Jason S. Miyares
Attorney General of Virginia

Internet Safety Tips - Businesses

  1. Create a cyber security plan. Develop a plan for your business that includes security measures to detect and protect against cyber threats, policies and procedures to guide your business’s response to cyber attacks, and safeguards to allow for a rapid recovery from cyber security events. Tools like the Federal Communications Commission’s Small Biz Cyber Planner or the National Institute of Standards and Technology’s Cyber Security Framework can aid in the development of a holistic cyber security plan tailored to your organization’s existing assets and unique cyber security threats.
  2. Educate employees. Train employees on cyber security issues, safe social media practices, your organization’s cyber security plan, and the procedures for protecting consumer information and other data. Ensure that each employee understands his or her role in the organization’s cyber security plan.
  3. Protect and update systems. Protect your business’s systems from viruses and other malicious code by installing and regularly updating antivirus and antispyware software. Set this software to update and scan automatically at a time of low computer usage. Set operating systems and applications to automatically install software updates and patches as they become available.
  4. Require strong passwords. Create individual user accounts for each employee and require strong passwords (containing a variety of special characters, numbers, capital and lower case letters). Require these passwords to be changed frequently, at least every 3 months.
  5. Control physical access. Keep computers locked when unattended to prevent access to business systems by unauthorized individuals. Prevent theft of devices like laptops and tablets by storing and locking up these devices when not in use. Never leave these devices in unattended vehicles.
  6. Control cyber access. Install a firewall to protect your internet connection. Make sure that cloud-based systems are firewall protected. Limit employee access to only the data and information necessary for them to perform their job functions. Limit administrative privileges and authority to download software to key personnel.
  7. Track and monitor network access. Use logging mechanisms to track access and user activities on your business’s network and systems. Audit these records frequently to detect suspicious behavior and unauthorized access.
  8. Back up important data. Regularly create backups of important data to prevent the loss of information as the result of a cyber security event. Set your systems to automatically back up data, if possible.
  9. Secure Wi-Fi networks. Keep guest Wi-Fi networks separate from the Wi-Fi networks used to conduct business. Require a password for all Wi-Fi networks. Change the settings on Wi-Fi networks to make them hidden from unauthorized users.
  10. Change vendor-supplied passwords. Before installing any new devices or systems on your network, change the default passwords and accounts. Always use strong passwords and use a different password for each new system.
  11. Develop data retention policies. Establish a data retention policy that limits sensitive data storage and retention time to that which is required for business purposes. Keep stored data encrypted and regularly purge data as it becomes unnecessary.
  12. Protect customer credit data. The Payment Card Industry has developed Data Security Standards to govern the protection of consumer credit data. Compliance with these standards is required of all merchants who accept credit card payments.

Sources and Links:

10 Cybersecurity Tips: Small Businesses
National Institute of Standards and Technology: Framework for Improving Critical Infrastructure Cyber Security

Security Intelligence: 5 Star Security Program
PCI Security Standards - Quick Reference Guide