Why You Need A Cyber Security Strategy For Your Small Business

You hear a news story on the way to work. Yet another Internet breach! Sony. Target. TJ Maxx. Equifax. Even Apple! It’s unbelievable! Good thing those hacker guys have no reason to target you and your small business. Besides, you use antivirus software and passwords. Your Internet Service Provider provides the modem. You are good.

But when you arrive at work your staff are all standing around, staring at the computers.  On all the screens is a countdown clock beside a message: “Oops. Your files have been encrypted!  We guarantee that you can recover all your files safely and easily.  Press <DECRYPT> to agree to our terms of service, and we will help you decrypt your files for a small fee of ₿0.095 in Bitcoin….”

I am the son of small business owners.  Many family members are small business owners too.  I’m constantly amazed by the courage and tenacity it takes to strike out on your own.  Any small business, no matter what industry it’s in, uses computers for accounting, email/communications, payroll, information searches and more.  That means investing hard-earned dollars in computer equipment, software, high-speed internet service, and cabling or Wi-Fi.

You didn’t spend your time and money on those only to become a victim of cybercrime.

Your business is of interest to cyber criminals for two reasons: information and resources. The information on your computers might be useful in performing identity theft attacks on you, your employees or your clients.  Such attacks could give cybercriminals access to bank accounts and other information from which they can profit. The resources are your computer, your high-speed internet access, and your email.  If an attacker can gain control of them, your resources become THEIR resources.  They can use your devices to take control of even more computers, perform services like cryptocurrency mining or help attack a future target en-masse as part of a fleet of hacked (or “PWNED”) computers and devices called a botnet.

Even if you’re not worried about cybersecurity strategy, your clients may care.  Small businesses have a lot to lose if their brand is damaged by a cyber incident.  News of lost or stolen client information could disrupt the trust and reputation that such businesses run on.  A single security incident can quickly escalate and have a devasting impact on your business since alternatives to your services are only a Google search away.

You can think of the Internet as an unlocked back door to your business with a WELCOME sign on it.  You do not see it, you do not hear it open, and you really have no idea what is coming in or going out through that door.  You would never install such a door in your office but that is what you’ve done when you put an inadequately protected computer on the Internet.  Now further imagine that there are people running all around the neighbourhood, trying to find these unlocked back doors.  Sometimes they find one of these doors and it opens easily or unsuspecting person inside opens the door and just lets them right in.

That makes your business a target of opportunity no matter who you are.

Simple Alternatives To IT and Cyber-Security Staff

Many small businesses cannot afford their own IT and cyber-security staff.  Fortunately, there are readily available solutions.  Services like Google Cloud with Google Docs, or Microsoft365 + Microsoft OneDrive can provide you with all the backup, file management and self-protecting and self-maintaining software you need but without the need of additional staff just to maintain them.  The key element here is to buy legitimate copies of those systems from the manufacturer or other reputable sources. By leasing this software on a monthly or annual basis, your software will always keep itself up to date with the latest features and protection against the latest threats. The latest versions of Gmail and Microsoft Office365 Outlook, for example, are not just more resilient against malware, they also help detect and warn you of attacks against the people using the software. 

Using leased software and online storage also simplifies your ongoing administration – reducing it to little more than paying your online service fees and staying connected to the Internet.  That also frees up capital since you don’t need to buy multiple copies of entire software suites that are out of date after one year. 

Focus on Speed and Online Cloud Storage

Furthermore, instead of buying computers with lots of storage, you can focus on buying faster Internet access, and faster computers with minimal local storage since your files are kept on the cloud service. Online cloud services also allow you to go back in time to any previous version of a document and never lose your latest changes.  This means that malicious destruction or encryption of your files – by malware, ransomware, hackers or even disgruntled employees – will never be effective against you.  The online cloud services are protected by the best cybersecurity software and professionals that money can buy, giving your small business the benefits of top-notch cybersecurity.

Now that I’ve explained the case for a cybersecurity strategy in any and every small business, let’s save you some time and give you a checklist of what you need to do now, to protect the business that is the foundation of your success, your financial security and your future.

