The Internet in its broadest sense is the Swiss army knife of business tools. All business at the least use email, have some of their functions tied up with the cloud, offer Point of Sale (POS), use social media channels as the primary marketing tools, CRM is where all the customer data is, and many have their whole business built around a digital landscape. As we all become more enmeshed with online as a place for our business operations, whether front or back of house, it is important to be across how to do good business online and how to do safe business online – and protect and mitigate business from being open to cyber attack.
Unfortunately, when there is a global disruption to business like COVID-19, and many businesses and people are in survival mode, this is when businesses become vulnerable to cyber attacks. As Australia and Tasmania head into pre-emptive preparedness with social distancing measures like working from home, and moving bricks and mortar businesses to e-commerce operations, it is worthwhile to audit your cyber security measures and make sure you are able to focus on what is important – keeping you and your family safe and your business trading.
Cyber Security – What are the risks (and remedies) for my business?
Cyber attacks on small business fall under a few different categories. These tend to mimic the same strategies used with big business and government. You may wonder what your small or micro business could possibly have that would be of interest to cyber criminals hanging out in the dark web. The answer is the same thing that motivates all criminal activity: money, data and often just pure malicious disruption. While you may be a little fish, when data is stolen from a number of little businesses, all those small fish add up to a big school. Most small businesses don’t have the security provisions in place like big business does. To mix a metaphor, it’s like stealing candy from a fish bowl. Let’s look at some of the main areas where your business can be at risk:
Phishing - Don’t get caught in the net
Speaking of fish…even though phishing is typically something associated with individual email accounts and home internet security issues, it does have the potential to affect small businesses as well. With a phishing scam, staff in the business or organisation receive emails that include links that urge them to click and respond. As hackers get more sophisticated, so do their scams. In the earlier days of the internet, these emails were clearly bogus. These days, that is often not always the case. In some instances, phishing emails look much like real emails, such as one from a client, a supplier, a business partner like a bank or Telstra or an energy or gas utility. These emails are deceptive and seamless, and for a busy small business owner, are easily clicked on as they work through their inbox at pace. When they see familiar logos and fonts, it is more likely that their guard will be down, and the risk of clicking is high, especially during a crisis like COVID-19.
This is an example of a current scam targeting people about getting tested for the virus. Yep, those scammers will stoop to anything.
To help deal with this type of problem, small business owners and employees should make haste slowly with email. Government agencies such as the Australian Tax Office or your bank will never ask you to provide personal details in an unsecured email, especially passwords or date of birth or other key information. Especially with lots of new financial support measures being created by Government, you should be very wary of emails offering you money or support packages.
Carefully check the email address, as often the key is in very subtle changes to otherwise near identical addresses – yourbank.co rather than yourbank.com.au for example. Never respond to pop-up messages or texts and permanently delete anything that looks remotely like spam. Be alert but not alarmed, as they say. If you feel concerned, check the website (NOT through the link in an email!) of the business it claims to have originated from, or ring them to see if they have sent it.
Beware of invoices for things you haven’t actually purchased. These are a common ploy, and too commonly paid without scrutiny. Routinely check your business accounts and scan them for irregular transactions, if your security has been compromised you want to find out before your account is emptied.
As more businesses are using messaging services such as Whatsapp and Messenger to communicate with and market to their audiences, these are the new frontiers of sneaky phishing or malware which sometimes can be harder to recognise in a message format. Cyber security awareness is not just for you, but also your staff, as it is a team effort to make sure that your business stays safe. By making your employees aware of this type of attack on Internet security, it is generally much easier to reduce the risk for your company. This means training, and staff need to be made aware of how to be part of the vigilance, what they need to look out for, and how to deal with anything suspicious
One of the other big problems small business servers are facing when it comes to Internet security is dangerous or malicious code. This type of problem tends to be a common form of attack. It can cause damage to a computer network by deleting files, stealing passwords and account information, as well as customer and employee information. With this type of reach, it has the potential to be extremely dangerous and often completely invisible. Malicious code sounds nasty, and it is. Basically the code in software you use is (unknowingly to you) programmed to do actions that will harm your business. The problem is twofold in that not only is it doing damage, but traditional antivirus software alone can’t always pick it up.
This doesn’t mean your anti-virus software is redundant, it just means you have to use a combination of tools to combat the threat, like antibiotics for your online health. Installing, patching, updating and regularly using antivirus and anti-spyware programs is your baseline. The updating and patching part is critical, as just like human viruses, computer ones change constantly to avoid detection. In addition, it is a good idea to have firewalls on all computers in the business. The firewalls can help to ensure that both incoming and outgoing traffic is safe. It can also help ensure that the employees are not visiting sites that they shouldn’t be. When moving staff from an office to a home environment, make sure that they have enough security on their home devices and consider using multi factor authentication or a virtual private network while they are remote (more on these below).
