What Your Small Business can do to Protect Against Cyber Threats
This is the third column in a series about cyber security for small businesses. Cyber security has become a major concern for small business CEOs and a serious threat to their operations. While digital transformation offers many benefits, it also comes with many challenges. I have stated that some 76% of cyberattacks occur at businesses with under 100 employees. Cybercriminals know small businesses tend to be easy targets, and that accessing a small business's computer network often gives them entrée to client and vendor networks, too.
In my last column I shared the most common threats. The next step is what you can do about them to protect your business. In this column I will give some suggestions on this topic and share some information from a resource that SCORE and one of its content partners, Trend Micro, created on this subject. You have two areas of defense against cyberthreats: your users (you and your employees) and your devices. First, I will suggest some best practices to keep your business safe. It is important to realize that attackers prey upon human error, IT security complacency, and technical deficiencies. Here are some suggestions.
Create policies incorporating the following cybersecurity practices
- Passwords. Use a different password for every account or website. Most of us re-use the same password across multiple accounts, so a hacker who accesses an employee’s Etsy account can try the same password on their business email account with a good chance of success.
- Use long, complex passwords, and change any password immediately if you suspect it has been exposed. Some organizations still rotate passwords on a schedule, such as every quarter, but current guidance (NIST SP 800-63B) favors long, unique passwords that are changed when there is evidence of compromise, since forced rotation tends to produce predictable variations. A password manager can help by automatically creating and saving passwords. Popular password manager apps include Trend Micro Password Manager, LastPass, and 1Password.
- Don’t store passwords in an obvious place like a Post-it note on your computer monitor or under your keyboard.
- Don’t share the same password among users or tell others your password.
- Email security. Watch for these clues that an email is fraudulent:
- Look for obvious grammar and spelling mistakes; many phishing emails are written by people who are not fluent in English, though a well-crafted phishing email may contain none. Hover your mouse over links in the email to see whether the address shown in the pop-up matches the link text. For example, a link that shows as www.paypal.com in an email might actually point to www.paipal.com when you mouse over it.
- Examine the email sender's address to make sure it's correct. For example, in the preview pane an email might look like it's from JohnSmith@yourbiz.com, but when you expand the header information, you see the actual email address is JohnSmith@youbiz.com.
- Verify before responding to an email request for sensitive data. In CEO fraud, for example, the hacker may say their phone isn't working or they're in a meeting, so you need to answer by email. Don't! Call the person at a number you already have (not one given in the email) to double check before sharing sensitive information.
- Prohibit employees from opening outside email attachments. Instead, create a policy that any supplier must use a cloud-based option to share files instead of sending attachments. If this won't work, require password-protected attachments only, with the password exchanged by phone or another channel rather than in the same email; be aware that attackers also use password-protected files because security scanners cannot inspect them, so the password alone does not prove the file is safe. Any other attachments should be viewed as suspicious and deleted. If neither of the above will work, have employees contact the supplier to verify that the attachment is legitimate before opening it.
- Conduct regular phishing awareness training. Free or low-cost tools that let you simulate phishing attacks and educate employees about cybersecurity include Trend Micro Phish Insight, Cofense, and KnowBe4.
- Use email encryption when sending sensitive data. Encryption (typically S/MIME or PGP) is built into or can be enabled on most popular email clients, including Outlook and the standard mail apps on Windows, macOS, Linux, Android and iOS.
- Online safety. When logging in to websites, especially for sensitive purposes such as accessing bank accounts, use two-factor authentication for an extra layer of security. An authenticator app or a hardware security key is stronger than a code sent by text message, which can be intercepted or redirected by a SIM-swap attack.
- Verify links. Be careful of links in texts or emails, even if they seem to be from someone you trust. Hover over the link to see if it matches the link that appears in the email, or manually type in the URL instead of clicking on the link.
- Minimize use of cloud file-sharing. Be judicious about what you share with others on sites such as Dropbox and Google Drive.
- Never share customer information, intellectual property information or other core business data online. In general, don’t overshare online—with anyone.
- Outside the office. Be cautious using public Wi-Fi, and keep work conversations private. Many public networks are unsecured, meaning usernames, passwords, or files that you upload or download can be captured by crooks. Bring your own Wi-Fi access device instead (you can get one from any cell phone carrier), or connect through your company VPN.
- Restrict remote access to your business network to only the users who need it.
- Close RDP ports and enforce VPN use. Remote Desktop (TCP port 3389) should never be reachable directly from the internet; exposed RDP is a common entry point for ransomware. Put it behind a VPN that requires two-factor authentication.
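The email checks above (does the visible link text match the real target, and does the sender's real address belong to the domain it appears to come from) can be automated against a saved message. The following Python script is an added example written for this column; it is not part of the SCORE/Trend Micro resource. The sample message, the trusted-domain list (yourbiz.com and paypal.com), and all function names are assumptions made for illustration.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). The display name and the
# visible link text look legitimate; the real sender domain and link target do not.
SAMPLE_EMAIL = """\
From: "John Smith" <JohnSmith@youbiz.com>
To: owner@yourbiz.com
Subject: Urgent: wire details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm the payment at <a href="http://www.paipal.com/login">www.paypal.com</a>.</p>
<p>Our portal: <a href="https://portal.yourbiz.com/">portal.yourbiz.com</a></p>
<p>I'm in a meeting, reply by email only.</p>
</body></html>
"""

# Assumed list of domains the business legitimately deals with.
TRUSTED_DOMAINS = {"yourbiz.com", "paypal.com"}


def levenshtein(a, b):
    """Edit distance; used to spot one-character look-alike domains (paypal vs paipal)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_host(host):
    """Lower-case a hostname and drop a leading 'www.' so text and href compare fairly."""
    host = (host or "").strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def host_from_text(text):
    """Extract the host from visible link text such as 'www.paypal.com' or a full URL."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t
    return normalize_host(urlparse(t).hostname)


def looks_like_url(text):
    """Heuristic: link text that reads as a URL or hostname is what users 'hover' to verify."""
    t = text.strip()
    return " " not in t and "." in t and "@" not in t


def lookalike_of(host, trusted, max_distance=2):
    """Return the trusted domain that 'host' imitates, or None if it is trusted or unrelated."""
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return None
    for t in sorted(trusted):
        if levenshtein(host, t) <= max_distance:
            return t
    return None


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def check_links(html_body, trusted):
    """Flag links whose visible host differs from the real target, or whose target imitates a trusted domain."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = normalize_host(urlparse(href).hostname)
        reasons = []
        if looks_like_url(text) and host_from_text(text) != href_host:
            reasons.append("visible text %s does not match target host %s" % (host_from_text(text), href_host))
        twin = lookalike_of(href_host, trusted)
        if twin:
            reasons.append("target host %s resembles trusted domain %s" % (href_host, twin))
        if reasons:
            findings.append({"href_host": href_host, "text": text, "reasons": reasons})
    return findings


def sender_domain(msg):
    """The domain of the real From address, ignoring the display name the preview pane shows."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return normalize_host(addr.rpartition("@")[2])


def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Run the sender and link checks over a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html_body = body.get_content() if body else ""
    sdom = sender_domain(msg)
    return {
        "sender_domain": sdom,
        "sender_trusted": sdom in trusted,
        "sender_lookalike_of": lookalike_of(sdom, trusted),
        "link_findings": check_links(html_body, trusted),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(key, "->", value)
```

Run against the constructed message, the script reports that the sender domain youbiz.com is an untrusted look-alike of yourbiz.com and that the www.paypal.com link really points at paipal.com, while the genuine portal.yourbiz.com link passes. The edit-distance check is deliberately simple; it will not catch homoglyph tricks using non-Latin characters, so treat it as a first filter, not a replacement for the phone-call verification described above.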
In my next column in this series about cyber security for small businesses, I will give some suggestions about best practices for device security and then end with some suggestions regarding how to recover from a cyber-attack.