October is Cyber Security Awareness Month: Do Your Part. #BeCyberSmart.

A graphic that says "Do your part. #BeCyberSmart." next to the image of a young woman wearing headphones in front of a laptop. She is smiling and taking notes on a notepad.

The City of Houston’s Office of Emergency Management is recognizing October as Cyber Security Awareness Month. Houstonians are encouraged to follow this year’s theme of “Do Your Part. #BeCyberSmart.” and learn how to secure their information through computers, mobile phones, and other devices.

During the COVID-19 pandemic, technology has helped alleviate the separation of social distancing and maintain normalcy. Technology, however, also comes with its own set of risks, as criminals can more easily steal personal data and use malicious software.

“As we use our digital devices more than ever, Houstonians must be vigilant. Everyone is a potential target for cyber attacks, which are only growing in frequency,” said George Buenik, Director of the Mayor’s Office of Public Safety and Homeland Security. “This Cyber Security Month, we want residents to know how to prepare and deal with these threats.”

Protecting Personal and Business Information

  1. TAKE STOCK

Know what personal information you have in your files and on your computers.

Effective data security starts with assessing what information you have and identifying who has access to it.

Understanding how personal information moves into and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities.

You can determine the best ways to secure the information only after you’ve traced how it flows.

  • Inventory all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment to find out where your company stores sensitive data. Also, inventory the information you have by type and location.

Your file cabinets and computer systems are a start, but remember: your business receives personal information in several ways—through websites, from contractors, from call centers, and the like. What about information saved on laptops, employees’ home computers, flash drives, digital copiers, and mobile devices?

No inventory is complete until you check everywhere sensitive data might be stored.

  • Track personal information through your business by talking with your sales department, information technology staff, human resources office, accounting personnel, and outside service providers.

  2. LOCK IT

What’s the best way to protect the sensitive personally identifying information you need to keep? It depends on the kind of information and how it’s stored.

The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.

Physical Security

  • Store paper documents or files, as well as thumb drives and backups containing personally identifiable information, in a locked room or in a locked file cabinet. Limit access to employees with a legitimate business need. Control who has a key, and the number of keys.
  • Require that files containing personally identifiable information be kept in locked file cabinets except when an employee is working on the file. Remind employees not to leave sensitive papers out on their desks when they are away from their workstations.
  • Require employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
  • Implement appropriate access controls for your building. Tell employees what to do and whom to call if they see an unfamiliar person on the premises.
  • If you maintain offsite storage facilities, limit employee access to those with a legitimate business need. Know when someone accesses the storage site.
  • If you ship sensitive information using outside carriers or contractors, encrypt the information and keep an inventory of the information being shipped. Also use an overnight shipping service that will allow you to track the delivery of your information.
  • If you have devices that collect sensitive information, like PIN pads, secure them so that identity thieves can’t tamper with them. Also, inventory those items to ensure that they have not been switched.

General Network Security

  • Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks. Depending on your circumstances, appropriate assessments may range from having a knowledgeable employee run off-the-shelf security software to having an independent professional conduct a full-scale security audit.
  • Don’t store sensitive consumer data on any computer with an internet connection unless it’s essential for conducting your business.
  • Encrypt sensitive information that you send to third parties over public networks (like the internet) and encrypt sensitive information that is stored on your computer network, laptops, or portable storage devices used by your employees. Consider also encrypting email transmissions within your business.
  • Regularly run up-to-date anti-malware programs on individual computers and on servers on your network.
  • Check expert websites (such as www.us-cert.gov) and your software vendors’ websites regularly for alerts about new vulnerabilities and implement policies for installing vendor-approved patches to correct problems.
  • Restrict employees’ ability to download unauthorized software. Software downloaded to devices that connect to your network (computers, smartphones, and tablets) could be used to distribute malware.
  • Scan computers on your network to identify and profile the operating system and open network services. If you find services that you don’t need, disable them to prevent hacks or other potential security problems. For example, if email service or an internet connection is not necessary on a certain computer, consider closing the ports to those services on that computer to prevent unauthorized access to that machine.
  • When you receive or transmit credit card information or other sensitive financial data, use Transport Layer Security (TLS) encryption or another secure connection that protects the information in transit.

5 Ways to be Cyber Secure with your Work

  1. Treat business information as personal information. Business information typically includes a mix of personal and proprietary data. While you may think of trade secrets and company credit accounts, it also includes employee personally identifiable information (PII) through tax forms and payroll accounts. Do not share PII with unknown parties or over unsecured networks. Be careful of how you dispose of this information as well.
  2. Don’t make passwords easy to guess. As “smart” or data-driven technology evolves, it is important to remember that security measures only work if used correctly by employees. Smart technology runs on data, meaning devices such as smartphones, laptop computers, wireless printers, and other devices are constantly exchanging data to complete tasks. Take proper security precautions and ensure wireless devices are configured correctly in order to prevent data breaches.

Good passwords are:

  • Longer and complex with varied character types.
  • Free of personal information like name, age, or address.
  • Not shared with other people, not even your spouse or favorite coworker!
  • Unique to a specific account.

  3. Be up to date. Keep your software updated to the latest version available. Maintain your security settings by turning on automatic updates so you don’t have to think about it and set your security software to run regular scans.
  4. Social media is part of the fraud toolset. By searching Google and scanning your organization’s social media sites, cybercriminals can gather information about your partners and vendors, as well as human resources and financial departments. Employees should avoid oversharing on social media and should not conduct official business, exchange payment, or share PII on social media platforms. Loose lips sink ships!
  5. It only takes one time. Data breaches do not typically happen when a cybercriminal has hacked into an organization’s entire infrastructure. Many data breaches can be traced back to a single security vulnerability, phishing attempt, or instance of accidental exposure. Be wary of unusual sources, do not click on unknown links, and delete suspicious messages immediately.

For tips and tools to get your family and community cyber prepared, visit cisa.gov/ncsam. Additional preparedness information is also available at houstonoem.org.