News of security breaches is becoming commonplace these days, with attacks hitting high-profile corporations like Home Depot, eBay and Yahoo. But while high-profile targets make the news, it’s actually small businesses that are favored among cybercriminals. In fact, about 43 percent of all cyberattacks target small businesses, a number that has been steadily increasing. In light of this worrying trend, it is paramount that small businesses develop a plan to safeguard themselves against such attacks. So, what can you do to protect your business? I’ve put together a list of some essential components that will help you mitigate cybersecurity threats.
Start with a clear-cut set of policies and guidelines to which your employees need to adhere. These should define everything from password creation to acceptable internet usage (e.g. passwords need to be strong, never shared and changed regularly). Other potential elements of your security plan may include:
- External software installed or approved by an administrator.
- Clearly defined personal device usage policies for tablets and smartphones.
- Clearly defined company email usage policies, including a statement indicating that the company reserves the right to monitor employee communications.
- Proper handling of company data.
- A list of forbidden sites such as social media platforms, which can not only serve as a distraction that hinders productivity but may also contain harmful links that employees negligently click.
There will always be that rogue rules-don’t-apply-to-me employee, but if you clearly define a set of policies, most of your employees will comply. This will go a long way toward mitigating attacks.
I can’t stress this one enough, as the No. 1 cause of viruses/malware can be summarized as “clicking on things that shouldn’t be clicked.” Did you get an intriguing email with an attachment? Don’t touch that file! Did you search for something on Google and click the top result (the one that said “Ad” next to it)? You shouldn’t have. Education is a vital component of all businesses’ safeguards, so you must take the time to teach your employees how to avoid dangerous pitfalls.
Here’s a quick little test for you:
Click this link: www.google.com
This looks like a quick link that takes you to Google, but before you click, hover over it and look at the destination address your browser shows. Does it still say www.google.com? It doesn’t. The text of a link and the address it actually opens can be completely different, and you were (hypothetically) just infected! Do not click a link unless you know for sure where it’ll take you.
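The hover test above can be automated. The following is an added example, not code from the original post: it takes the visible text and the real destination of each link (what you would read from an email or web page’s anchor tags) and flags those whose text looks like one site while the destination points to another. The link list is constructed sample data, and the base-domain comparison is a simplification that assumes single-label public suffixes.

```javascript
// Added example: flag links whose visible text looks like a URL but whose
// real destination (href) points somewhere else, the trick the post describes.

// Extract the hostname from a string that may lack a scheme ("www.google.com").
function hostnameOf(value) {
  const trimmed = value.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(trimmed);
  const candidate = hasScheme ? trimmed : `https://${trimmed}`;
  try {
    return new URL(candidate).hostname.toLowerCase();
  } catch {
    return null; // not a URL at all (e.g. "Click here"), so nothing to compare
  }
}

// Approximate registrable domain: the last two labels. Assumption: this
// ignores multi-part public suffixes such as co.uk; enough for the demonstration.
function baseDomain(hostname) {
  const labels = hostname.split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Returns one finding per link whose displayed host and real host do not share
// a base domain. Links whose text is not a URL are skipped, not flagged.
function findDeceptiveLinks(links) {
  const findings = [];
  for (const { text, href } of links) {
    const shownHost = hostnameOf(text);
    const realHost = hostnameOf(href);
    if (!shownHost || !realHost) continue;
    if (baseDomain(shownHost) !== baseDomain(realHost)) {
      findings.push({ text, href, shownHost, realHost,
                      reason: 'link text and destination point to different sites' });
    }
  }
  return findings;
}

// Constructed sample links, mirroring the "hover before you click" test above.
const SAMPLE_LINKS = [
  { text: 'www.google.com', href: 'http://www.google.com/' },               // honest
  { text: 'www.google.com', href: 'https://login.example.net/track' },     // deceptive
  { text: 'Click here', href: 'https://example.org/' },                     // text is not a URL
  { text: 'https://mail.google.com', href: 'https://accounts.google.com/' } // same site
];

const SAMPLE_FINDINGS = findDeceptiveLinks(SAMPLE_LINKS); // one finding: the second link
```

Run over a real mailbox export or page, the findings list is exactly the set of links an employee should be taught not to trust.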
Educating your employees about tricks like these will go a long way toward preserving your network’s integrity and protecting valuable company resources. If you want to go a step further, you can hire a company to send fake phishing emails that will test your employees’ ability to spot a potential threat, thereby helping you identify people in your company who are at risk of falling for harmful scams (MyITpros partners with KnowBe4 to bring this service to our clients). The idea here is not to publicly shame your employees, but to train them. Willful negligence rarely takes someone from a phishing email to a malicious site; lack of knowledge is a much more common cause. So, be diligent, stay current, know what kind of threats are out there and what to watch for, and pass along this knowledge to your employees.
Although IT support may be my area of expertise, this is not a shameless plug for managed services. Too often, the “IT guy” at a small business ends up being the most tech-savvy staff member, who is ultimately required to juggle IT issues with other duties. Needless to say, this isn’t exactly an ideal model for success. For optimal IT support, it’s important to have people on your side who are dedicated to IT, committed to ensuring your network is structurally sound and prepared to quickly get you back up and running if disaster strikes.
Serving as your most important frontline defense, a physical firewall sits at the edge of your network and protects your internal network at the perimeter. I always recommend a physical firewall over software firewalls because the latter are much more easily compromised. Although Windows has a built-in firewall that sits on each user’s workstation, what happens when end users turn it off to access things they shouldn’t?
I’m about to tell you something that’s going to change your entire outlook on life: An external hard drive attached to your server IS NOT a valid backup solution. As one of the more heinous threats out there today, ransomware will essentially encrypt your files until you pay to have them released – and if you don’t have offsite backups, this can become very costly. What’s more, having an external hard drive handling backups in the same building as the rest of your equipment will do nothing to help you if something should physically happen within that building.
I use a plethora of different programs to monitor my machine and scan for existing threats. While a lot of free programs work very well, I have a paid version of Webroot that allows me to install the program on multiple computers and monitor all computers from one central management console. I recommend having one paid service like this running constantly in the background that provides real-time monitoring and protection, and also using a few different non-live programs to manually scan your computer for threats from time to time. Malwarebytes and Hitman both make excellent portable tools that will do a one-time powerful scan of your machine without needing to be fully installed on your computer. These programs frequently update their databases as new threats arise, thereby decreasing your chances of falling prey to cybercriminals’ latest tactics.
Encryption can be an indispensable deterrent to cybercriminals, which is why I recommend encryption solutions for both your hard drive and your email. With portability becoming increasingly common in today’s work environments, you should seriously consider hard drive encryption to protect a laptop if it falls into the wrong hands. There are also services that will encrypt mobile devices and can wipe a smartphone containing sensitive information if it ends up lost.
Email encryption is similarly essential, but is often overlooked. Simply put, if your company regularly sends corporate data over the internet, you need to think about email encryption – and if you’re unsure where to start, Microsoft offers add-ons that encrypt your communications. You may find encryption to be a bit of a headache, but it’s an important factor in ensuring your company’s sensitive information stays private.
Although many employees access their personal email accounts at work, these accounts – such as Gmail – are not covered by the security measures you have in place for your internal company email. Thus, a hacker looking for a gateway into company resources will look to infiltrate someone’s personal email account. With this in mind, I recommend strongly encouraging your employees to establish two-factor authentication on their personal accounts. This will add a second level of security that makes hacking into personal email accounts extremely difficult.
This list encompasses just some of the myriad options for creating an airtight network, but however you choose to safeguard your small business, I can’t stress enough how important it is to secure your assets. One major attack can cripple or even shut down a small business, but this can be prevented if you have a solid security plan. Do some research, discuss your options with whoever handles your IT and fend off cybercriminals before they have the chance to compromise your company.