Cybersecurity threats and actual attacks have become the new normal. You, a small business owner, you have heard about this. Security breaches are more often in the news than ever before. However, what do you do to deal with this new norm? You are busy already. And you want to do what is necessary and not go overboard at the same time. What cybersecurity for small businesses do I need to have in place?
This blog lists 22 actions for you to take on. Hopefully, most of them you can do on your own. And for those you need help with, visit www.ncsc.gov.uk/smallbusiness of the National Cyber Security Center to learn more. Or simply send us an email.
- Whichever electronic device you have, a laptop, a personal computer, a mobile phone, or a tablet, make sure that you must enter a password, a PIN number or use fingerprint recognition to launch it. If your device is not asking you to enter a password for example, then switch it on under the protection settings of your device.
- Why? The data on your device will be encrypted. That means that nobody can read the data that is on your device unless that knows your password.
- Use two-factor authentication for important websites such as banking and email. This assumes that they provide you with this option.
- Why? Logging on to your account becomes a two-step process. After entering your username and password, you will receive a secret and one-time code from the website. After you enter this code, you have identified, or “authenticated”, yourself twice (“two-factor”) before accessing your account, emails or other important data. It is like opening a door with two different keys.
- Avoid using predictable passwords. Here is a list with the worst passwords people used in 2019. Other passwords that anyone can easily find out are your family and pet names.
- Why? Hackers nowadays use programs that create passwords based on what they know about you. These programs come with those passwords that most people use. You don’t want to make it that easy for them.
- If you think someone else is using your password, then contact your IT department or the company you have the (support) agreement with (e.g. email service provider). Don’t have an IT department or support agreement? Depending on the severity of the potential breach, contact the authorities and/or have your computer looked at by a specialist.
- Why? You want to minimize the damage. And, you want to make the necessary changes rather sooner than later to avoid lengthy down time.
- Change the manufacturer’s default password that devices are issued with before you distribute it to your staff.
- Why? Hackers know these default passwords. They even share them among each other. These are often the first passwords that they try.
- Provide secure storage so that staff can write down passwords and keep them safe. Using password management software is highly recommended.
- Why? This avoids your staff writing passwords on paper. It also makes sure that you use passwords that hackers can easily figure out themselves. And, it keeps an eye on using different passwords for the different devices. Never use the same password on two different devices.
Smartphones, Laptops and Tablets
- Switch on PIN, Password Protection, or Fingerprint Recognition for all your mobile devices that can be outside of the protection of your home or office.
- Why? Statistically, these mobile devices get stolen more often.
- Configure in your Settings option, these mobile devices so that when they do get stolen, that they can be tracked, remotely wiped, or remotely locked.
- Why? That way you have a better chance ever location our device. And you can minimize the data getting stolen.
- Keep the software on your mobile devices up to date by using the “automatically update” in your Settings option.
- Why? Software is frequently updated for the sole purpose of keeping it secure. Not every update comes with new features. More often, these updates have better security and therefore making you less vulnerable.
- When sending sensitive data (e.g. bank information, personal information, credit card information) do not use public Wi-Fi hotspots (e.g. stores, airports, restaurants). Instead use 3G, 4G or 5G connections. Or, even better, use a VPN (Virtual Private Network) connection.
- Why? VPN connections offer the best protection when sending sensitive data. VPN connections are like your private network. Consider purchasing a VPN service.
- Replace old devices that are no longer supported by the manufacturer.
- Why? These devices will lack in cybersecurity protection over time. Hackers will have easier access to them or have easier access to other devices through these outdated devices.
Backing Up Your Data
- Daily backup your data such as documents, contacts, emails and calendars. Consider subscribing to an automated cloud backup service.
- Why? Losing more than a day’s worth of work is difficult to overcome. And when hackers want you to pay to get access to the data on your device, i.e. a ransomware attack), you have the option to purchase a new device and load all your data that you’ve backed up.
- Make sure your backup device is not physically connected to your computer all the time. Disconnect the backup device when you are done. Same for the backup device that is on your network. Disconnect it after using it.
- Why? By keeping your backup device disconnected most of the time, you minimize the chances that hackers also compromise the backup device.
Preventing Malware Damage
- Use anti-virus and anti-malware software on all your computers, laptops, tablets and mobile phones.
- Why? Malware is malicious software such as a virus. The anti-virus and anti-malware software are continuously being updated by the software provider to make sure that you are protected against the latest threats from hackers.
- Only install approved software from vendors your IT department has vetted and verified. When you don’t have an IT department, do your own due diligence. For any software that you need (e.g. email, banking, bookkeeping) you will find comparisons that are being done on the Internet. Make sure the individual or organization who is doing the research, is credible. Sponsored comparisons may be biased.
- Why? Not every organization is making security as much of a priority as needed. Leaving software vulnerable to breaches. Even reputable software firms have their cybersecurity challenges.
- Patch all software and firmware by immediately applying the latest updates provided by the manufactures and the software provider. It is these patches that often have the latest cybersecurity improvements. Make sure that your device automatically makes these updates.
- Why? Daily, hackers come up with new ways of attacking your device. Devices lacking the latest updates are most vulnerable to these attacks, leaving you with the (irreversible) consequences.
- Control access to removable media such as SD cards, memory or USB sticks or thumb drives. Consider disabling the ports on your computer one can plug-in these devices. Or, limit the use of these removable media devices. Encourage staff to use email or your cloud storage solution to transfer files.
- Why? Malware can easily be transferred onto your computer through these removable media devices. One only finds out if the removable media device is compromised after it is already attached to your computer and when it is too late.
- Switch on your firewall. Most operating systems these days have a firewall build-in. Also, routers come with firewalls.
- Why? A firewall is like an electronic wall around your device that prevents malware from “entering” your computer. When having firewalls on your network router and on your computer, you have two electronic walls. Two is better than one.
Avoid Phishing Attacks
- A phishing attack is when scammers ask for sensitive information (e.g. bank or credit card information) on websites or through an email. Or when you are encouraged to click on (suspicious) links that take you to bad websites. Send such email to your staff every quarter and test if they pay attention.
- Why? You want to make sure that everyone always stays alert. Scammers have become very proficient.
- Staff members who have administrator privileges never browse the Web or email from accounts with these privileges.
- Why? This will reduce the impact of successful phishing attacks.
- After a successful phishing attack, immediately scan for malware and change passwords. Never punish staff.
- Why? You want to encourage everyone to report such attack. Also, in the future.
- What to look for when suspecting a phishing attempt? Bad grammar or bad spelling. The logos look of low quality. The sender’s email address looks fake. Or is trying to mimic someone you know.
- Why? Hackers can use your email address to make pretend it is you.
Cyber attacks have become the new norm. That doesn’t mean that you must accept this. It also means that you can no longer pretend that you will not be attacked. Even more when considering that your contact information may have been breached by another organization you have left your information with. Assume, for example, that at least your email address has ended up in the hands of hackers at least once a year this past decade. Who knows what other information they have of you…?
Spend the time and money in (automated) solutions such as:
- Password management software subscription
- Automated backup subscription
- Virtual Private Network (VPN) service
- Anti-virus and anti-malware protection subscription
Spend time on going over the cybersecurity or protection settings that your device comes with. Turn on those security features that are important to you. Contact the manufacturer when a setting is not quite clear to you. These firms have become very friendly and patient when dealing with small businesses like yours who are not experts in this area. You represent a large market and you are important to them.
And finally, we are here to help. We conduct cybersecurity certification and awareness courses and workshops. We coach and consult in cybersecurity. And, we even help organizations getting certified to boost their cybersecurity posture. Since the mid-90s!