The Internet and connected devices are essential tools for any small business, and it is difficult to impossible in this day and age to conduct business without the Internet. Yet, any business also needs to be mindful of the risks to their information assets and business lifeblood and establish a basic security strategy to protect the business. A security strategy need not be complicated, but it must be comprehensive. Some areas to consider:
Passwords and authentication
Passwords remain a weak spot in any security strategy, even for large companies. How can a small business hope to protect itself? Fortunately, strong passwords are not difficult to implement, and there is really little need to construct them using hard-to-remember combinations of letters, numbers, symbols, etc. The simplest and most effective way is to use a pass phrase, which is easier to remember, unique to the user, and over 15 characters long. A simple sentence without spaces will suffice. Long pass phrases take extreme computing power and time to crack, and hackers may go elsewhere to lower hanging fruit.
In addition to requiring strong pass phrases, require employees to change their pass phrase every 2-3 months. Also, where practicable, and where it makes economic sense to do so, consider two-factor authentication.
Two-factor authentication combines a token (something you have) with the pass phrase (something you know). Low cost services are now available to manage tokens without the need to invest in infrastructure and the labor to run it. Better yet, instead of carrying a hard token on a key ring, the token can now be software running on an Internet connected cell phone, which produces a one-time code to use in combination with the pass phrase.
Check with critical partners such as your bank, and other sensitive vendors to see if they support token based authentication to further protect your most sensitive and valuable assets.
Train Employees and Create Awareness
Any business needs well established policies and procedures for staff to follow. Along with operational policies, ensure that security policies, including use policies are written down and communicated to staff, along with consequences for violating policy and putting the business at risk.
There are low cost services available to deliver employee awareness training. Often, training can be delivered over the Internet. However, one factor to keep in mind is that most training focuses on the need to protect the business, and it is important to also communicate to employees the risks to them personally. It is a fundamental human instinct to think about “what’s in it for me?”
One of many answers is the sanctity of each employee's identity. Identity theft is a billion dollar business, and any business with employees has employee names, social security numbers, and birth dates. With those three pieces of information, an identity thief is the employee for all practical purposes. Of course, the business can be liable for loss of employee personal information, but the affected employees will be impacted as well by financial losses, time and aggravation, and more.
Information security affects all, and staff should feel that protecting the information assets is a joint responsibility of everyone.
Protect Your Systems
Face it, if we use software, computers, smart phones, or other Internet connected gadgets, we are exposed to vulnerabilities and there are armies of cheap talent working in some parts of the world to find ways to exploit those flaws and vulnerabilities. However, we can avoid becoming an easy victim by doing things such as keeping our systems and software patched, and running anti-virus and anti-malware software.
Will patching and anti-virus ensure that we are not hacked? No, but it will ensure we don’t fall victim to known vulnerabilities which have already been fixed. As is the case with passwords, avoid being the low hanging fruit for cyber criminals.
Make a Backup Copy
Any information critical to your business requires a backup copy in a safe, alternative location. An alternative location means a different system and location than that which holds the data.
We once had a client send us their failed firewall for rebuild and recovery. The disk had failed and needed to be replaced, which was easily accomplished by securing a replacement disk from the vendor. When we asked the client for their backup so that we could commence the rebuild, they informed us that the backup was on the failed drive. In other words, it most likely was lost. While we sent the failed drive to a recovery specialist, the cost of recovering the data to rebuild a firewall was much more than the labor to rebuild the configuration from scratch. But what if it was not a firewall but a server holding all kinds of sensitive business information? Recovery from scratch would not be possible.
Does your business use cloud based services? Could you survive a massive Internet outage with no access to your cloud based data and applications? For how long?
The moral of this story is to make backup copies, store them offsite, and occasionally check the backup copies to make sure they contain the data they are expected to contain. Don’t believe your IT person that backups are made; make them prove it.
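One way to make an IT person "prove it", as an added example rather than anything from the original article: record a manifest of SHA-256 hashes of the live data, then check the backup copy against that manifest so that missing, truncated or altered files are reported rather than discovered during a disaster. The file names and contents below are constructed samples, and the `demo()` scenario is an assumption of this example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup tree against the manifest taken from the live data."""
    found = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "corrupt": sorted(k for k in manifest if k in found and found[k] != manifest[k]),
        "extra": sorted(set(found) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: a backup that silently lost one file and truncated another."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        (live / "ledger").mkdir(parents=True)
        (live / "ledger" / "q1.csv").write_text("invoice,amount\n1001,250.00\n")
        (live / "payroll.txt").write_text("constructed sample payroll data\n")
        manifest = build_manifest(live)          # taken when the backup was made
        assert verify_backup(manifest, live) == {"missing": [], "corrupt": [], "extra": []}
        (backup / "ledger").mkdir(parents=True)
        (backup / "ledger" / "q1.csv").write_text("invoice,amount\n")   # truncated copy
        return verify_backup(manifest, backup)    # payroll.txt never arrived


if __name__ == "__main__":
    print(demo())
```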
Limit Employee Access
As a rule of thumb, the principle of “least access” should always apply. This means that the absolute minimum level of access required to perform the job duties should be granted and no more. Sure, it takes a little more effort and thought to limit access vs. blind trust in that valued worker, but is it worth the risk to trust blindly?
Also, segregate duties and the ability to perform sensitive actions. With any small business, this can sometimes be a challenge as with small teams, people wear many hats. However, it is critical in certain circumstances. For example, the same person who approves a payment should not be the same person who issues the check, or makes the electronic transfer.
Physical access is also a concern. Many small businesses have a single server which contains data, or a few laptops. Laptops are easily accessed and easy to steal. Consider locks which prevent laptops from being removed from the premises unless authorized, and encrypt all of the data on them.
Protect your Network
Firewalls are a must. For many small businesses, Internet service is provided by a cable or DSL provider and may include wireless access as well. How is the firewall managed and what access is granted in or out? What about wireless access points?
A firewall is simply a device which limits what can connect inside your network. In some cases, depending on how it is configured, a firewall will also limit what goes out. However, while necessary, a firewall is dated technology which protects the perimeter. In different terms, it is like a guard at a gate who decides who gets in and who gets out. But in today’s world of the Internet of Things and mobile devices, the data often exists outside of the perimeter on a mobile device, which effectively limits a firewall's ability to protect the perimeter. Nevertheless, firewalls are needed and should include software based firewalls on any device, such as laptops, which leaves the premises.
Wireless access can be another weak spot, especially when not configured properly. When setting up a newly purchased wireless access point, consider hiring an expert to come and configure it securely. Too often, user-deployed wireless access points are configured with blatant holes which allow an intruder to come right through and use the network. While the numbers are decreasing, no matter where we travel to, we can still find at least one or two wireless networks which are not secured.
Don’t Forget Mobile Devices
These days, mobile devices can hold very sensitive information. Worse yet, these devices are easily lost or stolen, more so than laptops. It is understandable for businesses to want to allow employees to bring their own mobile devices to work, but care needs to be taken to protect the company data, as well as the privacy of the employee.
At minimum, mobile devices should be password protected (see above on creating strong pass phrases), and encrypted. Additionally, it is recommended that they have software which allows them to be remotely wiped of any sensitive data if reported lost or stolen.
One of the biggest challenges with mobile devices is that employees are sometimes hesitant to report a device as lost or stolen, for fear of repercussion. This leads to a detection gap between the time the device goes missing, and the time it is discovered by the business. Consider a policy which encourages employees to report lost or stolen devices promptly, without fear of reprisal. The cost of replacing the device is minimal compared to the potential cost of the lost or compromised data on that device.