Keep your small business cyber safe
Starting a business is never easy, and arguably it is harder now than it has ever been.
As if getting a business going in today's competitive and increasingly saturated market weren't difficult and costly enough, the rapid rise of cyber crime now has to be added to the list. Here is some advice for keeping your small business cyber safe.
The Federation of Small Businesses (FSB) reports that 45% of its members were victims of online crime such as malware infections, hacking attacks or full-blown data breaches in 2016/17, at an average cost of £1,400 per business. For the small and medium enterprise (SME) owner in particular, the impact of such an attack goes beyond the immediate financial loss and disruption to the working day: there is the loss of reputation and customer trust to factor in, too. Despite this, it is SMEs that have the most difficulty finding affordable, practical security measures, which can lead to substandard protection or, worse still, no security at all.
As attackers get more sophisticated, and more businesses have the potential to be targeted, how do you keep your company's data safe?
Here are 11 ways to help protect your small business:
* Know your data
Not all data is equal. The starting point for any business is understanding which data is business-critical or sensitive, how it is used and where it is stored. The most basic audit can be done simply by considering what would happen if a breach occurred and data such as financial records, employee details or customer records were compromised. Work through several "what if" scenarios, since the effect depends on the nature of the incident; the result is a blueprint of your business-impact levels. High-risk data must be secured appropriately, and you can devote more of your resources to making sure it is. Your job doesn't stop there, though: data you have classified as lower risk still needs protecting. The point is to prioritise your security effort according to what each class of data is worth to you and to an attacker.
* Write up your policy
Small businesses and start-ups are targets, and size is irrelevant when it comes to online crime and fraud; if anything, smaller businesses are easier targets because they have limited or no in-house IT support. An integral part of any small-business IT security strategy is therefore a formal, reasonably detailed document that is kept up to date rather than stuffed in a drawer and forgotten. It may sound tedious, but you must plan not only how to protect your data and resources but also what to do when things go wrong. Teach employees your security requirements, and keep re-teaching them. Your policy should include, but not be limited to, the following:
* Determining which applications can be loaded on a company computer and which are prohibited.
* Requiring strong, unique passwords for every application and account.
* Enforcing consequences. What happens if the policy is not followed? Be prepared to back up your words.
* Rules on the proper usage of a company-issued computer, on a "use it, don't abuse it" basis. This includes use of the Internet.
* Educating staff about e-mail use. Include internal and external communications as well as what should and should not be opened or forwarded.
* Implementing an "encrypt and be clear" policy. Decide if an e-mail encryption solution to protect your sensitive information is required and when.
* Appointing a "go-to" person. Who is the person who employees can turn to if they have questions about the policy or computer security in general?
Everyone in your business must understand company security policy and know why it's important. Did you know that up to 80% of all data loss is caused by human error? Employees may send out confidential or sensitive information to the wrong people or in an unsecured way.
Education doesn't need to be expensive: it can be integrated easily into the staff induction process, and you should consider six-monthly refreshers to bring existing employees up to speed with any changes, including threats of which they should be aware. Only an hour is needed every now and then to sit with an employee to explain how security applies to their particular role and to answer any questions.
Remember: Education and communication are tools against cyber crime that are just as important as the computer technology you use to defend your data. However, in order to be effective, it has to be implemented from the bottom up and the top down; that is, everyone from the CEO to the summer temp needs to be on board if a security policy is to work.
That doesn't mean the same training should be given to all; the best training is tailored to the specific role of the employee and the threats they may encounter.
* Use strong passwords
Passwords are at the core of every security policy, yet ensuring they're strong, unique and enforced isn't easy. Length matters more than clever character substitutions: every character you add multiplies the work an attacker has to do.
* Start out strong. Require passwords of at least eight characters (twelve or more is better) and reject anything that appears on lists of commonly used or previously breached passwords, so that simple guessing attacks fail. Where a service offers two-factor authentication, turn it on; a stolen password on its own is then not enough to get in.
* Change them when it matters. Expire a password whenever you suspect it has been exposed (a phishing e-mail, a breach at a service you use, a departing employee) rather than on a fixed calendar. Forced frequent changes tend to push people towards weaker, predictable variations of the same password.
* Keep them safe. Educate employees about why writing down passwords, storing passwords on cellphones or using guessable choices puts company security at risk. LastPass and other such services have enterprise versions available at a low cost per user. These offer all the basic secure password-generation options you'd expect, with a variety of business-orientated extras: for example, you can set company-wide minimum password standards to meet your policy requirements, or apply customised policies to restrict access to specific devices, groups or locations.
* Then there's Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) integration. This can import existing AD profiles, automate reporting tools to highlight weaknesses in the password security chain, and offer real-time syncing across devices to help with the rise of the "bring your own device" (BYOD) culture. It can be protected by a master password, which can be reset or revoked by the administrator.
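The following Python checker is an added example, not code from the original article or from any vendor it mentions. It applies the rules above to a candidate password and returns the reasons it fails: too short, on a breached-password list (even after stripping the year-and-exclamation-mark decorations people add to a banned word), containing the user name, or made of a repeated or sequential run. The short breached list and the 12-character minimum are assumptions standing in for a full breached-password feed and your own policy.

```python
"""Password policy check (added example, standard library only)."""
import re

# Assumption: a tiny stand-in for a real breached-password feed.
BREACHED = {"password", "password1", "123456", "qwerty123", "welcome1", "letmein"}
MIN_LENGTH = 12  # assumption: your policy minimum


def strip_decorations(pw):
    """'Summer2019!' -> 'summer': attackers try these prefixes and suffixes first."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def has_run(pw, n=4):
    """True if n consecutive characters are identical or step by one ('aaaa', '1234', 'dcba')."""
    for i in range(len(pw) - n + 1):
        codes = [ord(c) for c in pw[i:i + n]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate, username="", min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Check both the raw password and its undecorated core against the breached list.
    if candidate.lower() in BREACHED or strip_decorations(candidate) in BREACHED:
        problems.append("appears in a breached-password list")
    if len(username) >= 3 and username.lower() in candidate.lower():
        problems.append("contains the user name")
    if has_run(candidate):
        problems.append("contains a repeated or sequential run")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Password2019!", "alice1234", "correct horse battery staple"):
        result = check_password(pw, username="alice")
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Note that "Password2019!" passes the eight-characters-plus-numbers rule quoted above yet is rejected here, because its core is a banned word; that is the kind of check the policy needs.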
* Protect your employees from phishing
Cyber criminals want your data, and "phishing" is one way they pick the locks on your virtual doors. This popular intrusion method is behind many of the large and small attacks you have read about in the news. Phishing is an attempt to trick someone into handing over access to a service, often by directing the victim to a fake login page through a link in an e-mail. E-mail can come from anyone, anywhere, so it is easy for a criminal on the other side of the world to turn up at your virtual doorstep and try to fool you into letting them in. Help your employees recognise the signs. Here are some common qualities of a "phishy" e-mail, text or social media post:
* It contains an unfamiliar link.
* It comes from a misspelt domain.
* The format of the e-mail is slightly off or unusual.
* The e-mail asks for your password in a login screen that isn't exactly the same as the one you're used to.
* The e-mail or message is from someone you know, but contains a strange request.
Tell employees not to click links or open attachments in strange e-mails or messages, and to forward suspicious content to you or your IT manager. If a suspicious request appears to come from someone the employee knows, have them check with that person through a separate channel they already trust (a phone call, or a fresh message to the address they normally use) rather than replying to the suspicious message itself. Bottom line: if you see something odd or unusual, report it.
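As an added example (not part of the original article), the following Python script checks an e-mail for the signs listed above: a sender domain that imitates a trusted one through look-alike characters, a link whose host is unfamiliar, link text that shows one address while the link points somewhere else, and wording that asks the reader to log in or verify credentials. The trusted domains and both sample messages are constructed for the example and stand in for your own domain list and real mail.

```python
"""Flag common phishing signs in an e-mail (added example, standard library only)."""
import difflib
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com", "example.com"}  # assumption: your own list
# Digits that attackers substitute for letters in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
CREDENTIAL_BAIT = ("password", "sign in", "log in", "verify your")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude last-two-labels approximation of the registered domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_trusted(host):
    return registrable(host) in TRUSTED_DOMAINS


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = domain.translate(HOMOGLYPHS).replace("rn", "m")
    best = max(TRUSTED_DOMAINS, key=lambda t: difflib.SequenceMatcher(None, norm, t).ratio())
    if norm == best or difflib.SequenceMatcher(None, norm, best).ratio() >= 0.85:
        return best
    return None


def phishing_signals(raw_message):
    """Return human-readable warnings for the message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message)
    signals = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        signals.append(f"sender domain {sender_domain!r} looks like {imitated!r}")
    elif sender_domain and not is_trusted(sender_domain):
        signals.append(f"sender domain {sender_domain!r} is unfamiliar")

    # Decode every leaf part (handles base64/quoted-printable) and scan the text.
    body = "".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if not p.is_multipart()
    )
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not is_trusted(host):
            signals.append(f"link to unfamiliar host {host!r}")
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown != host:
            signals.append(f"link text shows {shown!r} but points to {host!r}")
    if any(word in body.lower() for word in CREDENTIAL_BAIT):
        signals.append("asks you to log in or verify credentials")
    return signals


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: "Accounts Team" <accounts@examp1e-bank.com>
To: owner@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<html><body><p>Your account is locked. Sign in at
<a href="http://login.examp1e-bank.com.evil.test/verify">https://www.example-bank.com/</a>
within 24 hours to verify your details.</p></body></html>
"""
SAMPLE_OK = """From: "Accounts Team" <accounts@example-bank.com>
To: owner@example.com
Subject: Your statement is ready
Content-Type: text/html

<html><body><p>Your monthly statement is ready:
<a href="https://www.example-bank.com/statements">View statement</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, phishing_signals(raw) or ["no signals"])
```

The registered-domain check is deliberately crude (it takes the last two labels, which misfires on suffixes such as co.uk); a production filter would use the public suffix list. The point is the combination: a lookalike sender plus a link whose real host differs from what the text shows is a very strong signal even when each one alone could be innocent.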
* Personal devices used for work (BYOD)
The level of adoption for employees bringing their own devices to work in the small and medium business market is soaring. But, what about the security risks: is it cyber safe? The fact is that mobile data needs to be secured with the same rigour as that on your own network. The mixture of personal and business data on mobile devices, together with a lack of corporate security controls outside of the workplace (when connected to the home network, for example) is a recipe for disaster. Here are some measures you can apply to handle these BYOD concerns:
* Develop a BYOD plan for your company. A written plan limits both your legal exposure and your mobile support costs. Draft a comprehensive, clear and adaptable BYOD policy that covers deletion of company data from personal devices, location tracking and Internet monitoring.
* Take advantage of mobility management tools and technologies; things like "locked down" devices, work data encryption and remote-wipe facilities. Although mobile device-management solutions are beyond the budget of most SMEs, a combination of educating users about the risks, on-device security software and properly implemented network controls can offer reasonable all-round protection at a relatively low cost.
* Measure the benefits and effects of BYOD programmes. Most small businesses adopt BYOD for the productivity and flexibility it brings, but few take the time to gauge whether the trend is worth the costs it incurs. Monitor your use of BYOD to justify its deployment and to catch device security problems early.
* Guard access to your data kingdom when employees leave
Turnover happens. Chances are, you already have some routines in place to deal with it. When someone leaves, you stop paying them. They turn in a copy of their keys or badge. But are you considering their access to data in your services? Add a data access component to the checkout process by tracking which services your employees rely on to do business.
Take action to disable access the moment someone stops working for you. Use features like "remote wipe" to remove any company data stored on a former employee's devices. Financial records, contracts and tax numbers are just a few of the bits of information that can be accessed by your employees. Which services contain the most critical, confidential material? Be proactive and make a short list of the services on which your company relies, and whether they make it easy for you to handle turnover. If they don't (for instance, by not offering remote wipe), consider upgrading to a more business-friendly service. Together, these processes ensure that when your employees become exes, you get all the office keys back.
* Use the cloud
Despite gathering momentum and appeal, many SMEs still don't use the cloud for data safety and security. However, the cloud can be a genuinely secure choice for most small businesses. In particular, it makes sense if your company doesn't have the time or knowledge to be on top of all the security issues, and the updates and implementations it needs, because a good cloud service provider (CSP) does have time.
Don't be scared of the cloud for data storage or application-serving usage, since a reputable CSP will be more proactive than you at maintaining software patches and implementing security; because in order to survive, CSPs have to take security seriously. What's more, they can do so at less cost to your bottom line than you can. The anytime/anywhere nature of cloud access even provides a good disaster-recovery route for smaller businesses.
Of course, the cloud isn't 100% secure, and you need to think about where your data is located and who has access to it. Here, though, encryption is your friend, as are single sign-on tools for cloud usage, which enterprise password managers can often provide.
* Tackle social media before it trips you up
Social media is here to stay, so empower your employees with best practices and guidelines to keep your business cyber safe. The following are ways to minimise risks in social networks:
* Look who's talking. Decide who can speak on behalf of the company. Provide guidelines and a forum to develop them. Social media posting for the company should have guidelines about what information is okay and who can post. Guidelines need to go beyond security.
* Define what's confidential. In your security policy, cover social media sites like Facebook, Twitter, LinkedIn and more in your non-disclosure agreement for confidential business information.
* Protect customer information and egos. Remind customers not to share personal information in a post and where to go for help with questions involving confidential information.
* Be social, but be smart. Publish only information you are perfectly comfortable seeing disseminated widely; once it is posted, you no longer control where it goes.
* Encourage employees to limit the amount of personal information they share online for their safety and your company's safety.
* Add only people you trust to your contact list.
* Avoid clicking on unexpected links coming from people you do not know.
* Time to get physical
Good data security isn't all about bits and bytes; it's also about the bits and bobs, from the front-desk PC to the phone in your pocket. You need to secure your hardware and secure access to your premises. Every SME's security policy should embrace the physical, or it could be counting the cost when someone walks in and steals a laptop, and in so doing, potentially steals access to the network and data, too.
Simple things can reduce the risk of data loss, such as keeping doors and windows locked whenever the office is closed, fitting alarms, using Kensington locks on desktops and laptops, and requiring users to have lock-screens activated whenever they're away from their desks, along with being careful about who you let onto your premises. Shred documents to prevent paper trails that could be useful to cyber criminals, and keep your paper files in locked cabinets. Finally, seeking advice from a local crime-prevention officer is a good idea.
* Choose a security partner, not just a vendor
Select a vendor who understands the particular needs of security in a small-business environment. Consider whether security is the vendor's core business or just one line among many. Check their record: a vendor with a proven track record of years of defence against a range of threats, and with experience of both small business and enterprise customers, is best placed to support your protection.
* Decide to protect right now and stay cyber safe
The security of your business data doesn't have to be daunting. New breaches will emerge, but if your doors are locked, your data protected and your employees educated, you'll greatly reduce the risk of becoming the victim of an attack. Taking simple steps to protect yourself and your data is one of the wisest long-term decisions you'll make.
CybACADEMY courses powered by GoldPhish educate employees about cyber risk and help build a more secure organisation through awareness training.
Our free campaign is aimed at helping smaller businesses get one step ahead of the cyber criminals with free awareness training.
If you want more information on products and services provided by GoldPhish, e-mail email@example.com.