14 Cybersecurity Tips to Secure your Small Business Without Breaching your Wallet
by: Justin Fimlaid
There are millions of small businesses in our country, and many of them handle sensitive data: credit card information, Personally Identifiable Information about their customers, trade secrets, or competitive proprietary information. For any small business, losing this sensitive and regulated data, or worse, having business records such as shipping data, inventories, or financials manipulated, could be a devastating loss and could threaten the viability of the business.
Below I’ve included the top 14 tips that will actually help secure your business. You should be able to implement almost all of them for free or with a very small investment. Keep in mind there are no certainties in cybersecurity, and the best plans often go astray.
1. Find good vendors and partners. In my opinion this might be the most important tip, though I could argue a couple of the others into the top spot. I often see business owners who have embraced the cloud or services delivered via the internet; examples might be Quickbooks Online, or SQUARE for accepting payments. Quickbooks and SQUARE are two reputable product and service providers, but if there are other providers you use in your business that are not mainstream (yet), you should read your partner agreements and contracts to understand how those service providers handle the data you send them. Are they encrypting data? Where is the data stored? When is your data purged from their systems? The reason I think this may be one of the more important tips in this list is that if you follow the other tips below to secure your own computers, it would be a shame to send the data out your front door to a “trusted” service partner who subsequently loses it. Big companies struggle with this problem too.
2. Patch/upgrade your computers and devices. I think this one is straightforward: if you’re reading this and still using Windows XP, then you should spend some time here. System patches (for computers and other devices) are released for a reason: some for feature enhancements, some for system stability, some for security. Having worked in IT Operations for large Fortune 500 companies, I understand some hesitation about adopting patches and upgrades too quickly, but you shouldn’t wait too long, and if upgrading is a major production then start putting together your plan now. For most small businesses, turning on automatic updates for the operating system, the web browser, and office applications is the cheapest way to stay current.
3. Drive employee security awareness and define a security policy. I lumped these two together on purpose. The idea here is to change user behavior and have your employees adopt secure habits. Everyone says adopt a security policy, but I rarely hear people explain what it should be used for. In short, it defines how you want your employees to behave with respect to information security, which behaviors are okay, and how information is governed in your organization. An information security policy might be more permissive in a growth company that hopes increased connectivity will enable added sales, while a more conservative company might prohibit progressive forms of connectivity and data sharing. In all cases, don’t establish a policy just to have a policy; it’s worse to have a policy and not follow it.
Once you’ve figured out your information governance tolerances via policy (e.g. are you going to restrict sharing certain types of data?), you are ready to start security awareness. Security awareness is different from security training. Security training teaches a skill related to security; security awareness makes employees aware of the risks of certain behaviors, in the hope that they self-select the right behavior when no one is looking. A great example: employees are going to be less concerned about losing a company laptop than their personal laptop, but if you can drive the same emotional attachment to corporate assets as to personal assets, you’ve achieved security awareness. You can do this by appealing to employees on a personal level and finding awareness activities they can relate to their personal life. An example that comes to mind: say a 16-year-old posts a picture of their new driver’s license on Facebook. The privacy impact of this is profound, and educating employees on the impact of personal actions of this nature might bridge the gap to the impact of sharing company data. Security awareness requires a little creativity.
4. Back up data. Take backups often and store them someplace safe. It never hurts to take an extra backup; you can always delete it when you don’t need it anymore. Ask anyone who was affected by CryptoLocker or other ransomware: if they had a recent backup of the files that were held for ransom, they could have saved themselves a huge headache by restoring those files from it. Two things make a backup actually useful against ransomware. At least one copy has to live somewhere the infected computer cannot write to (a disconnected drive, or a service that keeps older versions), because ransomware encrypts any backup drive or network share it can reach. And you have to test a restore now and then, since a backup you have never restored from is only a hope.
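The three habits above (never overwrite the last good copy, verify that a backup actually restores, keep a few generations) can be scripted. The following is an added example written for this page, not code from the original article or from NuHarbor. It assumes a destination directory you control, ideally on a drive you unplug afterwards; the file naming convention backup-<stamp>.tar.gz plus backup-<stamp>.manifest.json is this example’s own.

```python
"""Versioned backups with an integrity manifest, verify-by-restore and
retention. Added example for this article, not the article's own code.
Assumes a local or removable destination directory; the backup-<stamp>
naming convention is this example's own."""
import hashlib
import json
import shutil
import tarfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_path(archive: Path) -> Path:
    stamp = archive.name[len("backup-"):-len(".tar.gz")]
    return archive.parent / f"backup-{stamp}.manifest.json"


def make_backup(source: Path, dest_dir: Path, stamp: str = "") -> Path:
    """Archive `source` as dest_dir/backup-<stamp>.tar.gz plus a manifest of
    per-file SHA-256 hashes. An existing archive is never overwritten, so a
    run taken after ransomware has struck cannot replace the last good copy."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"backup-{stamp}.tar.gz"
    if archive.exists():
        raise FileExistsError(f"refusing to overwrite {archive}")
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    _manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return archive


def restore_backup(archive: Path, target: Path) -> None:
    """Extract into `target`, refusing absolute paths and '..' members on
    Python versions that support tar extraction filters."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_backup(archive: Path) -> list:
    """Restore to a scratch directory and compare every file with the manifest.
    Returns the relative paths that are missing, altered or unexpected;
    an empty list means the backup is restorable and intact."""
    manifest = json.loads(_manifest_path(archive).read_text())
    scratch = archive.parent / f".verify-{archive.stem}"
    shutil.rmtree(scratch, ignore_errors=True)
    restore_backup(archive, scratch)
    bad = [rel for rel, digest in manifest.items()
           if not (scratch / rel).is_file() or sha256_file(scratch / rel) != digest]
    bad += [p.relative_to(scratch).as_posix() for p in scratch.rglob("*")
            if p.is_file() and p.relative_to(scratch).as_posix() not in manifest]
    shutil.rmtree(scratch)
    return bad


def prune_backups(dest_dir: Path, keep: int) -> list:
    """Delete the oldest archives (and their manifests) beyond the newest
    `keep`. Keep at least two so one bad run cannot leave nothing restorable."""
    if keep < 2:
        raise ValueError("keep at least two backups")
    archives = sorted(dest_dir.glob("backup-*.tar.gz"))  # stamps sort chronologically
    removed = []
    for old in archives[:-keep]:
        _manifest_path(old).unlink(missing_ok=True)
        old.unlink()
        removed.append(old)
    return removed


if __name__ == "__main__":
    import sys
    src, dst = Path(sys.argv[1]), Path(sys.argv[2])
    archive = make_backup(src, dst)
    problems = verify_backup(archive)
    print(archive, "verified" if not problems else f"FAILED: {problems}")
    print("pruned:", [p.name for p in prune_backups(dst, keep=7)])
```

Run it as `python backup.py /path/to/data /media/backupdrive` from a scheduled task, then unplug the drive. The manifest is what turns “I have a backup” into “I have a backup I can prove restores”; if ransomware or disk corruption touches the archive, verify_backup names the affected files instead of letting you find out on restore day.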
5. Manage mobile devices. Nowadays mobile devices, specifically smartphones, are fairly easy to manage. Smartphones are increasingly encrypted by default and can be remotely wiped. However, despite these security enhancements, smartphones aren’t immune from cybersecurity accidents. Vulnerabilities still exist in mobile devices, not all traffic is encrypted, and not all apps are good stewards of your information. Establish some good practices for your mobile devices (e.g. limit use of public Wi-Fi, require a screen lock) and be prepared to lose a mobile device or two: make sure you can remotely wipe the device. Being prepared for the loss of a device means having the phone configured for remote wipe before it is lost, not after.
6. Protect Wi-Fi and network jacks if you have them. Make sure you protect your Wi-Fi with a strong password. There are a lot of ways to really lock down your Wi-Fi access points (use WPA2 or newer rather than the broken WEP, change the router’s default administrator password, and put customers on a separate guest network), but a strong password is a must. If you have a physical storefront with available network jacks or easy access to network cables, you should make an effort to secure physical access to those too, unless you have software preventing unknown devices from connecting (port-based authentication, 802.1X, is the standard way to do this on managed switches). Wi-Fi routers should also be physically protected.
7. Secure customer-facing PCs. My absolute favorite is publicly accessible PCs that aren’t secured. All too often I see customer-facing USB ports, and someone with intent and motivation could access your computer in seconds with just a USB drive. I’ve seen a case where a USB drive was inserted into a PC and created a network backdoor, and that same person could then access the computer remotely from the parking lot. In short, if you have customer-facing PCs, disable USB and serial ports if there is no need for them. Most PCs let you do this in the BIOS/firmware setup, and Windows can be configured through policy to refuse USB storage devices; password-protect the firmware setup and lock the case as well, or the setting can simply be reverted.
8. Control physical access. This goes without saying: computer or cybersecurity is only good to a point, because at the end of the day someone can still physically steal your PC. If you have a storefront, or have customers that come to your location, give physical security some consideration. There is a concept called defensible space, which means traffic moves around the store in a way that discourages someone from hanging out in a corner and doing something nefarious. Banks are usually really good at defensible space; they usually route vehicle traffic around the building in a way that would make it challenging for a robber to go undetected.
9. Use strong usernames and passwords. You hear it all the time: use strong passwords. You can use a strong username too, to make the username and password combination more challenging to guess. For example, a person named Jonny Appleseed might choose to have a User ID of [email protected] and an equally strong password. Everyone talks about strong passwords, which is easy, but having an uncommon username makes guessing the username and password combination that much harder. Treat this as a small extra hurdle rather than a secret, though: usernames show up in email headers, invoices, and mailing lists, so the password still has to be strong on its own.
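To make the “username plus password” idea concrete, here is an added example (written for this page; not the author’s code) that estimates how much guessing work a username/password pair represents and generates passwords from a cryptographic random source. The denylist and the list of name-derived username patterns are constructed for the example and deliberately small; a real check would use a breach-derived password list.

```python
"""Rough guess-space estimate for a username/password pair, plus a CSPRNG
password generator. Added example for this article, not the article's own
code. The denylist and name-derived username patterns are constructed here."""
import math
import secrets
import string

# Constructed, deliberately tiny denylist. Use a breach-derived list in practice.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "abc123"}


def charset_size(s: str) -> int:
    """Size of the smallest standard character set containing every character of s."""
    size = 0
    if any(c.islower() for c in s):
        size += 26
    if any(c.isupper() for c in s):
        size += 26
    if any(c.isdigit() for c in s):
        size += 10
    if any(c in string.punctuation for c in s):
        size += len(string.punctuation)  # 32 symbols
    return size or 1


def password_bits(password: str) -> float:
    """Upper bound on guess entropy: 0 if denylisted, else length * log2(charset)."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def derived_usernames(first: str, last: str) -> set:
    """Username forms an attacker tries first, given the person's public name."""
    if not first or not last:
        return set()
    f, l = first.lower(), last.lower()
    return {f, l, f + l, l + f, f + "." + l, f + "_" + l,
            f[0] + l, f[0] + "." + l, f + l[0]}


def username_bits(user_id: str, first: str, last: str) -> float:
    """Extra work needed to find the username. Anything derivable from the
    person's name (trailing digits ignored, so jappleseed42 counts) is worth 0."""
    local = user_id.split("@", 1)[0].lower()
    if local.rstrip(string.digits) in derived_usernames(first, last):
        return 0.0
    return len(local) * math.log2(charset_size(local))


def assess(user_id: str, first: str, last: str, password: str,
           min_bits: float = 60) -> dict:
    """Judge the pair. Only the password decides `ok`: the username is a bonus,
    never a substitute, because usernames leak through email and invoices."""
    pw = password_bits(password)
    un = username_bits(user_id, first, last)
    return {"password_bits": round(pw, 1), "username_bits": round(un, 1),
            "total_bits": round(pw + un, 1), "ok": pw >= min_bits}


def generate_password(length: int = 16) -> str:
    """Password from the OS cryptographic RNG, re-drawn until all four
    character classes are present so the entropy estimate holds."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if charset_size(candidate) == 94:
            return candidate


if __name__ == "__main__":
    print(assess("jonny.appleseed@example.com", "Jonny", "Appleseed", "Summer2014"))
    print(assess("gk9-willow@example.com", "Jonny", "Appleseed", generate_password()))
```

The length-times-log2(charset) figure is an upper bound: it treats “Summer2014” as random characters when a cracker will try season-plus-year patterns early, which is why the denylist check comes first and why the generator, not a human, should pick the password. The username estimate only ever adds to the total; it never lowers the bar for the password itself.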
10. Control your social media accounts. More than likely this is where your customers are, so you need to engage your audience here. There are some good practices you should abide by when conversing in the digital space. First, be wary of what people send you via social media; open it with caution or not at all. Attachments and some messages can be used as a delivery mechanism to exploit and compromise your account. Next, be very cautious about what your employees post on social media. People who use social media often give away sensitive information without knowing it. LinkedIn is an example: people are usually pretty quick to connect once they’ve established a new business relationship, but much of that information is public to anyone with a LinkedIn account. So if I see a US-based company with an increase in employees making connections in emerging markets, it is a fairly safe assumption that there are international business plans in the works. Lastly, make sure you follow tip #9 here. This is your brand, and if you lose control of your account it could have irreversible impacts on your brand and reputation. Keep in mind that everything you post on social media can be retrieved by anyone; for example, a tool named Tinfoleak can retrieve information about any Twitter user, including devices used, applications used, the places and geographies tweets are sent from, all hashtags, all mentions, and all pictures. Odds are you need to be using social media, so be smart about how you use it.
11. Take inventory of your information; know what you have to protect. In order to protect your information you need to know what you are protecting. This might seem obvious, but I can’t tell you how many businesses don’t know what data they are trying to protect. If you know what data you have and where it is stored, securing it will be much easier. Start with the obvious places (the accounting system, the point of sale, shared folders, email) and look specifically for the regulated data types, such as card numbers and customer PII, because those are the ones that turn a lost laptop into a reportable breach.
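A first pass at that inventory can be automated: walk the shared folders and flag files that appear to contain card numbers, US Social Security numbers, or email addresses. The scanner below is an added example written for this page, not code from the article or from NuHarbor; the regular expressions are its own and will miss data in unusual formats, so treat a hit as “go look” rather than a verdict. The card check uses the Luhn checksum that every real card number satisfies, which removes most order numbers and phone numbers that merely look like cards.

```python
"""Find likely regulated data (card numbers, US SSNs, email addresses) in a
directory tree so you know where it lives. Added example for this article,
not the article's own code. Patterns are this example's own and are not
exhaustive."""
import re
from pathlib import Path

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit (subtract 9
    if that exceeds 9) and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count likely card numbers (Luhn-valid only), SSNs and emails in text."""
    cards = sum(1 for m in CARD_RE.finditer(text)
                if luhn_ok(re.sub(r"[ -]", "", m.group())))
    return {"card_numbers": cards,
            "ssns": len(SSN_RE.findall(text)),
            "emails": len(EMAIL_RE.findall(text))}


def scan_tree(root: Path, max_bytes: int = 5_000_000) -> dict:
    """Map relative path -> counts for every readable file with at least one hit.
    Files over max_bytes are skipped; undecodable bytes are ignored, so binary
    files are scanned for any plain-text runs they contain."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            counts = scan_text(path.read_text(errors="ignore"))
        except OSError:
            continue
        if any(counts.values()):
            findings[path.relative_to(root).as_posix()] = counts
    return findings


if __name__ == "__main__":
    import sys
    for rel, counts in scan_tree(Path(sys.argv[1])).items():
        print(f"{rel}: {counts}")
```

Run it against a shared drive or a mailbox export and the output is a map of where card and customer data actually sit, which is usually a longer list than the owner expected (old spreadsheets, exported reports, email attachments). Files that should not hold card numbers at all are the first candidates for deletion, since data you no longer store is data you no longer have to protect.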
12. Use an anti-virus tool. Try to find a mainstream anti-virus tool to deploy on your systems. Full disclosure: anti-virus tools aren’t foolproof, and some vendors acknowledge a lag of around 30 days between a threat being identified and the signature for it reaching your computer. In other words, anti-virus providers (most of them) know about vulnerabilities and viruses long before they provide protection to your computer, and anything brand new or aimed specifically at you may not be in the signature set at all. This shouldn’t be your only line of defense, which is one more reason patching (tip 2) and backups (tip 4) matter.
13. Keep work at work and personal separate. This might be hard for some, but if you have a work PC, keep it a work-only PC. All too often I see work PCs being used for personal purposes, including use by kids or other family members. When a PC serves a dual work/personal purpose, it’s hard to maintain good hygiene when other people are installing personal programs, enabling services that aren’t needed for work, and checking personal email that has a higher likelihood of carrying malicious files or links.
14. Seek advice from a security professional. Information security is a profession. Cybersecurity is complex, and you can’t “Google” your way through it without foundational knowledge of how computer systems work. As with a doctor, lawyer, or accountant, you might not have enough cybersecurity work to employ someone full-time, but from time to time you need a professional opinion just to make sure you don’t inadvertently land yourself in a regrettable situation. Having a security professional look at your business or systems might keep you out of the newspaper for a data breach. Outsourcing your cybersecurity needs is becoming increasingly common, and can help you significantly reduce risk in a cost-effective way.
Maintaining a successful security posture while growing your business is about the power of “know” versus “no”. You need to enable your workforce and embrace technology to do “things” faster and be more competitive. You can’t always say “no” to these technologies and still meet customer demand, but you should “know” how the technologies work and what data is being shared. How much should you “know”? Enough that you could explain to your customers or clients, if they ask, how you are protecting their data. That often means tracing data flows through technology, business processes, and your vendors or suppliers, which in turn means reading partner agreements. Hopefully you found these 14 tips helpful. If so, please “Like” our new Facebook page here: https://www.facebook.com/NuHarbor-Security
About NuHarbor Security
NuHarbor Security is a leading provider of information security services and solutions that combine people, process, and security technology. NuHarbor offers a full suite of information security services that allow organizations to improve their information security programs and reduce security risks in a way that is predictable and measured, saving organizations time and money. NuHarbor is headquartered in Burlington, Vermont and has offices throughout the United States. For more information about NuHarbor Security, visit NuHarbor’s website at http://www.nuharborsecurity.com.