Many small businesses struggle to keep up with implementing proper cybersecurity measures. More and more organizations handle sensitive data: their internal data can have tremendous financial value, and they routinely handle and store customer data. Both kinds of data are targeted by thieves, either for direct financial gain or for other insidious purposes. With cyber-attacks on the rise, it is now more important than ever to maintain a healthy security posture to protect your enterprise and yourself against virtual threats.
Cybersecurity tools and applications are often costly and require a dedicated IT staff to implement and operate. Few small businesses have such a staff, so they don’t consider large, sophisticated cybersecurity tools like SIEMs realistic. That doesn’t reduce the demand for security; it simply means that building a healthy cybersecurity profile calls for more creative solutions. There are many basic, low-cost methods that can be implemented to improve your organization’s security posture.
Three core methods for obtaining a healthier security posture without expending large amounts of resources are basic anti-virus, strong passwords, and user education on cyber threats:
Anti-virus is the most fundamental security tool and should be installed and regularly updated on every business computer. Even if a computer is not used to access sensitive information, if it is on the network it needs to have anti-virus. If your company has a BYOD policy and those computers connect to your network, they too need anti-virus. Even mobile devices and tablets are vulnerable to threat vectors that can be used to compromise your entire network should one infected device get on board. There are many free anti-virus programs available, and most modern computers have basic security tools built in. Between the critical demand and the ready availability of tools at any price point, it is negligent to ignore anti-virus for your business.
Basic cybersecurity awareness is another free fundamental that must be observed. There are behaviors that every employee can adopt to improve your security as a whole. Many successful cyber-attacks gained entry into a network by leveraging the ignorance or gullibility of a well-meaning employee. Attackers will send out vast numbers of cleverly disguised, automatically customized emails with malicious links embedded in them. Alternatively, a dedicated hacker will leave an infected USB thumb drive in the parking lot and wait for an employee to unwittingly install the malware by plugging the USB stick into their computer to see what’s on it or who it belongs to. We all click on links in our email, especially if they appear to come from someone we know. We all use USB drives, and would likely be eager to learn the contents of a mysterious lost thumb stick.
Getting a grasp of common vectors for a cyber-attack and how human behavior can be used to leverage them is key to a healthy security profile for your business. Sharing this understanding with your employees and keeping them up-to-date on threat methods can remove the human element from the equation.
Passwords are one of the stickiest fundamentals to use properly. Passwords have been used since the dawn of computing, and as a result we’ve had time to develop many bad habits and preconceptions about them. Some big problems with passwords are:
- We don’t make complex passwords because we don’t want to forget them. Consider using phrase-based passwords rather than words. “Eatcheese2times@day” is much, much stronger than “cheese2.” A phrase is much easier to remember, and it greatly increases the complexity of the password. Place your numbers and symbols in the body of the password, not on the ends. As juvenile as they are, emoticons and other number-for-letter substitutions are extremely useful in creating strong passwords.
- We reuse the same passwords for many, if not all, of our accounts. Do not recycle your passwords. It’s the security equivalent of putting all your eggs in one basket. Should an intrepid hacker gain access to one account, they likely will be able to access everything. This typically includes your bank accounts, Social Security numbers, Facebook and email. This can also lead to the compromise of business profiles, cloud services, and a wealth of sensitive information.
- We share passwords to grant others access to an account. Every time you share a password you are opening up another avenue, one you do not control, to access your information. All accountability for that access disappears, because it is impossible to identify who is responsible should there be a security failure. Every person who has access to that account can do anything they want to it. And you will never truly know exactly who has access and who doesn’t. Every person who accesses a system needs their own account and password. Only true administrators should have anything but the lowest access level.
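The three habits above can be checked against a simple inventory of your accounts. The script below is an added example, not part of the original article; the 15-character threshold, the inventory layout and the sample accounts are assumptions made for illustration.

```python
import string

MIN_PHRASE_LENGTH = 15  # assumed threshold; the article does not give a number
EDGE_CHARS = string.digits + string.punctuation

def password_findings(password):
    """Return which of the article's password habits this password breaks."""
    findings = []
    if len(password) < MIN_PHRASE_LENGTH:
        findings.append("too short to be a phrase")
    has_special = any(not ch.isalpha() for ch in password)
    body = password.strip(EDGE_CHARS)  # drop numbers/symbols at either end
    if not has_special:
        findings.append("no numbers or symbols")
    elif not any(not ch.isalpha() for ch in body):
        findings.append("numbers and symbols only at the ends")
    return findings

def audit(inventory):
    """inventory maps account -> (password, list of people who know it)."""
    weak, by_password, shared = {}, {}, []
    for account, (password, people) in sorted(inventory.items()):
        findings = password_findings(password)
        if findings:
            weak[account] = findings
        by_password.setdefault(password, []).append(account)
        if len(set(people)) > 1:  # more than one person knows this password
            shared.append(account)
    reused = sorted(group for group in by_password.values() if len(group) > 1)
    # Only account names are reported, never the passwords themselves.
    return {"weak": weak, "reused": reused, "shared": shared}

# Constructed sample inventory (not real accounts or passwords).
SAMPLE = {
    "email":   ("cheese2", ["alice"]),
    "bank":    ("cheese2", ["alice"]),
    "payroll": ("Eatcheese2times@day", ["alice", "bob"]),
    "cloud":   ("Walk3dogs!before8am", ["carol"]),
}

if __name__ == "__main__":
    for section, result in audit(SAMPLE).items():
        print(section, result)
```

Run it only on a machine you trust, and delete the inventory afterwards, since it holds the passwords in plain text.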