In 2015, the IRS, the State Department, and the White House were all hacked. How vulnerable are you? You might think not very, because after all you are not a “big boy,” and hackers have “bigger fish to fry.” You might think that getting hacked is something experienced by large companies or government agencies, not by small ones.
Not so fast. Attackers have a much easier time getting into the systems of smaller enterprises, especially small businesses and medical practices, because those organizations spend less time and money on security tooling and practices. The underlying reason is that smaller enterprises tend to be lax about security, thinking they are too small to be targets. That thinking, and the resulting lack of security controls, is exactly why criminals love how easily they can get into smaller systems. Chances are that at some point your organization will be a target; the big question is when.
There is some good news, however. When targeting smaller enterprises, attackers often do not bother with sophisticated techniques, and unsophisticated attacks are easier to spot and act on quickly, provided someone is actually looking.
Basic Layers of Security For Business
Every business owner should know where his or her vulnerabilities are and put protections in place. Here they are.
You and your employees may be sharing far too much information on social media profiles and in messages with others. Attackers use what they find there to manipulate unwary people into disclosing further details (which software the company runs, who handles its IT, the answer to a password-reset question) that get them into the company's systems. One of the most important things for a business owner to do is to establish security protocols, so that employees know how to keep themselves and the company safe from social engineering that starts on social media.
Securing/Sanitizing Your Hardware
Employees who go off to lunch leaving their computers unlocked and exposed are inviting trouble, especially when those computers sit in the more open areas of a business, such as a floor full of cubicles. Users who skip simple steps like locking the screen whenever they step away from the desk leave an easy opening for data theft: it takes only a few seconds for someone to plug in a USB drive and copy files off an unlocked machine.
Another issue is the disposal of old computers. Sanitizing and wiping procedures for old hard drives are at times not sufficient and can allow attackers to recover information from those drives; simply deleting files or reformatting does not remove the data. There are a number of tools available to securely erase hard drives, or you can have it done professionally. Physical security is one of the most overlooked aspects of security. If you cannot guarantee that your hardware is physically secure, there are still steps you can take: encrypt every drive with full-disk encryption, so that a stolen laptop or a discarded disk yields nothing readable without the key; keep backups in the cloud with encryption enabled; and put theft-recovery software on all stationary and mobile devices.
A Wi-Fi signal travels far beyond your walls. While you cannot easily prevent that, there are steps you can take to secure your internal network.
How are you storing customer information? It should be encrypted at rest, and it must be encrypted in transit whenever it leaves your internal network.
How simple is your router password? Most Wi-Fi routers ship with default administrator and Wi-Fi passwords that are easily found on the internet with a simple Google search, so change both immediately after installing the hardware. Use a complex password: take a phrase you know well, abbreviate it using upper- and lowercase letters, symbols and other punctuation, and you will end up with one you can remember. Make sure the network itself uses WPA2 or WPA3 encryption rather than the obsolete WEP or no encryption at all.
Employees who use company computers for personal reasons during work, and perhaps unknowingly download malicious code, create a large amount of exposure. A better approach is to create a separate, guest-style Wi-Fi network for personal devices, isolated from the network your business systems use. With that control in place you reduce the likelihood of a virus or other malicious code reaching your corporate network.
If passwords are complex, you can store them securely in a password manager service. Then you only have to remember one: the master password, which should be long and unique.
Use Two-Factor Authentication
2FA, as it is called, is in use at a large number of businesses and other organizations (for example in health care). The idea is that more than just a password is required to get into an account: ideally something you have, such as a code from an authenticator app or a hardware token, in addition to something you know. Banks' security questions and the ZIP code a gas station pump asks for alongside the card are weaker versions of the same idea, since they are still just more things to know. Many larger companies that hold confidential personal or financial data already require multi-factor authentication.
It doesn't take much to add this. A number of third-party services offer two-factor authentication, and a competent developer can integrate it quickly; the time-based one-time codes used by most authenticator apps are an open standard (RFC 6238), so nothing proprietary is required.
Authentication technology continues to evolve, with fingerprints, facial recognition and similar methods. As these forms of authentication become more common, both their cost and the difficulty of implementing them will fall. Don't hesitate to adopt these new measures as they come along.
Email is an easy entry point for any attacker; it is essentially the front door to your business. Attackers can send malicious code in a simple email attachment and gain entry to your systems, and a number of organizations have been compromised through a single malicious email. That makes protecting email critical.
As a company you should have a strict email policy and run regular training for your employees. That training should cover how employees should handle phishing attempts and how to identify suspicious emails. It is very easy for attackers to impersonate major companies' websites; it has happened to Bank of America and to Amazon, to name just two. A phishing site can look almost exactly like the real thing. Rather than following a link embedded in an email, close the message and type the site's URL in yourself, or use a bookmark you created earlier.
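The simplest machine-checkable version of the advice above is to compare where a link says it goes with where it actually goes. The following link checker is an added example for this page, not a product or the author's own tool; the email body it scans is constructed, the domains in it are reserved example names and a documentation IP range, and the three checks it applies (visible text names a different host than the href, plain http, raw IP address as host) are an assumed minimal rule set rather than any vendor's logic.

```python
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample message body (not a real email): one link whose visible text
# names a bank domain but whose href goes elsewhere, one clean link, and one link
# to a bare IP address (documentation range 203.0.113.0/24).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account within 24 hours:</p>
<a href="http://secure-login.example.net/verify">https://www.bank.example/login</a>
<a href="https://www.example.com/help">Help center</a>
<a href="http://203.0.113.5/update">www.example.com</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> Optional[str]:
    """Hostname of a URL, also accepting bare 'www.example.com'-style text."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html: str) -> List[Dict[str, object]]:
    """Flag links where the visible text names a different host than the href,
    where the href is plain http, or where the host is a raw IP address.
    (A production filter would compare registrable domains, eTLD+1; exact host
    comparison is used here to keep the example self-contained.)"""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = host_of(href)
        if href_host is None:
            reasons.append("unparseable href")
        else:
            if urlparse(href).scheme != "https":
                reasons.append("not https")
            if is_ip_literal(href_host):
                reasons.append("raw IP address as host")
            # Only treat the visible text as a host if it looks like one.
            text_host = host_of(text) if re.search(r"\w\.\w", text) else None
            if text_host and text_host != href_host:
                reasons.append(f"shows {text_host} but goes to {href_host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run on the sample body it flags the first and third links and leaves the plain "Help center" link alone. A look-alike domain that is not an exact mismatch (for example a registered name one letter off) would pass this check, which is why the human rule of typing the address yourself still matters.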
NOTE: A mail service that supports strong two-factor authentication, such as Gmail with 2FA turned on, is about as safe as you can get right now.
It is critical to have up-to-date anti-virus software on every computer. That alone is not foolproof, however, since new malware is produced faster than security vendors can update their signatures, so treat anti-virus as one layer rather than the whole defense.
One preventive measure a business owner can take is to create a “whitelist” (an allowlist): a list of approved sites that company devices may connect to. Anything not on the list requires special permission.
In a newer twist on cyber-crime, criminals use malware to break into business systems and “kidnap” files and data. The attacker gains access to your systems and encrypts their entire contents, which can include all your files, essentially locking you out of your own systems. This is commonly referred to as ransomware. Once your data is encrypted, the attacker demands a monetary “ransom” in exchange for the key to decrypt it. This type of attack is common yet underreported, since many businesses quietly pay the ransom rather than admit to the breach, and pay rather than go through a full disaster-recovery effort. The only reliable defense is a set of recent backups kept offline or otherwise out of the attacker's reach, tested so that you know they actually restore.
An Attack is Inevitable
Cyber-criminals are becoming more and more sophisticated.
Business owners must understand that they will be attacked at some point, so everything that can be done to prevent an attack and to minimize its impact must be done.
It begins with employees: strict rules about internet use on company devices.
It moves into firewalls and authentication procedures.
It also extends to your supply chain and client companies: what are their security measures? You must find out.
Another important measure is to segment data and restrict who has access to each part. When you do this, an attacker may breach one set of data while the rest remains secure.
Put in analytics tools that will alert you when unusual activity takes place. Banks do this by declining a card transaction when the cardholder's location doesn't match where the card is being used, which gives them time to verify. The same idea applies to your own systems: an account that logs in from two distant places within a short time is worth a look.
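The bank's location check translates directly into an "impossible travel" rule over your login records. The detector below is an added example written for this page, not the output of any analytics product: the five login records are constructed, the latitude/longitude columns stand in for what a GeoIP lookup of the source address would return, the IPs come from documentation ranges, and the 900 km/h threshold is an assumed cut-off (roughly airliner speed) that a real deployment would tune.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample login records: "<ISO-8601 time> <user> <source IP> <lat> <lon>".
# The coordinates stand in for what a GeoIP lookup of the source IP would return;
# the IPs are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-03-05T09:00:00Z alice 203.0.113.10 40.71 -74.01
2024-03-05T09:45:00Z alice 203.0.113.10 40.71 -74.01
2024-03-05T10:10:00Z alice 198.51.100.7 51.51 -0.13
2024-03-05T08:30:00Z bob 192.0.2.44 37.77 -122.42
2024-03-05T20:30:00Z bob 192.0.2.99 41.88 -87.63
"""

# Assumed threshold: faster than an airliner means one person cannot have done both logins.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


@dataclass
class Login:
    when: datetime
    user: str
    ip: str
    lat: float
    lon: float


def parse_log(text: str) -> List[Login]:
    """Parse the whitespace-separated records above into Login objects (UTC)."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        logins.append(Login(when, user, ip, float(lat), float(lon)))
    return logins


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins: List[Login], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Dict[str, object]]:
    """Compare each user's consecutive logins in time order and alert when the
    implied speed between them exceeds max_kmh. Logins within ~1 km of each
    other count as the same place, so identical timestamps there do not divide by zero."""
    by_user: Dict[str, List[Login]] = {}
    for lg in logins:
        by_user.setdefault(lg.user, []).append(lg)
    alerts = []
    for user, entries in by_user.items():
        entries.sort(key=lambda l: l.when)
        for prev, cur in zip(entries, entries[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < 1.0:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev.ip,
                    "to_ip": cur.ip,
                    "distance_km": round(dist),
                    "minutes": round(hours * 60),
                    "speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['user']}: {a['distance_km']} km in {a['minutes']} min "
              f"({a['speed_kmh']} km/h) from {a['from_ip']} to {a['to_ip']}")
```

On the sample data alice's jump from New York to London in 25 minutes is flagged, while bob's 12-hour gap between San Francisco and Chicago is not. Like the bank's check, the alert is a prompt to verify with the user, not proof of compromise: VPN exit points and mobile carriers routinely produce geolocations that are wrong by a country.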
It's probably time to do a security audit and find out where you are vulnerable. Never assume you are too small to be attacked: getting into your systems can lead attackers to bigger fish, such as your clients and suppliers. Audits should be conducted on a regular basis, along with a long, hard look at the newest threats and the technology available to prevent them.