Cyber Security for Small Businesses

Cyber Security for small businesses is one of those black giants that everyone “knows” is important, but most people don’t know what they really need to do to get it. Many small business leaders think that their businesses are not at risk because they are small, unimportant, and therefore not worth hacking.

This is a dangerously false belief.

Security expert Brian Krebs recently published his Immutable Laws of Data Breaches, and they can shed light on why even SMB owners should be concerned about cyber security:

  • If you connect it to the Internet, someone will try to hack it.
  • If what you put on the Internet has value, someone will invest time and effort to steal it.
  • Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it.
  • The price he secures for it will almost certainly be a tiny slice of its true worth to the victim.
  • Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.

Everyone’s network is at risk and has valuable data.  Ask yourself how much it is worth to you, not to the hackers.  What fraction of that value are you willing to invest to ensure it remains safe?

What SMBs Should Do – 3 Steps

If you are an SMB trying to secure your own network, start with the following three steps:

  1. First, look at what you want to secure. Think about physical equipment, data in all of its locations and applications, trade secrets, the network as a whole, and any other areas of concern.
  2. Next, for each of these areas, ask yourself: how would a thief gain access or steal it? You don’t have to know specific hacking techniques; general patterns are fine. For instance, data can be stolen when it is in transit (going over the internet) or at rest (stored on the hard drive). Your network can be accessed by nefarious/unwitting employees or remotely over the internet.
  3. Finally, go through each of these areas and each “attack vector” from step 2 and develop a plan for securing against each attack. If you are concerned about physical theft, add “move equipment to locked rooms” to your security plan. If you are worried about social engineering—people tricking employees into divulging information—then develop a training to inform them of the threat and put policies in place to get authorization before giving out sensitive information.

That is a good method for creating a custom security plan for your unique environment. You can also use the following general precautions every business should consider if they are concerned about security:

  • Have a business class firewall protecting the network. The cable or DSL modem that your ISP gave you is not sufficient.
  • Antivirus should be on all computers. This should update automatically and scan, in real time, all accessed files or devices (e.g. USB thumb drives).
  • Antimalware should be on all computers. This is similar to antivirus, but it looks for different kinds of malicious software.
  • Have a service scan and filter website traffic. This will help ensure malicious software doesn’t make it to your computers, so AV won’t have to catch it. It can also help you block certain types of traffic, such as pornography or gambling, to keep your employees more productive.
  • Find a good email filtering service. This is not just for spam, though that is a good benefit. Most ransomware these days is transmitted through email, so make sure it is clean before it makes it to your computers.
  • Install encryption on all servers and workstations and make sure your sensitive data is stored there. This way, if something gets lost or stolen, your data is inaccessible to the thief.
  • Install physical locks protecting network equipment, servers, and any sensitive data storage devices.
  • Have Good Backups! As good as your security is, assume the thieves can get away with something.  Make sure they don’t steal the only copy.  See our series on backup and disaster recovery for more info on this.
  • Training and education. New security threats are always coming up and old ones are becoming new again. You and your employees don’t need to become security experts, but if they can be aware of what is out there, they will be in a better position to protect the company.

We would love to help you put together a cyber security strategy for your business.  If you are interested, please contact us for a free consultation!