
In 2015, the IRS, State Department, and White House all faced hacks. How safe are you? You might believe you’re not at risk since you aren’t a major target and hackers go after “bigger fish.” You may think that only large companies or government agencies get hacked, not smaller businesses.

Not so fast. Hackers find it much easier to break into the systems of smaller companies – particularly small businesses and medical offices, as these organizations don’t invest as much in security software or practices. The main reason is that smaller businesses often overlook security, believing they are too small to attract attention. This mindset, along with a lack of security measures, makes it easy for cybercriminals to access smaller systems. It’s likely that at some point, your organization will face a hack – the big question is when.

There is good news, however. When targeting smaller enterprises, hackers’ activities are not as sophisticated. And when businesses face unsophisticated attacks, it can be easier to spot them and take quick action.

Basic Layers of Security For Business

Every business owner should know where his/her vulnerabilities are and put protections in place. Here they are.

Social Media

You and/or your employees may be sharing far too much information on social media profiles and in messaging with others. Hackers often try to manipulate unwary people into disclosing additional information that will get them into the company’s system. One of the most important things for business owners to do is to establish security protocols, so that employees know how to keep themselves and the company safe from social media hacking touchpoints.

Securing/Sanitizing Your Hardware

Employees who go off to lunch with their computers on and exposed are inviting hacking, especially if those computers are in more “open” spaces of a business, such as a floor full of cubicles. Users who skip simple steps, like locking their computers when away from their desks, give others an easy way to steal their information. It only takes a few seconds for someone to use a memory card and steal your personal information.

Another issue is the disposal of old computers. Sanitizing and wiping procedures for old hard drives are at times not sufficient, and can allow hackers to retrieve information from those drives. There are a number of tools available to allow you to securely erase hard drives, or you can choose to get it done professionally. Physical security is one of the most overlooked aspects of security. If you cannot ensure that your hardware is physically secure, then there are steps you can take to improve security: encrypt all of your drives, store backups in the cloud with encryption enabled, and put theft recovery software on all stationary or mobile devices.

Wireless Connections

Wi-Fi signals can travel far and wide. While you cannot easily prevent that, there are steps you can take to secure your internal network.

  • How are you storing customer information? It should all be encrypted, especially if information is going to be transmitted outside your internal network.
  • How simple is your router password? It must be complex – you can take a phrase you know well, abbreviate it with capital and lowercase letters, symbols and other punctuation, and develop one that you will probably always remember.
  • Use complex router passwords. Most Wi-Fi routers come with default passwords that are easily found on the internet via a simple Google search. Make sure to change the default immediately after installing the hardware. Also make sure to use a complex password that includes lower and upper case letters, symbols and other punctuation.
  • Employees who use your computers for personal reasons during work, and perhaps download malicious code unknowingly, can create huge amounts of vulnerability. A better approach might be to create a separate guest-style Wi-Fi network for them to connect to using their personal devices. With these controls in place, you reduce the likelihood of a virus or malicious code infecting your corporate network.
  • If passwords are complex, you can always store them securely with a service. Then, you only have to remember one.

Use Two-Factor Authentication

2FA, as it is called, is in use by a large number of businesses and other organizations (e.g. health care). The idea is that there will be more than just a password required to get into an account. Banks have security questions; even gas stations require a zip code entry along with the card. A lot of larger companies that house confidential personal and/or financial data have multi-factor authentication.

It doesn’t take much to acquire this. There are a number of third-party services that offer two-factor authentication. A good developer can set up two-factor authentication quickly.

Technology is continuing to evolve around authentication mechanisms, with such things as fingerprints and facial recognition. As these forms of authentication become more common, both their cost and the level of implementation difficulty will reduce. Don’t hesitate to adopt these new measures as they come along.

Email/Phishing

Emails are an easy entry point for any hacker; they are essentially the front door to your business. Hackers can send malicious code via a simple email attachment that can gain entry into your system. A number of organizations have been attacked using a simple email hack. This makes protecting email critical.

As a company you should have a strict email policy and perform regular training for your employees. That training should include ways and methods by which employees can handle phishing attacks, and how to identify emails that may come from hackers. It’s very easy for hackers to impersonate major company websites – it has happened to Bank of America and to Amazon, just to name a few. A phishing website looks amazingly like the real thing. Rather than follow a link embedded in an email, close the email and type the site’s URL in yourself.

NOTE: Gmail with two-factor authentication is about as safe as you can get right now.

Virus Protection/Whitelisting

It is critical to have the latest anti-virus software on all the computers. However, that alone is not foolproof since viruses are created much faster than security companies can update their virus definitions.

One of the preventive measures that business owners can take is to create a “whitelist” – a list of approved sites to which those using company devices can connect. To reach any other site, special permission will have to be obtained.
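A sketch of how such a whitelist check can be applied to a requested URL, added here as an illustration and not taken from the article. The site names (constructed `.test` domains) and function names are assumptions; the point is that the comparison must be made on the host the browser will really connect to, so that lookalike addresses of the kind used in phishing are refused.

```python
from urllib.parse import urlsplit

# Constructed list for illustration; a real one comes from company policy.
APPROVED_SITES = {"example-bank.test", "intranet.example.test"}

def connect_host(url):
    """Return the lowercase host a browser would connect to, or None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any "user@" prefix and the port
    except ValueError:
        return None  # malformed address
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".").lower()

def is_approved(url, approved=APPROVED_SITES):
    """True only if the host is an approved site or a subdomain of one."""
    host = connect_host(url)
    if host is None:
        return False
    # Match on a whole-label boundary: "www.example-bank.test" passes,
    # "evilexample-bank.test" and "example-bank.test.evil.test" do not.
    return any(host == site or host.endswith("." + site) for site in approved)

def review(urls, approved=APPROVED_SITES):
    """Map each URL to 'allow' or 'needs permission', as the policy describes."""
    return {u: ("allow" if is_approved(u, approved) else "needs permission")
            for u in urls}

if __name__ == "__main__":
    # Constructed sample requests, including common lookalike tricks.
    samples = [
        "https://www.example-bank.test/login",
        "https://example-bank.test@evil.test/login",   # real host is evil.test
        "https://example-bank.test.evil.test/login",   # approved name as a prefix
        "https://evilexample-bank.test/",              # no dot boundary
    ]
    for url, decision in review(samples).items():
        print(f"{decision:17} {url}")
```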

Ransomware

In a new twist on cyber-crime, criminals are using malware to hack into business systems and “kidnap” files and data. One of the more recent methods employed by hackers is to gain access to your systems and encrypt the entire content, which can include all your files, essentially locking you out of your own system. This is commonly referred to in the business as ransomware. Once the hacker has encrypted your data, they then demand a monetary “ransom” to get the key to decrypt the content on the server. This type of attack is common, yet underreported, since most businesses agree to pay the ransom rather than admit the hack. They pay rather than face disaster-recovery services.

An Attack is Inevitable

Cyber-criminals are becoming more and more sophisticated.

Business owners must understand that they will be attacked at some point, so they must do everything they can to prevent attacks and to minimize them.

  1. It begins with employees – strict rules about internet use on company devices
  2. It moves into firewalls and authentication procedures
  3. It also moves into supply chain and client companies – what are their security measures? You must find out.
  4. Another important measure is to segment data and who has access to it. When you do this, hackers may breach one set of data but others remain secure.
  5. Put in analytics tools that will provide alerts when unusual activity takes place. Banks do this by denying card use if they suspect the owner is not where the card is being used. They then have time to verify.

It’s probably time to do a security audit and find out where you are vulnerable. Do not ever think you are too small to be attacked. Getting into your system can lead hackers to bigger fish. And an audit should be conducted on a regular basis, along with a long hard look at the newest threats and the technology that is out there to prevent them.