Cyber security remains a growing concern for small businesses. It’s a good idea for business owners to conduct periodic reviews of their data security program.
Security Check-Up Suggestions
The Small Business Administration, the Federal Trade Commission and the American Bankers Association offer a number of suggestions aimed at helping businesses protect their files and devices and their company and customer information from cyberattacks.
Start with a Plan
Begin by understanding your business risk profile. What are you trying to protect, and where are you most vulnerable? Identify the devices, servers and vendors that store company data, customer credit card numbers and other sensitive information. Know which vendors supply the software you use and how secure their practices are. Also take a broader look at protecting your financial and bank data, personnel information and intellectual property.
Review Policies and Procedures
Re-evaluate the security policies and procedures that govern everything from access controls to acceptable use. Have you added new products and services, or entered new markets, that changed how your business operates? Who has access to information in your company, and who holds the log-in credentials used to conduct transactions?
Employees are often the weakest link in a security plan. From day one, explain the importance of your organization's data security practices to employees. Conduct regular training that covers your company's practices and how to spot new risks, security vulnerabilities and identity theft. Create a culture of security by demonstrating what you expect and making security an essential part of employees' duties. When employees leave, terminate their access immediately.
Warn about Phishing
Educate employees on the dangers of spear phishing: targeted emails that use details about the recipient or the company to look legitimate. Require independent verification, such as a phone call to a number you already have on file, of any email requesting sensitive information or a payment. Train employees not to reply to email from senders they do not recognize, and not to use the links, phone numbers or websites contained in a suspect email.
Cover the Basics
Implementing the basic steps of cyber hygiene reduces the risk of a successful cyberattack and limits the damage when one occurs.
- Update Software. Update and apply the latest patches to your operating systems and software, including anti-virus software and antispyware, apps and web browsers. Set updates to take place automatically.
- Secure your Network and Files. Safeguard your Internet connection by using a firewall. Back up files offline, on an external hard drive or in the cloud, and keep at least one backup copy disconnected from the network so that ransomware cannot reach it. Periodically test that you can actually restore from the backup. Control physical access, too, and store your paper files securely.
- Encrypt Devices. Encrypt devices and other media that contain confidential, sensitive and proprietary information. This includes laptops, smartphones, inventory scanners, digital scanners, removable devices, backup tapes and cloud storage solutions.
- Use Multi-Factor Authentication. Enable multi-factor authentication for access to your network, email, remote access and sensitive information. This requires an additional step beyond logging in with a password, so a stolen password alone is not enough.
- Require Strong Passwords. Require a password or PIN on all computer hardware, including routers, laptops, tablets and smartphones. Require passwords of at least 12 characters; a long passphrase of several unrelated words is easier to remember and harder to crack than a short mix of UPPER and lower case letters, numbers and symbols. Passwords must not contain personal information, like part of a TIN, or be easily cracked, like "password," "qwerty" or "12345678." Never leave devices unattended in public places and avoid public WiFi.
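The password rules in the list above can be enforced mechanically. The following is an added example, not code from the SBA, FTC or ABA guidance: it checks a candidate password for minimum length, membership in a (constructed, deliberately tiny) common-password list including leet-speak variants such as "P@ssw0rd", and overlap with personal information such as a company name or TIN, and it generates a passphrase from a constructed word list. A real deployment would load a full breached-password list and a large word list (for example the EFF diceware list) instead of the few entries embedded here.

```python
"""Password-policy checks for the rules on this page (added example)."""
import re
import secrets

# Constructed denylist: the page names the first three; a real deployment
# would load a large list of breached/common passwords.
COMMON_PASSWORDS = {"password", "qwerty", "12345678", "123456", "letmein", "welcome"}

# Constructed word list for passphrase generation; use a large list in practice.
WORDLIST = ["anvil", "bridge", "copper", "dahlia", "ember", "falcon", "granite",
            "harbor", "iodine", "juniper", "kettle", "lantern", "meadow", "nimbus"]

MIN_LENGTH = 12  # NIST SP 800-63B requires at least 8; 12 is the floor used here

TOO_SHORT = f"shorter than {MIN_LENGTH} characters"
COMMON = "appears on the common-password list"

# Map common letter substitutions back to letters so "p@ssw0rd" matches "password".
LEET = str.maketrans("@$0!13", "asoiie")


def _variants(candidate):
    """Forms of the candidate to compare against the denylist."""
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)  # drop trailing digits/symbols ("qwerty1")
    return {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}


def personal_info_overlap(candidate, personal_info, window=4):
    """Return the first 4-character run of any personal-info item found in the
    candidate (letters/digits only, case-insensitive), or None."""
    cand = re.sub(r"[^a-z0-9]", "", candidate.lower())
    for item in personal_info:
        clean = re.sub(r"[^a-z0-9]", "", item.lower())
        for i in range(len(clean) - window + 1):
            chunk = clean[i:i + window]
            if chunk in cand:
                return chunk
    return None


def check_password(candidate, personal_info=(), min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password passes.
    No character-class (composition) rule is applied: length plus a denylist is
    what NIST SP 800-63B recommends."""
    problems = []
    if len(candidate) < min_length:
        problems.append(TOO_SHORT)
    if any(v in COMMON_PASSWORDS for v in _variants(candidate)):
        problems.append(COMMON)
    overlap = personal_info_overlap(candidate, personal_info)
    if overlap:
        problems.append(f"contains personal information ({overlap})")
    return problems


def generate_passphrase(words=4, wordlist=WORDLIST):
    """Generate a passphrase of randomly chosen words, using the secrets module
    (a CSPRNG) rather than random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    info = ["Acme Widgets LLC", "12-3456789"]  # constructed company name and TIN
    for pw in ["qwerty1", "P@ssw0rd2024!", "Acme-Widgets-2021", generate_passphrase()]:
        print(f"{pw!r}: {check_password(pw, info) or 'OK'}")
```

Run it as a script to see each sample password graded; the generated passphrase passes all three checks because it is long, not on the denylist and unrelated to the company's details.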
Secure Payment Processing
Work with your bank or credit card processor to ensure that the most trusted and validated payment tools and anti-fraud services are being used. Isolate payment systems from other, less secure programs, and do not use the same computer to process payments and browse the Internet or read email.
Develop an Incident Response Plan
Know what to do and who to call when a cyber incident occurs: who decides that an incident is under way, how to isolate affected systems and restore from backups, and which outside parties to notify, such as your bank, card processor, insurer, law enforcement and affected customers. Write the plan down and keep a copy that does not depend on the systems that may be compromised.
Report scams against a small business at FTC.gov/complaint.
These websites and publications also have information on securing sensitive data:
- Small Business Administration – sba.gov/cybersecurity
- Start with Security – ftc.gov/startwithsecurity
- National Institute of Standards and Technology (NIST) Computer Security Resource Center – https://csrc.nist.gov/