Most small and midsized businesses (SMBs) don’t have the IT security resources that large enterprises can afford, yet they face many of the same threats. Companies with fewer than 500 employees make up the majority of companies in the US, which makes them an attractive target for cyber-criminals. The media covers attacks on big-name enterprises, but the reality is that SMB-sized companies are attacked by cyber-criminals every day. A data breach is costly for a company of any size and damages its credibility with clients and staff. For a small business that may not even have an IT department, working out how to tackle network security can be daunting.
Here are 10 tips to protect your company:
1. Know where your data is. As a manager or executive you should fully understand where your data resides, whether on desktops and servers in your office or hosted in the cloud. Documenting this lets you make sure the correct access permissions are in place for each location; without that first step, the rest of your security measures will be less effective than you expect. The same inventory is also the foundation for the next item: a backup and disaster-recovery plan.
2. Backup and recovery is your ultimate safety net. Floods, fires, earthquakes, the outside thief, the insider threat and of course malware can all destroy stored data. Automate the backup process so it does not depend on someone remembering to run it. Since almost every business now depends on computer processing, decide how long you could survive a network outage and how much recent data you could afford to lose; those two numbers (often called the recovery time objective and the recovery point objective) determine which type of backup solution is right for your business. In the event of a serious malware attack, your business may depend on the last valid backup of your servers and on how quickly you can get everything back up and running. Keep in mind that backups sitting on a network share the malware can write to may be encrypted or deleted along with the originals, so keep at least one copy offline or otherwise not writable from the production network, and test a restore periodically so you know the backups are actually usable.
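The "last valid backup" the tip above relies on only exists if you can tell a good copy from a damaged or encrypted one. The script below is an added example written for this article, not a tool from the author or any vendor: it automates a simple tar.gz backup, records a SHA-256 digest for each archive, and then finds the newest archive that still verifies. The directory layout, the label scheme (labels that sort chronologically, such as zero-padded counters) and the sample "ledger" data are all constructed for illustration, and the ransomware is simulated by overwriting one archive with random bytes.

```python
"""Automated backup with an integrity manifest and a "last valid backup" lookup.

Added example for this article, not the author's or any vendor's tool. It
assumes backups are plain tar.gz archives in one directory, each with a
sidecar <label>.sha256 file written at backup time, and that labels sort in
chronological order (zero-padded counters or ISO dates). All paths, labels
and sample data below are constructed for illustration.
"""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Optional

CHUNK = 1 << 20  # hash the archive 1 MiB at a time


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large archives need little memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(archive: Path) -> Path:
    """Sidecar path: backups/backup-0001.tar.gz -> backups/backup-0001.sha256."""
    return archive.parent / (archive.name[: -len(".tar.gz")] + ".sha256")


def create_backup(source: Path, backup_dir: Path, label: str) -> Path:
    """Archive `source` to backup_dir/<label>.tar.gz and record its digest.

    The .sha256 sidecar is written only after the archive is closed, so a run
    interrupted mid-write leaves an archive with no matching manifest, which
    verify_backup() then rejects instead of trusting a truncated copy.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    manifest_for(archive).write_text(sha256_file(archive) + "\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the recorded digest matches and the archive still parses.

    A copy that ransomware has encrypted or overwritten in place fails the
    digest check; a truncated or corrupted copy fails the parse check.
    """
    manifest = manifest_for(archive)
    if not manifest.is_file():
        return False
    if sha256_file(archive) != manifest.read_text().strip():
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()  # walks the whole archive, so damage is noticed
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False
    return True


def latest_valid_backup(backup_dir: Path) -> Optional[Path]:
    """Newest archive that passes verification, or None if every copy is bad.

    This is the copy a recovery should start from. Sorting by label rather
    than mtime means a tampered file cannot promote itself by being rewritten.
    """
    for archive in sorted(backup_dir.glob("*.tar.gz"), reverse=True):
        if verify_backup(archive):
            return archive
    return None


def demo() -> dict:
    """Constructed scenario: two nightly backups, then the newer archive is
    encrypted in place by simulated ransomware. Returns what verification
    finds, so the outcome can be checked rather than only printed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        shared = root / "shared"
        shared.mkdir()
        shared.joinpath("ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        backups = root / "backups"
        first = create_backup(shared, backups, "backup-0001")
        shared.joinpath("ledger.csv").write_text("date,amount\n2024-01-01,100\n2024-01-02,250\n")
        second = create_backup(shared, backups, "backup-0002")
        newest_before = latest_valid_backup(backups).name
        # Simulated ransomware: overwrite the newest archive with "ciphertext"
        # (random bytes here); the sidecar digest no longer matches it.
        second.write_bytes(os.urandom(second.stat().st_size))
        return {
            "newest_valid_before": newest_before,
            "newest_verifies_after": verify_backup(second),
            "older_verifies_after": verify_backup(first),
            "newest_valid_after": latest_valid_backup(backups).name,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as-is and the older backup is the one reported as valid once the newer one has been overwritten. The digest catches silent corruption and in-place encryption, but an attacker who can rewrite both the archive and its sidecar can forge a matching manifest, which is exactly why the tip above says to keep a copy offline or somewhere the production network cannot write; storing the digests there as well makes the check trustworthy.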
3. Physical access. In such a high-tech world, the obvious is sometimes the challenge. Make sure physical access to computers and servers is secured: locked doors, locked server rooms and cabinets, and workstations that lock when left unattended are the basics. Make sure visitors or vendors who have access to your offices do not have access to your internal network, for example by keeping guest Wi-Fi separate from the business network.
4. Deploy the security basics. That means business-class firewalls for your networks and anti-malware on endpoints and servers. Make sure these technologies are managed and routinely updated to safeguard against the latest threats. Consider application whitelisting (allow-listing), which permits only approved programs to run and so blocks unapproved software, including malware, from executing on your machines. Be certain that all operating systems and devices (servers, desktops, firewalls, etc.) are patched and updated promptly. If your business is short on IT security expertise, seek outside support under a managed security services arrangement; if there is a malware outbreak, you will want help from people who were already familiar with your network before the attack happened. If your business accepts payment cards or handles personal or health information, you must also comply with the PCI DSS requirements and with HIPAA, respectively.
5. Proper e-cycling. When disposing of old computers and other devices that store data, remove the hard disks and destroy them; this goes for other types of media, too, such as USB drives and backup tapes. Many certified e-cycling firms will come to your office to pick up and dispose of older equipment, and they will provide a certificate of destruction for the drives.
6. Individual access control. This takes time, but determine what access to the network and to each application employees and outside business partners really need to do their jobs, grant only that, and keep a record of it so it can be reviewed when roles change or people leave. Consider more than passwords, such as two-factor authentication, especially for remote access and administrative accounts. This applies to IT staff as well, whose jobs give them enormous power over every information system in use. Most banks have used multi-factor authentication for many years; you may not be in the financial industry, but your data is a valuable asset, so take the time to secure access to it.
7. Verify new hires. Background checks on prospective employees are always a good idea. Some cyber attacks have been traced to inside jobs, and your staff will have access to your network, so make sure they are credible before you hire. When it comes to technology vendors or cloud service providers, make sure whatever they promise is in a signed contract with the consequences for failure to deliver spelled out. They should be fully transparent about where your data is, how it is backed up and what security measures are in place.
8. Mobile security. Smartphones and tablets are here to stay, and they are disruptive. Have a policy that applies security measures such as a screen lock with a password or PIN, remote wipe for lost or stolen devices, and secure access to company files from mobile devices. With more staff using their own devices, this is a challenge for IT to manage, so make the policy a condition that staff understand they must accept if they want to use a personal device for work.
9. Train employees on cyber security. Companies tend to think cyber-criminals are only after the really big players, but that is simply not true. Cyber-criminals specifically target SMBs to compromise the PCs used for online banking and payments and then commit fraud in a big way by emptying business accounts. A newer angle is to encrypt a company’s data, making it useless, and then offer to decrypt it if a ransom is paid; these attacks are known as ransomware. In many cases the infection starts when a victim opens a “phishing” e-mail with a malware-laden attachment that lets the attacker begin infiltrating the network. Spam filters are usually in place to catch phishing and other junk, but some of it, especially carefully crafted and targeted messages, will get through, so it is critical that employees be trained not to open anything that seems even remotely unusual and to report it instead. Because web-based malware is also commonplace, applying content-filtering controls to employees’ Internet use is a good idea as well. Nonetheless, giving your staff the knowledge to recognize a potential threat is one of the best defenses against an attack.
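To make the "some of it will get through" point concrete, here is an added example of the kind of heuristic check a mail filter (or a trained employee) applies to an inbound message; it is written for this article and is not the author's or any product's code. It flags a display name that claims the company while the real address is elsewhere, a Reply-To that redirects replies, a sender domain that merely resembles the company's, pressure language in the subject, and attachments that are executable or disguised as documents. Both sample messages, every address, domain and file name, and the company domain acme.example are constructed; the base64 payload decodes to the two-byte "MZ" header that Windows executables start with and nothing more.

```python
"""Heuristic triage of inbound e-mail for common phishing tells.

Added example for this article, not the author's or any product's filter.
Everything below (the company domain, both messages, all addresses, domains
and file names) is constructed; the attachment payload is only the "MZ"
header bytes a Windows executable begins with, not a program.
"""
import email
import os
import re
from email.message import Message
from email.utils import parseaddr

OUR_DOMAIN = "acme.example"  # placeholder for the company's own mail domain

# Illustrative subsets, not complete lists.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf",
                         ".bat", ".cmd", ".hta", ".lnk", ".ps1", ".msi"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
URGENCY = re.compile(r"\b(urgent|action required|immediately|today|suspended|verify your account)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _attachments(msg: Message):
    """Yield leaf parts that are attachments or carry a file name."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            yield part


def triage(raw: str, our_domain: str = OUR_DOMAIN) -> list:
    """Return human-readable findings; an empty list means nothing tripped."""
    msg = email.message_from_string(raw)
    findings = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if our_domain in name.lower() and from_dom != our_domain:
        findings.append(f"display name claims {our_domain} but sender is {from_addr}")
    if from_dom != our_domain and our_domain.split(".")[0] in from_dom:
        findings.append(f"sender domain {from_dom} resembles {our_domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To {reply_to} differs from From domain {from_dom}")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("subject uses pressure language")

    for part in _attachments(msg):
        # Strip whitespace: padding with spaces pushes the real extension out of view.
        fname = re.sub(r"\s+", "", (part.get_filename() or "").lower())
        stem, ext = os.path.splitext(fname)
        inner = os.path.splitext(stem)[1]
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"attachment {fname!r} is directly executable ({ext})")
        if ext in MACRO_EXTENSIONS:
            findings.append(f"attachment {fname!r} is a macro-enabled document")
        if inner in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
            findings.append(f"attachment {fname!r} uses a double extension to pass as a {inner}")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":  # file signature check, independent of the name
            findings.append(f"attachment {fname!r} starts with the MZ header of a Windows executable")
    return findings


def classify(findings: list) -> str:
    """Two or more independent tells is enough to hold the mail for review."""
    if len(findings) >= 2:
        return "quarantine"
    return "review" if findings else "deliver"


# Constructed phishing message: spoofed display name, lookalike domain,
# redirected replies, urgency, and an executable dressed up as a PDF.
PHISH = """\
From: "Acme Payroll payroll@acme.example" <payroll@acme-billing-secure.example>
Reply-To: acme.payroll.team@mail.example
To: jane@acme.example
Subject: Updated direct deposit form - action required today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Jane, HR needs the attached form back before 5pm or your pay will be delayed.

--b1
Content-Type: application/octet-stream; name="DirectDeposit_Form.pdf.exe"
Content-Disposition: attachment; filename="DirectDeposit_Form.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed legitimate message from a colleague with a plain CSV attached.
CLEAN = """\
From: "Bob Lee" <bob.lee@acme.example>
To: jane@acme.example
Subject: Q3 budget spreadsheet
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Jane, the updated numbers are attached. -- Bob

--b2
Content-Type: text/csv; name="q3_budget.csv"
Content-Disposition: attachment; filename="q3_budget.csv"

line,amount
travel,1200
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        found = triage(raw)
        print(label, "->", classify(found))
        for f in found:
            print("   ", f)
```

The phishing sample trips several checks at once and is quarantined, while the colleague's message produces no findings. The limitation is the important part: a targeted message sent from a partner's genuinely compromised mailbox, with a clean-looking PDF or just a link, produces no findings at all and is delivered, which is why the training in this tip matters as much as the filter.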
10. IT management. Technology changes and innovates faster than ever, so making sure you have the resources to manage your company’s IT systems is crucial. The best defense is a proactive one: having the right team in place to monitor the network, enforce security and look out for potential threats is the key. Proper IT management not only reduces the risk and impact of an attack, it should also result in a more productive and efficiently run network. After all, computers let us produce our products and deliver our services efficiently and effectively, so be sure to maintain a secure IT backbone for your company.