Cyber Security for a Small or Solo Business

What do you have to do to prevent being hacked?

Best practice for cyber security is more than just locking the front door

For many small businesses and consulting groups, and solo practitioners, the need to secure the computer systems they use presents both a conceptual barrier as well as a technical one. They think they may need an expensive specialist and often feel that “it can’t happen to them.”

Both of these assumptions are wrong. Most steps that organizations need to take in order to protect their online assets do not require a lot of technical skill. What is needed is attention to detail, persistence, and knowing when to get help.

In digital publishing, the files on your computers are your most important business assets. Protect them at all times.

Here’s a list of some of the more common sense moves even a small consulting group can make that have good payoffs in terms of protecting digital assets.

A lot of these actions can be taken relatively quickly and without special expertise. This isn’t a complete list, but there is a resource at the end with more tips.

Location – Do not put key business information, including personnel, financial, and client or member records, on the same computer system as the web site.

Have a contractor host the website separately so that the public face of the organization on the Internet isn’t a doorway to that organization’s internal operations. Your website is the first thing that will be attacked, so make sure whoever hosts it has a verifiable track record of protecting their clients from efforts to upend your online presence.

Think your business won’t be a target? Think again. So-called “script kiddies” are looking for any open system to use for online scams or to hijack personal information. Organized gangs don’t care where they get credit card information so long as they get it.

Check with your accountant about the firm’s security measures since tax information will include things like social security numbers, payroll, checking accounts, investments, credit card accounts and health care benefits.

Passwords – Don’t use proper names, place names, or birth dates for passwords. Use strong passwords that combine upper and lower case, numbers, and special characters. Do not allow staff to use the same password for all systems. Do not store passwords online.

Protection – Use a firewall and virus checker for all computers. Set them to automatically update and budget to renew subscriptions for security software. You cannot allow it to get out of date.

Permission – Define who is authorized to access what data. For instance, how many employees or contractors need access beyond email, calendar, and time cards in addition to personal productivity software like word processing and spreadsheets? Keep a list of who has access to sensitive information such as payroll, taxes, personnel, and other information that needs to remain private.

Many groups rely on external suppliers to get work done. Do you know which ones have access, or had access at one time, to your most important data? Do they still need it?

When an employee leaves the organization, delete their passwords as part of the checkout process. Immediately revoke all passwords for any employee who is fired for cause or for any employee or any contractor who quits as part of a dispute.
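As an added illustration of the Permission advice above (example code, not from the original post), a small Python script that audits a constructed access register against the current roster: it lists accounts that must be revoked for people who have left, flags contractor access to sensitive data that has gone unused, and produces the list of who currently holds sensitive access. All names, systems and dates are invented for the example.

```python
from datetime import date

# Constructed sample data for illustration only; the names, systems and
# dates are invented. "Baseline" access is what almost everyone needs;
# "sensitive" systems are the ones the access list must track.
BASELINE = {"email", "calendar", "timecards", "office-suite"}
SENSITIVE = {"payroll", "taxes", "personnel", "client-records", "website-admin"}

ROSTER = {  # who is still with the organization, and in what capacity
    "alice": "employee",
    "bob": "employee",
    "carol-consulting": "contractor",
}

# Access register rows: (person, system, date the access was last used)
REGISTER = [
    ("alice", "email", date(2011, 8, 12)),
    ("alice", "payroll", date(2011, 8, 10)),
    ("bob", "email", date(2011, 8, 13)),
    ("bob", "office-suite", date(2011, 8, 13)),
    ("carol-consulting", "client-records", date(2011, 3, 1)),
    ("dave", "personnel", date(2011, 7, 30)),   # dave has left the organization
    ("dave", "email", date(2011, 8, 1)),
]


def review_access(register, roster, today, stale_days=90):
    """Return findings: access to revoke now (person no longer on the roster),
    contractor access to sensitive systems unused for more than stale_days,
    and the current list of who holds access to sensitive information."""
    revoke, review, sensitive_holders = [], [], {}
    for person, system, last_used in register:
        if person not in roster:
            revoke.append((person, system))          # departed: revoke everything
            continue
        if system in SENSITIVE:
            sensitive_holders.setdefault(person, set()).add(system)
            idle = (today - last_used).days
            if roster[person] == "contractor" and idle > stale_days:
                review.append((person, system, idle))  # does the supplier still need it?
    return {
        "revoke": sorted(revoke),
        "review": review,
        "sensitive": {p: sorted(s) for p, s in sensitive_holders.items()},
    }


if __name__ == "__main__":
    print(review_access(REGISTER, ROSTER, date(2011, 8, 14)))
```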

Backup – Hire a service to backup software and data on a daily basis and store it in encrypted form offsite. This can be done over the Internet with a subscription service for desktops and laptops, and with a commercial service for larger systems like finance, personnel, membership, etc.

Travel – Do not allow sensitive electronic information to leave the premises on laptops or USB sticks. Instead, use commercial VPN software to support telecommuting. If employees use laptops while traveling, buy whole-disk encryption software licenses and install it on all of them.

WiFi – Have two networks at your facility. The first is open, and insecure, for visitors. The second is secure and only for use by employees, contractors, consultants, etc. Make sure the security features of the WiFi equipment are fully implemented and get help if you need it. Do not use the public WiFi for the organization’s business operations.

Beware of strangers who want to talk to your critical digital assets in public places!

Public WiFi in coffee shops, airports, and hotels is not secure and should not be used to access important sites like online banking, credit cards, etc. Hackers haunt these networks with sophisticated electronic “sniffing” tools to snatch online IDs and passwords for the purpose of identity theft. This means your online time should be used cautiously in these places.

Don’t attempt to connect to “free” networks in airports that require a fee to use their WiFi. Chances are it isn’t a legitimate operation.

Free WiFi networks in coffee shops are OK for email, reading sports news, or other third party content. Never conduct sensitive business transactions on a public WiFi network.

If you are traveling alone, do not walk away from your laptop for even a few seconds as that’s all it takes for a thief to grab it and disappear into the crowd. When going through airport security, keep an eye on your laptop at all times.

Phones – Today’s smart phones often have access to your computer files in the cloud and some “apps,” such as music services, have access to your credit cards. All cell phones need to have “lock” features and an “app” (application) that allows them to be tracked down if lost, and wiped remotely if stolen. Most cell carriers offer a free backup service for contacts and there are plenty of “apps” to backup other data.

Check online reviews of apps before downloading them. Some so-called testimonials come from unscrupulous vendors. The best and most reliable apps will have reviews by major online web sites that cover smartphone services, e.g., the Android and Apple markets.

Social media – If your firm has a Facebook page, do not wander away from managing it to play with links, even from “friends,” that pique your curiosity but have nothing to do with the business of running the site. Don’t click on links in Twitter messages sent to you from people you do not know. Educate your employees how to recognize online scams that seek to get someone to send them login information. Make sure your Facebook page is set up to use https with your browser.

Are you secure on Facebook? Don’t let your account get hacked or worse. Look at the address bar at the top of your screen. If the URL that you are logged into is ‘http’ or ‘www’ instead of ‘https’, your connection is vulnerable to hacking. To fix it: Go to Account > Account Settings > Security (top left of the screen) > Secure Browsing > Edit > Enable Secure Browsing.

Get physical – Employ a reputable security firm to install intrusion, fire, and water alarms connected to a monitoring center. Physical theft of computers is also a threat. Water or fire damage can destroy your organization’s ability to conduct business, which is why you need backups.

Insurance – Cyber risks are not covered by standard liability, property, or casualty insurance. You can buy coverage that deals with privacy violations, business interruption, and other forms of cyber threats. Make sure you are covered.

For more information check the United States government Computer Emergency Readiness Team http://www.us-cert.gov/cas/tips/ for comprehensive guidance.

Posted 2011 08 14 by:  blog@cdpug.org
