If you run a business, you might feel like you have a target on your back. Digital information theft is now a bigger threat than physical theft — it’s the most-reported fraud out there [source: FCC]. Hackers, scammers and identity thieves love to prey on businesses, whether they’re big ones that have lots of money and valuable information or small ones that are comparatively weak and defenseless. The average cost to a company that experienced a security breach in 2014 was $3.5 million, which would devastate most small and midsize businesses [source: Ponemon Institute].
Anyone who wants to do your company harm can infiltrate in a number of ways — through your computer network or your website, using phony emails or other scams to obtain account names, passwords and other sensitive information. It used to be enough to protect the data that existed within the physical walls of your business, but that’s no longer sufficient. Many businesses don’t even have physical walls anymore: They might exist entirely on the Internet, with employees working independently all over the globe. On top of protecting your own systems, you also have to protect your customers’ information. And the laptops and smartphones that make our lives easier also present new and challenging security issues.
Being a business owner can be pretty overwhelming in that respect, but there are plenty of steps you can take to protect yourself against ever-present security threats. Some are simple actions you can carry out on your own, and some might require professional help. But don’t hesitate to improve your systems and fix weak spots — it’ll be well worth the time and effort. Here are some tips.
10. Realize That You’re a Target
It isn’t possible to defend yourself completely against online attacks, but complacency is probably the No. 1 reason a business becomes a victim of a cybercrime. Many business owners make the mistake of assuming that their company is too puny for hackers to bother with. Hackers are very familiar with this way of thinking — they know that most small businesses aren’t helmed by information technology experts with an unlimited security budget. They know “small” usually equals weak and easily exploitable.
So get prepared. There should be one person, whether it’s a full-time job or not, in charge of network administration, setting up the security systems and staying current on potential threats. Creating a culture of awareness in the company is also important — all employees need to understand how to protect against a cyberattack and how to avoid inadvertently causing one. If you’re not sure that everything is secure, hiring a security consultant is never a bad investment. No one is immune from security breaches.
9. Stay Updated and Backed Up
If your computer system has been operating with the same settings since day one, you need to change them. Figuring out default account names and passwords is one of the easiest steps a hacker can take to gain access to your system — it’s like handing them a free pass. But that has a simple fix.
Operating systems with yesterday’s software and security safeguards are also an obvious way in. It’s a no-brainer to install the latest browsers, antivirus protection, spam blockers and spyware detection systems, and they can all be set to update automatically. Make sure the operating system’s firewall is enabled. Your WiFi network should be secure, encrypted and hidden. All of this provides major protection without much installation and maintenance effort.
Regularly backing up files is another simple but crucial precautionary measure. You need to make sure your business won’t be totally devastated if someone or something does infiltrate your systems. This is another task that can (and should) be automated. A weekly backup is recommended.
8. Secure Your Site
Your top priority when beefing up your security infrastructure is probably going to be protecting the business itself. You want to ensure that no one can destroy your systems, steal your data or otherwise compromise your business. But you also have to secure your website for the sake of your customers, who submit their personal information through it and trust you to keep it safe.
Hackers exploit flaws in your site’s coding and scripting — any weakness can be a route into your system. Experts say that unless a site has been audited by a security team, chances are it’s rife with weaknesses. Credit-card payment processors are also common targets, so even if your site is shipshape, your customers are still vulnerable from that angle. For that reason, sometimes it’s best for small businesses to use a service like PayPal to process payments and protect customer information.
An attack that directly or indirectly targets your customers would be disastrous not only for the customers but also for your company. The public relations catastrophe alone could be enough to ruin the business, not to mention the financial aspect. It could take years for people to trust you again, if ever.
7. Keep an Eye on Your Employees
We’re not saying you’ve hired any shady characters, but employees are a common source of security breaches — 60 percent of them occur within the company, according to a survey by the International Data Corporation [source: Staff Monitoring]. For that reason, employees should be given access to only as much sensitive information as they need to do their jobs, and no one person should be able to access all data systems. Employees should be required to get permission before they install any kind of software on their work computers. Lock up laptops when they’re not in use.
Even “innocent” employees can cause security breaches, so no matter how small your company is, it’s vital that everyone is trained on all security issues. Using the Internet for personal matters can lead to breaches, so make sure to have a very clear email and Internet use policy. Everyone should know to never open attachments or links in unsolicited emails. Require strong passwords that must be changed at least every few months. Your employees should also be aware that an attack doesn’t have to be web-based — hackers have been known to impersonate employees on the phone in order to get passwords and account information out of IT help desks.
6. Be Smart About Smartphones
A desktop computer and a landline used to be all we needed for a solid day of work — simple, effective and fairly straightforward in terms of security. But now it’s a completely different story. Sure, many people do sit at a desk all day, but most of us carry around laptops, tablets, USB drives and smartphones, all of which we might use for both professional and personal reasons. This, clearly, is a security nightmare.
And then there’s the not-insignificant concern of lost smartphones. A lost business phone in the wrong hands could be a complete disaster. At the very least, all phones used to conduct business should have password protection, whole-disk encryption software and a remote lock-and-data-wipe app. That way, you can erase all the information on a lost phone and prevent anyone else from using it.
5. Do “Remote” Right
The rise of flexible work-from-home policies has been a major trend in recent years, which is generally great for employee morale but not so great in terms of security. It’s tricky but obviously crucial to keep up security measures when employees are doing their jobs remotely. The guidelines about smartphones apply here, but you also need to ensure that strong safeguards are in place on all company computers and devices, no matter where the employee is working.
To that end, make sure that anyone who uses the company network from home has a strong firewall system. You should also utilize virtual private network (VPN) software to protect data, encrypt Internet traffic and ensure security on all remote computers. It’ll also update software and check for viruses. You can require extra passwords for remote access. Warn employees to avoid connecting to public wireless networks and to never submit sensitive information or perform business transactions on public WiFi.
4. Consider the Cloud
All of these security warnings and instructions might cause a panic in a cash-strapped, struggling small-business owner. Good security is just as important to a 10-person business as it is to a huge corporation, but it’s a lot to take on. That’s where cloud-based services come in — they’re a godsend to anyone who doesn’t have the funds, time or staff to install and monitor security systems. To get this level of security, you used to have to invest in email and file servers and hire at least one IT staffer or consultant.
Subscribing to a cloud service lets you hand over data-security duties to a company that specializes in handling these things. It’s also an easy way for employees to retrieve data remotely, although you should definitely control and limit access to the cloud account. Cloud services can monitor employee Internet use.
But also be aware that you can’t just sit back and relax when you have a cloud service — they won’t make you invincible. You have to cede a lot of control to a third party and trust them to be reliable, which can be an uneasy proposition. Most experts recommend backing up your data to both a hard drive and the cloud.
3. Manage Your Risk
You can decrease your vulnerability to cybercrime — or at least minimize the damage of an attack — with a few pretty low-tech precautions. They require some time and effort, but you should be able to do it without outside help. First, you need to be aware of all the information that your business contains, from the minor stuff to the valuable records whose loss would be devastating. Record where it’s stored, exactly who has access to it, if it’s connected to the Internet (which makes it more vulnerable) and what its value is to you.
Now you should be able to discern what information is in a secure place and what needs to be backed up, encrypted or moved to a safer spot. You might realize, for example, that you want a dedicated, stand-alone computer for your payroll program and banking activities. When you’re done, you’ll have a better handle on the next steps to fully secure your systems.
2. Dispose of Data Safely
When outdated computers are phased out or an employee leaves the company, you can’t just throw the equipment into the trash and call it a day. You have to make a concerted effort to completely destroy all the data on that hard drive, whether the computer will eventually be junked or repurposed for another employee. Otherwise, you’ll always wonder if that information could come back to haunt you someday.
Manually dragging files to the desktop recycling bin won’t cut it, and bashing the thing with a hammer, à la “Office Space,” probably isn’t the most professional option. Experts recommend a one-two punch: “wiping” or “degaussing” combined with physical destruction via a hard-drive shredder or crusher. Wiping software replaces all the information on the drive with gobbledygook characters. The degaussing process demagnetizes the hard drive, rendering it completely useless. Not as much fun as smashing it to smithereens but much more effective.
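As an added illustration (not code from the original article), the Python snippet below shows what a file-level wiper actually does and why dragging a file to the recycling bin is not enough: a constructed payroll record is overwritten in place with random bytes, flushed to disk, and only then unlinked. Overwriting a single file does not reach SSD spare blocks, filesystem journals, snapshots or backups, which is why the article pairs wiping with degaussing or physical destruction for whole drives.

```python
import os
import secrets
import tempfile

# Constructed sample: a small payroll export that must not survive disposal.
SAMPLE_RECORD = b"employee=J.Doe;acct=4111-2222-3333-4444;salary=52000\n" * 50
MARKER = b"4111-2222-3333-4444"


def overwrite_file(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Replace every byte of the file with random data, `passes` times.

    Returns the total number of bytes written. The file is left in place so
    the caller can inspect the result before deleting it. This only covers
    the blocks the filesystem currently maps to this file; journals, SSD
    wear-levelling and snapshots may still hold old copies.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to disk before the next one
    return written


def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink. A plain delete only drops the directory entry."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo() -> dict:
    """Write the constructed record, overwrite it, and check the marker is gone."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_RECORD)
    size = os.path.getsize(path)
    written = overwrite_file(path, passes=2)
    with open(path, "rb") as f:
        leftover = f.read()  # what a recovery tool would see in these blocks
    os.remove(path)
    return {"size": size, "written": written,
            "marker_gone": MARKER not in leftover, "same_size": len(leftover) == size}
```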
1. Respond and Report
In the event that your company does experience a cyberattack, waste no time responding. Quarantine the equipment that might have been infected, and clean it out. Notify business partners and contacts who might have been indirectly affected by the attack. Figure out if any of your customers’ payment information has been compromised. If you don’t have IT staff, you should definitely hire a professional to analyze the problem and resecure your system.
You also need to report the incident immediately to local authorities, the Internet Crime Complaint Center and possibly the FBI. You might want to just forge ahead and put the whole ordeal behind you, but reporting the crime will protect you and other businesses from further attacks. It’ll help law enforcement gain clues about the perpetrators and how they operate. They might not be brought to justice immediately — or ever — but it’s an important step.