Often times, as a security professional, I speak about enterprise-related issues and tend to ignore the small guy. Since small business is the backbone of the USA and most other countries, I think it’s time I gave a nod to them and told them a bit about security for small businesses and why it’s so important.
First off, you might ask, what’s all the hubbub about security and why is it important to my business? After all, I really have nothing steal. Well, that couldn’t be further from the truth. What you have, that any criminal might want, is what I like to call digital assets. And these assets can be a treasure trove of information for those who steal them.
Do you have any employees? Then their personally identifiable information or (PII) is available for the taking from your HR department. This can be a hassle. You’ll be required to offer your employees one year of credit monitoring service and could be subject to fines depending upon your industry. You may also lose the goodwill of your clients and trust of your employees. Some of the PII that can be lost are social security numbers, addresses, spouses and children’s names, and medical information. This could lead to fraud such as medical insurance fraud, identity theft, and loss of funds from checking accounts.
Do you have competitors? The data may be sold to them by a third party that anonymizes it and then is packaged and sold as industry information.
Making physical security your first priority
So let’s get started on the ways you can protect yourself from the loss of your digital assets and your employees from the loss of personally identifiable information. Most importantly, physical security. If you have a cleaning staff, be sure they are bonded. Don’t let people wander around your office. Train your employees to recognize people who don’t belong – even if they are wearing a uniform – and to notify management immediately. Open and unlocked doors are a great way for someone to walk in and walk out with no questions asked.
This actually happened to a company I know. There was a temporary employee working in the IT department, and when his assignment was over, the IT Department did not lockout his access code. One night someone with his temp employee’s card key walked in the door and stole the HR laptop with all employees’ personally identifiable information on it. Therefore, lock down all your computers to desks or other immovable objects. Use high quality cable locks. Even NASA has been known to have a laptop or two walk out a door because it hadn’t been locked down.
Battling attacks with the right protection
Virus protection is extremely important for anyone who has a computer. Since I’m talking about small businesses, you probably don’t have a full-fledged network. But you might have a server and a few computers. You need virus protection for every one of the devices you have. You also need a firewall. Most small office routers are equipped with a built-in firewall. Read the documentation from your router manufacturer on the best way to set it up.
Always keep your anti-malware and anti-virus protection software up-to-date and enable automatic updates. Keep subscriptions paid up. Although there are some good freeware versions of virus protection out there, it is always best to use paid versions because they have better features. To make a decision on which package is best for you, check out trade websites such as PC World and ComputerWorld who rate anti-virus software on a regular basis. It doesn’t happen all the time, but each year, different software packages rise to the top of the list, so it’s best to go with one-year subscriptions because you may change the software at the end of 12 months.
For added protection for individual files or images, Malwarebytes’ Anti-Malware is excellent. But don’t rely on “Free” for everything. Only use it as a supplement to your paid subscription software suite.
Be sure to add tracking and remote wiping software to your laptops, smart phones, tablets, and desktops. This way, if your equipment is stolen, you can tell the police where it is when it’s turned on, and wipe your data off it to remove sensitive information.
Locking down your network and WIFI
Now let’s talk about wireless access. While it is true that wireless access can eliminate most cabling issues, it also adds its own set of complications. A lot of people leave the security settings on default. These settings usually are: admin =admin; password = password. Obviously, this is very simple to crack, so change them immediately with the other passwords we are about to discuss. Do not use opened authentication. Open authentication means anybody within range of your network can access it. This is what coffee shops offer. An authentication scheme called WEP, which stands for “wireless equivalent protocol”, has now become almost as easy to crack as password=password and is almost as bad as no encryption at all. There’s software available that allows anybody to grab important information moving back and forth between computers and wireless access points that are either open or encrypted with WEP. At the moment, the securest form of Wi-Fi is WPA2-PSK. Who’s to say what the future might hold, but for right now, it’s the best available.
When creating a password, be sure it’s no less than 10 characters: letters, numbers, and special characters such as @< > * should be used. Some devices do not allow the use of special characters and if not, try using made up words with both lower and upper case letters.
Encryption: not as time consuming as you think
The hardest part of encryption is that people don’t want to take that extra step to unlock the device. Using a password takes time, can be hard to remember, and people tend to leave them on sticky notes by their computers. While not foolproof, a thumb print, face scan, and voice-recognition are simpler. There are other ways to unlock, but the four I just mentioned are the most attainable for small businesses and can usually be found on the majority of laptops/tablets or added to desktops. Even some smart phones now come with facial recognition. An encrypted hard drive is a worthless hard drive to any criminal.
Is this the full list of security measures one should take for their business? No. But these are excellent first steps. Most are free. Some are relatively inexpensive, and it only takes a little time and effort to keep your company safe from data thieves. Only you know the value of your data, but you might find out how much you undervalued your data if someone steals it and it’s gone for good.