The Internet in its broadest sense is the Swiss army knife of business tools. All business at the least use email, some of their functions tied up with the cloud, or Point of Sale (POS), and many have their whole business built around a digital landscape. As we all become more enmeshed with online as a place for our business operations, whether front or back of house, it is important to be across how to not just do good business online, but how to do safe business on line.
Cyberattacks have happened to some of Australia’s biggest and most secure organisations. When those organisations don’t succeed at fending off attacks, it can seem overwhelming for a small business to know where to start and what to do. Due to their lack of resources and know how, small businesses often have the least-protected websites, accounts and network systems — making cyberattacks a relatively easy job. Scaremongering via the media may make keeping your data and revenue safe seem an impossible task. The good news is managing Internet security is simply a matter of knowing the risks and mitigations for your business, thinking through a strategy and putting suitable measures in place.
Internet Security – What are the risks (and remedies) for my business?
Cyber attacks on small business fall under a few different categories. These tend to mimic the same strategies used with big business and government. You may wonder what your small or micro business could possibly have that would be of interest to cyber criminals hanging out in the dark web. The answer is the same thing that motivates all criminal activity – money. While you may be a little fish, when data is stolen from a number of little businesses, all those small fish adds up to a big school. As most small businesses don’t have the security in place like big ones do. To mix a metaphor, it’s like stealing candy from a fish bowl. Let’s look at some of the main areas where your business can be at risk:
Phishing - Don’t get caught in the net
Speaking of fish…even though phishing is typically something associated with individual email accounts and home internet security issues, it does have the potential to affect small businesses as well. With a phishing scam, staff in the business or organisation receive emails that include links that urge them to click and respond. As hackers get more sophisticated, so do their scams. In the earlier days of the internet, these emails were clearly bogus. These days, that is not always the case. In some instances, phishing emails look much like real emails, such as one from a client, a supplier, a business partner like a bank or Telstra or an energy or gas utility. These emails are deceptive and for a busy small business owner, are easily clicked on as they work through their inbox at pace. When they see familiar logos and fonts, it is more likely that their guard will be down, and the risk of clicking is high.
To help deal with this type of problem, small business owners and employees should make haste slowly with email. Your bank will never ask you to provide personal details in an unsecured email, especially passwords or date of birth or other key information. Carefully check the email address, as often the key is in very subtle changes to otherwise near identical addresses – yourbank.co rather than yourbank.com.au for example. Never respond to pop-up messages and permanently delete anything that looks remotely like spam. Be alert but not alarmed as they say. If you feel concerned, check the website (NOT through the link in an email!) of the business it claims to have originated from, or ring them to see if they have sent it. Cyber security awareness is not just for you, but also your staff, as it is a team effort to make sure that you stay safe. By making your employees aware of this type of attack on Internet security, it is generally much easier to reduce the risk for your company.
And beware of invoices for things you haven’t actually purchased. These are a common ploy, and too commonly paid out without scrutiny. Routinely check your business accounts and scan them for irregular transactions, if your security has been compromised you want to find out before your account is emptied.
One of the other big problems small business servers are facing when it comes to Internet security is dangerous or malicious code. This type of problem tends to be a common form of attack. It can cause damage to a computer network by deleting files, stealing passwords and account information, as well as customer and employee information. With this type of reach, it has the potential to be extremely dangerous and often completely invisible. Malicious code sounds nasty, and it is. Basically the code in software you use is (unknowingly to you) programmed to do actions that will harm your business. The problem is twofold in that not only is it doing damage, but traditional antivirus software alone can’t always pick it up.
This doesn’t mean your anti-virus software is redundant, it just means you have to use a combination of tools to combat the threat, like antibiotics for your online health. Installing, updating and regularly using antivirus and anti-spyware programs is your baseline. The updating part is critical, as like human viruses, computer ones change constantly to avoid detection. In addition, it is a good idea to have firewalls on all computers in the business. The firewalls can help to ensure that both incoming and outgoing traffic are safe. It can also help ensure that the employees are not visiting sites that they shouldn’t be.
Having a network that is not secure can be a massive problem as well, and one which is common in small businesses. An insecure network is a wide open door for anyone who wants to enter. When you or your IT provider is setting up a wireless network, it is important to make sure the default password is changed. Humans are the weakest link when it comes to network security, unbelievably, many small business owners or staff set up a network and leave the password as is. They never believe that somebody is going to access their company’s information. It sounds unbelievably simple, but it is remarkably common, as it leaving the password the same, or making it unforgettable which normally means easy for a hacker to crack (abc123 anyone?).
Changing the default passwords can make a huge difference. Using tools like LastPass to keep your passwords permanently uncrackable is another belt and brace approach. It is also a good idea to have high quality encryption on the network. For the best browser security, you will want to keep your preferred browser updated with the latest patches. Avoid using outdated browsers like the old Internet Explorer and Safari. Firefox and Google Chrome both give automatic updates so that you don’t have to worry about updating security for each browser. Make regular backup copies of your key business and customer data so that if you ever lose your information, you can retrieve it quickly. Also, avoid keeping your backup in the same location.
You can find online vendors for cloud storage, which offers you automatic redundancy to protect your data. The events that can cause data loss include theft, fire and human error. Making sure you have trustworthy network security tools will save you from facing serious threats later, and they don’t cost much compared to the peace of mind they offer.
Virtual Private Networks (VPN)
The odds are pretty high that you and some, if not all, of your employees are working remotely, either due to travel, working from home, being on call or simply checking email or doing tasks outside of the normal work hours. Once the future of work, it is the reality of our daily lives as we have become more mobile in our work practices along with our devices – see more about Remote Working here. Traditionally, businesses use private networks that are primarily intended for internal use. These are often protected with firewalls meant to block unauthorized access from outside the company. To better protect the network and the data transmitted and stored on it, security professionals recommend small business use a Virtual Private Network (VPN) when accessing the network remotely.
