- slide 1 of 14
You Need More Than Just Software
As you know, big companies can afford to outsource or hire people to help them with cyber security. You as a small business owner, on the other hand, may just be pre-occupied with running the business at hand, and may not be even thinking much about cyber threats, except when you see them in the news, or when your business is affected by a cyber security incident.
Hackers, viruses, spyware, worms, and run-a-mock malware do not discriminate. It doesn't really matter how big or small a business you have. Regardless, a cyber security incident can cost your company in both tangible (money) and non-tangible (integrity) ways.
To help you, the small business owner, operate on par with the big companies, I've compiled 10 cyber security tips that the you can implement at very minimal cost.
- Do it like the big guys.
- Secure the end point.
- Use a firewall.
- Use web filtering.
- Have a security awareness program for employees.
- Establish a password policy.
- Use encryption.
- Use digital certificates.
- Outsource your spam/junk mail filtering.
- Backup data and have a disaster recovery plan.
I will cover them in detail in the following sections.
- slide 2 of 14
1. Do It Like the Big Guys
Many small businesses don't realize this, but they can cyber secure themselves just like big companies. What do I mean by this? You might think that an anti-virus solution may be all you need; but there really is no single security solution that can secure a company. Big companies know this, and they secure their network and systems using a layered approach. A layered approach is a multi-level set of security solutions implemented across the company's systems and staff. The security solutions can cover the following areas, with each area being vulnerable to cyber threats.
- End points (includes laptops, desktops, and smart phones)
- Network (even small businesses have a network where computers connect and access cyberspace or the Internet)
- Servers (some small businesses have servers for storing files, providing internal print and application services)
- Internet access
- Intellectual property and confidential information
- Online/Web presence
Any security breach in these areas can potentially lead to a business's demise. The rest of the tips, to follow, will show why there is no reason small businesses cannot implement a layered approach, just like the big guys, and in the process cyber secure your business assets.
- slide 3 of 14
2. Secure the End Point
One obvious place where cyber security needs be implemented is on the end point. End points are the user devices--like a laptop, desktop, and even a smart phone.
In general, the end-points are really the entry points for threats that can cause various damage to a small business's cyber infrastructure, data, intellectual property, and reputation. These are some of the things you can do:
- Install anti-virus/anti-malware software, and schedule it to scan on a periodic basis.
- Set up computers so that they are configured to receive critical and security updates for their operating systems; cyber security threats take advantage of operating system and application vulnerabilities.
- Use them for business purposes only as it will minimize exposure to cyber threats.
- Password protect your computers. A computer without a password is like a house with open doors and windows.
Here are some things you should not do:
- Do not use servers as end point devices as you will expose them to end point cyber threats
- Do not open or click links on spam, junk, of phishing email.
- Do not open attachments from sources you aren't expecting.
- slide 4 of 14
3. Use a Firewall
Even small businesses use a network; and with a network comes the need to use a firewall. Oh, you only have one computer? It is still good practice to have a firewall. Most firewalls come in the little Internet gateways (or modems--a misnomer-- as most would call it) provided by your ISP (Internet Service Provider). If you bought your own, that most likely comes with some form of firewall.
Unless you have your own server which serves web pages to the Internet, the only ports that should be allowed into your network should be ports greater than 1024. This is most likely the default setting. Doing this will help keep hackers from seeing your server outside of your busiess network.
For example, if you have an internal web server, that server will be serving web pages to your internal computers via port 80 (the well known port for HTTP or web services). Since this is an internal web server, you don't want port 80 to be accessible from the Internet, because allowing it would put your web server at risk of being hacked. Hackers just need one single beachhead to do damage to your network and assets.
- slide 5 of 14
4. Use Web Filtering
Have you ever been hit with a fake anti-virus program? It is the type that suddenly shows up on your computer telling you it is scanning your computer and then reports that it found some serious infection on your computer? Some of these scare-ware fake anti-virus programs look so real that they could fool a novice computer user.
How can this happen? Some sites are infected with ads that can inject such a program on your computer. Traditional anti-virus programs won't catch them because they typically watch for the access and opening of files on your computer file system. But web traffic is different. It is data captured from the web and sent directly to your computer's memory; there the program runs and installs itself into your computer's registry.
A web filter can help keep you from accidentally landing on a malicious or infected site. Solutions from OpenDNS are available. You simply set the domain name servers from OpenDNS into your computer, and whenever your computer tries to resolve a web site name to its native Internet address, it goes to the OpenDNS server and checks to see if that web site is a safe site. If you wish to find out more about this, go to http://www.opendns.com.
Another solution is called the K9 Web Protection. It is relatively easy to configure and pretty inexpensive. As of this writing it costs no more than $19 per year per license.
- slide 6 of 14
5. Have a Security Awareness Program for Employees
Many small businesses don't have any security awareness program. Don't be like them. A security awareness program for employees should not be too complicated. At the very least is should cover the following things:
- Tell employees that their login credentials are theirs. They need to keep them as secure as their money--i.e. don't leave it lying around, or someone may take it. Some people write their login credentials on a post-it note and put it under the keyboard. This is as good as not having a password at all. If you tell your employees that their job and the survival of the business may rest on their ability to secure their account, they may take it more seriously.
