Cyber security for small business - 2019 Update
The Internet in its broadest sense is the Swiss army knife of business tools. All businesses at the very least use email; many have functions tied up with the cloud or a Point of Sale (POS) system, social media channels are their primary marketing tools, the CRM is where all the customer data lives, and many have their whole business built around a digital landscape. As we all become more enmeshed with online as the place for our business operations, whether front or back of house, it is important to understand not just how to do good business online, but how to do safe business online – and how to protect your business from being open to cyberattack.
Cyberattacks have happened to some of Australia’s biggest and most secure organisations. When those organisations don’t succeed at fending off attacks, it can seem overwhelming for a small business to know where to start and what to do. You may think you’re too small to be noticed, but this is exactly what makes you a target, as lots of small attacks add up to a pile of data and plenty of disruption.
Due to their lack of resources and know-how, small businesses often have the least-protected websites, accounts and network systems — making cyberattacks a relatively easy job. Scaremongering in the media may make keeping your data and revenue safe seem an impossible task. The good news is that managing Internet security is simply a matter of knowing the risks and mitigations for your business, thinking through a strategy and putting suitable measures in place.
Cyber Security – What are the risks (and remedies) for my business?
Cyberattacks on small business fall under a few different categories. These tend to mimic the same strategies used against big business and government. You may wonder what your small or micro business could possibly have that would be of interest to cyber criminals hanging out on the dark web. The answer is the same thing that motivates all criminal activity – money, data and often just pure malicious disruption. While you may be a little fish, when data is stolen from a number of little businesses, all those small fish add up to a big school, and most small businesses don’t have the security in place that big ones do. To mix a metaphor, it’s like stealing candy from a fish bowl. Let’s look at some of the main areas where your business can be at risk:
Phishing - Don’t get caught in the net
Speaking of fish: even though phishing is typically associated with individual email accounts and home internet security issues, it has the potential to affect small businesses as well. In a phishing scam, staff in the business or organisation receive emails that include links and urge them to click and respond. As hackers get more sophisticated, so do their scams. In the earlier days of the internet, these emails were clearly bogus. These days, that is often not the case. In some instances, phishing emails look much like real emails, such as one from a client, a supplier, a business partner like a bank or Telstra, or an energy or gas utility. These emails are deceptive and seamless, and for a busy small business owner working through an inbox at pace, they are easily clicked on. When people see familiar logos and fonts, their guard is more likely to be down, and the risk of clicking is high.
To help deal with this type of problem, small business owners and employees should make haste slowly with email. Your bank will never ask you to provide personal details in an unsecured email, especially passwords or date of birth or other key information.
Carefully check the email address, as often the key is in very subtle changes to otherwise near identical addresses – yourbank.co rather than yourbank.com.au for example. Never respond to pop-up messages and permanently delete anything that looks remotely like spam. Be alert but not alarmed as they say. If you feel concerned, check the website (NOT through the link in an email!) of the business it claims to have originated from, or ring them to see if they have sent it.
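The "yourbank.co versus yourbank.com.au" check above can be automated as a triage step on the From: header before anyone clicks. The following is an added example written for this article, not code from the original page: it compares a sender's domain against a short allowlist of domains the business actually deals with (the domain names are constructed placeholders) and flags same-name/different-TLD, character-swapped and "brand plus extra words" lookalikes.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist of domains this business actually deals with (hypothetical names).
TRUSTED_DOMAINS = {"yourbank.com.au", "yoursupplier.com.au", "telstra.com"}

# Public suffixes to strip before comparing the part of the domain a person actually reads.
PUBLIC_SUFFIXES = ("com.au", "net.au", "org.au", "com", "co", "net", "org")


def brand_label(domain):
    """Return the label a reader identifies a domain by: 'yourbank' for
    yourbank.com.au, yourbank.co or mail.yourbank.com.au."""
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1]
    parts = domain.split(".")
    return parts[-2] if len(parts) > 1 else domain


def classify_sender(header_value, trusted=TRUSTED_DOMAINS):
    """Classify a From: header value as 'trusted', 'lookalike', 'unknown' or 'invalid'.

    'lookalike' means the domain is NOT on the allowlist but reads like one that is:
    same brand label under another TLD (yourbank.co), a near-identical label
    (y0urbank), or the brand label padded with extra words (telstra-billing)."""
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower().strip()
    # Exact allowlisted domain, or a subdomain of one, is fine.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    label = brand_label(domain)
    for t in trusted:
        tl = brand_label(t)
        if label == tl or tl in label:
            return "lookalike"
        # One swapped, added or removed character still scores >= 0.85 on short labels.
        if SequenceMatcher(None, label, tl).ratio() >= 0.85:
            return "lookalike"
    return "unknown"


def triage(from_headers):
    """Return (header, verdict) pairs for a batch of From: header values."""
    return [(h, classify_sender(h)) for h in from_headers]


if __name__ == "__main__":
    # Constructed sample From: headers, not real messages.
    sample = [
        "accounts@yourbank.com.au",
        "Your Bank <accounts@yourbank.co>",
        "billing@y0urbank.com.au",
        "Telstra <noreply@telstra-billing.com>",
        "quotes@newcustomer.example",
    ]
    for header, verdict in triage(sample):
        print(f"{verdict:10} {header}")
```

A "lookalike" verdict is a prompt to verify out of band (ring the business on a number you already have), not proof of fraud; "unknown" simply means a domain you have never allowlisted.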
Beware of invoices for things you haven’t actually purchased. These are a common ploy, and too commonly paid out without scrutiny. Routinely check your business accounts and scan them for irregular transactions; if your security has been compromised, you want to find out before your account is emptied.
As more businesses use messaging services such as WhatsApp and Messenger to communicate with and market to their audiences, these are the new frontiers of sneaky phishing and malware, and they can be harder to recognise in a message format. Cyber security awareness is not just for you but also for your staff, as staying safe is a team effort. By making your employees aware of this type of attack on Internet security, it is generally much easier to reduce the risk for your company. This means training: staff need to know how to be part of the vigilance, what to look out for, and how to deal with anything suspicious.
One of the other big problems small business systems face when it comes to Internet security is dangerous or malicious code. This is a common form of attack. It can damage a computer network by deleting files and stealing passwords and account information, as well as customer and employee information. With this kind of reach, it has the potential to be extremely dangerous and is often completely invisible. Malicious code sounds nasty, and it is. Basically, software you use has been programmed (without your knowledge) to take actions that will harm your business. The problem is twofold: not only is it doing damage, but traditional antivirus software alone can’t always pick it up.
This doesn’t mean your antivirus software is redundant; it just means you have to use a combination of tools to combat the threat, like antibiotics for your online health. Installing, patching, updating and regularly running antivirus and anti-spyware programs is your baseline. The updating and patching part is critical, because, like human viruses, computer ones change constantly to avoid detection. In addition, it is a good idea to have firewalls on all computers in the business. Firewalls help ensure that both incoming and outgoing traffic are safe. They can also help ensure that employees are not visiting sites they shouldn’t be.
Having a network that is not secure can be a massive problem as well, and one which is common in small businesses. An insecure network is a wide open door for anyone who wants to enter. When you or your IT provider is setting up a wireless network, it is important to make sure the default password is changed. Humans are the weakest link when it comes to network security: unbelievably, many small business owners or staff set up a network and leave the password as is. They never believe that somebody is going to access their company’s information.
It sounds unbelievably simple, but it is remarkably common, whether by leaving the default password unchanged or by picking something unforgettable, which normally means easy for a hacker to crack (abc123 or mypetsname, anyone?). Best practice is to use a number of networks, with separate ones for guests, contractors and staff, so there is less chance you will be compromised. These networks also need passwords that are regularly changed, and they should have limited access.
Changing the default passwords can make a huge difference. Using a password manager like LastPass to generate and store long, unique passwords is another belt-and-braces approach. It is also a good idea to have high quality encryption on the network. For the best browser security, keep your preferred browser updated with the latest patches. Avoid using outdated browsers such as old versions of Internet Explorer or Safari. Firefox and Google Chrome both update automatically, so you don’t have to worry about updating security for each browser.
MFA/2FA - Multi-factor or two-factor authentication
With the increasing use of cloud and accessible-anywhere services, this is a surefire path to better security. Two-factor authentication is where you use two sources to prove you are who you say you are. If you use services like Xero or MyGov you will be familiar with this. Enable it wherever it is offered to ensure that you, and you alone, are accessing your sensitive data.
The Australian Cyber Security Centre has created a series of step-by-step guides to turn on 2FA. You can find out more here.
The 2019 fires in Tasmania and floods in Queensland should be a graphic reminder that disasters happen, they happen to us, and when they do there is often no time to do any more than save the things that matter most, like people and pets. You don’t want to double the devastation of business disruption by not being able to access any of your business data.
Likewise, if you are the subject of a cyberattack and your business systems get locked down or hijacked, you want business continuity. Maintain, and where possible automate, backups of locally stored or portable data (phones, laptops, etc.). This is the fastest and most reliable recovery from attacks such as crypto lockers, blocked access and theft. You must test the arrangements you have in place regularly to ensure they work, and think about which critical documentation you would need for business continuity. If you use cloud services for storage, these too have their outages, and a regular backup makes sure you are covered and in control.
Make regular backup copies of your key business and customer data so that if you ever lose your information, you can retrieve it quickly. Also, avoid keeping your backup in the same physical location. It doesn’t have to be a disaster to be disastrous: what if the internet goes down for a few hours and you have no other means of transacting with your customers? This can severely disrupt your business, so plan for the worst, and be ready to be your best.
Cyber security is important, but so is physical security. It’s not going to help if your backup storage gets stolen, so be mindful of where your data is stored and who has access to it.
Virtual Private Networks (VPN)
The odds are pretty high that you and some, if not all, of your employees are working remotely, either due to travel, working from home, being on call or simply checking email or doing tasks outside of normal work hours. Once the future of work, it is the reality of our daily lives as we have become more mobile in our work practices along with our devices – see more about Remote Working here. Traditionally, businesses use private networks that are primarily intended for internal use. These are often protected with firewalls meant to block unauthorised access from outside the company. To better protect the network and the data transmitted and stored on it, security professionals recommend that small businesses use a Virtual Private Network (VPN) when accessing the network remotely.
By using a VPN for remote connections, small businesses build in a layer of security they otherwise may not have. A VPN for remote business networking keeps sensitive information private. This is especially important for those who depend on hotel or other public Wi-Fi hotspots for their work connections. And while VPN connections tend to be secure, they aren’t foolproof. Any network can be penetrated, so it is vital to use extra layers of protection, like encryption of the data itself. Human nature, as in all things, also comes into play. Not following best security practices, such as fully logging out of the VPN connection when finished, or having weak or no passwords, leaves the network vulnerable to outsiders.
Inside (with) jobs
While many of the threats to Internet security come from outside sources, a disappointing number of them come from within your business. An upset employee can be a dangerous weapon against your business and brand. In some cases the employee may have access to important data, including customer information or information on other employees; they may also have access to information that is critical to your business’s success. When disgruntled, it may be easy for them to steal it and sell it to a competitor. If they don’t steal or sell it, they might decide to delete it, causing you a major headache. In a world where brand and social media are inextricably linked, employees who have access to your social media channel passwords can be a significant risk if they leave with an axe to grind and want to make maximum impact in a virally connected world.
Reducing the risk of a single employee causing substantial harm to a company is a matter of strategic management and, in a more personal way, of being on top of your team and how they are travelling with the business. Regular performance management, or even regular check-ins, and following up when you instinctively think a problem is emerging is the best way to avoid a full-blown crisis. A happy employee nearly always tends to be loyal and productive. When staff feel unappreciated, underpaid or unfulfilled, this is a danger zone for more than just passive under-productivity. You can protect your business from staff-initiated issues by dividing the most critical responsibilities and functions between different employees. This limits the amount of access a single employee has to data. Also, it is a good idea to make sure the passwords change every 90 days.
When an employee leaves the company, it’s essential that you remove their account and passwords right away, if possible before they are given notice – there are many salutary lessons from staff who have had the time to clean out their desk and destroy their employer’s brand on the way out. While it takes a little extra time, you can also take steps to reduce the possibility of dealing with a disgruntled employee before hiring them. By doing background checks, educational checks, employment checks and, most critically, social media account checks, you can be more confident you are hiring the right people for the job.
With so much of our business being undertaken on mobile devices, these light, liftable and easily lost assets represent a really significant risk to small business if they aren’t well managed and tracked. If an owner or employee uses his or her smartphone, tablet or laptop for work and loses that device, the company could be compromised. When information is accessed or stored through laptops, tablets or smartphones, it needs to be encrypted. The encryption has to be strong, as it will be the last line of defence you have if your device is out there in the world unprotected.
Again, having a good firewall in place is essential, as is keeping passwords complex and regularly changed, and backing up data to the cloud. Take simple actions such as locking the screen after the shortest idle time available and activating device tracking apps where possible, and make sure you see your mobile devices as extensions of your business. You wouldn’t leave your cash register unattended, so don’t leave your devices vulnerable to theft. And when it comes to a bricks-and-mortar business, low-tech physical security is still as important as ever, so be sure your business has secure locks, shredders and a fire-proof safe in addition to any alarm system you may have installed.
Be your own security guard
Learning about trends in cyber security can help you protect all the hard work and other resources required for running your business. Use VPNs as a cyber security measure, and understand the importance of disaster recovery planning as part of your strategic document set. Employee training is one of the most crucial elements of a strong cyber security strategy, because if your employees aren’t following good security practices, you will still be at high risk, even if you use a VPN or can remotely wipe devices. Cloud business applications typically have good intrusion monitoring, controlled access, auditing and strong perimeters that keep cyber criminals at bay, so utilising the cloud is a good start and often a smart way to manage various elements of your business, a win-win for safety and efficiency.
Internet security checklist
To recap – here is your critical checklist of do’s and don’ts when it comes to keeping your small business safe from unwanted cyber attacks, hacks and human threats!
- No unknown downloads. Make a rule against downloading files from unknown senders.
- Check your Firewalls. Make sure everything is up-to-date on all machines.
- Use current virus protection on all devices. Keep it current and updated whenever new patches become available.
- Insist upon strong passwords. Weak passwords are like an open door to your business.
- Update your operating system regularly. This is especially important when new security patches come out. Many computers do this automatically, but make sure you have the auto update function turned on so you don't miss out.
- Use a virtual private network (VPN). These connect you to the web with an encrypted connection so data being shared online can't be seen by third parties. VPN providers offer secure data connections between remote workers and your network too, which can be especially helpful if you send workers into the field (for deliveries or repairs, for example).
- MFA/2FA. Enable multi-factor or two-factor authentication on all devices and accounts where it is offered. Help can be found here.
- Make sure mobile devices used for work are secure. Don't store important passwords on any mobile device. Learn how to use remote wipe capability on your phones and tablets.
- Disaster recovery plan. Not having a plan is a disaster. By thinking through the critical elements of your business that could be compromised, and what the damage may be, you can apply the fixes and antidotes before anything happens - and have a plan of attack when it does.
- NDB (notifiable data breach). Never send sensitive data unencrypted and unsecured, not just end to end via email, but physically controlling who has access to the data/file. A document containing personally identifiable data or medical records for example should be transmitted via a password protected PDF (for example) as a minimum.
- People are flawed. Yes, even you. So don't assume everyone is doing the right thing, and be actively alert and across your staff, their actions and all elements of your business and give them adequate security training.
- Outsource overwhelm. All too hard? There are plenty of companies and consultants who will happily come in, audit your business and provide solutions. Whether it is your time and money or their time and your money, this is a non-negotiable expense that will save you far more than it will cost you in the long run.
The Australian Small Business and Family Enterprise Ombudsman has released a Small Business Cyber Security Best Practice Guide and related Report: 'over a third of small businesses don’t take proactive measures to protect against cyber-attacks, and most are happy that their anti-virus software will do the trick.' To find out more, visit the Ombudsman's website.