Times have changed. Today, information is a currency unto itself. And using stolen access to small office networks can often be just as valuable as the data that might be stored there.
Unlike larger corporate networks, many small businesses don’t have the budget to afford a full-time IT person to keep the network secure, so many IT security concerns get overlooked. Mix all the above together and it becomes easy to see why small offices with 20 employees or fewer are among the top soft targets for hackers and cyber-criminals.
Here’s some advice on how businesses can deal with the top 10 cybersecurity concerns:
Beware of Insider Threats
Close to 50 percent of all corporate cyber crimes are facilitated by insiders.
- Teach employees to click cautiously when opening unfamiliar emails. Small businesses are a huge target for email phishing scams. Fake emails from Amazon, photocopiers, fax machines and administrators bombard office networks all the time. One click can unleash a beast that bypasses security and causes all kinds of damage. In early 2015, Russian hackers used this tactic to compromise the official White House email servers – proof that anyone can fall for this trick.
- Keep an eye on employees who seem bitter or dissatisfied. When people feel underpaid, slighted out of a raise, or otherwise desperate for money their loyalties can change. They may be prone to do something detrimental to the company or assist an outside adversary. Revenge comes in many forms — and most insider-driven cybercrimes start this way.
- All non-business online activities should go through the guest network. This applies to visitors and staff.
- Ban the use of unauthorized USB devices on the network. This is often easier said than done. Typically this requires an IT person to set up controls to manage (or block) their usage. USB storage devices (flash drives, external drives, SD cards) can easily get infected on outside computers and then introduce viruses onto your network, allowing hackers to bypass many security safeguards.
- If you can’t stop ‘em, use ’em. Without a firewall that blocks content, keeping employees from sneaking onto Social Media websites during office hours is like trying to prevent hay fever in spring. Find ways to reward them for using that Facebook and Twitter time to help promote your business. Be sure the staff knows what should and shouldn’t be discussed on social media websites.
- Make employees aware of social engineering techniques. Hackers know that the right phone call to an unsuspecting employee can bypass more security than months of skillful hacking. Employees should be trained to recognize these con games. Think of this like teaching street smarts and “Stranger Danger” for the office.
- Make sure your customers know that your company will never request personal information by email. Although this isn’t an inside job, cybercriminals have been known to spoof emails from a company to contact its customers and ask for account information, social security numbers, passwords, etc.
- Avoid browsing websites and processing online orders on the same computer. This includes clicking on unfamiliar links in orders received by email. All it takes is one click on a bad link and the computer is infected and compromised in an instant. That’s why a click inside the wrong email can open a customer database up to hackers.
Physical security is just as important as network security
Even the best computer security becomes useless if a bad actor gets physical access to the machine. Most small offices are reasonably secure with decent locks and an alarm system. The problem is that the keys and codes never change, regardless of employee turnover.
- If possible, use an alarm code that is at least 6 digits long.
- Change your alarm security codes every 12 to 24 months. Most small offices never change their alarm codes until they get ripped off – without any sign of forced entry.
- Re-key your office locks every three to five years, sooner if you have high employee turnover.
- Any mission-critical computers with sensitive data (e.g. customer information, inventory, production files, financials, websites) should be kept in a closet or office space with a lockable door. This includes network equipment such as cable/DSL modems, routers and firewalls. All it takes is five minutes and an ounce of moxie to remove a piece of equipment that can shut an office down indefinitely – sometimes permanently.
Enforce stronger passwords
Without a well-defined IT policy, most small offices allow staff to choose passwords that are easy to remember – and hackers can crack them in minutes. Staff should choose passwords that fit the following criteria:
- At least 12 characters long,
- Uses upper and lowercase with one or more numbers and special characters,
- Does not use proper names or words from the dictionary,
- Unique (as in not used for anything else), and
- Stored only in a password manager app (e.g. KeePass, 1Password, LastPass).
Never write down passwords on Post-It notes; for hackers this is like putting your house key under a fake rock on your front porch. A good rule of thumb to follow: any password that is written down or in print should be considered as good as hacked.
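The checklist above is easy to state and easy to get wrong in practice, so here is an added example (not from the original article) of a small policy checker that turns the five criteria into code. It returns every rule a candidate password breaks instead of a bare yes/no, which is what a helpdesk or onboarding script actually needs. The word and name lists are a tiny constructed sample; a real deployment would load a full dictionary and a breached-password list, and the "unique" rule can only be enforced against whatever set of previously used passwords the caller supplies.

```python
import string

# Constructed sample lists; stand-ins for a real dictionary and name list.
COMMON_WORDS = {"password", "welcome", "summer", "office", "company", "admin", "letmein"}
PROPER_NAMES = {"john", "mary", "smith", "london", "amazon"}

# Typical character substitutions people use to dodge dictionary checks
# (so that "P@ssw0rd" is still recognised as "password").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def check_password(password: str, min_length: int = 12,
                   reused: frozenset = frozenset()) -> list:
    """Return the list of policy rules the password violates (empty means it passes).

    `reused` is the set of passwords already in use elsewhere; the caller supplies it
    because uniqueness cannot be judged from the candidate string alone.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    # Dictionary and proper-name check on the normalised, lower-cased form, so that
    # mixing character classes around a common word does not satisfy the policy.
    normalised = password.lower().translate(LEET)
    for word in sorted(COMMON_WORDS):
        if word in normalised:
            problems.append(f"contains common word '{word}'")
    for name in sorted(PROPER_NAMES):
        if name in normalised:
            problems.append(f"contains proper name '{name}'")

    if password in reused:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Summer2015!!", "Tq7#mVx9!kLp2w"):
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The leet-speak normalisation is deliberately generous: it may flag a genuinely random string that happens to contain a short name, and that is the right failure direction for a policy check. Feed the function a real wordlist and your password manager's existing entries for `reused` to make it useful beyond the demo.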
Set up a guest Wi-Fi network
Most wireless routers have an optional guest wireless network feature. This should always be enabled for the following reasons:
- The guest Wi-Fi provides visitors access to the Internet without giving them access to other computers on your main network.
- Any infected laptops or devices on the guest network cannot infect computers on your main network.
- Under optimal conditions, anyone with your wireless password can sit up to 1000 feet outside your office and use a laptop or smart device to access your network. Visitors with guest access cannot come back to snoop around on your main network.
Some guest Wi-Fi access can be set to automatically turn off after business hours. Make sure the guest SSID name and password are different than your main wireless network.
Let staff check their personal business on their own devices
BYOD (Bring Your Own Device) policies allow employees to connect their smartphones, tablets and laptops to the office guest Wi-Fi network. Letting them handle personal affairs on their own devices greatly reduces the chances of accidentally infecting company computers. The BYOD policy provides a clearly defined set of rules, standards and penalties for this privilege. These rules should be straightforward and easy to follow.
Subscribe to an endpoint security protection provider
A basic antivirus is not enough. Seek out an endpoint solution that can handle PC, Mac, and smart devices. Along with scanning files and emails, this should also scan any USB flash drives or SD cards that get inserted into any office computer.
Subscribe to a third-party spam filtering service
Although most Internet Service Providers have some form of spam filtering in place, they can’t keep up with the tsunami of junk email. By subscribing to a third-party spam filter, incoming email gets checked through their service first then forwarded to your company inboxes. This greatly reduces the amount of phishing emails that employees may get fooled into clicking on.
Accessing the business network from outside the office should always be done over a VPN connection
Short for Virtual Private Network, a VPN creates a secure Internet tunnel from your computer or device to the office network. This prevents hackers from stealing passwords from employees connecting in over public Wi-Fi networks.
Check your backups by testing them regularly
Data breaches, disasters and virus outbreaks on the office network should be treated like catching the common cold – sooner or later it will happen to you. Solid backups are your only true protection against potentially losing everything.
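"Testing" a backup means actually restoring it and comparing the result against what was backed up, not just confirming the archive file exists. The following is an added example, not code from the article, of that restore-and-compare check in Python: it writes a SHA-256 manifest of the source tree when the backup is taken, restores the archive into a scratch directory, and reports every missing, altered or unexpected file. The `demo()` function builds a constructed sample data set, then edits the live data after the backup to show how the same check exposes a stale backup.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree and return the manifest to verify it against later."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def verify_backup(archive: Path, expected: dict) -> list:
    """Restore the archive to a scratch directory and list every mismatch (empty = good)."""
    problems = []
    # Use the safe 'data' extraction filter where this Python version provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(restore_dir, **extract_opts)
        restored = manifest(restore_dir)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in restored:
            if rel not in expected:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo() -> tuple:
    """Constructed sample: a fresh backup verifies clean; a stale one reports drift."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "customer-data"
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.csv").write_text("id,name\n1,constructed sample\n")
        (source / "notes.txt").write_text("constructed sample notes\n")
        archive = work / "nightly.tar.gz"

        expected = make_backup(source, archive)
        fresh_problems = verify_backup(archive, expected)

        # Simulate the live data changing after the backup ran.
        (source / "notes.txt").write_text("edited after backup\n")
        (source / "new.txt").write_text("created after backup\n")
        stale_problems = verify_backup(archive, manifest(source))
        return fresh_problems, stale_problems


if __name__ == "__main__":
    fresh, stale = demo()
    print("fresh backup:", fresh or "verified OK")
    print("stale backup:", stale)
```

Keep the manifest somewhere other than the backup media itself; if the archive and its manifest are lost together, the check cannot tell you anything. Run the restore on a machine other than the one being backed up whenever possible, since that is the situation a real recovery will be in.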
Don’t use vector-based company logos in PDFs available on your website
Vector-based logos are made of paths, allowing them to be scaled to any size without a loss of quality. Raster-based logos are made up of dots and quickly lose image quality if the size is manipulated. A savvy adversary can lift a vector company logo out of a PDF and use it to forge exact copies of your print letterhead, company emails and even company ID badges – anything with your logo on it. Using raster logos (high-compression JPEGs, PNGs, etc.) makes forging your company materials more difficult.
Finally, Treat all your data as valuable
To a seasoned hacker on the hunt, data comes in two types: data to exploit and data to steal (and sell). Even the most innocent information can be parlayed into playing a role in cracking into your network. Take nothing for granted… and shred everything once it has outlived its usefulness.
For more tips and advice on protecting yourself, your PCs and your data check out Surviving the Zombie Apocalypse: Safer Computer Tips for Small Business Managers and Everyday People.
- Protecting businesses from the top cybersecurity concerns - June 10, 2015