High-speed Internet and improved technology resources are powerful tools that help small businesses reach new markets and increase productivity and efficiency. However, every business needs a cybersecurity strategy to protect itself, its customers, and its data from growing cybersecurity threats.
The following tips will help you think about your business and ask whether you have these types of controls and processes in place.
Train employees in security principles
Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.
Do your employees know how to detect a cleverly crafted phishing e-mail? Do they know the common red flags that give away a phishing e-mail?
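The red flags this section refers to can be checked mechanically as well as by eye. The following Python script is an added example, not code from the original page: it parses a raw e-mail and reports the classic giveaways (a display name that borrows a trusted brand while the sender address lives elsewhere, a Reply-To that diverts replies to a different domain, a link whose visible text names one host while the href goes to another, and urgency wording). Both sample messages, the domains in them, and the list of trusted domains are constructed for the demonstration.

```python
"""Added example: report common phishing red flags found in a raw e-mail.
The sample messages and domains below are constructed, not real senders."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader to act before thinking.
URGENCY = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")
# Link text that looks like a host name, e.g. "www.example-bank.com/login".
HOST_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _squash(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def _body_text(msg):
    """Concatenate every text/* part (works for single-part and multipart mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_red_flags(raw_email, trusted_domains):
    """Return a list of human-readable red flags; an empty list means none found."""
    msg = message_from_string(raw_email)
    flags = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name invokes a trusted brand, but the address is not that brand's domain.
    for d in trusted_domains:
        brand = d.split(".")[0]
        ours = from_domain == d.lower() or from_domain.endswith("." + d.lower())
        if _squash(brand) in _squash(display_name) and not ours:
            flags.append(f"display name mentions {brand} but sender domain is {from_domain}")

    # 2. Replies are silently routed to a different domain than the sender's.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. The link text names one host while the href actually goes to another.
    body = _body_text(msg)
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = _host(text) if HOST_LIKE.match(text.strip()) else ""
        actual = _host(href or "")
        if shown and actual and shown != actual:
            flags.append(f"link text shows {shown} but points to {actual}")

    # 4. Urgency language in the subject or body.
    scan = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY if w in scan]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    return flags


# Constructed sample: a phishing attempt impersonating a bank.
SAMPLE_PHISH = """\
From: "Example Bank Support" <alerts@mail-notify.example.net>
Reply-To: recover@example.org
To: owner@smallbiz.example.com
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you verify your account immediately.</p>
<p><a href="http://login.example.net/verify">www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed sample: a routine, legitimate notification from the same bank.
SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
To: owner@smallbiz.example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available at
<a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_red_flags(sample, ["example-bank.com"]))
```

Each flag on its own is only a hint; the value of the check is that it surfaces the same questions a trained employee should ask (who really sent this, where does the link really go, why the rush) before anyone clicks.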
Protect information, computers, and networks from cyber attacks
Keep clean machines: running the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.
When was the last time your computers were checked to ensure each of them has up-to-date malware protection software? When was the last time your PCs were confirmed to have the most up-to-date Windows security patches?
Provide firewall security for your Internet connection
A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.
Providing a website browsing guideline for your users is not enough. Most firewalls also provide "web content filtering", which allows you to control the types of websites your users may browse, including social media, personal e-mail, and music/video streaming.
Create a mobile device action plan
Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
Do you allow your employees to access their e-mail or files from their mobile phones? If so, what controls do you require to be in place? Are their devices on the latest software release, which contains up-to-date security patches? Do you require them to secure their devices with an unlock passcode?
Make backup copies of important business data and information
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
Do you have an off-site backup of your data? How often do you confirm that the backup process is completing successfully? How often do you test or confirm that you can restore data from your backup if it were lost?
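A backup that has never been restored is only a hope. The following Python script is an added example, not code from the original page, of the restore test the question above asks for: it archives a folder, records a SHA-256 digest of every file, then restores the archive into a scratch directory and compares each restored file against the digest. Run against the live data, the same comparison also tells you when a backup has gone stale. The sample files and folder names are constructed for the demonstration.

```python
"""Added example: make a backup archive, then prove it restores correctly.
Sample files are constructed; point make_backup() at a real folder in practice."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source, archive):
    """Write a gzip'd tar of every file under source and return its manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(source) / rel, arcname=rel)
    return manifest


def verify_restore(archive, manifest):
    """Restore into a scratch directory and return the list of problems (empty = OK)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter refuses members that would escape the target
            # directory; fall back silently on Pythons that predate it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = build_manifest(scratch)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch: {rel}")
        problems.extend(f"unexpected file: {rel}" for rel in restored if rel not in manifest)
    return problems


def run_demo():
    """Back up two constructed files, verify, then show a stale backup being caught."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "business-data"
        (source / "hr").mkdir(parents=True)
        (source / "ledger.csv").write_text("date,amount\n2024-01-05,120.00\n")
        (source / "hr" / "staff.txt").write_text("Alice\nBob\n")
        archive = Path(work) / "backup.tar.gz"

        manifest = make_backup(source, archive)
        clean = verify_restore(archive, manifest)

        # The ledger changes after the backup; checking the archive against a
        # fresh manifest of the live data reveals that the backup is stale.
        with (source / "ledger.csv").open("a") as f:
            f.write("2024-01-06,75.50\n")
        stale = verify_restore(archive, build_manifest(source))

        return {"files": len(manifest), "clean": clean, "stale": stale}


if __name__ == "__main__":
    print(run_demo())
```

Scheduling verify_restore after every backup job, and alerting when the returned list is non-empty, turns the question "can we restore?" into something answered daily rather than during an incident.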
Control physical access to your computers and create user accounts for each employee
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
Did you know that removing administrator rights from your computer user accounts can stop most common malware attacks? Do you use separate login accounts on each computer for daily use and for administrator tasks such as installing software?
Secure your Wi-Fi networks
If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router.
Do you still have a default password on your wireless router? Who knows the password to connect to Wi-Fi, and who knows the password to log in to the administrator web page on the wireless router?
Employ best practices on payment cards
Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.
Do you allow other day-to-day tasks such as e-mailing and web browsing on the same PC from which you submit ACH requests and perform other online banking tasks?
Limit employee access to data and information, limit authority to install software
Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
Are your network folders and applications locked down to only the users that require the access? Do you apply password protection on sensitive files?
Passwords and authentication
Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.
Did you know that an estimated 92% of all cybersecurity incidents are caused by e-mail links, attachments, or e-mail account compromise? Do you use two-factor authentication for logging in to web-based e-mail services such as Gmail? Do you use a reputable anti-phishing and anti-malware filtering service to inspect all incoming e-mail?