Small Business Cyber Security
Is Your Staff Prepared?
If you think your small business is not vulnerable to a cyberattack, you are not alone. A staggering 87 percent of small business owners think there is little risk of being hacked, according to a 2017 survey conducted by Manta. Industry experts estimate, however, that more than half of all small businesses are hacked at some point.
In a recent Keeper Security study, 61 percent of small businesses reported experiencing a security breach in 2017, up from 55 percent in 2016.
Hackers are attracted to small businesses because there are fewer data protections and minimal online security. When a cyber-attack does happen, the damage is devastating. According to the Ponemon Institute, the average price for small to medium-sized businesses to recover from a data breach is about $690,000. But some businesses never recover. The U.S. National Cyber Security Alliance reported 60 percent of small businesses close six months after a cyberattack. Losses are not just financial. Data breaches cause substantial harm to brand reputation and customer loyalty.
External threats may not be your only concern. Negligent employees are a leading cause of data security breaches. How your employees respond to a threat is just as critical. Here are nine ways you can prepare your business and staff against cyber threats.
1. Start off on the right foot
Install the latest internet security software/antivirus, email security, operating system and web browser on all your computer systems. This will be your number one defense against malware, viruses and online attacks. Update your antivirus software frequently and scan your computer systems periodically. Install every security software update as soon as it is available.
2. Train your staff in basic security skills
Develop best practices and security policies for your employees to follow 24/7. Start with creation of strong passwords, formation of email security plans and internet access protocols.
Require passwords to include a unique string of upper- and lowercase characters, numbers and special characters (symbols). Passwords should be changed every three months.
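The password rules above can be enforced by a small checker rather than left to memory. The following is an added example, not code from the original article: it applies the stated complexity rules and the three-month rotation rule. The 12-character minimum length is an assumption, since the article does not specify one.

```python
import string
from datetime import date, timedelta

# Rules from the article: mixed case, digits, symbols, rotation every three months.
MIN_LENGTH = 12      # assumed minimum length; the article does not state one
MAX_AGE_DAYS = 90    # "changed every three months"


def check_password_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def is_password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the rotation period."""
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Tr0ub4dor&3xAmple!", "NoDigitsHere!!", "short"):
        issues = check_password_policy(candidate)
        print(candidate, "->", "ok" if not issues else ", ".join(issues))
    print("expired:", is_password_expired(date(2018, 1, 1), date(2018, 4, 2)))
```

Run the checker at account creation and whenever a user changes a password; the expiry function can be run nightly over the list of last-change dates to flag accounts that are overdue.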
Email protocols should include advising employees that messages from an unknown source or any non-work-related emails (spam) should not be opened. If something seems to be “off” in an email from a colleague, such as an odd subject or a different sender address, pick up the phone and ask if they sent the email before opening it. Confidential content, such as passwords or sensitive client information, should never be sent in an email.
Business computers should be restricted from personal use. Employees should not be allowed to install a software application on any computer without permission. Formulate guidelines on internet access at work, with consequences if security policies are violated. Apply URL filtering to restrict what sites employees can access.
3. Limit data access
Create accounts with different levels of permissions for employees, giving specific access to information that fits their job description. For example, an employee may only need access to a shared folder with project details and resources, not the entire company data set.
Business owners should always have control over employee account access. Only give administrative privileges to your trusted IT staff and relevant administrative personnel.
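A permission model like the one described above is easy to get wrong when access is decided by comparing path strings. The following added example (not code from the original article) shows a default-deny, role-based check over shared folders. The roles, users and folder names are constructed for illustration; the point it demonstrates is that the requested path is normalised and compared component-by-component, so `/shared/projects/../finance` or `/shared/projects-old` cannot slip past a rule for `/shared/projects`.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed policy: which roles may access which top-level folders.
# "projects" is the shared project folder the article mentions; the rest are assumed.
ROLE_FOLDERS = {
    "project_staff": {"/shared/projects"},
    "finance": {"/shared/finance", "/shared/projects"},
    "it_admin": {"/shared"},  # administrative privileges: the whole share
}
USER_ROLES = {"alice": "project_staff", "bob": "finance", "carol": "it_admin"}


def _is_within(path: str, folder: str) -> bool:
    """True when path is folder itself or lies underneath it (component-wise)."""
    try:
        PurePosixPath(path).relative_to(folder)
        return True
    except ValueError:
        return False


def can_access(user: str, requested_path: str) -> bool:
    """Default deny: unknown users, relative paths and out-of-scope folders all fail."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    if not requested_path.startswith("/"):
        return False
    # Collapse ".." and "." before comparing, so traversal cannot escape a folder.
    normalised = posixpath.normpath(requested_path)
    return any(_is_within(normalised, folder) for folder in ROLE_FOLDERS[role])


def access_review(users) -> dict:
    """List each user's permitted folders, for a periodic least-privilege review."""
    return {u: sorted(ROLE_FOLDERS.get(USER_ROLES.get(u), ())) for u in users}


if __name__ == "__main__":
    for user, path in [("alice", "/shared/projects/plan.docx"),
                       ("alice", "/shared/projects/../finance/payroll.xlsx"),
                       ("carol", "/shared/finance/payroll.xlsx")]:
        print(user, path, "->", "allow" if can_access(user, path) else "deny")
    print(access_review(USER_ROLES))
```

The `access_review` function is the piece an owner uses to keep control over account access: run it on a schedule and compare the output against job descriptions, removing any folder a role no longer needs.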
4. Set up a mobile device security plan
Mobile devices also need protection, especially if they contain sensitive data or connect to your main computer network. Establish user protected passwords to allow access to the business network. Install mobile device security apps and encryption to prevent hackers from accessing data. In case of a lost or stolen mobile device, prepare an immediate reporting procedure.
5. Set up a firewall system for your computer network
Your private business network should be protected using a set of related programs called a firewall to prevent an outsider from gaining access to your data. Any telecommuting employees should be required to install a firewall on their home computer to protect company information either stored on their system, or when connected to the company network.
6. Restrict physical access to your computer network
Secure each computer with a screen login that can only be accessed by authorized users of the machine.
Lock laptop and desktop computers that are not being used to avoid theft or unauthorized access.
7. Back up your business data
Back up data automatically or on a regular schedule and store copies of your critical information in the cloud or off-site. If employees are in charge of monitoring backups, do periodic checks to make sure they are done correctly. In the case of a data loss, these backups will restore your critical business information.
8. Formulate strict guidelines on credit cards
Confirm with your card processors and banks that data is encrypted and tools used are validated and trusted. Avoid using the same computer to browse the internet and process payments. Use multi-factor authentication, such as a password and security questions, whenever accessing a bank account.
9. Secure your Wi-Fi networks
Wi-Fi networks are some of the most vulnerable access points for a data breach. If you have a Wi-Fi network in your office, ensure it is encrypted and secured by setting up a secure router password. Do not use the default password that came with the router.
To hide a Wi-Fi network more securely, set up an access point (like a relay station) that does not broadcast the network name.
When written policies are in place and clear expectations are communicated, employees can be important allies in cyber security. No system is bulletproof, but following these basic tips will help small businesses prevent cyber threats.