Small business owners and operators often believe they are less of a target for cyber crime than a large multinational company would be. However, this is a fallacy – one that may have severe consequences if the small business chooses to ignore establishing a reasonable security posture.
Small business is a target due to the simple fact that most criminal actors don’t distinguish their targets. Instead, they opt to target as many potential victims as possible, maximizing the number of compromises in their criminal portfolio.
However, this doesn’t mean a small business needs a large budget to improve their security posture – quite the contrary. Organizations of all sizes often neglect to take some the most basic steps toward operating securely. It is possible to address most of today’s common threats with a few basic steps. Though every organization is different, these steps outline a reasonably simple baseline of actions anyone can implement without significantly disrupting their business rhythm and workflow.
Upgrade your authentication
Passwords are going to be around a while. There are many shortfalls with using passwords as the sole means of securing accounts, but a few quick steps can overcome most of them. First, use extremely strong passwords. Eight characters with number/letter/upper/lower/special character doesn’t cut it any more. Use a random string of 30+ characters and don’t reuse those passwords. Obviously, that’s not something you can remember, so the next step is to use password management software. I personally use 1Password, but there are several others including LastPass and KeePass.
Additionally, use two-factor authentication – tokens, mobile apps, or text messages that provide temporary verification codes for each account. These separate, parallel authentication systems including DuoSecurity, Google Authenticator, Norton VIP, RSA tokens, and text messages go a long way toward ensuring your account is safe. This is imperative for your most important resources such as your bank accounts, but should be done wherever it’s available. If your business banking account doesn’t have two-factor authentication for online services, start looking for a new bank.
Use a separate system for sensitive tasks
You shouldn’t manage payroll from the same system you use for email. I recommend using a completely separate system for processing any of your company’s finances. This means nothing else should ever take place on that system except for money matters and you should never manage finances from any other system. This makes it extremely difficult for web-based or email-borne attacks to gain access to finances and other business-critical information.
This could mean a fully separate computer system such as an inexpensive laptop or an> operating system installed to a bootable USB device that gives you segregation between day-to-day business functions and more sensitive tasks. Never cross-contaminate these tasks between their designated platform. This separation is a simple and often inexpensive investment that provides a huge barrier to malicious actors’ attempts to access to your sensitive information.
Know and manage data access
If you don’t know who can access the personnel files on your server or a standalone office computer, assume everyone has access. You wouldn’t leave sensitive paper documents out on the table for everyone to see and their electronic equivalents should be controlled as well. This means implementing and auditing proper access controls on the files and devices that contain sensitive business data such as personnel records, financial documents, customer lists, supplier pricing, customer data records, and more. Any employee’s errant click on a website could cause all of the information they can access to be at risk. Minimize the information an individual can access and you’ll minimize the risk of it being compromised.
This step could be accomplished in several different ways – whether using the dedicated system approach from above, or by implementing user account restrictions on different shares on a file server, for example.
Activate full-disk encryption
Without encryption at rest, a lost or stolen laptop makes all of the information on the system accessible to the thief. The logon password to a system is not designed as a data security barrier and can be trivially bypassed by even an unskilled thief. Social security numbers, credit card data, health care information and more all incur various reporting requirements that can become an extremely expensive headache. The simple step of activating full-device encryption could be the difference between simply buying a new laptop and paying for credit monitoring services for every one of your customers – then dealing with the damage to your company’s reputation.
Systems running Apple’s OS X operating system can use the FileVault 2 feature and Microsoft Windows users can use the Bitlocker utility to accomplish this. There are several Linux options, depending on the specific distribution.
Establish and test backups
The worst time to learn you don’t have viable backups is when you’ve lost data. Be sure to implement a backup solution that covers your most critical data and test it on a regular schedule.
These may be onsite and/or offsite solutions. Onsite backup (such as Apple’s Time Machine, Microsoft Windows’ Backup and Restore feature, or various third party software titles) uses a storage device within your environment to store backups and can provide quick restoral of even large files. Offsite solutions (including CrashPlan, Carbonite, and many others) use Internet-based storage platforms. Offsite solutions mitigate the more serious data risks such as theft, fire, or flood, but require more time to restore.
Regardless, ensure your chosen backups are encrypted to avoid unwanted exposure. Periodically test the restore process for each backup solution to prevent any unpleasant surprises when the process really matters.
Don’t ignore mobile devices
If your smartphone does business using email or applications for CRM, for vendor interactions, handling proprietary information, or finances, your mobile devices should be secured to the same standards as any other computer that processes similar information. This means using strong passcodes (complex alphanumeric and biometric, not simply four numeric digits), full-device encryption, and possibly isolating critical functions to a dedicated device. This is not a trivial step to take – mobile security solutions are rare and immature, and few people actually want to carry two mobile devices. In that vein, it may be advisable to prohibit employees from performing critical business functions via mobile devices.
Prepare to investigate
It is an unfortunate reality that your organization may still be breached whether you are large or small, well-financed or bootstrapped. The cost of investigating a breach is often hundreds of thousands of dollars. This is primarily because most organizations haven’t recorded the account, web server, and email logs needed to piece together what happened. Not having this evidence readily available means that expensive hourly investigators may need to bill for days of data acquisition before they’re able to perform any specialized tasks. Today, network collections such as NetFlow and endpoint details from a system like Carbon Black (included with Red Canary’s service should become the standard. Data breaches currently take an average of 200+ days to discover, so implementing a retention policy for evidence that covers at least that long is important.
These steps will go a long way toward minimizing the cost and business impact of a data breach, and also set the organization on a trajectory to a proper security posture. Small businesses actually enjoy a distinct advantage in this regard. While businesses of every size are targets, small businesses are able to implement these measures far more quickly than large companies.
By undertaking these basic steps, you will greatly improve your odds in the increasingly hostile connected world.