I recently sat in on a cybersecurity seminar my client in Tulsa held for his employees, and it really opened my eyes to the risks cyberattacks pose to small businesses today. Small businesses are reporting cyberattacks in significant numbers, and these attacks are becoming more sophisticated and more severe. Consider the following statistics:
– 18.5 million websites are infected in any given week, and 80% of them are small business websites.
– 400,000 new pieces of malware (malicious code that is usually delivered via e-mail and can steal, alter or delete data) appear on the Internet every day, and 58% of malware attacks target small businesses.
– 54% of all organizations were hit with ransomware in 2017, at a cost of over $5 billion.
The most common problems highlighted during this seminar were: (i) weak password policies, (ii) unprotected mobile devices, (iii) not performing software updates in a timely manner, (iv) non-existent employee training, and (v) a lack of investment in cybersecurity.
Short, simple passwords fall quickly: once an attacker has stolen a copy of a password database, commodity graphics cards can test billions of guesses per second against passwords protected with a fast hashing algorithm. Small businesses can strengthen their password policies by following “The 8+4 rule,” and by requiring a password change whenever a compromise is suspected (current NIST guidance in SP 800-63B favours that over a fixed quarterly rotation, which tends to produce predictable variations of the old password). “The 8+4 rule” strengthens passwords by requiring at least eight characters drawn from four different types of characters — upper case, lower case, symbols and numbers. The seminar's claim that adding one more character (8+4+1) yields a password that takes a hacker 44,000 years to crack assumes a very slow attacker; a nine-character password from all four classes has roughly 6 × 10^17 possible combinations, which a GPU cracking rig can exhaust in weeks against a fast unsalted hash, and far sooner if the password follows a common pattern. Length buys much more time than an extra character class, so treat 8+4 as a floor: prefer long passphrases and screen new passwords against lists of known breached passwords.
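To put the “8+4” arithmetic on a firmer footing, here is an added example (not code from the original article) that checks a password against the rule, computes the size of the search space an attacker must cover, and converts that into worst-case cracking time at several assumed guess rates. The three guess rates and the sample passwords are constructed for illustration; real figures depend on the hashing algorithm, salting and the attacker's hardware, and a dictionary or pattern attack will beat these brute-force estimates whenever the password resembles a word or a date.

```python
"""
Added example: estimate brute-force cracking time for passwords built under the
"8+4 rule". Not from the original article; guess rates below are assumptions.
"""
import math
import string

# Character classes behind the "8+4 rule" and their sizes on a US keyboard.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26 characters
    "digit": set(string.digits),            # 10 characters
    "symbol": set(string.punctuation),      # 32 characters
}

# Assumed guesses per second (constructed to bracket realistic attackers):
GUESS_RATES = {
    "online, rate-limited login (10/s)": 10,
    "offline, slow salted hash such as bcrypt (1e5/s)": 1e5,
    "offline, fast unsalted hash on a GPU rig (1e11/s)": 1e11,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_8_plus_4(password: str) -> bool:
    """The article's '8+4 rule': eight or more characters using all four classes."""
    return len(password) >= 8 and len(classes_used(password)) == 4


def keyspace(password: str) -> int:
    """Candidates an attacker must try exhaustively, assuming they know the
    length and the classes in use (the best case for them that still counts as
    brute force rather than a dictionary attack)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time in years to exhaust the keyspace at a given guess rate."""
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


def report(password: str) -> dict:
    """Summarise rule compliance, keyspace in bits and time-to-exhaust per rate."""
    return {
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "meets_8_plus_4": meets_8_plus_4(password),
        "keyspace_bits": round(math.log2(keyspace(password)), 1),
        "years_to_exhaust": {
            label: years_to_exhaust(password, rate) for label, rate in GUESS_RATES.items()
        },
    }


if __name__ == "__main__":
    # Constructed samples: an 8+4 password, the 8+4+1 variant, and a long
    # passphrase that fails the rule yet has a vastly larger search space.
    for pw in ["Tulsa#17", "Tulsa#17!", "tulsa-seminar-opened-my-eyes"]:
        r = report(pw)
        print(f"{pw!r}: len={r['length']} classes={r['classes']} "
              f"8+4={r['meets_8_plus_4']} bits={r['keyspace_bits']}")
        for label, years in r["years_to_exhaust"].items():
            print(f"    {label}: {years:,.2g} years")
```

Running it shows the nine-character “8+4+1” password exhausted in a fraction of a year at the GPU rate, while the 28-character passphrase, which fails the 8+4 rule, would outlast any attacker. The estimates are upper bounds for the attacker's effort: real cracking tools try likely patterns first, so a password that reads as a word and a year falls long before its keyspace is exhausted.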
Because most intrusions into a small business network start with e-mail (a phishing message or a malicious attachment), and many employees now reach their employer’s network from their smartphones and tablets, it is also important that businesses create a mobile device policy, which at a minimum should apply the “8+4+1” password rules above to every device that holds or can reach business data. Information about creating a mobile device policy can be found on the Internet.
There is no excuse for not performing regular software updates: most software today can be configured to install them automatically when it is first set up. Automatic updates do not remove the need to cover updating in employee cybersecurity training, since employees still have to approve restarts, update the applications that do not update themselves, and recognise fake “update” prompts, a common trick for delivering malware.
The Small Business Administration (SBA) offers a free cybersecurity training module that can be downloaded from the Internet to train your employees. The SBA also promotes the following ten cybersecurity best practices:
1. Protect your business against viruses, spyware, and other malicious code.
Make sure each of your computers and mobile devices is equipped with antivirus and antispyware software, and configure all your software to install updates automatically. These updates provide patches that close known security holes and keep your electronic devices working properly.
2. Secure your networks by using a firewall and encrypting information.
If you have a Wi-Fi network, make sure it is secure: enable WPA2 or WPA3 encryption with a strong passphrase, change the router’s default administrator password, and keep the router’s firmware updated. You can also hide the network by configuring the wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier or SSID, but treat hiding as housekeeping rather than protection: the name is still transmitted whenever a device connects, so it is the encryption and the passphrase that actually keep intruders out.
3. Establish security practices and policies to protect sensitive information.
Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies and enforce these policies.
4. Educate employees about cyberthreats and hold them accountable.
Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might unwittingly reveal sensitive details about your business to competitors. Employees should be taught how to post online in a way that does not expose trade secrets to the public or to competing businesses. And hold your employees accountable to the business’s Internet security policies and procedures.
5. Require employees to use strong passwords and to change them often.
Consider implementing multifactor authentication, which requires something beyond a password (such as a one-time code or a hardware token) to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
6. Employ best practices on payment cards.
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.
Also, shift from magnetic-stripe payment cards to safer, more secure chip card technology, also known as “EMV.” (Visit SBA.gov/EMV for more information and resources.)
7. Make backup copies of important business data and information.
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies offsite or in the cloud. Keep at least one copy that is not permanently connected to your network, since ransomware that reaches a mapped backup drive will encrypt the backups along with everything else, and test restoring from your backups periodically; a backup you have never restored is not one you can rely on.
8. Control physical access to computers and network components
Prevent access to or use of business computers by unauthorized individuals. Laptops are particularly easy targets for theft and are easily lost, so lock them up when unattended. Make sure a separate user account is created for each employee, and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
9. Create a mobile device action plan.
Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
10. Protect all pages on your public-facing websites, not just the checkout and sign-up pages.
Cybersecurity is one of the most serious economic and national security challenges we face as a nation today. The good news about protecting your business from cyberattacks is that it isn’t expensive, and smart business owners are quickly making the necessary investments to protect their businesses. If you think your small business is not likely to be hacked in the future, it’s time to change your thinking and take action now to protect your business from the risk of a costly future cyberattack.