How to protect your business from cyberthreats
Columnist Dean Swanson says smart practices more than firewalls and passwords will keep your business safe.
Cybersecurity for small businesses has become a major concern for small business CEOs and a serious threat to their operation. While digital transformation offers many benefits, it also comes with many challenges.
Some 76% of cyberattacks occur at businesses with fewer than 100 employees. Cybercriminals know small businesses tend to be easy targets, and that accessing a small business’s computer networks often gives them access to client and vendor networks, too.
There are two areas of defense against cyberthreats: your users (you and your employees) and your devices. First, I will suggest some best practices to keep your business safe. It is important to realize that attackers prey upon a combination of human error, IT security complacency and technical deficiencies. Here are some suggestions.
Create policies incorporating the following cybersecurity practices.
Passwords. Use a different password for every account or website. Most of us re-use the same password across multiple accounts, so a hacker who accesses an employee’s Etsy account can try the same password on their business email account with a good chance of success.
Change passwords frequently, preferably every quarter. Use long, complex passwords. A password manager can help by automatically creating and saving passwords. Popular password manager apps include: Trend Micro Password Manager, LastPass, and 1Password.
Don’t store passwords in an obvious place like a Post-it note on your computer monitor or under your keyboard. Don’t share the same password among users or tell others your password.
Email security. Watch for these clues that an email is fraudulent: obvious grammar and spelling mistakes (often hackers are from outside the U.S. and aren’t fluent in English). Hover your mouse over links in the email to see if the link matches the link in the pop-up. For example, a link that shows as www.paypal.com in an email might actually be www.paipal.com when you mouse over it.
Examine the email sender’s address to make sure it’s correct. For example, in the preview pane an email might look like it’s from JohnSmith@yourbiz.com, but when you expand the header information, you see the actual email address is JohnSmith@youbiz.com.
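The two checks above (hovering to compare the shown link with the real one, and expanding the header to see the real sender address) can be automated for a mail filter or a training tool. The script below is an added example, not from the column or any product it names; it runs on a constructed message that reuses the column’s www.paypal.com / www.paipal.com and yourbiz.com / youbiz.com examples, and the function and variable names are my own.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?")  # text a reader takes for a web address

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercase host of a URL, or of bare text such as 'www.paypal.com'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def find_link_mismatches(html):
    """Hover check: (shown_host, real_host) for links whose text is a URL on another host."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(host_of(text), host_of(href)) for href, text in parser.links
            if URL_LIKE.fullmatch(text) and host_of(href)
            and host_of(text) != host_of(href)]

def check_message(raw_email, expected_domain):
    """Run the hover check and the expanded-header check on one raw message.
    Returns (link_mismatches, real From address if its domain is not expected_domain else None).
    The display name, which is all a preview pane shows, is ignored on purpose."""
    msg = message_from_string(raw_email, policy=policy.default)
    sender = msg["From"].addresses[0]
    bad = sender.addr_spec if sender.domain.lower() != expected_domain.lower() else None
    return find_link_mismatches(msg.get_content()), bad

# Constructed sample message modelled on the column's two examples.
SAMPLE = (
    'From: "JohnSmith@yourbiz.com" <JohnSmith@youbiz.com>\nContent-Type: text/html\n\n'
    '<p>Log in at <a href="https://www.paipal.com/login">www.paypal.com</a> '
    'or <a href="https://www.paypal.com/">click here</a>.</p>'
)
```

Running `check_message(SAMPLE, "yourbiz.com")` reports the paypal/paipal link and the youbiz.com sender; the "click here" link is not flagged because its text is not a web address, which is exactly why the column says to hover rather than trust the text.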
Verify before responding to an email request for sensitive data. In CEO fraud, for example, the hacker may say their phone isn’t working or they’re in a meeting, so you need to answer by email. Don’t. Call the person to double check before sharing sensitive information.
Prohibit employees from opening outside email attachments. Instead, create a policy that any supplier must use a cloud-based option to share files instead of sending attachments. If this won’t work, require password-protected attachments only; any others should be viewed as suspicious and deleted. If neither of the above will work, have employees contact the supplier to verify that the attachment is legitimate before opening it.
Conduct regular phishing awareness training. Free or low-cost tools that let you simulate phishing attacks and educate employees about cybersecurity include such resources as: Trend Micro Phish Insight, Cofense, and KnowBe4.
Use email encryption when sending sensitive data. Encryption is built into or can be enabled on most popular email clients and platforms, including Outlook, Windows, macOS, Linux, Android and iOS.
Online safety. When logging onto websites, especially for sensitive purposes such as accessing bank accounts, use two-factor authentication for an extra layer of security.
Verify links. Be careful of links in texts or emails, even if they seem to be from someone you trust. Hover over the link to see if it matches the link that appears in the email, or manually type in the URL instead of clicking on the link.
Minimize use of cloud file-sharing. Be judicious about what you share with others on sites such as Dropbox and Google Drive.
Never share customer information, intellectual property information or other core business data online. In general, don’t overshare online—with anyone.
Outside the office. Be cautious using public Wi-Fi. Keep work conversations private. Many networks are unsecured, meaning usernames, passwords, or files that you upload or download can be captured by crooks. Bring your own Wi-Fi access device instead; you can get one from any cell phone carrier.
Restrict remote access to your business network to only necessary users.
Close RDP – remote desktop protocol – ports and enforce virtual private network use.
Next week, we'll look at suggested best practices for device security and then end with some suggestions regarding how to recover from a cyberattack.
Dean Swanson is a volunteer Certified SCORE Mentor and former SCORE chapter chairman, district director and regional vice president for the North West Region.