So, you own and operate your own small business? Good for you! Small businesses are a huge part of the economy and provide work for millions of Americans. We're a small business, too, and we handle the data security and IT needs of dozens of small businesses. So we're pretty qualified to tell you the following: You and your data are in grave danger.
Now, more than ever, small to medium-sized businesses are the target of cyber-attacks. The crooks know what you know: a small business doesn't have the capital of a multi-billion-dollar international conglomerate, so it cannot invest as heavily in securing its data. That makes it all the more important to invest in your security wisely.
What To Do
Small businesses are a fantastic place to work. Unfortunately, for you as the small business owner, your biggest liability may be your employees. The employee who opened the email attachment that looked like a resume but was actually ransomware has now brought the entire company to a standstill, because all of the data is encrypted and therefore useless. The summer intern who gives out the wireless password to a "visitor" has inadvertently opened the entire network to attack.
So you may be asking, “How do I stop this?” Train your employees. Create an environment of caution.
It can be intimidating to tell a supervisor that the email you just opened doesn't look right and that there is now a bizarre message on your screen explaining that all the files are encrypted and being held for ransom in Bitcoin. Make it clear that reporting a mistake quickly is expected and will not be punished: an attack reported in the first minutes is far cheaper to contain than one discovered days later.
Send out monthly newsletters, hold lunch-and-learn meetings and discuss what a potential attack could look like. The sooner you are aware of a problem, the sooner it can be fixed.
Employees should know how to critique an email from an unknown source. Look for spelling and grammatical errors; symbols or look-alike characters where letters should be in the sender's address (a zero in place of an "o" in a familiar company name); a reply-to address that differs from the sender; links whose real destination, shown when you hover over them, doesn't match the link text; and file attachments from unknown senders, especially executables dressed up as documents (resume.pdf.exe).
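The checks above can be automated at the mail gateway or in a mailbox rule. The following script is an added example written for this article, not code from the original or from any product; it assumes a hypothetical list of trusted domains, a small illustrative look-alike table, and two constructed sample messages. It flags look-alike sender domains (including Unicode confusables and the "rn" for "m" trick), a display name that claims a trusted brand from an untrusted address, a Reply-To pointing elsewhere, and executable or double-extension attachments.

```python
"""Phishing-indicator checks over constructed sample messages.
Added example for this article, not code from the original; the trusted
domains, the confusables table and the sample e-mails are assumptions."""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Domains this hypothetical business trusts (assumption).
TRUSTED_DOMAINS = {"example-smb.com", "microsoft.com"}

# Look-alike substitutions: a few Unicode confusables plus digits and symbols
# used in place of letters. Illustrative subset, not a complete table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0131": "i",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s", "|": "l",
}

# Attachment types that run code when opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}


def skeleton(domain):
    """Reduce a domain to the ASCII it looks like: 'micr0soft' -> 'microsoft',
    'exarnple' -> 'example'."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    sk = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return sk.replace("rn", "m").replace("vv", "w")


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if is_trusted(domain):
        return None
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        # Exact look-alike, or the trusted name used as a leading subdomain
        # of an attacker's domain (microsoft.com.evil.net).
        if sk == trusted or sk.startswith(trusted + "."):
            return trusted
    return None


def check_email(raw):
    """Return the list of indicators that fired; an empty list means none did."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"LOOKALIKE: sender domain {from_domain!r} imitates {imitated!r}")

    # Display name claims a trusted brand while the address is somewhere else.
    if not is_trusted(from_domain):
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in display.lower():
                findings.append(f"BRAND: display name {display!r} but address at {from_domain!r}")

    # Replies quietly redirected to a different domain.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"REPLYTO: replies go to {reply_domain!r}, not {from_domain!r}")

    # Executable or macro-enabled attachments, including 'resume.pdf.exe'.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) > 1 and "." + pieces[-1] in RISKY_EXTENSIONS:
            kind = "double-extension" if len(pieces) > 2 else "risky"
            findings.append(f"ATTACHMENT: {kind} attachment {name!r}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Microsoft Account Team" <security@micr0soft.com>
Reply-To: recover@mail-recovery.example
To: owner@example-smb.com
Subject: Resume for the open position
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please review the attached resume.
--B1
Content-Type: application/octet-stream; name="resume.pdf.exe"
Content-Disposition: attachment; filename="resume.pdf.exe"

(binary content omitted)
--B1--
"""

SAMPLE_CLEAN = """\
From: Jane Doe <jane@mail.example-smb.com>
To: owner@example-smb.com
Subject: Lunch and learn agenda
Content-Type: text/plain

Agenda is in the calendar invite.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, check_email(sample) or ["no indicators"])
```

The skeleton comparison is the same idea as the Unicode confusables check browsers apply to internationalized domain names: collapse what a string looks like, then compare to the names you care about. A real deployment would use the full confusables table and your own brand list rather than the handful of entries here.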
Employees should know what constitutes a strong password. Eight characters mixing upper and lower case letters, numbers and symbols is the bare minimum many systems enforce, but length matters far more than forced complexity: a passphrase of several unrelated words is both longer and easier to remember than P@ssw0rd, which attackers' wordlists already contain. Encourage a password manager so that every site gets a unique, long password, and screen new passwords against lists of known-breached ones.
Employees should also be trained on social engineering attacks. When the phone rings and the caller says they are from the IT department, and you don't have an IT department, it's probably not a good idea to give out passwords, much less remote access to your machine. Employees should also be trained to lock their screens whenever they step away from their computers. An unlocked, unattended computer is an open door to anyone who would love nothing more than to wreak havoc on your network.
What to Buy
There is a myriad of products a small business can invest in for data security. Let’s look at the true necessities and go from there.
Firewall and Wireless
First and foremost, you need a firewall appliance: a piece of equipment that sits between the internet and your internal network and filters the traffic. No, the wireless router you bought at the big box store does not count. The device should offer gateway antivirus, website blocking and logging, and inspection of both encrypted and unencrypted web traffic. Be aware that inspecting encrypted (HTTPS) traffic means the firewall decrypts and re-encrypts it, which only works if its certificate is installed on every company device and will break some applications that pin their certificates, so plan for exceptions. The firewall may or may not come with built-in wireless, but either way it should govern the wireless traffic.
Speaking of wireless, if you implement it, corporate and guest access should be separate networks. The wireless network that reaches the corporate network where your data is stored should be completely isolated from the one you let guests or clients use. A client could walk into your business with a compromised laptop, connect it to your network wirelessly or physically, and unknowingly create a huge problem for you. Put the guest network on its own VLAN with client isolation enabled, so guest devices can reach only the Internet, not each other and not the corporate network.
Another investment that you will need to make is a backup solution. There are two kinds of people in the world when it comes to backups: those that do regular backups and those that wish they had. Don’t be the latter. It’s not uncommon for companies to lose years of work due to not having a backup solution.
What should you look for in a backup solution? Your best bet is an image-based backup. File-level backups alone are no longer enough. An image-based backup takes a snapshot of the whole system at that moment and stores it: operating system, programs, files, permissions and all. That drastically decreases recovery time.
In a file-level recovery you must first replace the hardware if necessary, reinstall the operating system, reinstall all programs and then restore the files from the backup. Not so with an image: replace the hardware if necessary, restore the image, and you are right back to the point in time of the last good backup.
These backups aren't just for disaster recovery after a natural disaster, fire or theft. They are also your way out of a ransomware attack. Once the time of the attack is pinned down, disconnect the machine where the attack originated from the network and restore from the backup taken before the attack. Two caveats: ransomware encrypts any backup it can reach, so an always-attached USB drive or a mapped network share is not a safe backup; and a restore is only as good as the last time you tested one, so rehearse restores before you need them.
The second part of the backup solution is keeping copies somewhere other than on the system being backed up. Best practice is the 3-2-1 rule: three copies of your data, on two different types of media, with one copy off-site. In practice that means a local copy that is disconnected between backup runs, plus an off-site copy.
The off-site copy can be as simple as taking the backup drive home every night or every week, or dropping it in a safe deposit box at a local bank on a weekly basis. The idea is to never have all of your backups in one place at one time. If your office burns to the ground one night and all of your backups were in the building, you may as well not have had any backups at all.
Several cloud backup services store a copy of your data in their data centers and can assist in disaster recovery. Typically this means either spinning up virtualized versions of your servers or file shares on their equipment in the cloud while you rebuild, or shipping a drive to your location so you can restore locally.
Backups are a crucial part of your data security. The more you invest up front, the less it will cost to recover from a data loss on the back end. Now let's move on to our last topic.
What Policies to Put in Place
Policies are one of the most difficult and time-consuming data security measures to implement in a small business. They should be as detailed as possible to leave little room for doubt, and they cover everything from who has access to which file shares to whether users may connect their mobile devices to your corporate network, only to the guest network, or not at all. Here are a few questions to consider when putting your data security policies in place:
Will you allow employees to copy information from their workstations onto removable media like flash drives or writable CDs or DVDs? Allowing users to store proprietary data on removable media leaves you open to data theft, and it works in the other direction too: a found or gifted USB stick is a classic way to get malware onto a workstation. If you don't need removable media, disable it in policy rather than relying on good intentions.
Will you allow employees to store and send information on cloud storage or file shares? Cloud storage is great (we're big fans of OneDrive in particular), but only when it's tightly controlled and everyone is on the same system. Users should have the minimum access necessary to perform their job, because ransomware running under one user's account can only encrypt what that user can write to; the recent rash of ransomware attacks preys on the wide-open access most users have to company file shares today.
Will you allow employees to access the network from outside the office? Remote access should be very tightly controlled. It does not take an overly skilled attacker to find and exploit a weakness in an insecure remote access method, and services like Remote Desktop exposed directly to the internet are scanned for continuously. Remote access should always go through a VPN, protected with two-factor authentication, so that the only thing listening on the internet is the VPN gateway rather than the servers themselves.
Will you implement two-factor authentication methods like a hardware token or biometrics? Two-factor authentication is a great way of securing your network even further. Couple it with full-disk encryption on laptops and the frightening specter of a stolen laptop becomes a lot less scary: without the decryption key, the drive is as useful as a paperweight even if the thief pulls it out of the machine. One caveat: if the key is held only in the laptop's TPM with no pre-boot PIN, the drive is unlocked automatically at boot and its protection then rests on the Windows login alone, so require a PIN or the user's credentials before the disk unlocks.
Will you force users to change their passwords on a regular basis and require a complex password? Forced rotation every 30 days used to be the standard advice, and many compliance checklists still say so, but it does not do what people think. A dictionary attack, where the perpetrator runs a program that tries an enormous "dictionary" of common words and known passwords, succeeds or fails in hours, not months, so rotation does not defeat it; what rotation mostly produces is predictable variations (Winter2023! becomes Winter2024!) that attackers try first. Current guidance (NIST SP 800-63B) is to require length rather than a 30-day clock, screen new passwords against lists of common and breached passwords, block trivial variations of the previous one, and force a change immediately when a compromise is suspected.
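The password rules discussed under training and again here can be enforced at the point a password is set. The following script is an added example written for this article, not the article's or any product's code; the minimum length, the edit-distance threshold, the leetspeak map and the tiny common-password list are assumptions (a real deployment screens against a breach corpus of hundreds of millions of entries). It accepts long passphrases, rejects P@ssw0rd even though it satisfies the "eight characters, four classes" rule, and catches the Winter2023! to Winter2024! rotation trick.

```python
"""Password-acceptance check reflecting the guidance above: length over
forced complexity, screening against known-bad passwords, and rejecting
trivial variations of the previous password. Added example, not the
article's own code; thresholds, the leet map and the word list are assumptions."""
import math
import re

MIN_LENGTH = 12          # assumed policy minimum; longer passphrases are better
MAX_CHANGE_DISTANCE = 2  # new passwords this close to the old one are rejected

# Tiny stand-in for a breached/common-password list; real deployments screen
# against hundreds of millions of entries (e.g. the Have I Been Pwned set).
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1", "summer2024!"}

# Undo the usual symbol-for-letter swaps so 'P@ssw0rd' compares as 'password'.
LEET = str.maketrans("@$0143!|", "asoiaeil")


def normalize(pw):
    """Strip the decorations people add to dodge a reuse check: case, trailing
    and leading digits/symbols, leetspeak ('Winter2023!' -> 'winter')."""
    core = re.sub(r"[^a-z]+$", "", pw.lower()).translate(LEET)
    return re.sub(r"^[^a-z]+", "", core)


def edit_distance(a, b):
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def entropy_bits(pw):
    """Brute-force search space in bits from length and character classes.
    This is what the 'longer and more complex' rule of thumb measures; it says
    nothing about dictionary attacks, which is why the screening below exists."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def evaluate(new, old=""):
    """Return the reasons a proposed password is rejected; empty means accepted."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() in COMMON_PASSWORDS or normalize(new) in COMMON_PASSWORDS:
        reasons.append("appears in the common/breached password list")
    if old:
        if normalize(new) == normalize(old):
            reasons.append("trivial variation of the previous password")
        elif edit_distance(new.lower(), old.lower()) <= MAX_CHANGE_DISTANCE:
            reasons.append("too close to the previous password")
    return reasons


if __name__ == "__main__":
    cases = (("P@ssw0rd", ""), ("Winter2024!!", "Winter2023!!"),
             ("correct horse battery staple", "Winter2023!!"))
    for new, old in cases:
        print(f"{new!r}: {entropy_bits(new):.0f} bits, {evaluate(new, old) or 'accepted'}")
```

Note that P@ssw0rd scores about 53 bits by the character-class estimate and still fails, because the list check runs on the normalized form; the passphrase scores three times as many bits with no symbols or digits at all. That gap is the practical argument for length and screening over forced complexity.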
All of these decisions can have huge impacts on your company's data security. Strict data security policies might seem annoying now, but they're critical to your company's security. Keep in mind, though, that a policy doesn't do anything if it isn't enforced. Luckily, most policies that affect computers and computer systems can be enforced technically, for instance through Group Policy or a device management tool, at the user or device level, rather than by relying on everyone remembering the rules.
The bad guys of the cyber world are only getting more skilled and crafty in their attacks. It’s up to you to put measures in place to help keep them out.
Have questions about your data security? Contact us to find out what security measures you can put in place on your budget.