The internet has brought huge advantages to small- and medium-sized businesses. But it also brings the risk of cyber attacks, attempts to steal information or money, or to disrupt your operations. While a multinational corporation typically has the organisational resilience to deal with the devastating effects of a breach, your business may not have the resources to respond and recover.
So, it's vital to manage these risks and prevent or detect online attacks with basic security practices for your people, processes and IT systems. The following simple steps, plus a liberal helping of common sense, can make a real difference.
In addition to anti-malware, using up-to-date versions of operating systems, applications, firmware and browser plug-ins helps protect against the latest threats by patching security vulnerabilities. The sooner these are patched, the lower the risk of your systems being compromised. Most software updates run automatically, so you don't even need to do anything, but double-check to be sure.
Weak, easy-to-guess or shared passwords are a classic vulnerability. Use a password manager tool such as KeePass, LastPass or 1Password to generate unique passwords and securely store your log-ins, so you never have to worry about writing them down or forgetting them.
Mobile devices should be locked to prevent a would-be thief from gaining immediate access. Encryption should also be used to protect sensitive data from falling into the wrong hands, and built-in tracking (standard with Android and iOS) can be used to locate and remotely lock or wipe lost devices.
If you manage your own computer, be ultra-cautious when downloading and installing software or browser plug-ins. If it's free, or not from a recognised, trusted software vendor, it may well include features that spy on your activity or install harmful programs. Ideally, your security policy and settings should permit users to install only those programs enabled by your system administrator.
Ransomware – when hackers use a virus to encrypt files and hold them "hostage" until you pay up – is a growing concern for small businesses. Frequently back up your data using the 3-2-1 rule: keep three copies of any important file on two types of storage devices, one of which must be in a different location and not connected to other back-ups. The cloud is a great way to provide instant off-site back-up and fundamental security protection.
If you have remote, mobile or field workers, you need to provide them with a secure data connection to your network. Invest in a virtual private network (VPN) that enables employees to securely access company files, applications, printers or other resources via an encrypted connection. It will also keep them off a hacker's radar while using public Wi-Fi hotspots, which can otherwise be an all-you-can-eat buffet of personal information to the tech-savvy criminal.
Don't log in to your computer using an account with administrative privileges for day-to-day work and web browsing. Ever. An account with lesser privileges will notify you if a program tries to install software or modify your computer's settings, so you can actively decide whether it's safe before clicking. You can also use tiered administration or role-based access control to define permissions, to ensure users can only perform functions or access systems appropriate to their jobs.
Sending an attachment by email effectively means you lose control over that file – the recipient could forward it or store it on an unprotected device, increasing the risk of it falling into unauthorised hands. Use a reputable file-sharing app or cloud storage service which allows you to limit who can access shared files and for how long, and send a link to the file instead.
A password doesn't confirm who you are – it just demonstrates that you know the user name and password. Biometric authentication technology – such as fingerprint readers – is becoming more widespread, and offers an inexpensive and simple way to secure a device, software application, folder or file without relying on PINs and passwords.
If your company hasn't carried out penetration testing, now might be the ideal time. Discovering your vulnerabilities can be an eye-opening experience, but it pays to gain feedback on the most at-risk routes into your company or applications, and uncover aspects of your security policy that may be lacking.