STAGE 1: Cleaning house

• 1. If you bought Windows or Office software from anywhere other than the manufacturer or a reputable store, then it is likely to have infected your computers with malware.
  Go to any local big box store that offers computer maintenance services and ask them to…
  • backup your data,
  • wipe your computer,
  • re-install a current and properly licensed Operating System and set it to automatically apply patches,
  • install good Anti-Malware Software
  • install DriveSync for Google Docs or Microsoft Office365 on a monthly lease,
  • install any other licensed software you own – just make sure to bring the installation media and license codes with you to the store.

• 2. Deep clean your computers every three months.
  • Boot your computer off your Anti-Malware DVD to run a full scan of your computer overnight or over the weekend.  Delete any malware it finds.

STAGE 2: Keeping Your House Tidy, Clean and Safe

• 3. Use unique strong passwords and keep them in a password keeper:
  • Get a password keeper on your smartphone. Popular password keepers include LastPass, DashLane, and 1Password
  • Have a unique password for EVERY individual website, bank account, and service you use. 
  • Use long passwords or passphrases. Passwords don’t have to be an undecipherable mess of uppercase, lowercase, numbers and symbols.  You can use longer sentences which are much more resistant to password cracking than short complex passwords. (e.g. The passphrase “The bathtub is full of Jello!!” is much easier to remember and harder to crack than “XqEzb1-!”).
  • Keep a copy of the password for your password keeper in the tool as well.  That password is needed to restore backups and transfer your passwords to a new device.

• 4. Set unique, fake answers for each Personally Verifiable Question (PVQ) on website or account.
  • Social media has been the biggest boon to hackers ever.  It provides them all kinds of personal information about potential targets every day.
  • If you set fake answers for personal questions, then hackers will never be able to use the real name of the street you grew up on to pretend to be you. 
    • First, do NOT use real answers for PVQs.  Make up the answers for each.
    • Second, do NOT use the same answer across different websites.
    • Third, save the questions and answers for each individual account or website in your password keeper too.
      
      
• 5. On your mobile device, activate and use biometric fingerprint (or “Touch-ID”) authentication.
  • It is MUCH faster than entering codes and will ensure you can always log in to your phone.
  • Turn on Touch-ID authentication on your password keeper.  That way you always have access to your passwords.
  • Register a few fingerprints from each hand, so if a finger is ever injured, you can still get into your smartphone.
  • Consider registering a fingerprint from a trusted business partner like your spouse or your lawyer, so that critical information can be passed on for business continuity.

• 6. Do not respond to unusual or unsolicited email or texts that…
  • Ask for your personal or financial information, or
  • Request you “verify” your bank or service accounts by clicking on their links.

• 7. Keep your personal and business information private:
  • People around you can see your smartphone and computer screens, so be careful about what you are sharing.
  • Everyone around you in your office or in public can hear your phone conversations so beware of how much you are sharing.

• 8. Arrange for basic computer and email cybersecurity training for you and your staff at least annually.

Humans are the weakest link in the chain of computer security, so it’s important to keep your whole team up-to-date on the basics :

• Using strong passwords or passphrases
  • basic terms in cybersecurity so that they can understand when they hear further news or warnings about cyber threats
  • how to recognize phishing emails that could trick the reader into clicking links which attack computers or mobile devices,
  • how to recognize the signs of a computer that has been compromised and what to do about it
  • avoiding dangerous practices like installing unapproved software onto your business computers

• 9. Plan ahead: find a local service that can help you deal with cyber incidents like data theft and compromised devices.
  • Keep their name, phone number and list of services in your smartphone’s contact list, so you can reach help quickly if you ever need to.

Have you ever been through a cybersecurity incident in the small business you owned or worked for? 

About The Author

Fabian Soler is a senior manager and cyber-security consultant in the Canadian financial industry. Over his two decades of information security experience, he has created end-to-end security programs, managed compliance for Canada’s largest white-label network, advised international banks and credit unions on infrastructure and security, delivered cyber awareness training and is currently assessing security for a range of high profile projects. Fabian holds GSEC, GSNA and CISSP® certifications in cybersecurity, and a degree in computer science from Queen’s University.

He is married with two children, one dog, and a flock of wild birds in the suburbs of the Greater Toronto Area. In his spare time, he reads up on topics in economics, defense, science and politics.  He also enjoys photography, bird watching, travel, fine wines and science fiction films.