In the first part of this series we discussed the factors that are currently driving increased information security concerns for the cooperative and condominium industry and the initial steps you should take to improve your information security stance. In this part, we will be working our way through some of the specific protections that can be put in place and the tradeoffs involved.
Like any good protection plan, your information security should be built on several layers to provide defense in depth. Most of us would never think of running our workstations or laptops without some sort of antivirus protection, and most of us are also aware that if we’re going to connect to our corporate systems from our workstations or laptops when we are away from the office, we should be using a virtual private network (VPN) to ensure those connections are encrypted and secure.
What many people do not know is that the same comments apply to all your other software, including operating systems, word processing, spreadsheets, presentations, email, and industry-specific applications such as accounting, property management, etc.
There is a reason regulatory agencies ask about software maintenance agreements – software that is not updated on a regular basis can turn into a giant security hole almost overnight. This means that unless you have a specific piece of specialized software that presents compatibility issues, all of your workstations and servers should be set to automatically update operating systems (Windows, MacOS, etc.), application software (Office, Outlook, Access, SQL Server, Adobe, etc.), and browsers (Microsoft Edge, Google Chrome, Firefox, Safari, etc.).
You must also be mindful of when software is approaching the end of its support lifecycle – vendors do not support old software forever. Doing all of this ensures you are always running the latest version of your software and leveraging the expertise and continuing investments of the large technology companies to protect your systems and data.
Pay a little extra attention to security measures when selecting online services for your business. For many services, an evaluation of the impact of a security breach would most likely indicate minor consequences; however, you need to be mindful of what data you expose to these services. It’s one thing to buy your office supplies from just about anywhere; it’s quite another to use an online payment service for sending and/or receiving payments – payment services will of necessity have names, addresses, phone numbers, email addresses, taxpayer ID numbers in many cases, and, of course, banking information (lots of personal identifying information [PII] all in one place). So do your research, ask current and prospective online vendors appropriate security questions, and choose wisely.
With all of this to consider, many people struggle to figure out how to get it done in a competent, cost-effective manner. Most of us have plenty on our plates just getting our work completed, so unless your enterprise is large enough to have at least several full-time information technology staff members, you are probably not prepared to do all this yourself.
Therefore, most small businesses should outsource most of their IT work, including desktop support, server, and application support, as well as software support and security. If you’re still running your own physical servers and/or a physical phone system, that’s most likely going to come to an end sometime soon as well.
We recommend one-stop shopping for all of these services – servers in the cloud, cloud-based phones and productivity software, and, of course, security services. In effect, your IT vendor becomes your IT department. In the end, they’re better at it and less expensive than doing it yourself.
Finally, a word about cyber insurance. Of course you need it – a single data breach may expose you to hundreds of thousands or even millions of dollars of damages. So you must first assess your exposure, just like any other insurable risk. Suppose, in the nightmare scenario, your system contains sufficient identifying information on a high net worth individual to enable identity theft. Then you suffer a data breach and the hacker uses that data to steal significant amounts from that individual. Your company could be held liable for the financial loss for not appropriately safeguarding that data.
Make sure any cyber insurance policy protects against this type of exposure. Many policies only provide for repairing the breach, recovering data, and minimal amounts of credit watch services for customers and vendors whose data has been stolen. Further, any cyber insurance company is going to look closely at what security features you have in place and properly functioning when assessing any losses.
In the next part of this series we will dive further into specific protections that can be put in place to protect the cooperative and condominium industry, and the tradeoffs involved.