It seems like hacker attacks are rarely out of the headlines these days. But when it comes to cyber security, many small business owners aren’t sure how to start to protect themselves against the myriad of threats that exist today. If large corporations or countries can’t seem to protect their secrets, how can a self-employed marketing consultant or a small web design firm? There is now so much information about the different online threats that it can be overwhelming or even paralysing to firms without in-house IT experts to decide which are the biggest dangers facing their business. But, for most small firms, just doing the basics can go a long way toward protecting your data and your business.
Know your business
First, you need to ask yourself some key questions:
What information do you have, and is it sensitive? For example, do you hold details on either your employees or your clients (or on behalf of them or their customers) that could be used to identify people, such as their dates of birth, or their home or email addresses? Do you hold on file any of their medical details? If so, you are legally obliged to keep this safe. Not doing so could result in censure or a fine from the information watchdog, the ICO.
Where do you store that sensitive data? In many sole-trader or small businesses, that information is likely to be on your computer’s hard drive, stored in a file next to your photos and the letters you’ve written to the electricity company or your child’s school. If that’s the case, you should consider segregating that data or storing it on a separate drive. It would be even better to keep your business and your personal systems completely separate.
What are your crown jewels? What information can your business not do without? Whether it’s a client list, a recipe, a process, or a formula, this is the data you have to protect the most. You should segregate it from the rest of your company data and ensure that it’s inaccessible from the internet.
Control who has access to your data
- Ensure that your employees and vendors only have the access they need to do their job. They shouldn’t be able to look at all the information on your databases. If you’re a small online retailer then the people who prepare your orders for shipping need to see what your customers have bought and the addresses to which they want their goods to be sent, but they don’t necessarily need to see their billing or credit card information.
- Change an employee’s access privileges immediately if they move jobs or leave. So, for example, someone who moves from your accounts team to your sales team, shouldn’t still be able to see the database of your employees’ or contractors’ bank details. If someone leaves the company then you should make sure their password and login details are stopped immediately.
- Small firms are victims of industrial espionage. Nobody likes to think that one of their employees might steal from them, but it is common, and they don’t just take money: they take ideas too. Among the countless cases I worked on for the FBI there are two that stick in my mind.
Steven Louis Davis was an engineer at Wright Industries, a company Gillette hired to assist it in developing its next generation of shavers. Davis faxed and emailed drawings of Gillette’s new razor to its main rivals. He was soon caught – faxes and emails are not the cleverest ways to divulge trade secrets – and was sentenced to 27 months in prison. His motivation for stealing the information was that he was angry with his boss.
Robert Hanssen is a former FBI agent who spied for Soviet and Russian intelligence services against the United States for 22 years. His reason for spying was simply that he wanted to prove he was too smart to be caught.
The fact is that espionage doesn’t just occur against big government agencies or multinational corporations. It also happens regularly with small and start-up companies. Employees frequently steal companies’ intellectual property and give it to competitors because they’re searching for a job or just to hurt the firm for which they work. But stealing intellectual property can kill a small company, which is why it is worth protecting your firm’s most valuable information.
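The access rule described above (shipping staff see what was bought and where it goes, but not billing or card data; moving teams replaces old privileges rather than adding to them; leavers are cut off immediately) can be expressed as a small role-to-fields table. The following is an added illustration, not code from the article or from any particular product; the role names, field names and the sample order record are all constructed for the example.

```python
"""Least-privilege access to a customer order record, as an added example.
Roles, field names and the sample order are constructed; a real shop's
database or web application would carry this table in its own form."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Which fields each role may read. Shipping sees the goods and the delivery
# address; accounts sees billing data; nobody below the owner sees everything.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "shipping": {"order_id", "items", "shipping_address"},
    "accounts": {"order_id", "items", "billing_address", "card_last4"},
    "sales": {"order_id", "items", "customer_name"},
    "owner": {"order_id", "items", "customer_name", "shipping_address",
              "billing_address", "card_last4"},
}

# Constructed sample record (documentation-style placeholder values).
SAMPLE_ORDER = {
    "order_id": "A-1001",
    "customer_name": "Example Customer",
    "items": ["widget x2"],
    "shipping_address": "1 Example Street, Exampletown",
    "billing_address": "2 Example Road, Exampletown",
    "card_last4": "4242",
}


class AccessDenied(Exception):
    """Raised when a user has no active role."""


@dataclass
class User:
    name: str
    role: Optional[str]      # None once access has been revoked
    active: bool = True


def visible_fields(user: User, record: dict) -> dict:
    """Return only the fields the user's current role is allowed to read."""
    if not user.active or user.role is None:
        raise AccessDenied(f"{user.name}: no active role")
    allowed = ROLE_FIELDS.get(user.role, set())   # unknown role sees nothing
    return {k: v for k, v in record.items() if k in allowed}


def change_role(user: User, new_role: str) -> None:
    """Moving teams replaces the old role outright; privileges never accumulate."""
    if new_role not in ROLE_FIELDS:
        raise ValueError(f"unknown role {new_role!r}")
    user.role = new_role


def offboard(user: User) -> None:
    """Leaver: deactivate and drop the role in one step so nothing lingers."""
    user.active = False
    user.role = None


if __name__ == "__main__":
    packer = User("Pat", "shipping")
    print("shipping sees:", sorted(visible_fields(packer, SAMPLE_ORDER)))
    clerk = User("Sam", "accounts")
    change_role(clerk, "sales")   # moved from accounts to sales
    print("after move sees:", sorted(visible_fields(clerk, SAMPLE_ORDER)))
    offboard(clerk)
    try:
        visible_fields(clerk, SAMPLE_ORDER)
    except AccessDenied as exc:
        print("after leaving:", exc)
```

The point of keeping the table explicit is that a review of who can see card numbers becomes a glance at one dictionary, and a role change or departure is a single call rather than a hunt through individual permissions.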
Do the easy things
There are plenty of simple steps small businesses can take to ensure they are safe:
- Install and run anti-virus software and KEEP IT UPDATED. You should bear in mind, however, that anti-virus programmes only detect known malware and can be defeated by making a minor change to the malware code.
- Patch your system regularly. Your anti-virus software soon becomes obsolete unless it is patched to ensure that it is up to date against all known viruses. In 2012, I worked with a Fortune 500 company that lost hundreds of thousands of records because it had never installed security patches. Its reasoning was that it didn’t want to take its system offline to patch it because it worried that it might lose potential business. But it soon had much bigger worries.
- Use unique and complex passwords. Lots of people simply use the same passwords across multiple accounts, such as personal and office email, online banking and social media accounts. The problem is that the crooks know it, which is why they routinely take passwords stolen or compromised at one business and try them against other accounts, in what’s known as a “cred attack”, in the hope they’ll get lucky and gain access.
It’s worth considering using two-factor authentication, in which users give a password and username as well as a piece of personal information that only they know to gain access, which makes it much harder for intruders to break into those accounts.
- Back up your data regularly and keep it safe. Ransomware is a booming criminal business. Attacks are taking place on an industrial scale, with tens of thousands of fake emails being sent out in the hope of luring someone to click on them and inadvertently download a file that locks up your data. Your business is at bigger risk if you haven’t encrypted your important files and you haven’t backed them up somewhere off your system. You have little choice but to pay the attackers, and now that they know you’re willing to pay, you’re likely to be attacked again.
I received a call from a self-employed person who prepared people’s tax returns. He was frantic: his system had been hit by a ransomware demand, he had not backed up any of his clients’ returns and the tax deadline was only days away. He was forced to pay £1000 to recover his files. Six months later, he called me again because he’d been attacked once more. He still hadn’t backed up his files.
Once you’ve backed up your data then remember to keep it away from your network and the internet, because the new forms of ransomware can also crawl through your network and encrypt any backup files if they’re accessible.
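The “cred attack” described under passwords has a recognisable shape in a login log: a legitimate user who mistypes a password hits one account a few times, whereas a stuffing run comes from one source and walks through many different accounts, mostly failing, with the occasional success where a reused password matched. The following is an added example, not code from the article: a small detector over a constructed log. The log format, the IP addresses (documentation ranges) and the threshold are assumptions.

```python
"""Flag credential-stuffing sources in a login log, as an added example.
The log format ("timestamp source_ip username result") and the sample
lines are constructed for illustration; adapt parse_line to your own logs."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample log. 203.0.113.7 walks through six accounts and gets
# into one (carol reused a leaked password); 198.51.100.4 is alice typing
# her own password wrong twice before getting it right.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:02 203.0.113.7 bob FAIL
2024-03-01T09:00:03 203.0.113.7 carol OK
2024-03-01T09:00:04 203.0.113.7 dave FAIL
2024-03-01T09:00:05 203.0.113.7 erin FAIL
2024-03-01T09:00:06 203.0.113.7 frank FAIL
2024-03-01T09:05:10 198.51.100.4 alice FAIL
2024-03-01T09:05:25 198.51.100.4 alice FAIL
2024-03-01T09:05:40 198.51.100.4 alice OK
"""


def parse_line(line: str) -> dict:
    """Split one constructed-format log line into its fields."""
    ts, ip, user, result = line.split()
    return {"ts": ts, "ip": ip, "user": user, "ok": result == "OK"}


def find_stuffing_sources(lines: List[str], min_distinct_users: int = 5) -> Dict[str, dict]:
    """Return, per suspicious source IP, how many distinct accounts it tried,
    its failure rate, and which accounts it got into (those need a reset)."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "successes": []})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        stats = per_ip[rec["ip"]]
        stats["users"].add(rec["user"])
        stats["total"] += 1
        if rec["ok"]:
            stats["successes"].append(rec["user"])
        else:
            stats["fails"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        # The signature is breadth: many distinct accounts from one source.
        if len(stats["users"]) >= min_distinct_users:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "failure_rate": stats["fails"] / stats["total"],
                "successes": sorted(stats["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Any account in a flagged source’s `successes` list is one whose password was evidently valid somewhere else too, which is exactly the account to reset and to move onto two-factor authentication first.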
Who’s protecting your network?
- Know who’s looking after your all-important data. If it’s your wife’s nephew, is that because he’s good, or because you’re doing him a favour? Your company’s crown jewels are too important to entrust to amateurs, so it’s worth either hiring a skilled IT manager or using a shared service provider you can trust.
- Not all IT personnel are the same. Do your homework before hiring someone to look after your systems: network security involves a lot more than just hooking up your printers and installing wi-fi.
- Customise your software settings. Many software packages are shipped out to clients with security settings that are set to ‘Off’ or ‘Minimal’. It’s worth turning them on and checking they are configured properly. For example, we’re currently seeing a lot of attacks against Microsoft Outlook 365. But its default security setting does not generally capture enough data for us to identify how or when an attack occurred, or what the bad guy was looking for.
Teach your employees to be alert
Teach them to:
- recognise phishing and other scam emails
- be wary of what links they click on
- not fall for clickbait
- not visit suspicious sites, like gambling and adult sites, using any device that touches your network
Teach them again. And again.
By taking these simple steps you can reduce the chances of your business being the victim of an opportunist cyber criminal.