By Richard Kao
Running a small business can be tedious work, with customers to satisfy, bills to pay, vendors to negotiate with, employees to train, and the list goes on. With other priorities taking up most of a business owner’s time and attention, cybersecurity is often tossed onto the “to do someday” pile.
Yes. We’re in the business to make money and grow – not to lock down networks, computers, and mobile devices. But ignoring even the basics of IT security can be crippling. The rising cases of ransomware attacks, data breach, and identity theft are matched only by the financial damages they leave in their wake.
Fortunately, you don’t need a CISSP certification to protect your business from cyber threats better (though hiring someone who has is probably a good idea). The following steps can lend a solid foundation to your business’ IT infrastructure.
Always Use Strong Passwords
Passwords and authentication processes are your front-line defense against unauthorized access. But if a report by a leading security firm is any indication, businesses don’t pay enough attention to their passwords and put themselves at risk.
According to Trustwave’s 2012 Global Security Report, “Password1” is the most common password among business users. Sure, it has 8 characters, a capital letter, and a number. But you can’t expect it to keep cyber-crooks at bay.
Even free brute-force tools readily available on the internet can crack “Password1” in mere minutes or even seconds! Here’s how you can make your passwords or codes a tougher nut to crack.
Let’s start with the don’ts:
- Password and user are big no-no’s
- Words easily found in the dictionary
- Passphrases that use adjacent key combinations (ex: 123456)
- Your birth date (or that of a family member), SSN, phone number, and any personally identifiable information
If your passwords fall into any of the categories above, you will want to change them into something unique and harder to guess. Keep them 8 to 10 characters long, and use a combination of uppercase and lowercase letters, special characters, and numbers.
If, for whatever reason, you insist on using “Password1,” change it to “P@55w0rdI.” The combination is still easy to remember. But by replacing ordinary letters with characters and numbers, cracking tools with built-in dictionaries will have a harder time figuring it out.
Note: “P@55w0rdI” is still a terrible one and it’s just an example!
You can use the same approach to words you can easily remember. Or even better, you can take a familiar phrase or an inside joke and turn it into a password.
Here’s another example:
You can change the meme “That’s Gangsta” into “7h@t5-6an657@.”
Besides creating tough-to-crack combination, author of the book Perfect Passwords, Mark Burnett, recommends changing passwords every 6 to 12 months. Changing it every few months is overkill, and nobody wants to memorize a new string of letters, numbers, and characters all the time!
And one more important tip:
Enable two-factor authentication if the option exists.
Two-factor authentication (2FA) adds an extra layer of security by requiring more than the username and password.
Depending on the service and the user’s settings, 2FA may also require a piece of info only the user knows or a hardware token like fobs and cards. Other services use SMS technology for authentication by sending a one-time code (which expires in minutes) which the user types in for access.
The good news? Many online services like email, online banking, and digital storage offer 2FA. And you’d do best to take advantage of the extra protection against breaches and theft makes perfect sense.
Always Backup Your Most Important Data
Can your business survive if it loses access to its onsite data? For the South Korean hosting company, Nayana, the answer was no. And when a ransomware scum locked them out of their 150 servers, Nayana had no choice but to pay the $1 million ransom.
For the uninitiated, ransomware is a type of malware that infiltrates a network and encrypts all the files it can find until the victimized business pays up. WannaCry, which claimed 200,000 victims across 150 categories, belong to this category of malicious software.
But the worst is yet to come. A cybersecurity research and intelligence company estimated that global ransomware damage costs would exceed $5 billion before 2017 ends.
If you don’t want to be part of that statistic, backup your business’ data.
First things first:
Regular backups won’t stop a ransomware attack (more on this later).
Having one, however, means you can wipe your machines clean and restore your most recent data. Downtime and losing money might be inevitable, but nowhere near as devastating as in Nayana’s case.
A reliable backup system has 3 components: local files, onsite backup, and offsite backup.
The local files sit on your business computers, laptops, and servers for employees to use and access on a regular basis.
The local backup, like the former, sits in your office and gives you instant access to whatever data you’re working on. With a local backup, you can quickly retrieve files that were deleted or overwritten.
You may store your local backup on external hard disks or even USB thumb drives (if you’re a solopreneur or a micro-business). But keep in mind that external disks and thumb drives may stop working due to wear and tear. Not to mention they’re hard to track. So while these storage devices are affordable, they’re not 100% reliable.
