In today’s world, businesses large and small must have a strong system in place to protect their data from the threat of hackers and cyber-criminals. This may seem like a daunting task, especially if you are a small business owner; but when it comes to cyber security, the best defense is truly a good offense.
To help you determine where to focus your efforts, we’ve asked Chris Leonard, Systems Administrator with Summit Financial Resources, to share some best practices for protecting your small business from both external and internal threats.
Your business will always be vulnerable.
When it comes to cyber security, the number one rule of thumb for any business is to understand that you cannot make your workplace 100 percent secure. That said, it’s important to stay ahead of the curve. Hackers are invaders of opportunity who look for low-hanging fruit. Unless your company has extremely valuable information, the more secure your business is, the more likely they will pass you by in favor of an easier target.
The best place to start is to identify your company’s sensitive information and determine its value. Ask yourself what data you would not want anyone but yourself or a small group of employees to be able to access, such as information that is proprietary, private, or sensitive for your customers.
Once you’ve identified this data, consider the cost to your business if it were exposed to the public. Assigning a dollar amount helps companies determine what they are willing to pay to protect their most valuable information.
Fear of external threats can lead to costly mistakes.
While there are numerous external threats to your company’s security, the one you must be most wary of is fear mongering. Unfortunately, the rise in cyber crime brings with it an increase in the number of companies and individuals who are looking to prey on business owners with a lot of sensitive data and little technical background. Their goal is to scare you into believing your data is not secure and convince you to spend money to mitigate it.
The reality is there is no single “fix” that is ideal for every business, so chances are you will end up wasting money on a solution that doesn’t work. My advice is to never work with anyone you don’t know or cannot thoroughly vet, and talk with an IT professional you trust before taking any action.
One surefire way to assess your vulnerabilities is through penetration testing. This is something many large companies have been doing, and I recommend that small business owners invest in it as well. Essentially it is the practice of authorizing an outside firm to test a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. This ties back to identifying the data you most need to protect. If the testers are able to access critical systems, you will know exactly what you need to focus on shoring up.
Common external hacks to watch out for.
One of the more common forms of cyber hacking is what’s known as DDoS. This is typically a technique aimed at big firms rather than small businesses. Hackers who have access to large resources will install viruses on computers that they then use as drones to do their bidding anywhere in the world. The aim is to overload a system with so much data it shuts down.
If this is a concern for your business and you have not taken preventative steps, the result can be costly. There is hardware designed to fend off such attacks, and we have installed a version of it here at Summit Financial Resources. Speak with your IT professional about which solutions can best help mitigate this type of threat to your business.
Spear phishing is a newer form of hacking that we’ve seen increasing over the past few years. These targeted attacks are well researched and designed to instill an environment of fear and panic in the workplace. If you or your employees have received emails that appear to be from a colleague within your organization and contain information or requests that seem relevant to your business, then you have been a victim of this type of hack. This leads us to what may be the greatest vulnerability in your organization.
Your employees are your biggest threat.
Ask any cyber security specialist what the biggest security threat is and they’ll tell you it is a company’s employees. For example, we need look no further than the massive data breaches that have occurred in companies such as Target and Home Depot.
A recent survey released by Haystax Technology found that 74 percent of organizations feel vulnerable to insider threats despite increased investments in deterrence tactics and detection tools.
One of the key reasons for this is, as human beings, we have a natural inclination to trust others, and this behavior is difficult to change. It’s also hard to educate every employee about the seriousness and types of threats they need to be aware of. Hackers take advantage of this by devising malicious ways to trick your people into providing access to your data.
Social engineering is currently the most common threat to your internal security. This can range from people impersonating a group or company in order to gain access to your physical or virtual location to data stolen by the tech firm you hire to fix an issue with a computer. An example is the bogus call your employee gets from an individual claiming they work for Microsoft IT and need access to your computer to remove compromised software.
Lately we’ve seen an increase in attackers distributing opportunistic data installed on flash drives. The intention is for you or your employees to plug it into a company computer, thereby unleashing malware or ransomware designed to compromise your data. The hackers may leave hundreds of these flash drives in parking lots at big box stores or boldly mail them directly to your office packaged as a promotional premium.
Take steps to protect your staff and your business.
The underlying theme for limiting internal threats is the principle of least access. When you have identified your sensitive information and the people you want to have it, you want to give these people the least amount of access possible in order to do their job.
For instance, many small businesses limit their employees’ ability to insert a USB drive or download anything on their computer without authorization. Small companies with only a few employees can easily manage this themselves, while larger firms with IT departments may make it a practice to lock down access for all but essential staff.
Here are just a few of the steps you can take to help prevent internal cyber breaches.
- Two-factor authentication: One of the best things you can do to ensure your accounts and devices don’t get hacked is to require two forms of validation of a user’s identity. This will become the standard in the near future and small businesses need to start adopting it as a best practice.
- Software updates: Failing to implement regular software updates is one of the biggest vulnerabilities we see in small businesses. Staying on top of these updates will go a long way towards preventing hackers from accessing your systems. Many business owners are taking control of these updates in addition to preventing end-users from downloading harmful software.
- Employee education: Often the largest obstacle to prevention is creating concern amongst your staff. Educate your employees about the potential risks to the company and raise awareness by communicating specific threats on an ongoing basis.
- Secure outsourcing: If you outsource your IT, opt for professionals you can rely on over a service that is popular or has a recognizable name. Ask for recommendations from colleagues you trust. Carefully vet the service and determine what protocols they have in place to protect you from theft or malpractice by their employees.
Mitigate malicious internal threats.
The Haystax survey indicated that 71 percent of companies are most concerned about an inadvertent or accidental data breach compared to 61 percent who most fear a malicious or willful breach. While most small business owners want to believe their employees are honest and loyal, the fact is it only takes one disgruntled employee to wreak havoc with your data.
Put yourself in the shoes of an unhappy employee in each department and determine what information they might be most likely to use to inflict damage or extort your business. Someone in sales might consider your customer list extremely valuable while an underwriter would look at risk ratings and analytics. Again, control employee access to your critical data and systems to help mitigate this type of risk.
It is also important to manage or avoid actions that can result in alienating your staff. When making major changes or altering policies that can have a negative impact, work closely with your human resources department or top managers to get a feel for how people will react. Invest time in managing the change in ways that will support your staff and safeguard morale.
Work to establish and maintain a company culture where your employees feel valued and appreciated. Limiting access to information may telegraph the message that your team can’t be trusted. Be sure to communicate the reasons for your actions in order to prevent the kind of unhappiness that can lead to revengeful behavior.
Data breaches are becoming so commonplace that it is no longer a question of if your company will be attacked, but when. Now more than ever, upping your game requires you and your IT staff to take a proactive approach to cyber security and think like an attacker in order to protect your assets.