Hackers seeking to steal data and money used to target primarily large corporations and government bodies. In recent years, however, they have shifted focus, and now direct quite a bit of attention to hacking small businesses and individuals.
This change is not surprising: bigger organizations may offer larger higher bank balances and “treasure troves” of data to steal, but they also have both armies of information-security personnel and tighter relationships with law enforcement–lowering the odds of a hacker’s success and increasing the chances of his or her getting caught and imprisoned.
With the new dynamics at play it is increasingly important for small business owners, entrepreneurs considering starting a business, and people in general to cyber-protect themselves.
While it is proper to perform formal risk assessments before determining security strategy and techniques, the reality is that many small businesses won’t expend the resources to do so, and following some sound general advice is far better than doing nothing.
So, how can small businesses and individuals greatly improve their cybersecurity without spending a lot of money? Here are some suggestions:
1. Ensure awareness. Understand that you are a target. Keep in mind that even a single, short conversation can help employees understand that they are targets, and that thinking about cybersecurity is, therefore, important. People who believe that criminals want to breach their computers and phones act differently than people who don’t understand this reality. Also, when it comes to awareness, keep in mind that it is difficult to secure systems and data when potential users are not fully clear about to which systems they have access, and/or are not fully aware as to what data is in their possession; complexity can easily lead to confusion, and, remains, therefore, an enemy of cybersecurity.
2. Offer basic information-security training. It is imperative to understand certain basics, and to train others as well. People should know to avoid cyber-risky behavior–such as opening attachments and clicking on links found in unexpected email messages, downloading music or videos from rogue websites, inappropriately using public Wi-Fi for sensitive tasks, or buying products from unknown stores with “too good to be true” prices and no physical-contact information. Information security training materials can be found online–and many are free. Never, however, rely on training as a sole line of defense against any substantial risk.
3. Don’t give everyone the keys to the castle. If an individual worker goes rogue–or if a hacker breaches the security of a single person–you want to contain the damage. Give people access to the computer systems and data that they need in order to do their jobs, but not to everything else. The same goes for family members and home computers.
4. Backup often. Backup often enough that if something went wrong you will not panic about lost data if you need to restore from a backup. If you are not sure if you are backing up often enough, you probably aren’t. Do not keep backups attached to production networks–if malware (e.g., ransomware) gets into the network it could corrupt the backups as well. It is best to have offsite backups as well as onsite. And, regularly make sure to test that your backups actually work – having backups is meaningless if you cannot restore from them.
5. Encrypt. Store all sensitive data in an encrypted format. If you have doubts as to whether something is sensitive enough to warrant encryption, it probably does, so, err on the side of caution and encrypt. Encryption is built in to many versions of Windows, and there are plenty of free encryption tools available as well.
6. Do not share credentials. Every person accessing a system should have his or her own login credentials. Implementing such a scheme not only improves the ability to audit people’s activities in case of a problem, but it encourages people to better protect their passwords.
7. Use a proper password policy. Conventional wisdom is to require complex passwords for all systems–but that leads to people writing down passwords or reusing them; instead consider other strategies such as asking people to select combinations of words, numbers, and proper names (e.g., “investing9goats2Starbucks”). For extremely sensitive systems, consider stronger forms of authentication such as biometrics or multi-factor authentication. For more on password policies, please see my article from last year entitled “Why You Should Ignore Everything You Have Been Told About Choosing Passwords”
8. Devise, implement, and enforce social media policies. Inappropriate social media posts can cause many problems–such as leaking sensitive information, violating compliance rules, and assisting criminals to carry out attacks. Implement technology to ensure social media does not become a nightmare (of course, I recommend SecureMySocial); do not rely on simply telling people not to make particular types of posts on Facebook or Twitter–history tells us that many people simply do not realize when they are making such posts, and even those who do, may inadvertently leak data when posting from a smartphone that “auto-corrects” a misspelled word to a sensitive, internal term.
9. Use security software. All computer devices (laptops, tablets, phones etc.) that house sensitive information (or that will be attached to network with other devices that do) need security software. There are several popular, inexpensive packages that include anti-virus, firewall, anti-spam, and other beneficial technologies. Portable devices should have software optimized for mobile systems, and should have remote wipe capabilities (and do not forget to enable the remote wipe!).
10. Segregate Internet access. If you provide Internet access for workers’ personal smartphones and tablets, or for visitors to your office or home, implement it on a separate network; most modern routers offer such a capability.
11. Address personal device risks. If people are allowed to use personal devices for work-related activities, make sure there is adequate security on those devices. As with social media, do not rely on policies–enforce them with technology.
12. Comply with regulations. Make sure that you be sure to comply with all regulations that may apply to your business. If you process credit cards, for example, make sure you are in compliance with current PCI standards. In any case, never store credit card security codes or debit card PIN numbers.
13. Hire a pro. If possible, hire an information-security professional to assist with designing and implementing your approach to cybersecurity. The cost of a small amount of professional advice may pay for itself many times over in terms of time, money, and aggravation saved down the road. Hackers and other criminals leverage technical expertise–don’t be at a disadvantage against them. Keep in mind that if you were being sued you would hire a lawyer, and if you were being audited you would hire an accountant. There is a near certainty that you are, or will be, cyber-attacked. Make sure you are properly defended.
There are, of course, far more than just 13 possible items in a checklist of techniques to enhance cybersecurity; the aforementioned specifics, however, deliver significant value at relatively low costs, and are a good starting point. Also, keep in mind that no amount of investment in cybersecurity can ensure with certainty that you will never suffer a data breach or other form of cyber-compromise; we have all seen news reports of organizations that consistently spend hundreds of millions of dollars per year, or even over $1 Billion dollars per year, suffering from serious and costly breaches. As such, in addition to beefing up cybersecurity, you may wish to also mitigate against at least the most catastrophic of cyber-risks by purchasing cyber-liability insurance.
An earlier version of this article originally appeared in Inc.