According to a recent publication by the National Small Business Association, 44 percent of small businesses reported being a victim of a cyber attack. In our increasingly online and mobile environment it is no surprise that our daily routines create an abundance of personal and business-related data just waiting to be abducted for criminal use. A single cyber attack can paralyze a business for days on end, destroy customer confidence, and even serve as a catalyst for the ultimate demise of an otherwise successful enterprise. While security and protection against theft, fire, safety, and other physical damage seem to be considered foundational and necessary for most companies, adequate attention to cyber security is not yet widespread. In this issue of Best Practices, we sat down with Devi Momot, CEO of Twinstate Technologies, to help inform the local business community of the risks and preventive measures available to them to fight this growing disruption.
Bad News, Good News
First, the bad news: We are all vulnerable. Some small businesses make the mistake of considering cyber security a lower priority because they don’t think they have anything that hackers would want. If you don’t use or store sensitive customer information, it might be tempting to think that you have little to lose. The reality is that the automation of cyber crime makes target identification similar to that of a car thief scanning their environment for a target. They first evaluate their potential targets for ease of entry, regardless of the expectation of what they might find inside. In this way, an unlocked economy car can be a more attractive target than a luxury vehicle. So too, can your unsecured company network. The good news is that there are preventive measures you can start implementing right now, as well as local experts you can tap to help protect your personal and company data from cyber attacks.
Momot encourages both individuals and businesses to think first about the concept of privacy before giving out any personal information online. She cautions that in today’s online landscape, there are many ways that we willingly but inadvertently give out personal information, making us vulnerable without even realizing it. Two pervasive examples of this are free apps and social media. “There are many free email services such as Gmail and Hotmail,” Momot explained, “all of those services are gathering information about their users. They have a footprint of what we do—they can see what we like, who our friends are, who we buy from, when we buy, where we shop, and more.” Facebook can be even more problematic. Recent popular posts encourage users to answer quizzes about their lives, their family lineage, and personal preferences, all under the guise of getting to know one another better and discovering commonalities. What many users are not aware of is that these quizzes are often based on the popular security questions for online accounts, and sharing your answers makes it easier for cyber attackers to steal your identity and crack passwords. Sharing cautionary words of wisdom, Momot offered a bit of common knowledge in the IT field, warning, “If something is free, that means YOU are the product.”
In our interconnected world, these and other personal online habits of employees and others using your internal business network are a major source of concern for businesses. Locks on doors and firewalls on networks are great defenses to keep outsiders from coming in, but both rely on the people inside the protected areas to be effective. For these reasons IT professionals identify employees themselves as one of the greatest threats to a company’s cyber security, whether their actions are intentional or unintentional.
One of the simplest ways of decreasing your exposure to cyber attacks is one of the most commonly overlooked. Far too many small business owners never change the default “admin” password that comes with various parts of their network such as the wireless router, and even their server. Anyone as close as your parking lot can guess that password, log in, and with a little legwork, gain access to your confidential data. Momot offered the following tips regarding password standards for your organization:
• Length: At least 10 characters long
• Complexity: Require the use of numbers and letters, upper- and lowercase, and special characters
• Expiration: Force users to change passwords regularly
• Multi-step log on: Take advantage of multifactor authentication options available today from many applications and providers. Your secret passcode coupled with a one-time passcode received on your cell phone, for instance, can strengthen your security level dramatically.
Additional best practices include avoiding the use of names or words that you affiliate with publicly on Facebook or other social media. These include your children’s names, the street you live on, where you vacation, and the names of your pets. According to Momot, a good password is one that is hard for a computer to guess but easy for you to remember. “There is no person sitting at a keyboard trying to guess your password,” she explained, “Password cracking is usually done by a computer set up with particular programs running the English dictionary, or lists of things like football teams or street names.”
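The password standards above can be enforced at the point where a password is set. The following Python sketch is an added example, not something from the interview: it checks length, character classes, expiration, and whether the password is built on a listed word or a personal term even after common character swaps. The 90-day age limit, the small wordlist, and all function names are assumptions made for illustration.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 10                 # "at least 10 characters long"
MAX_AGE = timedelta(days=90)    # assumed value; the article only says "regularly"

# Constructed sample standing in for dictionary, team and street-name lists.
WORDLIST = {"password", "welcome", "patriots", "mainstreet", "admin"}

# Undo common character swaps so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@4310$5!7", "aaeiossit")


def normalize(text):
    """Lowercase, reverse simple substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def check_password(password, personal_terms=(), last_changed=None, today=None):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = {
        "lowercase": r"[a-z]",
        "uppercase": r"[A-Z]",
        "digit": r"[0-9]",
        "special": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    flat = normalize(password)
    # Names a user shares publicly: children, pets, street, vacation spot.
    for term in personal_terms:
        needle = normalize(term)
        if len(needle) >= 3 and needle in flat:
            problems.append(f"contains personal term: {term}")
    for word in sorted(WORDLIST):
        if word in flat:
            problems.append(f"contains listed word: {word}")
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > MAX_AGE:
            problems.append("expired")
    return problems
```

In practice the wordlist would be a full dictionary plus local names, and the multifactor step from the list above is handled by the login system rather than by a check like this.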
In the simplest explanation, software is programming that makes many things in our world work today. Widespread examples of software in use today include Microsoft, Windows, and proprietary programs that businesses use to carry out work and organize data. These programs commonly serve as two-way doors between internal data and the external web and therefore represent weak spots in network security. Software providers vigilantly monitor these weak spots and provide free software updates frequently. These updates are only effective if users take action to download and implement them. Failure to update the software you use in your business on a consistent and frequent basis is an invitation for a cyber attack. The reality is that many small business owners don’t have time to do this. In recognition of that fact, there are professional services available locally that offer a consistent and affordable solution to this problem.
When considering network security and vulnerability to cyber attacks, the adage, “an ounce of prevention is worth a pound of cure” makes a lot of sense in both the business and personal arenas. As a matter of basic protection, all businesses would be wise to include regular IT system protection and review with an eye for decreasing vulnerability to data breaches. Momot cautioned even those businesses that are large enough to employ IT professionals about the intricate nature of the work. “Just like you wouldn’t go to your general physician for a heart valve replacement, I don’t recommend that a general IT practitioner take responsibility for the company’s network security,” she explained. “Today’s adversaries are clever and they make it challenging to defeat them.”
A second part of prevention that is easier to implement without special IT training is the ongoing education and training of employees and other users of your network. Many of the preventive measures described here are based on simple, common sense. Humans are faulty creatures of habit who will respond well to gentle, frequent reminders about the simple things they can do to protect the best interests of themselves and of the organization.