Experts in cybersecurity always say that it’s a matter of “when,” not a question of “if.” In today’s world, protecting your online assets – whether it’s your website, your cloud account, or your email – has to be a top priority for your business.
While it’s true that no system is 100% hackproof, the more steps you take to add layers of security to your online assets, the less likely a hacker is going to bother with your complicated setup and move on in search of easier prey.
As a small business owner, it falls on you to be proactive about cyber security, both for your company and for your customers’ information. Keeping their information safe, especially sensitive data like personal or financial details, is your responsibility. If you fail to protect your customer data, you won’t have any customers.
This guide is intended as an overview covering the major topics of cyber security for small businesses. Each layer of security you add to your computers, network, and online presence is one more level of difficulty for hackers to find, probe, penetrate, and exploit.
How Do Hackers Find Me?
You may think your small business is not a target, and you’re right; it isn’t. But that doesn’t matter to the automated programs that scan for vulnerabilities. All they see are IP addresses, and all they know is how to probe for weaknesses and report what they find. Once a weakness has been identified, further research may reveal a known security flaw that can be exploited; this is known as an attack vector. There are databases with hundreds of thousands of known exploits for different online services. Cyber security companies such as Rapid7 and Offensive Security maintain these databases so that security professionals can secure their systems, but hackers use them to find vulnerable systems to exploit.
Why Do Hackers Do It?
This is the hardest question to answer. Some hackers do it simply for the thrill of it. Some are politically motivated and may use stolen information to harass your company or provide your sensitive data to your competitors. Some hackers are hired specifically to steal company information. Many times, hackers use your computers to attack other computers, as part of what’s known as a botnet.
The latest trend in hacking servers is to use the server’s CPU power to mine cryptocurrency. Because mining requires time-consuming mathematical calculations, the more computers hacker-miners can put to work “crunching the numbers,” the faster they can find new coins.
Whether it’s for fun or for illicit gain doesn’t really matter. What matters is that your system is protected from these people. Below are a number of methods and policies you can use to help protect your small business from being attacked, compromised, and damaged.
Password Security and Authentication
Passwords are the easiest way for hackers to get into a system. Using a list of common passwords and dictionary word combinations, a hacker can set a script to try millions of combinations until a matching username and password is found and used to infiltrate the system.
Two-factor authentication is now a popular addition to passwords. With two-factor authentication, the system sends you a separate email or text message containing a code that you must enter in addition to your password. While this may seem laborious, it also alerts you when someone else has your password.
WiFi passwords can also be stolen: an attacker interrupts your computer’s connection so that it reconnects, then captures the authentication exchange that follows and uses it to recover the password. If a hacker gains access to your network, all of the other computers on the network are exposed, along with all of the data, files, and browser histories they contain.
It’s a good idea for your small business to establish a password rotation policy. The more characters in your password, the harder it is to guess. Drawing from uppercase and lowercase letters, digits, and symbols gives an alphabet of about 90 characters, versus only 26 lowercase letters – needless to say, this makes a password far harder to crack.
Try to establish a policy to change your passwords monthly, or immediately if you think you’ve been probed by a hacker.
Trust and Social Engineering
It’s unfortunate that we can’t trust everyone and everything nowadays. But even if a person is trustworthy, their laptop or mobile phone may have been compromised.
Treat every file you receive or device you connect to as potentially damaging, or with the ability to circumvent or disable your security.
Social engineering is the method used by hackers to get employees to let them into the system. They do this by masquerading as technical support, remote employees, service representatives, even family members, and gaining the trust of the person they contact. By preying on the good nature of people, they can gain enough information to penetrate your system and compromise your security.
If you would like to see a frighteningly realistic example of this, watch the first scene of Matchstick Men starring Nicolas Cage, where an old woman is conned out of her money.
Employee Provisioning and Deprovisioning
Signing on a new employee requires granting access to your internal systems: a new email address, a new collaboration account, and so on. Grant access only to the systems they need. Giving them open access to everything means one more vector that attackers can exploit. Restrict everything they don’t need and turn it on as needed.
When an employee’s time at the company is over, immediately revoke their access to all parts of your system. Disable their accounts and, if needed, change any shared passwords (sharing passwords is a bad practice to begin with). This isn’t being mean or paranoid; it’s a security measure to protect your system, just in case their credentials have already been breached without anyone knowing (or, sadly, in case a former employee has a vendetta against your company and misuses the passwords they still know).
