore, of the need for sustained vigilance by all. Have a clear “think before you react” policy and train personnel on how to respond to potential threats.
