Cyberattacks have been increasing for years, and theft of digital information has surpassed physical theft as the most commonly reported fraud, according to the Federal Communications Commission (FCC). These attacks can cause considerable damage. In addition to potential direct monetary theft and the expense of system repair, victims can suffer significant business disruption, intellectual property loss, reputational harm and other costs.
Small businesses, which have fewer cybersecurity resources than large corporations, are often tempting targets for hackers. In recognition of National Cybersecurity Awareness Month, we’d like to provide the following tips to small businesses looking to strengthen their defenses against cyberthreats.
Protect your workplace systems from attack
Cybercriminals are often able to exploit known vulnerabilities in software programs because users don’t always install updates and security patches promptly. Make sure you’re using the latest versions of your operating system, web browser and software.
You should install a firewall to protect your network from intruders and malicious software. If virus scanning is not incorporated into your firewall, use antivirus software as an additional layer of protection. You’ll want to secure your Wi-Fi network as well: be sure to change the default password on your router and hide your network name (you can set up a guest account with a different password to keep outsiders off your main network).
Be vigilant with mobile devices
In today’s tech environment, you also need to look beyond the systems you use in the office. If you or your employees access the company network (or work with confidential data) using smartphones or other devices, make sure these devices are password protected and encrypted, and that the operating system and security apps are always up to date.
Older devices that are out of support and no longer receiving security patches are particularly risky and should not be used to connect to your network.
Be cautious about downloading apps, as malicious apps can contain viruses or ask for unnecessary permissions; only download reputable apps from safe sources. Public Wi-Fi connections are another security risk, so consider using the mobile network instead if you need to perform financial transactions or access sensitive information on the go.
Finally, make sure you have a plan for dealing with lost or stolen devices—you may be able to wipe them remotely to keep sensitive information from falling into the wrong hands. If you use mobile banking, notify your financial institution immediately when a device is lost or stolen.
Train your employees in security best practices
Humans are often the weak link in even the best-laid cybersecurity plans, so be sure to educate your employees on your company’s security policies and frequently reinforce this training. You should establish guidelines addressing passwords, internet use and the handling of sensitive information, for example, and ensure that all employees are on the alert for phishing and other cyberthreats.
Phishing—when a fraudster poses as a legitimate organization in an attempt to trick someone into handing over personal information—can take place via phone or text message, but email is particularly common, so be sure to emphasize email safety in your training.
Phishing emails are often badly written or implausible enough to immediately set off alarm bells (asking you to confirm account details with a bank you don’t use, for example). Many, however, are quite sophisticated and can trick inattentive readers into either clicking on a link that redirects to a fake website, which then harvests the details entered, or opening an attachment that downloads malware such as keyloggers or ransomware.
Never open an attachment or click on a link unless you know it’s legitimate. If you do receive an unsolicited email or phone call asking you to confirm personal information (such as your account number, Social Security number, etc.), do not reply; contact the supposed company via a known phone number instead.
Control access carefully
Make sure employees have access only to the information and systems they actually need to do their jobs. Access to sensitive customer data, for example, should be limited, as should administrative privileges on IT systems and the ability to install software. Access to payment systems should also be closely controlled. Ensure every employee has a separate user account, with strong (and regularly changed) passwords required.
You may trust all your employees fully, but limiting access is not just about containing the damage that could be done by a potentially disgruntled or dishonest employee—it also helps protect you if fraudsters manage to obtain someone’s credentials, either through social engineering or outright theft.
Secure your payment systems
Payment data is obviously among the most sensitive and highly targeted data, so you’ll want to take extra care to secure your payment systems, including point-of-sale terminals or commerce payment systems. Your payment system needs to be isolated from your general office programs, and you shouldn’t use the same computer to process payments (or access online banking) that you use to surf the internet. Work with your payment processor and financial institution to make sure you’re always following the latest recommended security measures for your specific system.
These basic steps are important, but as you look ahead to 2021, you should also consider creating a comprehensive cybersecurity plan—incorporating components such as regular employee training, a technology inventory and related security best practices as well as incident response steps such as whom to contact and how to retrieve data backups—to help you identify your specific areas of vulnerability and reinforce your defenses.
You can create a custom planning guide using the FCC’s Small Biz Cyber Planner tool at www.fcc.gov/cyberplanner. The better prepared you are, the better you’ll be able to protect your business and the more quickly and effectively you’ll be able to respond if you are the victim of a cyberattack.