Backups
Having your most critical data backed up is one of the best defenses you can have against data loss. There are any number of ways to back up your data, but whichever way you choose, it is your responsibility to ensure that the backups are working properly. Checking once a month is usually enough.
Ransomware has made the news recently. A hacker installs a program on your computer that encrypts your files, then sends you a note telling you to pay the ransom or the files will be deleted. Companies without a good backup system have no choice but to pay the ransom – a costly lesson. Companies with proper backups lose only the changes made since the last backup, often only a few hours’ worth.
It’s a good idea to have several different types of backup. Incremental backups of data mean that you will always have the latest version of your documents and files without having to back them up all at once. System backups mean the entire computer is imaged and stored offsite. Offsite backups are important to prevent hackers from being able to access and potentially delete all of your data in one place.
Backing up your critical or sensitive information to a cloud service is a reasonable solution to begin with, but a cloud account is an online asset like any other and carries the same potential vulnerabilities.
You may think backups are an expensive solution for protecting your company information and customer data, but a simple rule of thumb is to calculate how much business would be lost without it, plus how long it would take in work hours to replace the lost or stolen data. That’s how much you need to spend on your backup system.
Web Server Security
Having a website for your small business is critical for getting people to buy your products and services. If your website is compromised, you may find that major search engines put up a warning page instead of your site, which will certainly scare away customers. Attackers may also modify your website so that it downloads malware onto your visitors’ computers, infecting them and giving you a bad name.
Fortunately, web servers are usually easy to protect. A firewall is simply a list of rules that a server follows to allow or deny connections. If hackers don’t have an easy way into your web server, they won’t be able to cause any damage. Make sure your webmaster or system administrator has a firewall in place that blocks remote probing and attacks and restricts inbound connections to web traffic only.
Another important requirement for website cyber security is protecting your site with an SSL certificate. The certificate enables an encrypted connection between your server and your customer’s web browser, which prevents hackers from capturing the information sent back and forth, including client information, passwords, and financial details.
Email, Phishing, and Antivirus
Email is one of the most common vectors that hackers use to circumvent cyber security. While the email itself is harmless, any link that an unsuspecting person clicks on can unleash a maelstrom of attacks against your system. Antivirus programs are useful, but it is human trust and gullibility that cause the most damage.
Phishing is the hacker’s way of getting people to breach their own security. Hackers create realistic-looking emails, and when someone clicks on a link in the email, it contacts a server controlled by the attacker, which responds with a payload that can compromise the system. Sometimes the link displays a realistic-looking login screen, and when you enter your username and password, they are sent to the malicious server! Once hackers have a username and password, they can use them on the real site to steal data or even money.
People have been clicking on things in their email since the early days of the internet. Many times, these clicks lead to malicious programs, aka viruses, being installed on computers without the owner’s knowledge. Nowadays, antivirus software can root out these programs and eliminate them, or even prevent them from being installed in the first place.
Evaluate several antivirus programs and choose the one that best suits your needs.
Honeypots, Tripwires, and Firewalls
Tired of being exploited by hackers who have nothing better to do than cause you aggravation and misery? You can use a honeypot to lure hackers into attacking what they think is a vulnerable server. Once they’ve taken the bait, you can gather information on them and turn it over to the authorities. Accessing a computer system without permission is illegal and can land the hacker in jail.
A tripwire is a program that notifies an administrator when changes have been made to a particular folder or file. Hackers often leave small files behind that they can access remotely. If a file is created in a directory that shouldn’t have any new files in it, a tripwire program sends an alert.
These types of defenses are usually set up by network security professionals. Check with your system administrator or contact a trustworthy system security specialist.
Security Risk Assessment
One of the most comprehensive things you can do to protect your company is hire a security firm to do a complete security risk assessment. They will go over your current cyber security position and make recommendations or implement changes that deny hackers many of the more common vectors of attack used to penetrate systems. A good security firm will provide custom recommendations for your particular needs and help you implement them to better secure your systems.
Get started on your cyber security plan for your small business right now (seriously, do not wait). You aren’t going to solve everything all at once, but once you get started, you’ll begin to understand why security is so important for your company and your customers.