Small business owners wear a lot of hats each day. Most probably never thought that “information technology professional” would be one of them. However, criminals are targeting businesses of all sizes, meaning that the cyber threat cannot be ignored.
According to Cybersecurity Magazine, small and medium-sized businesses are involved in 43% of all data breaches, and 61% of small businesses surveyed reported at least one attack within the previous 12 months.
What Is at Risk?
What’s at risk if your systems are breached? Consider the possibilities:
- Your financial information
- Your business plans
- Your intellectual property
- Your social media accounts
- Your employees’ personal information
- Your customers’ payment information
- Any information that you attached to an email or received as an attachment
- Any links or passwords you shared with anyone
- The security of cyber systems belonging to people and organizations with whom you do business
- Your reputation
In other words, your very business is at stake.
However, every business can strengthen its defenses. Some of the following five best practices are easier than others to implement, depending on whether you have IT professionals on staff or retainer. If outside expertise is needed, services such as OneIT or UTEC can help.
Here are five best practices to consider now.
1. Update your software regularly.
Threat actors are constantly searching for ways to exploit weaknesses in software, like the one that was found in Java’s Apache Log4 logging library late last year. Threat actors began taking advantage and installing ransomware and cryptocurrency-mining software almost immediately.
Software companies regularly provide updates to combat these sorts of issues when discovered and to make other improvements. Watch for and install the updates for operating systems, web browsers and applications as soon as they become available.
2. Require strong passwords. Are you or any of your employees using “123456” as a password? If so, you should know that according to Nord Security, a developer of cybersecurity products, more than one million other people are also using it. It takes bad actors literally less than a second to crack weak passwords like this.
Strong passwords are one easy-to-implement defense against would-be attackers. According to the Small Business Administration, strong passwords share the following characteristics:
- Have 10 or more characters
- Are a combination of uppercase and lowercase letters
- Have at least one number and one special character
Another approach that some businesses are taking is to use passphrases or sentences. Generally, the longer the passphrase is, the more difficult it becomes to crack. Sentences are also easier for end-users to remember than long strings of upper and lowercase letters and special characters.
How do you know how secure your password or phrase is? Try a tool like How Secure Is My Password.
Here are some samples:
- Password used: 123456 – This password would be cracked instantly.
- Password used: Sam23!Smith – It would take a computer about 400,000 years to crack this password.
- Password used: It was a lovely summer day. – It would take a computer about 5 decillion years (that’s 33 zeroes!) to crack this password.
Of course, even the strongest password or passphrase is useless if it is written on a sticky note and stuck to a computer screen, left near a laptop or taped to a point-of-sale terminal where a bad actor can see it. Using a password manager—a software application that safely stores and manages your online credentials—could be helpful. It’s like writing all your passwords down on a piece of paper and then placing that paper in a safe. All you need to remember is how to open the safe (e.g., your password manager password).
3. Implement multifactor authentication.
If you have tried to digitally access your bank account lately, you likely received an email, text or call asking you to confirm your identity first. You might have been asked to answer a security question or to submit a special code within a few minutes of receiving the message. This additional security process is known as two-factor or multi-factor authentication, and it’s one more way to protect your small business, especially if some of your employees work remotely.
Consider implementing this technology to protect especially sensitive data on your network. Many insurance companies are now making this a mandatory protection to receive a cyber liability insurance quote or to keep existing cyber insurance coverage. Learn more about multifactor authentication here.
4. Train employees to identify and report phishing emails.
Today, one of the most common methods cybercriminals use to steal credentials or infect information technology systems is by sending “phishing” emails to unsuspecting employees. These emails look like they have been sent from a trusted individual or legitimate organization. They encourage the recipient to share sensitive information or to click a link, download a document or visit a website that then deposits malicious software onto the computer or network.
How can someone identify a phishing email? Start by asking these questions:
- Is the sender unknown?
- Are email addresses, domain names or URLs within the email inconsistent or incorrect?
- Does the email contain typos and/or grammatical errors?
- Is the email written in a way that makes you think this isn’t the writer’s native language?
- Does the sender ask for login credentials or other sensitive information?
- Does the email seem intimidating in any way or contain an urgent request?
- Does the email contain a suspicious attachment?
Phishing Email Sample
+ Click Here
Employees should report suspicious emails to IT staff for validation before taking any action. If your business doesn’t have IT staff and employees receive an email, they should contact the sender via another means (e.g., phone, text) to confirm the email’s authenticity.
Services such as KnowBe4 can help staff improve their information security knowledge and practices.
5. Create a plan.
Every business, no matter how small, should have a cyber security plan. The more complex your business, the more likely you will be to benefit from hiring cybersecurity experts to plan for and address cyber threats.
The Federal Communications Commission has developed a site on which small businesses can create a free customized cybersecurity plan. Select the topics that apply to your business, such as payment cards, employees, email, data security, etc., and then let the tool generate your guide.
Besides implementing a sound cybersecurity plan for your business, obtaining a cyber liability insurance policy is another way to manage risk. Be aware that policies are becoming more difficult to obtain. Demonstrating that you have implemented an effective cybersecurity plan is a good first step. Speak with a trusted advisor to learn more about the availability, requirements and cost of a cyber liability policy.
A Final Word
This list of cybersecurity best practices isn’t exhaustive, but it does highlight some relatively simple but important actions you can take now to strengthen your business’s cyber defenses.
Finally, it’s no secret that identity theft also has been on the rise for years. Hylant clients and associates have access to IDTheft Assist, a comprehensive, affordable credit monitoring and restoration service for individuals. A monthly subscription provides access to 24/7 response services, including a designated U.S.-based advocate who does all the work necessary so that you can get back to your normal routine. We invite you to learn more about IDTheft Assist.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.