For bigger businesses, a network-attached storage (NAS) is often the better option. The advantages of having a NAS include:
- Pooled storage for the entire team
- Keeps everyone within the network in sync
- RAID for better tolerance against hardware failure
The last component, offsite backups, is your insurance should anything happen to your local data and backups. If a ransomware, natural disaster, or a burglar strikes, you can turn to offsite backups to bring your machines up to speed.
Cloud-based storage is best suited for offsite backup. Today’s cloud providers use multiple data centers for added redundancy while encrypting your data whether it’s in transit or at rest in their offsite storage facilities.
Always Encrypt Your Data
Strong passwords, two-factor authentication, and regular backups make an excellent starting point for bolstering your small business’ cybersecurity.
The bad news, however:
A determined hacker with sophisticated tools can still sniff out a vulnerability in a network and use it as a backdoor. Even with your best preventive efforts, your data can still land in the wrong hands.
For businesses that collect personally identifiable information from customers, vendors, and partners, data theft can bring about a cocktail of serious financial, legal, and reputation problems.
The good news:
Reliable encryption practices can render stolen confidential files useless for the perpetrator. Encryption turns plain data into ciphertext – unintelligible strings of characters, letters, and numbers. A user needs the decryption key to turn the encrypted data into “standard” and readable files.
Among encryption protocols accessible today, AES (Advanced Encryption Standard) is the most popular, embraced by the US government and by multinational companies like Google and Apple.
The protocol is resistant against common attacks, while those that proved effective against it require high computational complexity which run-of-the-mill hackers don’t have.
So which components of your network should you encrypt?
Here’s a short list to get you started:
- Laptops and workstations: Go for full-disk instead of file-level encryption. For Windows users, BitLocker is a free and built-in solution. Apple users, on the other hand, can encrypt their machines in a few clicks with FileVault.
- Smartphones: iPhones boast a quick encryption process via “Touch ID & Passcode” section of the settings, while the latest Android phones have encryption turned on by default. If you’re using an older Android phone, go to “Settings” and “Security” to get started. But make sure your phone’s battery is beyond 80% and that you have a charger nearby.
- External and USB storage devices: Portable devices are double-edged. They’re just as easy to transport as they are easily lost. You can use BitLocker To Go for your external disks and USB drives. Or, you can buy USB drives with built-in encryption like those from SanDisk.
- Internet traffic: Logging into unsecured public networks to access company data sometimes can’t be helped, especially for employees on the go. To keep hackers and eavesdroppers at bay, encrypt your Internet traffic with a virtual private network (VPN) like NordVPN.
Always Update Your Software
With update notifications popping up as soon as a patch is made available, you’d think that most businesses are up to speed with their software. But Verizon’s 2015 Data Breach Report says otherwise.
Almost all (99.9%) of the data breaches they’ve looked into happened because of vulnerabilities and exploits that are more than one-year old. And even more shocking, many were almost 8 years old.
Updates may come at the most inconvenient of times. But ignoring updates for years is just terrible business practice!
If you have more than a dozen employees and use an array of applications to run your business, a handful of guidelines can help you better manage software updates.
First on the list:
Perform an audit. Doing so can help you keep track not only of the software you use for mission-critical processes but your hardware assets, too. You see, the hardware you use can affect your organization’s ability to keep their software up to date.
Take the NHS for example. Critics believed the national healthcare system kept using the unsupported Windows XP because some of its machines won’t work with anything else. NHS even signed a £5.5-million deal with Microsoft to provide security support for XP until 2015.
And not long after the deal ended, the WannaCry outbreak caught NHS in its web.
Don’t end up in the same deep waters. Audit both the software and hardware in your network, making sure nothing gets in the way of updates.
After recording your technology assets, you want to establish a baseline for every computer – including the operating system, applications, and hardware components. For the applications and operating system, their latest versions available serve as the baseline.
One benefit of having a baseline is that you can rebuild a computer to a particular state with relative ease.
After setting baselines and updating your applications to their latest versions, establish the best way to get future updates to make your job easier. Not all software self-updates, and you may need to contact the support team for assistance especially for security patches.
Cybersecurity may not be on top of your list of priorities as a small business owner. However, recent developments in the IT space proves that companies, regardless of their size, must take information security seriously.
Gone are the days when the adage “don’t fix what isn’t broken” applies in IT. Keeping a reactive stance for long enough will turn you into a target for a data breach, identity theft, and a host of other business disasters. Be proactive, follow the guidelines above, and you’ll be better equipped to withstand the next wave of cyber attacks.
Richard Kao is the sales director of COSSales, a UK-based office and tech solutions provider. A fan of digital marketing and workplace security, he loves reading blogs like www.smallbizdaily.com to grow his knowledge and expertise.