Your company is a target for hackers.
They want valuable data. You’ve got it.
A lot of it.
And it’s nicely organized and, usually, poorly protected.
And just in case you weren’t paying attention, if they do get it, you’re probably going to have to answer to more than just your customers (as if that wasn’t bad enough). Regulatory intervention and civil penalties are just two of the fabulous prizes you could earn thanks to your poor security.
How can you protect yourself? Unfortunately, there’s no magic bullet. No system is perfect, no security is absolute. Yet, there are rays of hope! The biggest gains that you can make in improving your small business cybersecurity involve making small improvements in your approach to security.
Here are 8 Small Business Cybersecurity Tips You Need to Know:
1) Educate Yourself
There are a lot of places you can go to get the basic information to keep yourself updated on cybersecurity. Regardless which one (or more) you choose, you have to choose one. Securing your company’s data in a high-tech world probably wasn’t a course you took in school – and if it was, what you learned is probably outdated by now.
You can’t be in a position to lead if you haven’t educated yourself. Worse than a situation of “the blind leading the blind,” your lack of knowledge and experience will be obvious to your employees. If you claim to lead without knowing what you’re talking about, everyone will be able to see it clearly.
So get – and stay – educated! It’s not easy, but it sure beats looking like an idiot and being the victim of a preventable cyber attack.
2) Create an inclusive culture of cybersecurity
The greatest threat to your company’s data security is your employees.
Obviously, if you’re in an industry that frequently gets the attention of China’s weapons developers or you run a health insurance or consumer credit rating company, other external or foreign hackers might be a bigger threat. For the rest of us, the most likely culprit is an employee, whether as an active participant or through carelessness or bad luck.
Hackers regularly seek out access to computer systems via the login credentials of your employees. Frequently, this takes the form of “social engineering,” which ranges from extremely clandestine maneuvers all the way down to simply asking people for their passwords.
Essentially, hackers take advantage of people without ever having to “hack” into a system like you’d imagine. And boy does it ever work!
Why spend hours trying to crack passwords when they can call someone in your firm and convince them that your kid really needs your password to get onto the home WiFi. It works. Way too well.
3) Every rule you bend is another weak spot in your small business cybersecurity
A senior executive doesn’t want to update to a newer phone or never updates the software because they read somewhere that it makes their games work poorly. So, in violation of the company’s rules, they keep their less secure device, or use outdated, unpatched software.
Executives and managers are already going to be considered high-level targets due to the fact that their credentials likely provide greater access to your company’s systems. However, they tend to be responsible for a lot of the business, make a lot more money, and are usually the business’s key decision makers. For that reason, IT frequently bends the rules for them. Don’t. It’s a recipe for disaster.
4) Encourage open communication and reporting of suspicious behavior
If you properly train your employees about the significance of cyber security, they’ll be able to spot suspicious activity. Unfortunately, the ability to detect a problem is insufficient on its own – your employees need to be empowered to report what they see.
Guess what? There will be false alarms, mistakes, and some potentially embarrassingly bad calls by your employees. If there isn’t, then they either don’t care about the risk, or they’re afraid of being called out.
Nobody should be afraid of accidentally crying wolf. The alternative to a system that accepts the occasional false alarm is a system that frequently misses the real ones.
5) Where practical, encourage the use of multi-factor authentication
Most companies still only require multi-factor authentication for certain functions: The IT department, or the guy who handles the diamonds. However, that’s changing, and you should be ahead of the curve.
More traditional forms of security are, overall, offering less and less protection. You need something more secure than you did 10 years ago. Fortunately, most of the tools and software we use today allow implementation of multi-factor authentication for little or no cost.
6) Require strong passwords, because they really are better
So much security and protection in this world seems illusory. So many things are designed to make you feel safer without actually providing real security. Just think about how effective airline security has been when tested. In case you don’t: not effective.
Now, also remember that you need to have cyber security systems that get used. Don’t require a 15-digit password to be changed every week, or people will find shortcuts. There are plenty of password managers that can help, take advantage! (But make sure they’re properly secured as well – hackers may be starting to target poorly protected password managers!)
7) Encryption is mandatory. Period.
Do you encrypt your data? If the answer is no, then I’m really curious how you even found your way to this blog. If you’re reading this, you probably have some encryption in place. Increase it.
You might have encryption in your storage, but is it encrypted when you send it to the cloud? Why would you encrypt it on your computer but not in the cloud?
How about in transit? If you’re not encrypting your data in transit, using your laptop at a Starbucks could be the start of a really good day for a local hacker, and a really bad year for you!
Cybersecurity is incomplete at best, completely damned ineffective at worst, without encryption.
8) Backup your data, in more than one place!
All the work on protecting your firm from cyber threats can only limit your vulnerability. There’s always a risk. Make sure that if the rug gets pulled out from underneath you, you’ve got a system set up to get you back on your feet quickly.
There are numerous ways to save your data, from local servers to cloud backup. Just remember, your data has to be safe from hackers, but also from more boring things. If your only backup is plugged into the same outlet as your server, will a power surge or a lightning strike kill them both? If your primary storage and your backup storage would be impacted if any one building burned down or flooded, you don’t have sufficient backups.
In the end…
As I said at the beginning, there is no perfect system. Interestingly, it’s sometimes the chase for that perfect system that creates the most serious vulnerabilities. Password requirements too strict? Employees will feel overly burdened and work around it. Information kept only to a select, elite group? Your people won’t feel included, won’t feel important, and won’t understand how important they really are.
So follow these tips, keep yourself up-to-date on major cybersecurity concerns, and make sure your employees feel valued and important.