Small businesses are the new big target for cyberattacks. While the large corporations generate a lot of news when their security is breached, cyberattacks can — and do — happen against small and medium businesses (SMBs). While the payoff may not be as great, the growing use of automation by cybercriminals allows them to attack thousands of smaller organizations daily.
Cybercriminals are typically looking for customer contact information, such as email addresses and payment card numbers, valuable intellectual property or proprietary information, and health data. That makes any company holding such data a potential target, regardless of its size. Add in the growing trend of connecting networked devices and sensors, commonly referred to as the Internet of Things (IoT), to business processes, and there are multiple points of entry for the entrepreneurial cybercriminal.
Means of attack
Cybercriminals can attack in a variety of ways. In a blog post for the National Cybersecurity Institute, Carolyn Schrader, founder of Cyber Security Group Inc., listed the following as the top threats for small businesses in 2016:
- Growth of mobile malware.
- Data theft from IoT devices.
- More cybercriminals due to the expansion and creativity of the Internet underground.
- Extortion attacks from stolen data.
- Ransomware on the IoT.
- Hacker mercenaries.
- Stolen data aggregation.
While it's unlikely that every one of these threats would hit any single company, a small business's best defense is to be prepared for any of them. Knowing the potential threats is the first, and most significant, step toward implementing security measures.
Most small businesses can't afford their own IT departments, but they can minimize their risk with the right training and technologies. The first step is to teach employees best practices for digital security. Here are seven simple ways to make your small business safer.
Keep personal Web browsing at home
Your lunch hour may seem like a great time to catch up online with friends and family, but your casual Web browsing can introduce all sorts of problems into the company equipment.
"Viruses run rampant through social network posts, so stick to your own computers for personal information," Brandon Saumier, a Virginia-based IT specialist, said in a 2013 Business News Daily interview.
Use proper data management systems
Printing passwords, using sticky notes as reminders and improperly storing company data are fast ways to get the company fined or to get employees fired, Saumier said.
"This goes double for companies that require compliance with regulations like HIPAA and FISMA," he said, referring to the Health Insurance Portability and Accountability Act of 1996 and the Federal Information Security Management Act of 2002. "An audit can come at any time, so only use company-approved document- and data-management processes."
Always use secure connections
With the increased use of cloud computing, mobile devices and Wi-Fi hotspots, employees are connecting to the company network outside the office more than ever. However, public Internet connections at locations such as cafes, parks, restaurants and airports are anything but secure: anyone on the same network can observe unencrypted traffic. Instead, use collaboration and Web-conferencing tools that work only over an encrypted connection, such as a virtual private network (VPN), so that traffic between the device and the company network is protected from onlookers.
"It's a smart, simple security practice," Eric Geier, founder of NoWiresSecurity, wrote in a PCWorld article. "Because the VPN encrypts your Internet traffic, it helps to stymie other people who may be trying to snoop on your browsing via Wi-Fi to capture your passwords."
Require passwords for everything
Passwords should be used for more than just the company email server: require them wherever confidential data is accessed, such as when you're sharing documents during Web-conferencing sessions. Change shared passwords, and disable accounts, whenever someone who had access leaves a role, so that only the employees who should have access still have it; rotating passwords on a fixed schedule does not by itself revoke anyone's access, and current NIST guidance (SP 800-63B) no longer recommends forced periodic changes without evidence of compromise. Consider investing in password management software, which requires employees to remember only one master password while generating a strong, unique password for every account.
Always lock your computer screen
Leaving your computer unlocked is like leaving your Social Security card or driver's license on your desk when you go to lunch, said Michael Fimin, CEO of IT auditing software company Netwrix Corp. Unintended disclosure is a serious issue.
"More than 38,000 records were exposed in 26 incidents due to employees' errors, such as misdirected emails and confidential information accidentally posted on companies' websites," Fimin said in a recent Netwrix blog post.
Speak up if something is wrong
Malware that's infected one computer can quickly spread to others, so it's best to catch it early.
"By reporting issues as soon as possible, it's easier to contain and mitigate the problem before it can spread throughout the organization," said Vann Abernethy, field CTO at NSFOCUS, an anti-DDoS firm.
Teach and enforce your security policy
For a security policy of any type to work, it must be managed. Employees should understand the policy, including the tools and processes that have been put in place to protect company assets, and the repercussions of violating it, Abernethy said.
This is especially true of bring-your-own-device (BYOD) policies. In a blog post on NowSecure, author Erica Lucas suggested two methods for enforcing your policies. First, have employees sign the terms of a BYOD agreement after teaching them the details of the policy as well as some mobile security best practices. Second, monitor access to your networks to ensure compliance, for instance by checking which devices actually connect against the list of devices whose owners have signed the agreement.
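One concrete way to do that second step, as an added example that is not part of the original article or of NowSecure's material: compare the devices handed out DHCP leases on the office network against an enrolled-device inventory and report anything unregistered or whose enrollment has lapsed. The inventory, the device names and the log lines below are all constructed for the example (the lines imitate dnsmasq's DHCPACK format, but the addresses and hosts are made up); the inventory dictionary, `TODAY`, and the function names are assumptions of this example, not anything the article describes.

```python
"""Flag network access from devices not enrolled under the BYOD policy.

Added example, not from the article. Constructed DHCP log lines are matched
against a hypothetical enrolled-device inventory; any lease to a MAC address
that is not enrolled, or whose enrollment has expired, is reported.
"""
import re
from datetime import date

# Hypothetical inventory (assumed for this example): MAC -> enrollment record.
# In practice this would come from the signed-agreement records in your MDM or HR system.
ENROLLED = {
    "aa:bb:cc:dd:ee:01": {"owner": "alice", "agreement_signed": date(2016, 1, 4),
                          "expires": date(2017, 1, 4)},
    "aa:bb:cc:dd:ee:02": {"owner": "bob", "agreement_signed": date(2015, 1, 10),
                          "expires": date(2016, 1, 10)},
}

# The date the check is run (assumed; matches the article's update date).
TODAY = date(2016, 1, 26)

# Constructed sample log: dnsmasq-style DHCP lines, fabricated for this example.
SAMPLE_LOG = """\
Jan 26 09:01:12 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.20.14 aa:bb:cc:dd:ee:01 alice-phone
Jan 26 09:02:40 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.20.15 aa:bb:cc:dd:ee:02 bob-tablet
Jan 26 09:05:03 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.20.16 de:ad:be:ef:00:99 unknown-device
Jan 26 09:05:07 gw dnsmasq-dhcp[812]: DHCPREQUEST(eth1) 10.0.20.16 de:ad:be:ef:00:99
"""

# Only DHCPACK lines represent a lease actually granted; other DHCP chatter is ignored.
LEASE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: DHCPACK\(\S+\) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: (?P<host>\S+))?$"
)


def parse_leases(log_text):
    """Return a list of (timestamp, ip, mac, hostname) tuples, one per DHCPACK line."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases.append((m.group("ts"), m.group("ip"),
                           m.group("mac").lower(), m.group("host") or ""))
    return leases


def check_byod_compliance(log_text, enrolled, today):
    """Return findings for devices seen on the network without a valid enrollment.

    Each finding is a dict with the MAC, IP, hostname and a reason; a MAC is
    reported at most once even if it obtained several leases.
    """
    findings = []
    seen = set()
    for ts, ip, mac, host in parse_leases(log_text):
        if mac in seen:
            continue
        seen.add(mac)
        record = enrolled.get(mac)
        if record is None:
            findings.append({"mac": mac, "ip": ip, "host": host,
                             "first_seen": ts, "reason": "not enrolled"})
        elif record["expires"] < today:
            findings.append({"mac": mac, "ip": ip, "host": host, "first_seen": ts,
                             "owner": record["owner"],
                             "reason": "enrollment expired " + record["expires"].isoformat()})
    return findings


def run_example():
    """Run the check over the constructed sample data."""
    return check_byod_compliance(SAMPLE_LOG, ENROLLED, TODAY)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The check deliberately treats a lapsed agreement the same way as an unknown device: both should trigger a follow-up with the owner, and the expired case is the one a purely reactive process tends to miss. MAC addresses are easy to spoof, so this is an inventory reconciliation, not an authentication control; it tells you which devices to ask about, not which to trust.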
By instituting best practices for computer security, you can build better awareness among employees. This protects not only your data, but that of your customers and clients, building trust and enhancing working relationships.
This article was originally published in 2013 and was updated Jan. 26, 2016. Sue Marquette Poremba also contributed to this article.