Marketlend Academy: Cybersecurity for small businesses – 5 things to do to protect your company
Small business owners continue to make the mistake of thinking they are too small and insignificant to be of any notice to cyber criminals. That notion simply couldn’t be more wrong. It is precisely this type of thinking that makes the job of the hacker so easy.
The good news is that small business owners are well poised to stand in the breach of security breaches by just doing the simple things that amount to security best practices even at the consumer level. The real problem is not that security is too hard, or too expensive, or too inconvenient.
The problem is that too many people just fail to do even the minimum. When consumers have this lapse, they endanger themselves and their families. When small business owners have this laps, it endangers the entire system.
As the frontline in this struggle against hackers to keep customer information safe, there are things you can do, and in doing so, help secure everyone. The first step is to know how hackers think, what they are after, and how they plan to get it.
1. Secure BYOD Policies
Bring youR own device (BYOD) is one of the better corporate moves in a long time. But there is bathwater with the baby that needs to be drained. BOYD policies only make sense in the context of strong mobile device management (MDM) infrastructure. For small businesses without an extensive IT department, the better strategy is to keep personal devices firewalled from the corporate network altogether.
Leaving malicious intent aside, it is too easy to start working with sensitive information on a personal device. Of course, you will bring that device home to continue working. that is how many breaches occur.
The better policy for small business is to disallow personal devices on the company intranet. And provide a separate Guest network for personal devices and visitors. Let them check their social media on devices and networks that don’t touch company information.
2. Develop and Stick to a Written Password Policy
If you don’t have a written password policy that is enforceable, then you don’t have a password policy at all. Try using a password policy template to get you started. Your policy should include the following:
- Sufficient complexity, no dictionary words, combine upper and lowercase letters and special symbols
- Each password must be unique, never reused for any other account in or outside the company
- Passwords must be changed on a regular basis
- All default passwords must be turned into unique passwords immediately
- Never use unauthorized password managers
- Never write passwords in plain text to be placed in unencrypted files
- Never write passwords on a piece of paper or sticky note
There is nothing particularly corporate about these policies. They are the same policies you and your family should already be using at home. At work, these policies cost very little to implement. It is more a matter of vigilance and accountability. That is something you are already doing as a small business owner.
3. Physical Access
Cybersecurity is not just about what happens out there, in the cloud, and over the net. Every hacker knows that if they can gain physical access to your system, there is no security model that can keep them out.
The VA incident is one of the early breaches sometimes referred to as the one that started it all. It involved 26.5 million records of discharged veterans including SSN, names, and birthdays. This assault against our nation’s veterans was not a matter of hard computer science. It did not take the resources of a foreign nation. It happened because an employee brought a laptop home, left it unsecured, and had it promptly stolen.
There is still no simpler way to perform a cyber attack than to game physical access to a seemingly insignificant system. Unshredded documents left unattended on a desk is enough to bring a company down. Physical security is still the first line of cybersecurity. Policies should include the following:
- Use Kensington, or other brands of physical locks for laptops and workstations.
- Never leave laptops or papers visible in an unattended vehicle.
- Always shred before discarding papers.
- Work laptops and smartphones should be securely locked away in something like a safe when at home and not in use.
4. Limit Vendor Access
After hackers accessed Target’s network on Nov. 15, 2013, Target claimed they were “the victim of an especially sophisticated cyber heist.” But thanks to Krebs, we now know the cause was “much more mundane and wholly preventable.”
A username and password was lifted, not from Target, but from an HVAC vendor that contracted with Target. This is the textbook example of attacking a small business to get to a big one. The contractor was tasked to monitor temperature and energy consumption at the retail stores. But those systems were not walled off from other systems like cash registers.
Never give vendors permanent access to your network. And be sure that when vendors must have access, it is to systems and functionality firewalled from other critical services. If they must work on critical services, have them do so on premises.
When a tech is on premises working on your critical systems, watch them.. It does not have to be done in a disrespectful way. You don’t even have to understand what you are seeing. About any unscrupulous tech will think twice before trying anything while someone is present.
5. Updates and Patches
Finally, let’s not forget the WannaCry/WannaCrypt ransomeware attack that took down the healthcare system in Britain, and other parts of the world. The attack was only possible on old, unpatched Windows computers. If you are still rocking a beige box under your desk, you are asking for an attack. It can’t be patched to modern-day standards.
Your 5 year old PC is a liability. It doesn’t matter if it still works. The world of cybersecurity has changed since your last computer purchase. Be sure to run your business on the most recent hardware you can afford. Next, be sure to keep it updated constantly as security models constantly change. Finally, develop a backup strategy so that simple attacks like ransomeware can never cripple your business.
No one thing can protect you from every possible cyber threat. But securing BYOD, developing a written password policy, monitoring physical access, limiting vendor access to networks, and keeping systems updated and patched will keep you protected from most cyber attacks for years to come.