There are millions of small businesses in our country that handle sensitive data like credit card information, personally identifiable information (PII), trade secrets, or competitive proprietary information. For any small business, to lose this sensitive and regulated data, or worse, have business records (e.g., shipping data, inventories, or financials) manipulated, could be a devastating loss and potentially threaten business viability.
Below are 14 tips that will actually help you secure your business. You should be able to implement almost all of them free or with a very small investment. Keep in mind, there are no certainties in cybersecurity, and even the best plans often go astray.
1. Find good vendors and partners. This might be the most important tip. I often see business owners who have embraced the cloud or services delivered via the internet. Examples include QuickBooks online, or Square for accepting payments. QuickBooks and Square are two reputable product and service providers, but if there are others you use that aren't mainstream (yet), be sure to read your partner agreements and contracts to understand how these service providers handle your data. Are they encrypting data? Where is data stored? When is your data purged from their systems? The reason I think this is so important is because if you follow the other tips below, it would be a shame to send the data out your front door to a "trusted" service partner who subsequently loses it. Big companies struggle with this problem too.
2. Patch/upgrade your computers and devices. I think this one is straightforward, but if you're reading this and still using Windows XP, you should spend some time here. System patches for computers and other devices are released for a reason – some for feature enhancements, some for system stability, some for security. Having worked in IT operations for large Fortune 500 companies, I understand some hesitation around quickly adopting patches and upgrades, but you shouldn't wait too long. If it's a major production to upgrade, start putting together your plan now.
3. Drive employee security awareness and define a security policy. I lumped these two together on purpose. The idea here is to change user behavior and have your employees adopt secure behaviors. Everyone says to adopt a security policy, but I rarely hear people explaining what it should be used for. In short, it's for defining how you want your employees to behave related to information security, what behaviors are okay, and how information is governed in your organization. Information security policies might be more permissive in a growth company with hopes that increased connectivity will enable added sales, versus in a more conservative company that might prohibit progressive forms of connectivity and data sharing. In all cases, don't establish policy just to have a policy – it's worse to have a policy that isn't followed.
Once you've figured out your information governance tolerances via policy (e.g., are you going to restrict sharing certain types of data, etc.?), you're ready to start security awareness. Security awareness is different from security training. Security training is teaching a skill related to security. Security awareness is making employees aware of risks related to certain behaviors with hopes that they self-select the right behavior when no one is looking. For example, employees are going to be less concerned with losing a company laptop than with losing their personal laptop, but if you can drive the same emotional attachment to corporate assets as to personal assets, you've achieved security awareness. You can do this by appealing to employees on a personal level and finding awareness activities that your employees can relate to their personal life. For example, say that a 16-year-old posts a copy of their new driver's license on Facebook. The privacy impacts of this are profound. Educating employees on the impacts of taking personal actions of this nature might bridge the gap to the impacts of sharing company data. Security awareness requires a little creativity.
4. Back up data. Take backups often and store them someplace safe. It never hurts to take an extra backup, and you can always delete it when you don't need it anymore. Ask anyone who's been affected by CryptoLocker or some other ransomware; if they had a recent backup of the file that was held ransom, they could have saved themselves a huge headache by being able to restore their file.
5. Manage mobile devices. These days, mobile devices, specifically smart phones, are fairly easy to manage. Smart phones are becoming encrypted by default and can be remotely wiped. However, even with these security enhancements, smart phones aren't immune from cybersecurity accidents. Vulnerabilities still exist in mobile devices, not all traffic is encrypted, and not all apps are good stewards of your information. Establish good practices for your mobile devices (e.g., limit use of public Wi-Fi, etc.), be prepared to lose a mobile device or two, and make sure you can remotely wipe the device. Being prepared for the loss of a device means having the phone configured for wipe before it's lost.
6. Protect Wi-Fi and network jacks if you have them. Make sure you protect your Wi-Fi with a strong password. There are a lot of ways to really lock down your Wi-Fi access points, but strong passwords are a must. If you have a physical storefront with available network jacks or easy access to network cables, you should make an effort to secure physical access to those, too, unless you have software preventing unknown devices from connecting. Wi-Fi routers should also be physically protected.
