In this day and age, it is impossible for businesses not to rely on technology. That reliance is as critical for small businesses as for large ones; the difference is only a matter of scale. With potential customers looking up the business’s website, downloading brochures and spec sheets, and communicating via email or forms, and with the company itself storing sensitive marketing, customer, operational, and financial data online, businesses can represent very lucrative targets for hacking and online disruption. Online security breaches are far more common than people assume. According to Forbes, more than half of all small businesses experience security incidents every year.
As may be imagined, the cost of these events can be severe in both the short term and the long term. Not only do businesses have to bear the effort and cost of recovering compromised data, but they also have to deal with its impact on operations, loss of clients, and damage to corporate reputation. This makes cybersecurity essential, and not merely as a matter of implementing protocols but as a companywide change in security culture. Here are some guidelines and simple tips for improving cybersecurity without worrying about the impact on profitability:
Robert Trosten Recommendation No. 1: Focus on Creating Alertness about Phishing Attacks
It may come as a surprise that as many as 91% of complex cyber attacks have their origins in phishing emails. Businesses need to invest time and effort into educating their employees on identifying and responding to potential phishing emails. Common signs of an email with possible ulterior motives include an incorrect sender address, errors in spelling or grammar, the presence of embedded links, and content offering value propositions that seem too good to be true. Employees also need to be trained on how to respond when they encounter emails that they suspect to be phishing attacks. It is important never to reply to suspicious emails but to delete them immediately from the system and inform the company’s IT department. You can gauge how well employees know and follow the SOP by running simulated phishing email attacks.
Robert Trosten Recommendation No. 2: Enforce Robust Passwords
One of the most critical elements of security awareness training is stressing to all employees the vital importance of using very strong passwords. Using a variety of methods, cybercriminals can very easily crack weak passwords. It will astonish many people to learn that a 2019 report by the Ponemon Institute on global cybersecurity observes that as many as 70% of small and medium businesses reported the theft of their employees’ passwords in just the previous year. It is important to impress on your employees that they should avoid common practices like using their names, dates of birth, or other easily guessable combinations. Passwords should never be reused across different accounts and should, as a matter of practice, be changed every three months, recommends Robert Trosten.
By using a unique password for each account, it is possible to limit the damage, because hackers will not be able to use a password controlling your email to access your bank account, for example. Introduce employees to the concept of password managers to overcome the reluctance to devise and remember multiple passwords. Using a password manager not only makes logging in to your accounts easier but also facilitates the use of really complex, random, and strong passwords, since you no longer have to memorize them. This makes it far more difficult for cybercriminals to hack accounts. Wherever possible, use two-factor authentication to sign in to password-protected accounts – the OTP sent to the user’s mobile phone ensures that unauthorized people cannot access your accounts even if they know the passwords.
Robert Trosten Recommendation No. 3: Restrict Access to Sensitive Information
Giving every employee access to all information may be the most convenient approach to information management; however, if you care to think about it, not every employee needs access to your database in its entirety. You should critically review what information each employee actually needs to perform their function, and limit access by setting different privilege levels for each role. Also, monitor closely who is accessing what information, so that you can spot suspicious activity whenever a pattern of access warrants it.
Lay down information access and dissemination protocols so that you do not create opportunities for employees to beat the system and expose the business to external threats and vulnerabilities. You can also consider blocking third-party email service providers so that nobody can access information and send it out as an email attachment. Companies dealing in highly sensitive information invariably also take steps to disable the USB ports on the hardware used by employees, so that there is no opportunity for anyone to copy information and take it out of the workplace.
Robert Trosten Recommendation No. 4: Keep Software Updated
One of the most overlooked steps businesses need to take to secure their information technology applications is keeping all software updated. Updates are available from the software makers and typically include security patches and bug fixes as well as added functionality. You should endeavor to keep all operating systems, anti-malware software, network security tools, firewalls, email programs, and other application software up to date.
Ensuring the security of your company database is one thing, but the issue gets much more complicated in an environment where employees are working from home. The company should actively focus on educating employees on how to stay secure and on the consequences of not practicing adequate security protocols. A continuous education program on best practices for sending and receiving emails and messages, protecting devices, encrypting data, and staying alert to phishing and other cybersecurity threats can help a lot. Even though small businesses may lack the deep pockets needed for very expensive security audits and cyber threat prevention techniques, the steps discussed above are very cost-effective and relatively easy to implement. Cybersecurity should never be taken for granted, and it is important to keep all employees alert and sensitive to data breaches and loss of control over their IT systems.