Small businesses are the backbone of the American economy. Unfortunately, they’re also one of the worst cybersecurity risks. Small businesses were the target of 43% of cyber attacks in 2015, up from 18% four years earlier. Many small business owners aren’t computer-savvy and can’t afford the time and expense to hire security professionals, but you don’t have to be a techie to take the following measures, many of which can be implemented by trusted employees, freelancers or even a savvy high school student. They’ll prevent the vast majority of breaches.
1. Teach Good Password Security Practices
Weak passwords are the most common cause of cyber breaches, and it’s such a simple problem to cure. One technique is to train employees to use mnemonics, such as the first letter of a memorable phrase, combined with some simple letter substitution (“Chicago Cubs Win the World Series at Last!” becomes “CCWtVVS@L!”). Ask employees to change their passwords about every six months. Too-frequent changes can actually encourage people to take shortcuts that increase risk.
A password manager is a great tool for encouraging good password security, since it creates highly secure passwords on demand and stores them so people don’t have to remember anything other than the password for the manager itself. Another effective technique is Two-Factor Authentication (2FA), which backs up a password with a second medium like a texted code or fingerprint. 2FA takes a little more knowledge to set up, but any experienced system administrator will know how.
2. Buckle Down on Permissions
When setting up a server for a small business, it’s tempting to bypass file- and folder-level security under the assumption that you know and trust everyone in the business. But even if your employees are Boy and Girl Scouts, any hacker who breaches their accounts can run away with your sensitive data. It’s also easy for honest users to mistakenly download or attach privileged information to emails or social media posts.
For your own servers, set all permissions on a “need to know” basis. Use role-based group settings to minimize exceptions. That means senior executives get one level of access, while accounting clerks get another. After all, there’s no need for all your people to have access to financial documents. Making changes at the group level makes administration simpler and more secure.
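The group-based, need-to-know model described above, as an added example (not code from the original article): permissions are granted only to groups, users get access only through group membership, and anything not explicitly granted is denied. The shares, groups and user names are constructed for the example; the `users_with_access` helper is the kind of access-review listing an administrator would run before handing out a new share.

```python
from typing import Dict, Set

# Constructed example: which groups may do what on which share.
# Permissions are "<share>:<action>" and are granted to groups only,
# so every access change is a group-level change.
GROUP_PERMISSIONS: Dict[str, Set[str]] = {
    "executives": {"finance:read", "hr:read", "sales:read"},
    "accounting": {"finance:read", "finance:write"},
    "sales":      {"sales:read", "sales:write"},
    "everyone":   {"shared:read"},
}


class AccessControl:
    def __init__(self, group_permissions: Dict[str, Set[str]],
                 membership: Dict[str, Set[str]]) -> None:
        self.group_permissions = {g: set(p) for g, p in group_permissions.items()}
        self.membership = {u: set(g) for u, g in membership.items()}

    def add_to_group(self, user: str, group: str) -> None:
        if group not in self.group_permissions:
            raise KeyError(f"unknown group {group!r}")
        self.membership.setdefault(user, set()).add(group)

    def remove_from_group(self, user: str, group: str) -> None:
        self.membership.get(user, set()).discard(group)

    def effective_permissions(self, user: str) -> Set[str]:
        """Union of the permissions of every group the user belongs to.
        Unknown users belong to no groups and therefore get nothing."""
        perms: Set[str] = set()
        for group in self.membership.get(user, set()):
            perms |= self.group_permissions.get(group, set())
        return perms

    def is_allowed(self, user: str, share: str, action: str) -> bool:
        """Deny by default: only an explicit group grant allows the action."""
        return f"{share}:{action}" in self.effective_permissions(user)

    def users_with_access(self, share: str, action: str) -> Set[str]:
        """Access-review helper: who can currently perform this action?"""
        return {u for u in self.membership if self.is_allowed(u, share, action)}


def build_demo() -> AccessControl:
    # Constructed staff list: every user is in "everyone" plus their role group.
    return AccessControl(GROUP_PERMISSIONS, {
        "alice": {"executives", "everyone"},
        "bob":   {"accounting", "everyone"},
        "carol": {"sales", "everyone"},
    })


if __name__ == "__main__":
    ac = build_demo()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "finance:write ->", ac.is_allowed(user, "finance", "write"))
    # One group-level change gives carol everything accounting has, nothing more.
    ac.add_to_group("carol", "accounting")
    print("can write finance:", sorted(ac.users_with_access("finance", "write")))
```

Note that executives can read the finance share but not write to it, and that moving a person between roles is one `add_to_group`/`remove_from_group` call rather than a hunt through per-folder exceptions.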
3. Secure Wi-Fi Access Points
Setting up a Wi-Fi access point is so simple that it’s easy to forget that it can create gaping holes in your network if not secured properly. Fortunately, adding good security is pretty easy. Most equipment makers offer several security options during setup. WPA2-PSK (AES) is considered the best. Choose strong passwords, just as you would with your own login practices, and don’t post passwords in a public place. It’s also a good idea to avoid broadcasting the access point’s name – also called the SSID. Instead, share the name only with people who need to use it.
4. Teach People About Phishing
Ransomware, which is the fastest-growing form of malware, is spread primarily through phishing attacks, in which users are fooled into clicking on malicious links or attachments that are disguised to look legitimate. The rules for preventing these attacks are simple: Never click on a link unless you are absolutely sure who or where it came from. Teach people how to check the email address in the “sender” field. Remember that it’s easy to spoof the name of the sender, but you can’t change the email address. If the email doesn’t come from @paypal.com, it isn’t from PayPal.
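The sender check described above, as an added example that is not part of the original article: it separates the display name from the actual address in the `From:` header, flags mail whose display name claims a known brand while the address domain is something else, and also flags a `Reply-To:` that points somewhere other than the sender's domain. The two messages and the brand-to-domain table are constructed for the example; a business would maintain that table for the vendors it actually deals with.

```python
import email
from email.utils import parseaddr
from typing import Dict, List, Set

# Constructed sample messages (not real mail).
LEGIT = """From: "PayPal" <service@paypal.com>
To: owner@example.com
Subject: Your monthly statement

Your statement is ready.
"""

SPOOFED = """From: "PayPal Support" <support@paypa1-secure.com>
Reply-To: billing-desk@mailbox-relay.example
To: owner@example.com
Subject: Urgent: confirm your account

Please open the attached invoice.
"""

# Constructed table: brand names people recognise and the domains that
# brand's mail is expected to come from.
KNOWN_BRANDS: Dict[str, Set[str]] = {"paypal": {"paypal.com"}}


def sender_domain(address: str) -> str:
    """Part after the last '@', lower-cased; empty if there is no address."""
    return address.rpartition("@")[2].strip().lower()


def domain_matches(domain: str, allowed: Set[str]) -> bool:
    """True if the domain is an allowed domain or a subdomain of one.
    'paypal.com.evil.example' does not match 'paypal.com'."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(raw_message: str) -> Dict[str, object]:
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = sender_domain(address)
    reasons: List[str] = []

    if not address or not domain:
        reasons.append("no usable sender address in From header")

    name = display_name.lower()
    # Display name claims a brand, but the address is not from that brand's domain.
    for brand, allowed in KNOWN_BRANDS.items():
        if brand in name and not domain_matches(domain, allowed):
            reasons.append(f"display name mentions {brand!r} but address domain is {domain!r}")

    # Display name itself looks like an address with a different domain.
    if "@" in display_name and sender_domain(display_name) != domain:
        reasons.append("display name shows a different address than the real sender")

    # Replies would go to a different domain than the one the mail claims to be from.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and sender_domain(reply_to) != domain:
        reasons.append(f"Reply-To domain {sender_domain(reply_to)!r} differs from sender domain")

    return {
        "display_name": display_name,
        "address": address,
        "domain": domain,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        result = check_sender(raw)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for reason in result["reasons"]:
            print("   ", reason)
```

Run on the two constructed messages, the first passes and the second is flagged twice (brand name versus domain, and a mismatched `Reply-To`). The domain check deliberately accepts subdomains of the expected domain but rejects look-alikes that merely contain it.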
5. Backup to the Cloud
Speaking of ransomware, the most effective antidote to that scourge is frequent backups so you can recover information even after your storage media has been encrypted. Many commercial services offer continual backups at a modest cost, so that you’ll never lose more than a few minutes’ worth of data. They’re easy to install and well worth the price.
6. Consider Virtual Desktop Infrastructure (VDI)
If you want to bypass the risk of viruses or phishing attacks entirely, consider this technology, which stores desktops remotely on a server and downloads them when users log on. VDI used to have the reputation of being slow and inflexible, but today’s technology makes the user experience almost indistinguishable from that of a local desktop. Among the advantages are that updates can be pushed to everyone simultaneously and users can’t save or launch applications on their virtual desktops without permission. This gives IT administrators added control and peace of mind.
7. Use Virtual Private Networks (VPNs) for Remote Access
A lot of small businesses employ people in remote locations or hire contractors to enhance flexibility and cut down on cost. Or they may simply permit their employees to connect from home or a coffee shop via their laptops or smartphones. But did you know that most public Wi-Fi services don’t offer any protection over the data that traverses them? The best way to protect yourself is to use a VPN that establishes encrypted remote connections so sensitive data is never at risk. Many commercial services are now available at modest cost, with easy setup.
That wasn’t so difficult, right? Keep in mind that one of the advantages of being a small business is that attackers are mainly focused on the big fish. That doesn’t mean you should be complacent, but if you follow these seven tips, your likelihood of being compromised is very low.