Cybersecurity Strategies for the Promo Industry

ASI’s new CTO Dave Lakshmanan and VP of Infrastructure Services Seth Kusiak offer advice for keeping your company’s data safe.

Over the past year, several industry firms have been victims of data breaches, underscoring the importance of strong cybersecurity practices. Below are tips that promo firms of all sizes can use to shore up their networks.

[At left] Seth Kusiak, VP of Infrastructure Services at ASI; [At right] Dave Lakshmanan, CTO of ASI

Counselor: What are some basic data protections promo firms should put in place?
DL: If you’ve collected customers’ information, such as email addresses and credit card information, make sure to save it in a place only you have access to. Password-protect the files and computers that contain sensitive information. Make certain the passwords are complex and changed periodically. If an employee leaves a company, terminate their access and change passwords for the systems they had access to. If you have a website, you must at least use Secure Sockets Layer (SSL), which encrypts the data so sensitive information shared with that site is private. Websites with SSL are indicated with “https” at the beginning of the URL. Also, have the most up-to-date anti-virus software and firewalls, and require multiple security challenges to get access to sensitive information.
SK: I’d add that it’s important to disable macros in Microsoft Office as well. Many security incidents are a result of someone opening and executing malicious macros contained in Office documents. If you’re not using macros, I strongly advise you to disable them. If you must keep macros enabled, be extra careful to only enable macros in documents you fully trust and know are safe.

C: For larger companies with more employees, what else do you suggest?
SK: First, control the software installed on employees’ computers. Also, ensure the software comes from trusted sources and that you’re monitoring for security updates and advisories for them. Next, lock down lateral movement within the network. Workstation-to-workstation communication should be blocked to reduce the mass spreading of malware/ransomware in the event a user’s machine is infected. Another thing: Require local unique admin passwords on company endpoints, like laptops, PCs and servers. Use a tool like the Microsoft Local Administrator Password Solution to help automate unique passwords. Finally, ensure administrators have separate accounts and systems from their general use accounts and workstations. System administrative activities should always be performed independently from general-use computers and accounts.

C: What does internal staff need to know as one of the first lines of defense?
DL: Phishing is the easiest and most common way hackers get access to confidential information or implant ransomware or malware. Most of these scams occur through email. Be very careful about emails that have explicit calls to action like “Pay immediately or your account will be locked.” Check the email address of the sender. If you don’t recognize it, it’s probably not legitimate.

C: What are other good rules of thumb for recognizing threats?
DL: Look for unusual activity on your company store and emails from unrecognized senders, especially those with sudden and specific requests to download software. Pay close attention to any alerts your anti-virus and firewalls generate.

C: What are the consequences of not putting protections into place?
DL: Sensitive company and customer information could be compromised, including bank and credit card information, which could result in financial losses that may not be recoverable. If such a compromise occurs, immediately take action, like changing passwords on all access points (computers, files, etc.), and communicating with the parties affected so they can take remedial action, including alerting banks and credit card companies. Always err on the side of caution if you suspect your systems have been compromised.

C: What are some suggestions for damage control if a threat does impact a firm?
SK: Having a well-defined and thoroughly tested incident response plan is essential to ensure the recovery of your company’s operations. The truth, however, is it’s easier said than done and requires good allocation of resources to implement properly. Companies should confirm backups of critical systems are performed and successful recovery of that data is periodically tested. Also, because recovery can be very costly, it’s a good idea to have cyber insurance and understand what’s covered in your policy.