In an increasingly connected and digital world, cyber security is vital for protecting sensitive business information. TERRY HEARN discusses its importance for small businesses and provides a guide to data security.
In 2017 more than half a million Australian small to medium businesses (SMBs) were victims of cyber crime but, unlike larger companies, SMBs don’t always have the resources required to recover from the downtime and expense of dealing with a cyber attack. In a business with only a handful of employees there aren’t always the resources to hire a dedicated IT specialist, meaning that security becomes a secondary role for somebody else.
In these situations, it can be difficult to juggle the responsibilities of a job alongside establishing and sustaining a data security system and keeping up-to-date with the latest risks. By looking at the key elements SMBs should be aware of, this guide should help as a starting point to effectively protect your business and reduce the risk of a cyber attack.
The golden rule of cyber security is that you are only ever as strong as your weakest link. In most cases, this will mean the awareness of the people you work with. Ordinarily, providing regular training will help to reduce the risk of accidental breaches; however, the insider threat is a very real risk and protecting against it should be a high priority.
The insider could be a disgruntled former worker or a third party who was provided with access to your data. For this reason, it is important to maintain close control of your network and pay attention to who has access to your most secure information. Access should be issued only to those who require it and should be removed from those who leave the company. Contractors and other third parties should not be given admin access unless it is essential, and this access should be removed as soon as their work is complete.
By making this a company policy, the rule will apply to everyone who no longer requires access and so does not indicate a lack of trust in those who have left on good terms.
One of the simplest ways hackers can gain access to your network is by using a brute force attack to guess weak passwords. Worryingly, in 2017, ‘password’ and ‘123456’ were still some of the most common choices, and retained their positions as the worst passwords of the year. Simply by creating strong passwords, you and your staff will be able to rest a little easier knowing that you have taken a big step towards improved security.
It is vital that every device on your network is assigned a strong password and nothing is left with a simple or default password. This extends to devices you may not think of, such as printers, phones or smart devices. Without strong passwords, even the most innocuous items have the potential to become a backdoor to access your network.
While regular password changes are good practice, it is far more important that the strength of passwords is maintained. If passwords are changed too frequently, staff may choose simple variants, like the name of the month, to help them remember. While the passwords will be different, they will also be easier to guess. For this reason, it is far better to use stronger passwords that are changed less frequently. Alternatively, password management software is a great way to keep track of multiple strong passwords.
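The weak choices described above (the most common passwords, month names and small variations on the last password) can be rejected automatically when a password is changed. The following check is an added example, not part of the original article; the deny-list, the minimum length and the function names are assumptions made for illustration.

```python
import re

# Constructed sample deny-list; a real check would load a much larger one.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def letters_only(password):
    """Lower-case the password and drop digits and symbols."""
    return re.sub(r"[^a-z]", "", password.lower())


def weaknesses(candidate, previous=None):
    """Return the reasons a new password should be rejected (empty = accept).

    `previous` is the old password as typed into the change form, so the
    comparison needs no stored plaintext.
    """
    reasons = []
    core = letters_only(candidate)
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if candidate.lower() in COMMON or core in COMMON:
        reasons.append("common password")
    # A month name that makes up nearly all the letters, e.g. "March2019!".
    if any(m in core and len(core) - len(m) <= 3 for m in MONTHS):
        reasons.append("based on a month name")
    # Same letters as last time: only the digits or symbols were changed.
    if previous and core and core == letters_only(previous):
        reasons.append("variant of previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords: (new password, previous password).
    for new, old in [("password", None), ("September2019!", "August2019!"),
                     ("Harbour-Lantern-42", "Harbour-Lantern-41"),
                     ("copper-tundra-velvet-kite", "Harbour-Lantern-42")]:
        print(f"{new!r}: {weaknesses(new, old) or 'accepted'}")
```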
Investing in expensive security systems will be utterly ineffectual if those working at the company are not trained in the basics of cyber security.
Understanding cyber security jargon and how the terms affect you is key to building confidence. One example is a phishing attack. While this may sound complicated, it is simply where a malicious email or attachment presents itself as legitimate to trick the user into opening it. This is one of the most common forms of attack. Through training, all the members of your team will be able to better identify and flag suspicious emails, reducing the risk of becoming the victim of a common attack.
If employers do not know enough to provide the training themselves, it is even more important that training for staff at all levels is arranged. The greater a company’s collective cyber security knowledge, the lower its chances of becoming the victim of a hack.
It’s important to make sure that training is not forgotten in the weeks after completion. This means regular refreshers and update sessions are key. Not only will they help to reinforce good habits, but they also ensure that training can be updated to account for the development of new types of threats.
By building a security culture around your business you can ensure that everybody takes responsibility – not only for their own online safety, but for that of the wider company too.
Criminals are constantly looking to find exploits that will allow them access through different types of software. By releasing regular patches, software manufacturers can prevent these attacks. However, if you are using older software or operating systems, it is likely that they are no longer receiving security updates, meaning that any vulnerabilities will remain unchecked.
WannaCry, one of the largest cyber attacks of recent years, succeeded by targeting organisations like the UK’s NHS, which was still running old operating systems including Windows XP – support for which ended in April 2014. While patching and updates can be complicated to implement for large organisations, patching for small businesses is a necessity. If your software is no longer supported, it’s time for an upgrade. And if your software is still receiving patches and updates, be sure to update every device that is connected to your network.
While these may seem like simple steps, they are some of the most effective and inexpensive ways to protect your sensitive data. However, to make sure your business is as protected as possible, these processes should be used in conjunction with effective antivirus software. These tools can help to prevent malicious software such as malware or viruses from infecting your devices. It is also good practice to set up a firewall to help prevent threats from reaching your network.
Combining security software with education and a culture of security will help you to achieve a holistic solution for keeping your company’s data as secure as possible.
Terry Hearn is a researcher and copywriter, working for a number of international cyber security brands. His professional work covers topics from consumer tech to business data protection.
This was originally published in the Dec/Jan 2019 issue of FM magazine.