- Teach employees how to handle emails, especially unexpected emails. Your employees just need to know not to click links or open attachments from emails they aren't expecting. The danger in clicking a link or opening an attachment from an unexpected source is that, respectively, you may be sent to a website that is infected with some fakeware or malware ad, or the attachment may install a trojan horse, some of which are known to hog the computing power of the infected computer in order to spread itself via email or other network means. Other malware are simply designed to wreck havoc on a computer's file system, rendering the computer useless.
- slide 7 of 14
Even if you don't have a dedicated IT staff, there are several things you can do to shore up your defenses against cyber threats.
- slide 8 of 14
6. Establish a Password Policy
Most small businesses can improve their cyber security stance by making it difficult for hackers to break into their account by simply adopting a password policy.
Here is an example:
- Passwords shall be at least 8 characters in length.
- It must contain at least one capital letter and at least one number.
- Change passwords every 3 months.
- Do not write login information on a sticky note and put under keyboard.
This doesn't cost any money, it just needs to be implemented and followed.
- slide 9 of 14
7. Use Encryption
As another layer of security, small businesses can employ encryption to protect their confidential information or intellectual property that may be stored on a laptop, desktop or server.
A solution like PGP (pretty good privacy) is a very mature and effective product for encrypting files and even disk volumes. There are even open source solutions like TrueCrypt for encrypting volumes on a computer system; it is free, and works very effectively.
Should your computer be broken into or your laptop lost, your intellectual property and confidential information would be protected from any prying eyes because they cannot open the files or volumes without knowing the passphrase to access it.
- slide 10 of 14
8. Use Digital Certificates
There are at least two purposes for using digital certificates. The most obvious is their use on web sites. If your business has an online presence and is able to take payment, then customers will have a higher tendency to trust your online presence when it is using a digital certificate signed by a certification authority (CA).
Verisign is one such well known CA. Browsers know of CAs and will typically indicate that the site is a trusted site and if your site is secure (i.e uses SSL, indicated by HTTPS:// in the URL), it will indicate so with a locked padlock. If your site is self signed, your customers will see an error pop up on their browser, indicating that the site may not be a trustworthy one and to be cautious. You really don't want that popping up in front of your customers as that is a surefire way to shoo them away.
The bottom line is you need an SSL certificate that is signed by a known CA.
The other use of a digital certificate is to digitally sign your electronic document or data so that people receiving it know that it is authentic and not some fake that may not contain what they expect--i.e. corrupted information or worse, made up data.
- slide 11 of 14
9. Outsource Your Spam/Junk Mail Filtering
It is true that money is at the root of anything evil. Money is at the root of spam and junk mail. Spammers send millions of email, and even if only 1% of receivers click one of their spam links, they can make significant money! Spammers also send emails to infect people that receive them with a program that will turn the computer into a spam zombie--i.e. a spam email sender.
As a business, when you acquire your domain, you likely also acquired basic email services which allows for receipt of email into your domain, like email@example.com. Most of these email services are pretty basic--i.e. your mail boxes receive all emails, regardless of whether it is legitimate or plain junk mail.
With the magnitude of junk email floating out there, you will definitely need a spam/junk filter for inbound and outbound email. In general inbound junk/spam email constitutes around 80% of all emails received by a typical organization. Without any kind of filter, a business would be overly burdened by unnecessary email. This can impact productivity, as well as use up space.
If any of your computers become a zombie for spammers, your organization could also become a source of spam. When that happens, your domain will quickly get shut down by major ISPs. As such, none of your emails will reach their intended recipients. The only fix for this kind of damage is to contact each ISP and let them know what happened and promise them that you've removed the offending computer from your network.
There is one easy solution for this (and it is with minimal headache)--outsource email filtering for both inbound and outbound traffic. Google provides such a service--called Postini. Pricing is very competitive, with basic message security costing only $12/yr per user.
- slide 12 of 14
10. Backup Data and Have a Disaster Recovery Plan
As a final line of defense, you have your backup data and disaster recovery plan.
Some of the more destructive malware out there can render your computer's drive useless. A business can lose precious time if mission critical data is lost. To mitigate the effect of data loss due to malicious events, your small business should invest in high capacity external USB drives. In today's market, one can acquire such a device with up to 2TB of storage space for less than $200. Most of these devices come preconfigured to run backups on your computer. In most cases, a simple push of a button on such a unit could initiate the backup process.
What if that backup drive is infected as well and is rendered useless? This is where you fall back to your disaster recovery plan. The plan includes subscribing to "in the cloud" backup. There are at least two very well known solutions out there--1) carbonite.com, and 2) mozy.com. This kind of service only costs around $5 per month, and there is no limitation on how much you store there. Recovery is as fast as connecting to their service and restoring the files you wish to recover. What could be easier than that?
- slide 13 of 14
The Short Version
In today's cyber-dependent business environment, you need all the help you can get to enhance your business' cyber security stance. In summary they are:
- Take a layered approach to cyber security, just like the big companies.
- Protect your end points; keep viruses and malware away.
- Keep unintended traffic away from your business computers with a firewall.
- Use web filtering to keep your business away from infected, inappropriate, or malicious sites.
- Provide some cyber security training to your employees.
- Establish a password policy to keep the bad guys guessing.
- To keep your data confidential, encrypt your files and volumes.
- Use digital certificates to let your online customers know you can be trusted and to prove authenticity.
- Outsource email filtering to keep junk and spam out and to keep your business emails flowing.
- Back up your data and have a recovery plan; when all else fails, your business can depend on this.
- slide 14 of 14
ReferenceThe tips provided here are based on the author's professional and personal experience.