Small Business IT Security: Six Steps to Getting Your Head Out of the Sand
March 27, 2017
We have all read about major security events such as the breaches that occurred at Sony, Target, and Yahoo (and Anthem Healthcare and the U.S. Office of Personnel Management too). Heck, the United States has even been reported to have penetrated Iran’s nuclear enrichment facilities to cause the physical equipment within to spin out of control and self-destruct.
If you own a small business (SMB), you likely view these fated tales as interesting topics for dinner-party discussion, while assuming your own business is too small to target.
You are wrong.
And that isn’t your fault. There are a bunch of reasons why you carry around this perception.
First off, nobody runs a leading story about “Cost Crusher CPA and Associates,” the five-person accounting firm in Anytown, USA whose network has just been hacked. It’s a pretty traumatic event for the team at Cost Crusher since it’s the middle of tax season and nobody could get their work done for an entire day. Plus they had to notify all of their customers that the breach may have led to the loss of sensitive personal identification information. Customers may leave, reputation may flounder, but you never hear about it because the company is too small to command headlines.
Second, you may have never actually seen one shred of evidence that your IT is under attack other than the occasional antivirus warnings that show up on employees’ laptops from time to time. You clean up the virus, and everything starts humming along again; no big deal.
But viruses and corrupt attachments are sort of like the 10% of the iceberg you see. Most small businesses never see the other 90%.
Antivirus software is not 100% effective at detecting malware, so you are removing the detected malware only. New and harder-to-detect malware is constantly being created, so there’s a good chance that a new attack can sneak through unnoticed. And all the hacker needs is a day to steal passwords, customer or employee data, or other sensitive info. Also, many SMBs don’t keep their antivirus software current on all computers, and there’s no way to run it on printers, barcode scanners, or Nest thermostats.
“But I have a firewall in place,” you may say, and that’s very likely true.
Often it’s built into your gateway and it has been dutifully enabled to block malware. This is definitely a good step, but it still doesn’t prevent certain issues. Consider, for example, what happens when you visit a legitimate website such as yahoo.com. Not only do you get content from the publisher’s server, you also get the ads that are served to that same web page from all over the world. This traffic is perfectly acceptable to the firewall, yet may well contain malware. After all, the malware that your antivirus detected had to come from somewhere.
Last but not least is the issue of rogue behavior. An employee decides the office needs more Wi-Fi coverage, so he goes to Best Buy, buys the latest Wi-Fi router and plugs it right in. Your full network may now be exposed to anyone who can reach your Wi-Fi: employees, guests, and even people in adjacent offices.
Is security enabled? (Yep!)
Are you sure? (Uh – no, not really.)
How secure is that anyway? Do you have a firewall in place now for Wi-Fi? (What do you mean by that?)
Is your guest traffic separated from your employee traffic throughout the entire network?
So maybe you agree that SMBs are a bit exposed, but it still doesn’t seem like a big deal. But consider…
- 20% of SMBs have been targeted
- The average cost per security event increased to $158 per lost record in 2016
- Ransomware attacks, which primarily target small businesses, were up 259% in 2016
That’s a pretty big deal, and likely to get bigger, because being less vigilant about defenses makes smaller companies easier, if less profitable, to attack without being detected. Lacking the personnel and resources of large organizations, it’s tempting to do nothing and hope nothing bad happens. Eventually, that won’t work.
So what is a small business to do? Do what big companies do: Become proactive.
Make sure you’re taking these 6 vital precautions:
- Back up your vital systems regularly. Don’t just intend to do it; really, do it! Backing up data protects against all manner of attacks, failures and blunders.
- Keep system software up-to-date. Make sure your antivirus system is installed and current on all machines. Check that the latest patches, particularly the security patches, are in place on all your systems. Upgrade networked devices such as printers and routers, including those supplied by or connected to service providers.
- Train your team. Take a couple of hours and train your team in recognizing potential threats and knowing how to handle them. Teach them about passwords, transporting files on flash drives, and what to do if a device gets infected. If nothing else, this can be “contact me right away” so you can call in expert help. Have a plan.
- Encrypt your sensitive data. This makes it harder to access data and renders it less valuable to thieves. Since it can be difficult to determine what is sensitive data and what is not, take the step of encrypting all data if you’re not sure. Store sensitive data in encrypted drives.
- Use an alarm system in addition to your door locks. After you have “locked up” your IT systems, use the network or other security tools to monitor for unusual activity. Using your network resources to watch for unusual occurrences such as unauthorized devices being added to the network or seeing unusual changes in traffic patterns can make the difference in spotting a potential breach in progress. Just as your home uses locks and a monitored alarm system, your network should utilize methods to discourage entry as well as monitoring to detect unexpected activity.
- Ask an expert. If you aren’t sure if you are doing enough, or doing it all right, invite an IT consultant in to help you. You are the expert at running your business; these guys are experts at keeping it safe. At $158 per stolen record, the cost of a few hours in consulting time is a small price to pay.
Of all the steps described above, this last one may have the greatest impact. While the first five will dramatically reduce a business’s exposure, it can never be fully eliminated. Security experts can spot vulnerabilities inherent in equipment, configurations, usage, and more. Regular health-checks, or services that equip consultants to monitor networks remotely, can be worth their weight in gold.
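One way to implement the "alarm system" step of watching for unauthorized devices, as an added example that is not part of the original article: it compares the neighbor table printed by Linux `ip neigh show` against an inventory of approved hardware addresses. The inventory, the addresses and the sample output are constructed for illustration.

```python
import re

# Constructed inventory of approved devices (MAC address -> label).
APPROVED = {
    "3c:52:82:11:22:33": "front-office printer",
    "a4:5e:60:aa:bb:cc": "owner laptop",
    "00:11:32:44:55:66": "backup NAS",
}

# Constructed sample in the format printed by `ip neigh show`.
SAMPLE_NEIGH = """\
192.168.1.20 dev eth0 lladdr 3C:52:82:11:22:33 REACHABLE
192.168.1.31 dev eth0 lladdr a4:5e:60:aa:bb:cc STALE
192.168.1.77 dev eth0 lladdr 50:c7:bf:01:02:03 REACHABLE
192.168.1.90 dev eth0 lladdr 9a:14:7e:0d:ee:01 DELAY
192.168.1.99 dev eth0  FAILED
"""

ENTRY = re.compile(
    r"^(\S+) dev \S+ lladdr ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def parse_neighbors(text):
    """Yield (ip, mac) for entries that resolved to a hardware address.
    FAILED/INCOMPLETE entries carry no lladdr and are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower()

def is_randomized(mac):
    """True if the locally-administered bit is set, which is typical of
    the private (randomized) addresses phones use on Wi-Fi."""
    return bool(int(mac[:2], 16) & 0x02)

def find_unknown(text, approved):
    """Return (ip, mac, note) for every device not in the inventory."""
    known = {m.lower() for m in approved}
    findings = []
    for ip, mac in parse_neighbors(text):
        if mac not in known:
            note = ("randomized address, likely a phone or guest device"
                    if is_randomized(mac)
                    else "fixed address, check for newly plugged-in hardware")
            findings.append((ip, mac, note))
    return findings

if __name__ == "__main__":
    for ip, mac, note in find_unknown(SAMPLE_NEIGH, APPROVED):
        print(f"UNKNOWN {ip} {mac}: {note}")
```

A hardware address can be changed by whoever controls the device, so a clean result is a quick check rather than proof. Run it on a schedule from a machine on the same network segment and review anything it reports.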
Small companies, whether they know it or not, are just as likely to be targeted—and devastated—by security exploits. Don’t wait to shore up defenses.