Having a network that is not secure can be a massive problem as well, and one which is common in small businesses. An insecure network is a wide open door for anyone who wants to enter. When you or your IT provider is setting up a wireless network, it is important to make sure the default password is changed. Humans are the weakest link when it comes to network security and, unbelievably, many small business owners or staff set up a network and leave the password as is. They never believe that somebody is going to access their company’s information.
It sounds unbelievably simple but it is remarkably common: leaving the password the same or making it unforgettable (abc123 mypetsname anyone?) normally means it will be easy for a hacker to crack. Best practice is to use a number of networks, with separate ones for guests, contractors and staff so there is less chance you will be compromised. These networks also need passwords that are regularly changed, and to have limited access.
Changing the default passwords can make a huge difference. Using tools like LastPass to keep your passwords permanently uncrackable is another belt and brace approach. It is also a good idea to have high quality encryption on the network. For the best browser security, you will want to keep your preferred browser updated with the latest patches. Avoid using outdated browsers like the old Internet Explorer and Safari. Firefox and Google Chrome both give automatic updates so that you don’t have to worry about updating security for each browser.
MFA/2FA - Multi-factor or two-factor authentication
With the increasing use of cloud and accessible anywhere service this is a surefire path to security. Two factor authentication is where you use two sources to identify you are who you say you are. If you use services like Xero or MyGov you will be familiar with this. Enable it wherever it is offered to ensure that you and you alone are accessing your sensitive data.
The COVID-19 pandemic is a graphic reminder that disasters happen and they happen to us. You don’t want to double the devastation of business continuity and disruption by not being able to access any of your business data.
Likewise if you are the subject of a cyber attack and your business systems get locked down or hijacked, you want business continuity. Maintain and where possible automate backup of locally stored or portable data - phones/laptops etc. This is the fastest and most reliable recovery from attacks such as crypto lockers, blocked access and theft. You must test the arrangements you have in place regularly to ensure they work and think about what the critical documentation is you would need for business continuity. If you use cloud services for storage these too have their outages, and a regular backup makes sure you are covered and in control.
Make regular backup copies of your key business and customer data so that if you ever lose your information, you can retrieve it quickly. Also, avoid keeping your backup in the same physical location. It doesn’t have to be a disaster to be disasterous – what if the internet goes down for a few hours and you have no other means of transacting with your customers, this can severely disrupt, so plan for the worst, and be ready to be your best.
Cyber security is important, so too is actual physical security - it’s not going to help if your backup storage gets stolen so be mindful of where your data is stored and who has access to it.
Virtual Private Networks (VPN)
During COVID-19 the odds are pretty high that you and some, if not all, of your employees are working remotely. Once the future of work, it is the reality of our daily lives in a pandemic. Traditionally, businesses use private networks that are primarily intended for internal use. These are often protected with firewalls meant to block unauthorized access from outside the company. To better protect the network and the data transmitted and stored on it, security professionals recommend small business use a Virtual Private Network (VPN) when accessing the network remotely.
By using a VPN for remote connections, small businesses build in a layer of security they otherwise may not have. The VPN for remote business networking keeps sensitive information private. This is especially important for those who depend on hotel or other public Wi-Fi hotspots for their work connections. And while VPN connections tend to be secure, they aren't foolproof. Any network can be penetrated, so it is vital to use extra layers of protection, like encryption. Human nature, as in all things, also comes into play. Not using best security practices, like fully logging out of the VPN connection when finished, or having weak or no passwords, leaves the network vulnerable to outsiders.
Inside (with) jobs
While many of the threats to do with Internet security come from outside sources, a significant amount of them come from within your business. An upset or recently 'let go' employee can be a dangerous weapon for your business and brand – even if it is because of a clear crisis. During a pandemic, key staff may be hospitalised or quarantined. In some cases the employee may have access to important data including customer information or information on other employees - they may also have access to information that is critical to your business’s success and ongoing operation.
Reducing the risk of a single employee causing continuity disruption to a company is a matter of strategic management, and in a more personal way, being on top of your team and how they are coping and feeling in a time of crisis. Regular check-ins, and following up when you instinctively think there is a problem emerging is the best way to avoid a fully blown crisis. A happy employee nearly always tends to be loyal and productive. When staff feel unappreciated, underpaid, or at risk of losing their jobs is a danger zone. You can protect your business from staff initiated issues by dividing the most critical responsibilities and functions between different employees. This limits the amount of access a single employee has to data. It is also a good idea to make sure the passwords are changed every 90 days.