7. Secure customer-facing PCs. My absolute favorite is publicly facing PCs that aren't secured. All too often I see customer-facing USB ports – someone with intent and motivation could access your computer in seconds with just a USB drive. I've seen a case in which a USB drive is inserted into a PC, creates a network backdoor, and that same person can access your computer remotely from your parking lot. In short, if you have customer-facing PCs, disable USB and serial ports if there's no need for them.
8. Control physical access. This goes without saying. Cybersecurity is only good to a point, because at the end of the day, someone can still physically steal your PC. If you have a storefront, or have customers that come to your location, give physical security some consideration. There's a concept of defensible space, which means traffic moves around the store in a way that discourages someone from hanging out in a corner and doing something nefarious. Banks are typically very good at the concept of defensible space – they usually have vehicle traffic travel around the building in a way that would make it challenging for a robber to go undetected.
9. Use strong usernames and passwords. You hear it all the time: use strong passwords and a strong username to make the combination more challenging. For example, a person named Jonny Appleseed might choose J@ppl3s33d as a user ID and create an equally strong password. People talk about strong passwords, but having an uncommon username makes guessing the username and password combination that much harder.
10. Control your social media accounts. More than likely this is where your customers are, so you need to engage your audience here. There are some good practices you should abide by when conversing in the digital space. One, be wary of what people send to you via social media; open with caution or not at all. Attachments and messages can be used as a delivery mechanism to exploit and compromise your account. Two, be very cautious as to what your employees post on social media. Social media users often give away sensitive information without knowing it. For example, on LinkedIn people are usually pretty quick to engage once they've established a new connection. However, much of this information is public for anyone with a LinkedIn account. So if I see a U.S.-based company with an increased number of employees making connections in emerging markets, it might be a safe assumption that there's international business planning in the works. Lastly, make sure you follow tip #9 above. This is your brand, and if you lose control of your account, it could have irreversible impacts on your brand reputation. Keep in mind, everything you post on social media can be retrieved by anyone. For example, a product named Tinfoleak can retrieve information about any Twitter user, including devices and applications used, places and geographies where tweets are sent from, and all hashtags, mentions, and pictures. Odds are, you need to use social media, so be smart in how you use it.
11. Take inventory of your information; know what you have to protect. This might seem obvious, but I can't tell you how many businesses don't know what data they're trying to protect. If you know what data you have and where it's stored, securing it will be much easier.
12. Use an antivirus tool. Try to find a mainstream antivirus tool to deploy on your systems. Full disclosure, antivirus tools aren't foolproof. Some even disclose that there's a 30-day lag time between when threats are identified by the antivirus provider and when the virus signature is sent to your computer. In other words, most antivirus providers know about vulnerabilities and viruses long before they provide protection to your computer. This shouldn't be your only line of defense.
13. Keep work and personal separate. This might be hard to do, but if you have a work PC, keep it a work-only PC. All too often I see work PCs being used for personal activities, which includes use by kids or other family members. It's hard to maintain good PC hygiene when other people are installing personal programs, enabling services that aren't needed for work, and checking personal email that might have a higher likelihood of malicious files or links.
14. Seek advice from a security professional. Information security is a profession. Cybersecurity is complex, and you can't Google your way through it without the foundational knowledge of computer systems. Similar to a doctor, lawyer, or accountant, you might not have enough cybersecurity work to employ someone full-time, but from time to time you need a professional opinion to make sure you don't inadvertently land yourself in a regrettable situation. Information security should be approached the same way. Having a security professional look at your business or systems might keep you from being in the newspaper for a data breach. Outsourcing your cybersecurity needs is becoming increasingly common, and can help you significantly reduce risk in a cost-effective way.
Maintaining a successful security posture while growing your business is about the power of "know" versus "no." This means you need to enable your workforce and be able to embrace technology to do things faster and be more competitive. You can't always say no to these technologies and still meet customer demand, but you should know how technologies work and what data is being shared. How much should you know? Enough that you could explain to your customers or clients how you're protecting their data, which often means tracing data flows through technology, business processes, and your vendors or suppliers, which means reading partner agreements.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.