Monday, January 15, 2018

Cybersecurity Guide for Businesses

Cyber attacks are skyrocketing!
The question that should take top priority on every business owner's mind is "Are we secure?" and "Is my business protected?"


In this day and age, ignorance is no longer bliss. Not knowing is an open door to disaster. It takes less than a second for everything you have worked hard for to disappear: your clients and their details, your confidential files and your sensitive data can end up in someone else's hands.

According to Wikipedia, cyber security, also known as computer security or IT security, is the protection of computer systems from theft of or damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.

These days, every business (small, medium or large) is at risk of one or more of the above. Well-known companies such as Barclays and TalkTalk, and even HMRC, have reported being victims of cyber attacks. This makes "cyber attack" and "cyber security" topics very close to the heart of every business and business owner.

Unfortunately, many business owners are not aware of these threats or of how big a problem they have become, and even more do not know how to protect their business from cyber attacks.

Today, I received an email from Kelly Strottman who, like me, cares about helping SMBs (Small & Medium Businesses) and wanted me to share an article written by Sarit Newman titled "The Complete Cyber security Guide for Small and Medium Businesses".

Before I do that, I would like to share a little information about Sarit. She is an experienced internet security writer who believes everyone has the right to online privacy. She is also an editor at Hometalk, has written for many companies and has proofread numerous texts, including 300-page manuscripts.


The cyber protection guidelines for businesses and business owners below are for everyone, but they are written with the non-techy and busy business owner in mind.
According to Sarit, reading through the guide below and working with your team to implement the security measures outlined should help you sleep better at night.

Here is Sarit's complete guide to cyber protection:
1: Determine your vulnerabilities:
Identify the most crucial data that your company holds (e.g. intellectual property, customer and client details, inventory, financial information etc.), where it is stored, and the risks to which it is exposed.

Map out all the processes that you and your staff go through to collect, store and dispose of this data. Identify every point along the way at which it could leak or be stolen: the laptop it is typed into, the email it is sent in, the cloud folder it is shared from, the old computer it is deleted from.

Consider the consequences of a cyber security breach for you, your employees, your customers or clients, and your partner relationships.

2: Protect your computers and devices:
As your business computers and other devices are connected to the internet and to a local network, they are vulnerable to attack. The following guidelines should boost the security across your company’s computer systems.

A. Update your software:
Ensure that all software used by your business is kept up to date. Hackers spend their time searching for bugs in popular software and exploiting those loopholes to get into a system and steal highly confidential data, such as customers' credit card numbers or passwords, from your computers. An intrusion of this kind can cause untold damage to your business. Software companies therefore constantly look for vulnerabilities in their products, and when they find one they release an update for users to install. Until you install it, your systems remain exposed to a flaw that is now publicly known.

Where do I start?
- If your systems are managed by a system administrator, make sure they are notified of software updates as soon as they come out and are on top of installing them.
- If you run a small business and manage your computers yourself, enable automatic updates (Windows Update on Windows) and do the same for your web browsers, office suite and any other applications, which hackers target just as often as the operating system. Reboot your computers after updating so the new versions are actually in use.

B. Protect against malware:
Malware ("malicious software") is the general term for programs that infect your computer without warning and then read, delete or change your files, watch what you do, steal sensitive information or send spam from your email account. Viruses and worms are types of malware that spread by copying themselves, for example by emailing themselves to everyone in your contact list or by moving across your network: if one computer in your office is infected, the infection can quickly spread across the company, causing significant data loss. If you communicate with your clients and customers by email, you run the risk of infecting them as well.

Most malware gets in by tricking the victim into opening an attachment, running a downloaded program or visiting a booby-trapped website, rather than by breaking in unaided, which is why staff awareness matters as much as software.

Ransomware is a specific type of malware. It encrypts your files and blocks you from accessing them until you pay a ransom. The decryption key is held only by the attackers, so without a backup there is no way to recover the files. Paying the ransom does not necessarily help: there is no guarantee that the criminals will actually unlock your files.

To reduce the risk, install antivirus software on all office computers to scan incoming email messages and files already on the computer, and to delete or quarantine anything it finds. Hackers constantly release new malware, so the antivirus software must update itself regularly; the better products download updates automatically. Antivirus is a safety net, not a guarantee: ensure your staff do not open suspicious files and delete email attachments from sources they do not recognise as trustworthy.

Using a virtual private network (VPN) when you are away from the office can also give you an extra layer of protection: it encrypts all the traffic between your device and the VPN server, so someone on the same public Wi-Fi cannot read or tamper with it. Be clear about what a VPN does not do: it does not make you anonymous (the VPN provider can see your traffic instead of the local network), and it does not stop malware. Some providers additionally block known malicious domains and warn you when you try to reach one.

*** Read up on how to foil a ransomware attack in case you need to refer to it.

C. Set up a firewall:
Hackers randomly probe computer networks and when they find a reachable computer address, they try every vulnerability they can to get access to the network and to the individual computers on it.

A firewall is the basic defence against this. Firewalls separate different parts of the network from each other and allow only authorized traffic to pass into the protected part. For a small business, the firewall in your internet router fences off your local private network from the wider internet, and because office computers sit behind it on private addresses, outsiders cannot address them directly. A good firewall examines each packet that flows into your network, allows only the connections you have deliberately opened and drops everything else. Every modern operating system also ships with a host firewall (Windows Defender Firewall on Windows); leave it switched on so that a computer is still protected when it leaves the office.

The key setting is "deny all unsolicited inbound connections by default". Opening ports or forwarding them to an internal server is where mistakes happen, so have your system administrator review every exception and make sure your network is protected.

D. Special precautions for laptops and other mobile devices:
Staff laptops and smartphones, especially those of more senior staff, more than likely contain sensitive information that could be damaging to your business if it falls into the wrong hands. You and your staff must always keep laptops within sight in public, carry them as hand luggage and never leave them in baggage storage areas in hotels or airports.

If a device is lost or stolen, anyone who has it can read the data on the disk unless that disk is encrypted, however strong the login password is. So enable full-disk encryption (BitLocker on Windows, FileVault on macOS; current iPhones and Android phones encrypt by default once a passcode is set), use a strong password or passcode with automatic locking, and back up all the work on the laptop before a trip.

If you use a cloud solution for any of your software needs, look into your provider's mobile device management features. The major cloud computing providers let you sign a lost device out of its accounts or wipe it remotely.

A VPN installed on your office router encrypts the traffic between your office and the VPN provider, which hides your browsing from your internet provider, but it does not protect the devices on your network from each other or from malware, and it does nothing for a laptop once it leaves the building. Devices that cannot be managed like a computer, such as Amazon's Alexa device or the office PS4, are better placed on a separate guest network so that a compromise of one of them cannot reach your company data.

Include in your company policy which devices you allow staff members to bring with them to work.
If staff bring their own laptops and other devices to the office because that is far cheaper than providing company equipment, ensure that every personal device used for any work purpose has antivirus software installed, is kept updated, and has disk encryption and a screen lock enabled.

*** This guide specifically for iPhones will take you through the steps to secure company smartphones.

3: Protect your data:
As your data (customer contact information, your inventory, your proprietary data, etc.) is at the very core of what you do, insure yourself against data loss by taking precautions against its worst causes, e.g. hardware failure, hackers stealing or destroying the data in your systems, or a natural disaster.

A. Implement a procedure to backup critical data:
There are two different types of backups:
1: a full backup, where you make a copy of all the data you selected and put it on another device or transfer it to a different medium;
2: an incremental backup, where you simply add the data that has been created or changed since the last time you backed up your system.

The most efficient method is to perform a full backup periodically and an incremental backup every day in between, or to perform a full backup every night after work hours. Losing all of your data and then finding that your backups do not work would be a tragedy, so it is crucial to actually test that your backups are working by restoring a test portion of your data to a new location and comparing it with the original.

Back up your data by putting it on a physical device like a USB stick or a second hard drive, or in a shared folder on your network, and keep backups at a secure offsite location. Keep at least one copy that is not permanently connected to your computers or writable from them: ransomware that reaches a mapped backup drive encrypts the backup along with everything else. For the same reason, a cloud backup service that keeps older versions of your files is strongly recommended, as a single physical location won't help you if natural disaster or theft strikes.

Where do I start?
- Evaluate your company's data retention policy. Is all your crucial data backed up? If so, where do you keep that data?
- Work with your system administrator or IT staff to implement a regular backup plan: daily for anything you cannot afford to lose, weekly at the very least.
- Test your backup system by restoring from it, and repeat the test on a schedule.
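The backup cycle described above, as an added example that is not part of Sarit's article: a standard-library Python script that takes a full backup, then an incremental one containing only files whose content changed, and then performs the restore test by extracting the archives into scratch space and checking every file hash against the manifest. The "office" files, folder names and archive naming are constructed for illustration.

```python
"""Full and incremental backups with a restore test, using only the standard
library. Added example; the 'office' files and folder names are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"   # sha256 of every file as of the last backup


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Map relative path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}


def backup(src, dest, full=False):
    """Write a tar.gz archive into dest. A full backup contains every file; an
    incremental one only files whose content changed since the manifest was
    last written (with no manifest yet, an 'incremental' is effectively full).
    Returns (archive path, sorted list of files included)."""
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = dest / MANIFEST
    previous = {} if full or not manifest.exists() else json.loads(manifest.read_text())
    current = scan(src)
    included = sorted(rel for rel, digest in current.items() if previous.get(rel) != digest)
    kind = "full" if full else "incr"
    archive = dest / f"{kind}-{len(list(dest.glob('*.tar.gz'))):04d}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in included:
            tar.add(str(src / rel), arcname=rel)
    manifest.write_text(json.dumps(current, indent=1))
    return archive, included


def verify_restore(archives, dest):
    """The test the text asks for: restore the full archive and its incrementals
    (oldest first) into scratch space and compare every file hash with the
    latest manifest. Returns (all_ok, list of missing or mismatched files)."""
    expected = json.loads((Path(dest) / MANIFEST).read_text())
    # The 'data' filter (Python 3.12+ and patched older releases) rejects archive
    # entries that would write outside the target directory.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        for archive in archives:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)   # newer archives overwrite older copies
        restored = scan(scratch)
    bad = sorted(rel for rel, digest in expected.items() if restored.get(rel) != digest)
    return not bad, bad


def demo():
    """Full backup, edit a file, incremental backup, then prove the restore
    works and that a restore missing the incremental is caught."""
    with tempfile.TemporaryDirectory() as work:
        src, dest = Path(work, "office"), Path(work, "backups")
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "list.csv").write_text("name,email\nAda,ada@example.com\n")
        (src / "invoice.txt").write_text("Invoice 1: 100 GBP\n")
        full, in_full = backup(src, dest, full=True)
        (src / "invoice.txt").write_text("Invoice 1: 100 GBP\nInvoice 2: 250 GBP\n")
        incr, in_incr = backup(src, dest)
        ok_all, _ = verify_restore([full, incr], dest)
        ok_partial, bad = verify_restore([full], dest)   # simulate a lost incremental
        return {"full_files": len(in_full), "incr_files": in_incr,
                "restore_ok": ok_all, "partial_ok": ok_partial, "partial_bad": bad}


if __name__ == "__main__":
    print(demo())
```

The point of verify_restore is that it never trusts the archive listing: it extracts and re-hashes, which is what catches a corrupt or missing archive. Run it on a schedule against the real backup set, not just once.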

B. Encrypt sensitive company data kept in the cloud:
Many companies keep some or all of their data on a cloud-based platform such as Dropbox, or a SaaS (software as a service) platform such as Salesforce. Because of the term "cloud", we tend to imagine that our data is kept safe in some abstract, virtual space. In reality, all it means is that your data is stored on remote computers run by your cloud provider.
It is therefore essential to look carefully into what security measures your cloud provider has put in place and whether your data is protected at an appropriate level: is it encrypted at rest, who at the provider can read it, and can you enable two-factor authentication on your account?
There are more and more providers on the market, and some smaller, less well-known ones offer features the big names lack, for example client-side encryption, where your files are encrypted on your computer before they are uploaded and the provider never holds the key.

You can also make sure your files in the cloud are secure by encrypting them yourself, and there are a number of programs that will do this. Then you do not have to rely on your cloud provider's security. Two rules apply: never upload your encryption key to the same place as the files, and keep a backup of the key somewhere safe, because an encrypted file without its key is as lost as a deleted one.

Another option entirely is BitTorrent Sync (now sold as Resilio Sync), which has a free tier. It was designed as a replacement for cloud-based storage but does not actually store files in the cloud. Instead, it lets you share and sync documents directly between your own devices over a peer-to-peer (P2P) connection, encrypting the traffic between them. Check which encryption and authentication options each product offers, and enable two-factor authentication wherever it is available, as it adds an extra layer of security.
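Encrypting files yourself before they enter a synced folder, as an added example (not code from the article or from any of the products named): AES-256-GCM via the third-party Python cryptography package, which is assumed to be installed. The "Dropbox" and "keys" folder names and the sample document are constructed. It also shows the two rules above in code: the key is refused a home inside the synced folder, and a file modified in the cloud fails to decrypt instead of silently yielding garbage.

```python
"""Encrypt files locally before they are placed in a cloud-synced folder, so the
provider only ever stores ciphertext. Added example; assumes the third-party
'cryptography' package (pip install cryptography). Folder names are constructed."""
import secrets
import tempfile
from pathlib import Path

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"ENC1"        # format marker: refuse to decrypt anything else
NONCE_BYTES = 12       # standard AES-GCM nonce length


def new_key():
    """256-bit key. Losing it means losing the data, so back it up, offline."""
    return AESGCM.generate_key(bit_length=256)


def save_key(key, key_path, sync_dir):
    """Write the key to disk, but refuse to put it anywhere under the folder
    that the cloud client uploads, which would hand the provider both halves."""
    key_path, sync_dir = Path(key_path).resolve(), Path(sync_dir).resolve()
    if key_path.is_relative_to(sync_dir):
        raise ValueError(f"refusing to store key inside synced folder {sync_dir}")
    key_path.write_bytes(key)
    return key_path


def encrypt_file(src, dst, key):
    """AES-256-GCM with a fresh random nonce per file. The output file name is
    bound as associated data, so a ciphertext renamed to impersonate another
    document fails authentication on decrypt."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    ciphertext = AESGCM(key).encrypt(nonce, Path(src).read_bytes(), Path(dst).name.encode())
    Path(dst).write_bytes(MAGIC + nonce + ciphertext)


def decrypt_file(src, dst, key):
    """Reverse of encrypt_file; raises InvalidTag if the file was modified."""
    blob = Path(src).read_bytes()
    if not blob.startswith(MAGIC):
        raise ValueError("not an ENC1 file")
    nonce = blob[len(MAGIC):len(MAGIC) + NONCE_BYTES]
    ciphertext = blob[len(MAGIC) + NONCE_BYTES:]
    Path(dst).write_bytes(AESGCM(key).decrypt(nonce, ciphertext, Path(src).name.encode()))


def demo():
    """Round-trip a document through a pretend sync folder, then show that
    tampering is detected and that the key cannot be saved into that folder."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        sync, keys, local = Path(work, "Dropbox"), Path(work, "keys"), Path(work, "local")
        for d in (sync, keys, local):
            d.mkdir()
        key = new_key()
        save_key(key, keys / "office.key", sync)          # allowed: outside the sync folder
        try:
            save_key(key, sync / "office.key", sync)      # must be refused
            results["key_guard"] = False
        except ValueError:
            results["key_guard"] = True
        doc = local / "contract.txt"
        doc.write_text("Client: Ada Lovelace, fee 1,200 GBP\n")   # constructed sample
        enc = sync / "contract.txt.enc"
        encrypt_file(doc, enc, key)
        results["cloud_sees_plaintext"] = b"Lovelace" in enc.read_bytes()
        decrypt_file(enc, local / "contract.restored.txt", key)
        results["roundtrip"] = (local / "contract.restored.txt").read_bytes() == doc.read_bytes()
        blob = bytearray(enc.read_bytes())
        blob[-1] ^= 0x01                                  # flip one bit in the stored file
        enc.write_bytes(bytes(blob))
        try:
            decrypt_file(enc, local / "tampered.txt", key)
            results["tamper_detected"] = False
        except InvalidTag:
            results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

GCM gives integrity as well as secrecy, so a file altered at the provider (or in transit) is rejected outright. A production tool would also derive the key from a passphrase with a slow KDF or keep it in the OS keychain; the file format here is deliberately minimal.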

**** This ultimate guide to online privacy explains it even more.

C. Protect your passwords:
Unlike high-tech authentication systems such as smart cards and fingerprint or iris scans, passwords cost nothing and are easy to use. However, passwords are also open to attack. Hackers have sophisticated, automated tools that can try billions of guesses a second against a stolen password database, cracking simple passwords in seconds. They also use fraudulent methods to obtain your company passwords, such as a phishing attack, in which they pose as an official entity (like Google) and trick people into typing in their passwords.

Passwords can become ineffective for a variety of reasons. Often, we neglect to password-protect sensitive documents, meaning anyone sitting at one of your office computers can read them. To avoid forgetting their passwords, many employees write them down in plain sight. And, most crucially, people tend to use weak passwords that are easy to remember, reuse the same password across many services, and never change a password even after a breach. All of these mistakes leave the door open for hackers.

These seven steps to creating and handling strong passwords will help prevent hack attacks:
- Create a different password for every service, so that a breach at one site does not open your accounts elsewhere
- Change a password promptly whenever it may have been exposed (a breach, a phishing email someone responded to, a departing employee who knew it); forced changes on a fixed schedule mostly produce predictable variations like Summer2018, Autumn2018
- Choose a strong password: long (12 characters or more) and not built from a dictionary word, a name or a date, or use a passphrase of several random words
- Opt for two-step verification
- Disable the browser's built-in autocomplete for usernames and passwords on shared computers
- Use a password manager, an app or program that securely stores all of a user's passwords and generates random ones, which is what makes the first rule workable in practice
- Don't send your password out via email or give it out over the phone

Password-strength meters like the one linked here tell you how good a password looks and how long it would take a hacker to crack it, but never type a real password you use into a website: use the meter to learn what makes a password strong, then create your real passwords with a secure random password generator, which most password managers include.

Educating your staff about the importance of strong passwords is crucial if you want to make passwords a key tool in your cybersecurity arsenal, rather than a backdoor that hackers can walk through.

Where do I start?
- Have all employees assess their passwords, using their password manager's built-in audit or an offline checker rather than pasting real passwords into a website.
- If a password is crackable within minutes or hours, or has been reused across services, require them to replace it with something generated by the password manager.
- Enable two-step verification for all employee accounts wherever possible.
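A local alternative to a web-based password meter, as an added example not taken from the article: standard-library Python that scores a password offline, normalises the usual tricks (capital letter, l33t spelling, trailing year) before checking a common-password list, estimates crack time at assumed online and offline guess rates, and generates random passwords and passphrases with the secrets module. The common-password set, word list and guess rates are small constructed samples and assumptions, not real leak data.

```python
"""Offline password checks and generation, standard library only. Added example:
the common-password list and word list are tiny constructed samples (a real
check would use a list of millions) and the guess rates are assumptions."""
import math
import secrets
import string

# Constructed sample of leaked/common passwords and patterns; real lists are far larger.
COMMON = {"password", "password1", "123456", "12345678", "qwerty", "letmein", "welcome",
          "admin", "iloveyou", "monkey", "football", "dragon", "summer", "winter", "spring"}
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "$": "s", "3": "e", "5": "s"})
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
# Assumed attacker speeds: a throttled web login vs. an offline GPU rig with leaked hashes.
RATE_ONLINE, RATE_OFFLINE = 100, 1e10
ASSUMED_WORDLIST = 7776   # Diceware-sized list; use a real list of that size in practice
WORDS = ["anchor", "basil", "copper", "dune", "ember", "falcon", "glacier", "harbor",
         "iris", "juniper", "kestrel", "lantern", "meadow", "nebula", "orchid", "pebble"]


def normalize(pw):
    """Undo the tricks people use to pass naive meters: case, a trailing
    number/symbol and l33t spellings, so 'P@ssw0rd1!' is judged as 'password'."""
    return pw.lower().rstrip(string.digits + string.punctuation).translate(LEET)


def entropy_bits(pw):
    """Upper bound on entropy for a password of this shape: the keyspace an
    attacker must search if the characters (or words) were truly random."""
    words = pw.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(ASSUMED_WORDLIST)   # word-based passphrase
    charset = 0
    charset += 26 if any(c.islower() for c in pw) else 0
    charset += 26 if any(c.isupper() for c in pw) else 0
    charset += 10 if any(c.isdigit() for c in pw) else 0
    charset += len(SYMBOLS) if any(not c.isalnum() for c in pw) else 0
    return len(pw) * math.log2(charset) if charset else 0.0


def assess(pw):
    """Verdict plus expected crack time. A common password is cracked in the
    first few guesses regardless of how many character classes it mixes."""
    common = normalize(pw) in COMMON or pw.lower() in COMMON
    bits = 0.0 if common else entropy_bits(pw)
    guesses = len(COMMON) if common else 2 ** bits / 2      # average-case search
    if common or bits < 50:
        verdict = "weak"
    elif bits < 80:
        verdict = "ok"
    else:
        verdict = "strong"
    return {"common": common, "bits": round(bits, 1), "verdict": verdict,
            "online_seconds": guesses / RATE_ONLINE, "offline_seconds": guesses / RATE_OFFLINE}


def generate_password(length=16):
    """Random password with at least one character from each class."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def generate_passphrase(words=5):
    """Easy-to-type alternative. Entropy comes from list size times word count,
    so swap the 16-word stand-in above for a real list before relying on it."""
    return " ".join(secrets.choice(WORDS) for _ in range(words))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Summer2018", "correct horse battery staple", generate_password()):
        print(candidate, assess(candidate))
```

The instructive cases are the first two: both pass a character-class checklist, and both are rejected here because the checker strips the decoration before looking them up, which is exactly what a cracking tool's rule set does.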

D. Establish permissions:
Restrict access to your systems so that only the staff who are authorized to manage them and to install software have administrator accounts, and have even those people use an ordinary account for everyday work such as email and browsing, switching to the administrator account only when a task needs it.

Allowing multiple staff to share one login and password makes it impossible to determine who did what, or how and when a breach occurred. Give each user his or her own account, with permissions specific to the job. If you are using Windows, you can assign users different permission levels (standard user or administrator) based on their roles within your company. If a staff member is absent for a long period or has left your company, revoke their access and permissions as soon as possible.

Where do I start?
- Work with your system administrator to assess the level of access each staff member has.
- Change your permissions so that each staff member only has access to the software, data and settings required for his or her job, and review the list whenever someone joins, changes role or leaves.
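One way to check the three rules above against what actually happens on the network, as an added example (not from the article): a Python script that reads a logon export and flags administrator accounts outside the IT team, accounts logging on from several machines in one day (a sign of a shared login), and logons by people who have left or who are not on the roster. The log line format, roster and account names are constructed for illustration; a real export would come from your domain controller or cloud identity provider.

```python
"""Account-hygiene audit over a logon export: admin rights outside the team
that needs them, shared accounts, and logons by people who have left. Added
example; the log format, roster, admin list and names are all constructed."""
import re
from collections import defaultdict

LOGON = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed HR roster: account -> (team, still employed?)
ROSTER = {"alice": ("it", True), "bob": ("sales", True),
          "carol": ("finance", False), "sales": ("sales", True)}
ADMINS = {"alice", "bob"}          # members of the local Administrators group
ADMIN_TEAMS = {"it"}               # the only team whose job needs admin rights

SAMPLE_LOG = """\
2018-01-15T08:55:02 user=alice src=10.0.0.5
2018-01-15T09:02:11 user=sales src=10.0.0.12
2018-01-15T09:03:40 user=sales src=10.0.0.13
2018-01-15T09:10:05 user=sales src=10.0.0.14
2018-01-15T09:15:30 user=bob src=10.0.0.21
2018-01-15T13:42:19 user=carol src=10.0.0.30
2018-01-15T14:01:00 user=mallory src=10.0.0.99
garbage line that should be skipped
""".splitlines()


def parse(lines):
    """Yield (timestamp, user, source) for well-formed lines, skipping the rest."""
    for line in lines:
        m = LOGON.match(line.strip())
        if m:
            yield m["ts"], m["user"], m["src"]


def audit(lines, roster=ROSTER, admins=ADMINS, max_sources=1):
    """Return sorted (kind, account, detail) findings."""
    findings = set()
    per_day = defaultdict(set)           # (user, day) -> distinct source addresses
    for ts, user, src in parse(lines):
        per_day[(user, ts[:10])].add(src)
        if user not in roster:
            findings.add(("unknown_account", user, f"logon at {ts}"))
        elif not roster[user][1]:
            findings.add(("departed_user_logon", user, f"logon at {ts}"))
    for (user, day), sources in per_day.items():
        if len(sources) > max_sources:   # one person rarely logs on from several machines a day
            findings.add(("shared_account", user, f"{day}: {len(sources)} sources"))
    for user in admins:
        team = roster.get(user, ("unknown", False))[0]
        if team not in ADMIN_TEAMS:
            findings.add(("admin_not_required", user, f"team {team}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, account, detail in audit(SAMPLE_LOG):
        print(f"{kind:22} {account:10} {detail}")
```

The shared-account heuristic is deliberately crude (a laptop plus a desktop will trip it), so treat its output as a list to discuss with the people involved, not as proof; the departed-user and admin checks, by contrast, are straightforward policy violations.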

E. Protect your wireless networks:
As Wi-Fi networks use a radio link rather than cables to connect computers to the internet, all it takes is moving within radio range of your network plus a few free software tools for hackers to break in if it is poorly configured.
Intruders who gain access to your network can steal your files and damage your systems. Wi-Fi equipment ships with security features to prevent this, but they are only as good as their configuration, and routers are often left with the factory settings.

If you are using a Wi-Fi network, make sure those features are switched on: WPA2 (or WPA3 where available) with a long passphrase, the router's default administrator password changed, and WPS (the push-button pairing feature) disabled, as it can be brute-forced. You can also restrict wireless access to office hours so that hackers can't get into your system overnight. Put visitors and personal devices on a separate guest network so that they cannot reach your company computers. Restricting the network to specific devices by their hardware (MAC) address is sometimes suggested, but those addresses are easy to copy, so treat it as a convenience rather than a defence.

Where do I start?
- Ask your IT person to confirm that your Wi-Fi uses WPA2 or WPA3 with a strong passphrase, that WPS is off and the router's admin password has been changed, and that Wi-Fi access is restricted to office hours.

F. Browse the internet safely:
Your activities are being tracked in a multiplicity of small, subtle, and unnoticeable ways as you and your staff browse the internet. These activities can then be aggregated by third-party agents without your consent. Your employees could inadvertently browse to dangerous websites that steal your company’s data.
And your personal or business information could be compromised if it is entered into websites over a non-encrypted connection.

The best way to encrypt your connection and protect both your business's privacy and the personal privacy of your employees is to use a VPN (virtual private network), which hides your company's IP address from the sites you visit and encrypts your browsing traffic as far as the VPN server. This also means the sites you visit cannot tie your browsing to your company, which could matter if your business frequently researches competitors, or if your aggregated browsing history could reveal proprietary information to them.

The downside to using a VPN is that trustworthy and feature-rich VPN services cost a monthly subscription. Many individuals and companies have opted for a free web proxy as an alternative. The problem is, we don't know who exactly operates the proxies available for free online; they could very well be hackers themselves, or they could be used for intelligence gathering by various public or private entities. While a proxy hides your identity and activity from the sites you visit, it can potentially see everything you are doing online. The same is true of a VPN provider, which is why the choice of provider matters: look for a published no-logging policy and an independent audit of it. That is one of the reasons we recommend investing in a reputable VPN rather than a free proxy for truly secure browsing.

You can also bolster your security by adding a number of security features to your browser. Because the Firefox browser is open-source, a robust group of security add-ons have been created for it over time. These include multipurpose ad blockers, encryption extensions, browser data protection, cookie and cache managers, and more. For more information, check out the full list of 20 Firefox security add-on recommendations.

Where do I start?
- Consider subscribing to a VPN service that offers business solutions.
- Start using the Firefox browser with security add-ons as appropriate to your company.

G. Protect sensitive data created by remote workers and workers-on-the-go:
Many small businesses employ remote workers to perform a wide range of tasks. However, remote work comes with some cyber security pitfalls. You may have implemented all of the protections outlined above, but many of them are rendered ineffective if your sensitive data is accessed by remote workers operating outside of your protected company network, especially if they are using a public Wi-Fi hotspot.

A mobile device management solution, as we described in section 2.D., could help you manage your remote workers, as well as your employees who travel for business. Most importantly, you should ensure that if remote workers are accessing sensitive company data, they do via your protected company network with a secure connection.

Windows offers a remote desktop connection feature, but exposing it directly to the internet is not safe: remote desktop is one of the first things the random probing described in section 2.C looks for, and a guessed password then gives the attacker the whole machine. If you rely on remote workers, and you cannot afford for the data to be leaked or stolen, implement a VPN that lets remote users first connect to the office network (with two-step verification on the VPN itself), after which they can reach their machines using the remote desktop connection feature. This can get complicated, so talk to your IT person to see if he or she can configure a VPN for your office network.

Where do I start?
- Assess your remote worker policy. How do your remote workers access company data, and is that company data sensitive?
- Speak to your IT administrator to set up a safe and secure way for remote workers to connect to your office’s private network.

H. Protect your customers' data:
There are serious legal consequences if your clients' or customers' data is compromised, so it pays to treat your customers' sensitive information with the utmost care.

Typically, customer data passes through multiple points. If you run an ecommerce site or otherwise process payments through your website, the first transit of sensitive information (including names and credit card details) is from the customer's web browser to your web server. Protect that leg by making sure your website uses a TLS certificate (still commonly called an SSL certificate) and serves every page over HTTPS, not just the pages that collect sensitive data: a login or checkout page reached from an unencrypted page can be tampered with before the customer ever sees it. This ensures that your customer's data is encrypted as it moves from their browser to your server. Better still, use a payment provider whose form handles card numbers directly, so that card data never touches your own server at all. If you are transferring client data within the company, apply all of the security features we have described above, especially those relating to cloud storage and transfer.

Where do I start?

- Speak to your ecommerce provider or in-house developers to make sure that credit card and other sensitive information is collected in the safest way possible, and check your site in a browser: every page should show the padlock, and http:// addresses should redirect to https://.

4: Instill a cyber security culture in your workplace:
The measures outlined in this guide are comprehensive, and if you follow all of the guidelines that are relevant to your business, you will significantly lower your risk of a cyber attack. All it takes is one employee to send client data on an unsecured connection or click on an unsafe link and download malware, causing all of your security systems and all of your well-meaning efforts to come crashing down. That’s why the single most important measure you can take is to educate your staff on the importance of cyber security.

On the flipside, if you instill a cybersecurity culture in your workplace, explain your cybersecurity policies and why they are there, train staff to manage company hardware and data safely, your employees will become your first and most effective line of defense against cyberattacks.

The best way to get your employees to buy-in to your cybersecurity plan is to design it collaboratively with them. Involving them in the plan will increase their motivation in implementing it. Your staff members are also the experts in your business, in its weaknesses as well as its strengths. They are the ones who work with your sensitive company data all day long, so they are best placed to tell you where vulnerabilities lie and which systems need to be strengthened or improved.

Start holding regular training sessions with your staff on cyber security issues. This is the place to methodically work through important security techniques, like the ones outlined above. Ensure that their passwords and permissions are up to date and that they use passwords that are very hard to crack. Make sure that they do not leave passwords lying around on physical sticky notes or in a file on their desktop. Show them how to avoid getting tricked by phishing attacks via email and the risks of malware from dangerous websites. Teach your employees the many and nefarious ways in which hackers may try to get information out of them. Encourage them not to discuss any confidential company information in public: you never know who you could be talking to, or who could be listening.

Make these guidelines easy to understand and follow. We’ve created a printout that includes simple steps your employees can take to stay secure. You can hang this on the office bulletin board or fridge, or customize it to suit your specific needs.

Enshrine cyber security principles in a written policy and have your employees sign a copy of this policy, making sure they understand that cyber security is a serious issue. You can even have cyber security elements written into staff contracts.

Above all, remember that cyber security threats are constantly morphing and changing. Hackers are constantly coming up with more creative and more sophisticated ways of breaking into computer systems and stealing your data. Keep up to date with developments in cyber security and make sure to educate your staff on these developments too.

Where do I start?
- Hang our cyber security guideline printout on your office bulletin board, and send out this email template to all employees.
- Start to formulate a cyber security training program for all of your employees.


This is a slightly condensed version of Sarit's original article; to read more from Sarit Newman, click here. I hope you found this article as useful as I did; to add to it, leave a comment in the box below. Finally, a big thanks to Kelly Strottman, who brought this to my attention and made it possible for you to read and benefit from this article. If you want to contribute to this blog, please email your article to me. Thanks and happy reading.

