Every small business owner knows about taking out insurance to protect their business. But far too few are taking steps to protect themselves against the one threat that could stop their business dead in its tracks – cybercrime.
There has been a well-documented rise in cyber-attacks recently such as the Wannacry ransomware demands. Data breaches involving companies like Equifax, Uber and Yahoo have also made headlines worldwide.
But it’s not just large corporations that can be affected. Small businesses can easily become the target of online criminal gangs. Cybercrime is now a huge underground business that is predicted to grow over the next few years to cost the world six trillion dollars annually by the year 2021, according to the 2017 Cybercrime Report.
It’s important to realise that the image of the hacker as a lone schoolkid operating out of his bedroom is no longer true. These crimes are perpetrated by highly sophisticated criminal gangs from around the world that have access to the latest technology. Their aims are clear – to steal your money, or hijack your technology to illegally make money.
In this article we are going to examine what steps you can take to protect your business against some of the major threats.
1) Strong passwords
Do you have a password policy in your business? You should have one, as this is the first line of defence against hackers. It’s particularly important on websites and applications that contain financial or personal data.
Hackers now have sophisticated ‘cracking’ software that can try enormous numbers of password guesses very quickly. Commonly used passwords that should be avoided like the plague include:
Use any of these and a hacker will be able to access your files in a nanosecond. Even swapping out letters for numbers, such as the number ‘1’ for the letter ‘i’, is very easy for criminals to get around, because cracking tools try those substitutions automatically.
The most secure type of password is created using a password generator as these are truly random and very difficult to crack. An example would be “VqT4cuOqW*aj”.
The problem of course is that these passwords are very difficult for users to remember. This is where password managers come into their own.
These pieces of software remember all of your different passwords for you, regardless of how long or difficult they are. All you have to do is remember the password to the password manager itself. Leaders in this field include LastPass and Dashlane.
A further advantage of using a password manager is that you can have a different password for every online service and account. If hackers manage to get into one account, they can’t reuse the same credentials to get into the others. This is particularly important considering the recent large-scale data breaches that have occurred.
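As an added illustration of the two points above (not code from the original article), the following Python generates passwords of the kind a password generator produces and checks a proposed password against a policy that undoes letter-for-number swaps before comparing with a common-password list. The common-password list is a constructed stub, not a real breach list.

```python
import math
import secrets
import string

# Constructed stub of commonly used passwords; a real check would use a
# full list such as a published breach corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Letter-for-number swaps that cracking tools reverse automatically.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Letters, digits and punctuation: 94 symbols, like the "VqT4cuOqW*aj" example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalise(password: str) -> set:
    """Return the plain-word forms a cracker would try for this password."""
    lowered = password.lower()
    # Also try with trailing digits/symbols removed ("Passw0rd1!" -> "password").
    forms = {lowered, lowered.rstrip(string.digits + string.punctuation)}
    return {form.translate(LEET_MAP) for form in forms}


def check_policy(password: str, min_length: int = 12) -> list:
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if normalise(password) & COMMON_PASSWORDS:
        problems.append("matches a commonly used password once letter/number swaps are undone")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def generate_password(length: int = 12) -> str:
    """Draw a truly random password with the secrets module until it passes the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate, length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)
```

A 12-character password drawn from this alphabet carries about 78 bits of entropy, which is why a random generator beats any memorable word with swapped letters.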
2) Viruses and malware protection
Malware is any form of program or web content that is specifically designed to cause harm to a user’s computer system. An example would be ransomware which locks a user’s computer until a ‘ransom’ is paid to the hackers.
Malware and viruses can get onto your machine in various ways, such as browsing a compromised website, downloading an app, loading a file from a USB stick or clicking on a link in an email.
Installing good-quality antivirus software is the main defence against viruses from the Internet. Ensure that all updates are installed, as new viruses are being found every day. It’s best if your software is able to do this ‘in the background’ without any intervention from the user.
Staff should be made aware of the danger of downloading apps. Only download apps for mobile devices from a recognised store such as the Apple app store or Google Play.
3) Use a Firewall
You should use a firewall to protect your Internet connected network. This is essentially a protective ‘buffer-zone’ between your company’s computers and the Internet.
If you have a personal computer or laptop, it may well be possible to use a personal firewall that comes with your operating system or is bundled with your antivirus software. For a larger computer network, you may need a more specialised system that you should discuss with your IT network services provider.
4) Keep your computer and devices up to date
Keeping up with cyber criminals is like an arms race. When a new hack is discovered it’s fixed with a patch by the software vendor. The criminals then look for a new vulnerability that they can exploit, and the race goes on.
It is essential that you install any updates that become available for your operating system, your other software and your devices. These are often security updates that are designed to protect you from malicious attacks.
The good news is that these updates are often free and don’t take much time to install, so the inconvenience should be minimal.
5) Protection from phishing
In phishing attacks, cyber criminals try to trick users into revealing their banking details or get them to click on infected links. Victims are often sent emails that look like they are from the person’s bank, the government or PayPal.
This type of fraud has been around for a number of years now but has become increasingly sophisticated. The emails look incredibly genuine and hackers are even able to ‘spoof’ the email address so that it looks like it’s come from your bank.
Being aware of the risk is the best form of defence. Do not click on any links that look suspicious and don’t be afraid to phone and confirm with your bank if anything looks amiss.
Signs to look out for include low quality images or logos, obvious typos and poor grammar. But be aware that this is not always the case. If you’re asked to confirm your banking details or password, you should immediately be suspicious because the majority of banks have a policy of never asking for full passwords either by email or by telephone.
If one of your staff does slip up and clicks on a link by mistake, they shouldn’t be disciplined. This could discourage people from coming forward in the future. Instead use it as an opportunity to reinforce your cyber security training.
6) Create backups
You should be backing up your data and storing it securely offsite, just in case you are hit by cyber thieves or ransomware.
Cloud storage can be a useful solution, with the advantage that it is physically separate from your location. But just having files on Dropbox is not enough. If those folders are synced to your network, anything that encrypts or deletes files on your machines can reach them too. A dedicated remote storage solution that is not permanently connected to your network is required.
The cost of external storage in the cloud has come down dramatically over the last 5-10 years, so it really is a low-cost way to insure your business should the worst happen.
One important aspect of backups that is often overlooked is the need to regularly test them. This is to make sure that you are able to effectively and quickly get back up and running should you suffer a ransomware attack or hacking incident.
7) Protecting personal data
There have been serious data breaches at large organisations such as Yahoo and TalkTalk. These resulted in the personal details of individuals being stolen by hackers and traded amongst criminals.
Small businesses can also be the victim of these crimes. Data such as customer records, email marketing lists and direct mail lists could all be useful to criminals.
To protect yourself, only keep records that you really need. Restrict access only to staff that really need the data to perform their task. Access privileges should be used as a further level of protection, such as using standard access rather than administrator access.
Sometimes third parties need access to your systems, for instance network maintenance engineers, marketing agencies or IT support companies. Be sure that when their work has finished their access is terminated.
There is new Europe-wide legislation coming in May 2018 called the General Data Protection Regulation (GDPR). This legislation aims to harmonise and update data privacy laws in European countries. If your business processes personal data, you will need to abide by these new rules.
8) Train staff in cyber security
Many small businesses would love to invest in staff training but find it really difficult to find the time. Cyber security is one area where you really cannot afford to be complacent: staff training is essential.
In your training you should outline your IT security plan with details that:
- Identify what risks there are in your business
- Detail what access controls have been put in place
- Explain what software controls are in place
- Explain employees’ responsibility to keep the network and personal data safe
- Explain what steps to take if a security breach is identified
- Identify the person responsible for the IT security plan
By following these steps, you’ll give your business the best chance of avoiding the crippling inconvenience of cybercrime. If you do unfortunately become a victim of crime, you’ll have the best chance of bouncing back quickly.
Bio: Ashley Ranwell writes for First Line IT about IT support, cyber security and cloud computing, specifically for the small business community.