By using a VPN for remote connections, small businesses build in a layer of security they otherwise may not have. The VPN for remote business networking keeps sensitive information private. This is especially important for those who depend on hotel or other public Wi-Fi hotspots for their work connections. And while VPN connections tend to be secure, they aren't foolproof. Any network can be penetrated, so it is vital to use extra layers of protection, like encryption. Human nature, as in all things, also comes into play. By not using best security practices, like fully logging out of the VPN connection when finished, or having weak or no passwords, leaves the network vulnerable to outsiders.
Inside (with) jobs
While many of the threats to do with Internet security come from outside sources, some of them come from within your business. An upset employee can be a dangerous weapon for your business and brand. In some cases the employee may have access to important data including customer information or information on other employees - they may also have access to information that is critical to your business’s success. When disgruntled, it may be easy for them to steal and then to sell to a competitor. If they don’t steal or sell it, they might decide that they want to delete it causing you a major headache. In a world where brand and social media are inextricably linked, employees that have access to your social media channels passwords can be a significant risk if they leave with an axe to grind and want to make maximum impact in a virally connected world.
Reducing the risk of a single employee causing substantial harm to a company is a matter of strategic management, and in a more personal way, being on top of your team and how they are travelling with the business as an employee. Regular performance management, or even regular check-ins, and following up when you instinctively think there is a problem emerging is the best way to avoid a fully blown crisis. A happy employee nearly always tends to be loyal and productive. When staff feel unappreciated, underpaid or unfulfilled, this is a danger zone for more than just passive under productivity. You can protect your business from staff initiated issues by dividing the most critical responsibilities and functions between different employees. This way, it limits the amount of access a single employee has to data. Also, it is a good idea to make sure the passwords change every 90 days.
When an employee leaves the company, it’s essential that you remove their account and passwords right away, if possible prior to them being given notice – there are many salutary lessons from staff who have had the time to clean out their desk and destroy their employers brand on the way out. While it takes a little extra time, you can also take steps to reduce the possibility of dealing with a disgruntled employee before hiring them. By doing background checks, educational checks, employment checks, and most critically social media account checks, you can be sure you are hiring the right people for the job.
With so much of our business being undertaken on mobile devices, these light, liftable and lost assets represent a really significant risk to small business if they aren’t well managed and tracked. If an owner or employee uses his or her smart phone, tablet, or laptop for work, and they lose that device, the company could become compromised. When information is accessed or stored through laptops, tablets, or smart phones, it needs to be encrypted. The encryption has to be strong, as it will be the last means you have if your device is out there in the world unprotected.
Again, having a good firewall in place is essential, as is keeping passwords complex and regularly changed, backing up data in the cloud, having device tracking apps activated where possible, and ensuring that you see your mobile devices as extensions of your business. You wouldn’t leave your cash register unattended, so don’t leave your devices vulnerable to theft. And when it comes to a bricks and mortar business, low-tech physical security is still as important as ever, so be sure your business has secure locks, shredders, and a fire-proof safe in addition to any alarm system you may have installed.
Be your own security guard
Learning about trends in cyber security can help you protect all the hard work and other resources required for running your business. Use VPNs as a cyber security measure, and understand the importance of disaster recovery planning as part of your strategic document set. Employee training is one of the most crucial elements of a strong cyber security strategy, because if your employees aren’t making use of good security practices, you will still be at high risk, even if you use a VPN or can remotely wipe devices. Cloud business applications typically have excellent surveillance for intrusion, controlled access, auditing, and strong perimeters that keep cyber criminals at bay, so utilizing the cloud is a good start and often a smart way to manage various elements of your business in a win-win for safety and efficiency.
Internet security checklist
To recap – here is your critical checklist of do’s and don’ts when it comes to keeping your small business safe from unwanted cyber attacks, hacks and human threats!
- No unknown downloads. Make a rule against downloading files from unknown senders.
- Check your Firewalls. Make sure everything is up-to-date on all machines.
- Use current virus protection on all devices. Keep it current and updated whenever new patches become available.
- Insist upon strong passwords. Weak passwords are like an open door to your business.
- Update your operating system regularly. This is especially important when new security patches come out. Many computers do this automatically, but make sure you have the auto update function turned on so you don't miss out.
- Use a virtual private network (VPN). These connect you to the web with an encrypted connection so data being shared online can't be seen by third parties. VPN providers offer secure data connections between remote workers and your network too, which can be especially helpful if you send workers into the field (for deliveries or repairs, for example).
- Make sure mobile devices used for work are secure. Don't store important passwords on any mobile device. Learn how to use remote wipe capability on your phones and tablets.
- Disaster recovery plan. Not having a plan is a disaster. By thinking through the critical elements of your business that could be compromised, and what the damage may be, you can apply the fixes and antidotes before anything happens - and have a plan of attack when it does.
- People are flawed. Yes, even you. So don't assume everyone is doing the right thing, and be actively alert and across your staff, their actions and all elements of your business and give them adequate security training.
- Outsource overwhelm. All too hard? There are plenty of companies and consultants who will happily come in, audit your business and provide solutions. Whether it is your time and money or their time and your money, this is a non-negotiable expense that will save you far more than it will cost you in the long run.
The Australian Small Business and Family Enterprise Ombudsman has released a Small Business Cyber Security Best Practice Guide and related Report - 'over a third of small businesses don’t take proactive measures to protect against cyber-attacks, and most are happy that their anti-virus software will do the trick.' to find our more visit the Ombudsman's website