When an employee leaves the company, it’s essential that you remove their account and passwords right away, if possible prior to them being given notice – there are many salutary lessons from staff who have had the time to clean out their desk and destroy their employers brand on the way out. While it takes a little extra time, you can also take steps to reduce the possibility of dealing with a disgruntled employee before hiring them. By doing background checks, educational checks, employment checks, and most critically social media account checks, you can be sure you are hiring the right people for the job. As your team moves into social distancing measures, make sure there is a central repository of all critical information that is kept securely and you have protocols in place in business with the senior team, partners or external family members who are able to access it if there is a key person issue through illness or quarantine.
With so much of our business being undertaken on mobile devices, these light, liftable and easily lost assets represent a really significant risk to small business if they aren’t well managed and tracked. If an owner or employee uses his or her smart phone, tablet, or laptop for work, and they lose that device, the company could become compromised. When information is accessed or stored through laptops, tablets, or smart phones, it needs to be encrypted. The encryption has to be strong, as it will be the last means you have if your device is out there in the world unprotected.
Again, having a good firewall in place is essential, as is keeping passwords complex and regularly changed, backing up data in the cloud. Simple actions such as locking the screen with the shortest amount of idle time, having device tracking apps activated where possible, and ensuring that you see your mobile devices as extensions of your business are best practice device security for business. You wouldn’t leave your cash register unattended, so don’t leave your devices vulnerable to theft. And when it comes to a bricks and mortar business, low-tech physical security is still as important as ever, so be sure your business has secure locks, shredders, and a fire-proof safe in addition to any alarm system you may have installed. If you are going to shut down your physical office during the pandemic, it is worth being hyper vigilant in a time where essential services like police and security may be stretched to their limits with reduced numbers.
Be your own security guard
Learning about trends in cyber security can help you protect all the hard work and other resources required for running your business. Use VPNs as a cyber security measure, and understand the importance of disaster recovery planning as part of your strategic document set. Employee training is one of the most crucial elements of a strong cyber security strategy, because if your employees aren’t making use of good security practices, you will still be at high risk, even if you use a VPN or can remotely wipe devices. Cloud business applications typically have excellent surveillance for intrusion, controlled access, auditing, and strong perimeters that keep cyber criminals at bay, so utilizing the cloud is a good start and often a smart way to manage various elements of your business in a win-win for safety and efficiency.
Internet security checklist
To recap – here is your critical checklist of do’s and don’ts when it comes to keeping your small business safe from unwanted cyber attacks, hacks and human threats!
- No unknown downloads. Make a rule against downloading files from unknown senders.
- Check your Firewalls. Make sure everything is up-to-date on all machines.
- Use current virus protection on all devices. Keep it current and updated whenever new patches become available.
- Insist upon strong passwords. Weak passwords are like an open door to your business.
- Update your operating system regularly. This is especially important when new security patches come out. Many computers do this automatically, but make sure you have the auto update function turned on so you don't miss out.
- Use a virtual private network (VPN). These connect you to the web with an encrypted connection so data being shared online can't be seen by third parties. VPN providers offer secure data connections between remote workers and your network too, which can be especially helpful if you send workers into the field (for deliveries or repairs, for example).
- MFA/2FA. Enable multi or two factor identification on all devices and accounts where it is offered.
- Make sure mobile devices used for work are secure. Don't store important passwords on any mobile device. Learn how to use remote wipe capability on your phones and tablets.
- Disaster recovery plan. Not having a plan is a disaster. By thinking through the critical elements of your business that could be compromised, and what the damage may be, you can apply the fixes and antidotes before anything happens - and have a plan of attack when it does.
- NDB (notifiable data breach). Never send sensitive data unencrypted and unsecured, not just end to end via email, but physically controlling who has access to the data/file. A document containing personally identifiable data or medical records for example should be transmitted via a password protected PDF (for example) as a minimum.
- People are flawed. Yes, even you. So don't assume everyone is doing the right thing, and be actively alert and across your staff, their actions and all elements of your business and give them adequate security training.
- Outsource overwhelm. All too hard? There are plenty of companies and consultants who will happily come in, audit your business and provide solutions. Whether it is your time and money or their time and your money, this is a non-negotiable expense that will save you far more than it will cost you in the long run.
The good news is managing Internet security, even in a global pandemic, is simply a matter of knowing the risks and mitigations for your business, thinking through a strategy and putting suitable measures in place. Read through this fact sheet and check off what applies to your business, keep up to date with what is happening nationally through the Australian Cyber Security Centre and their extensive online resources, and be wary of any unsolicited attempts to ask for sensitive personal or business information, even if they seem to come from a reputable organisation.
Stay healthy, stay trading, stay alert (but not alarmed).