Information Security (infosec) is a topic which has received a large and growing amount of attention in the past few years, and with good reason: not only have data breaches cost companies billions of dollars, but they have also resulted in significant embarrassment and loss of reputation. However, for every Target or Sony Pictures breach that garners national attention, there are hundreds, if not thousands, of successful attacks carried out on companies of all sizes that result in the capture of sensitive data or financial loss, in some cases irreparably damaging those companies.
Indeed, while many small businesses would not consider themselves targets because of their size, the data does not bear this out: reports show that as much as 43% of cyberattacks are targeted at small businesses – indirectly because of their small size, rather than in spite of it. Small businesses, lacking the resources to hire information security personnel, are often poorly protected, and automation allows advanced attackers to target them by the hundreds.
Founders, and those considering jumping into entrepreneurship, may be groaning at the idea that there is yet another hat they should be wearing. For non-tech startups this is an especially tall order, because the business may not even have IT staff, much less anyone in a position to train others in IT security. However, as the old joke about running from the bear goes, you don’t have to outwit the hackers, just be more secure than the other companies around you, which is a much more manageable task. No matter the kind of business or the complexity of the IT infrastructure, here are some simple ideas for becoming a harder target. They require neither a lot of money nor extensive technical knowledge to implement, but if used company-wide they can greatly improve the outcome when you are attacked:
1. Password security – Passwords need to be not just long but complex as well. Make sure that passwords are at least 12 characters and use numbers and special characters. Never use the names of your kids, pets, or any other personal information – in the age of social media (and of large companies losing your private information), attackers have access to a lot of data to help them guess your password. If you provide computers for employees, or if you use Active Directory or something similar, make sure complexity requirements are enabled (your IT pro can easily set this up for you). Also talk to employees about why this is important, and require that passwords are changed regularly – at least twice a year. If the prospect of managing a bunch of complex, random passwords that change regularly seems overwhelming, consider using a program like LastPass, which generates complex passwords for you, stores them encrypted, and then fills them in automatically via a browser extension.
2. Two-factor authentication – In addition to your new complex passwords, two-factor authentication adds another level of protection by requiring that the user also enter a numerical code, which is typically either sent as a text message to the user’s registered phone or generated by an app like Google Authenticator, which the user downloads and then syncs with the app or website in question. After a one-time setup, the user is required to enter a code that changes constantly, so it cannot be guessed by an attacker. While this adds a few seconds to your login time, it also provides a lot of protection: even if an attacker manages to guess or obtain a password, they would still need physical possession of the user’s phone in order to have both factors necessary to gain access. Enable this feature on every website and application that offers it, and require employees to do so as well.
3. Backups – One of the attacks most rapidly growing in frequency is ransomware, where the attacker implants a piece of malicious software (malware) onto your system (more on how later). This software then encrypts all the files on your machine, and you must pay the attacker for the key to unlock them. Once the files are encrypted, deleting the software (if you can locate it) will not help, as all of your data will be useless in its encrypted form. The only way to get up and running again without paying is to wipe the hard drives and reinstall everything. If you are backing up all your files regularly (daily if possible, at least weekly), then this will be a minor problem. If not, you may end up paying, and then hoping the attacker keeps his word and gives you the unlock key. Back up important files and folders daily (both Windows and macOS have tools to help automate this). If you have any hosted services, make sure your provider does daily backups as part of your service agreement. If nothing else, use a service like Dropbox, which can sync your working files automatically in real time, and then run a backup at the end of the week to an external hard drive or flash drive (password protected and encrypted, of course), or to a company server if you have one. Keep in mind that a sync service copies whatever is on your machine, encrypted files included, which is why the separate weekly backup still matters.
4. Email security – This is a topic on which whole books have been written, so we will not cover it exhaustively. However, there are a couple of behaviors that can add a lot of security. By far the most common way malware gets introduced into a target’s system is phishing – a simple yet effective attack in which an email is sent out with a malicious link or attachment, often written to look like an email from a senior member of the company, or designed to entice the user (fill out this quick survey for a chance to win a gift card, etc.). This is the typical method, or attack vector, by which ransomware gets onto target systems. Insist that employees never send each other links to anything, so that if an email arrives with one in it, suspicions are immediately raised. Let everyone know that you will not be communicating any kind of request for money to be transferred or new accounts to be opened via email, and that if they receive one, they should call you immediately, before clicking a link and giving away company information on a fake login screen, and definitely before sending any money, period. Consider using an application like Google Messenger, which is free and supports two-factor authentication, as the primary form of intra-office communication instead of email.
5. Software patching – After new software has come out, vulnerabilities are inevitably found – many companies even pay users who locate such vulnerabilities before they turn into attacks on customers. Fixes then become security patches which roll out to all users. If you ignore those requests to update (we are all tempted), then your system remains vulnerable to the attack – and since the vulnerability is now public knowledge, an attacker has a cheat sheet of things to try if he gains access. Most software (including operating systems) gives you the ability to configure automatic updates – make sure that option is always selected, and configure checks for updates to run daily. Operating systems usually allow this process to be scheduled for a particular time – try setting it for first thing in the morning, so it can do its checks and updates while you are still getting settled in and pouring the first cup of coffee.
This is only the surface of information security, but these tips will make a real difference – they prevent or hinder the most common attack vectors for the most frequent attacks on smaller companies. They work for one user or twenty, whether you have company servers or just a team with laptops working remotely. Implementing them can make you a hard enough target that attackers decide to move on to the next one, and then you and your company can get back to business.