While the data breaches that make the headlines – Target, Sony, Home Depot – may all be large corporations, that doesn’t mean small business owners aren’t at risk of having their valuable data compromised.
“Small businesses need to treat this seriously,” says Bob Weiss, CEO of Wyzguys Cybersecurity based in Bayport, Minn. “A lot think they are too small to be of interest to be a target, but they are enough of a target for a cyber crook in a foreign country. And most small businesses can’t survive that kind of a loss. If they’re attacked, they’re going to be done.”
Small business owners can take the following three strategic steps to start increasing their cybersecurity: Avoid data replication, have a data security plan and train their team.
The first step to securing your data is to conduct an internal data audit and figure out what kind of data you have and what is most important. “Data tends to clone and replicate itself,” says Doug Jacobson, director of the information assurance center at Iowa State University in Ames, Iowa. Avoid keeping multiple copies of your data. “There should be one central server, whether it’s the cloud or VDI (virtual desktop infrastructure), which is basically terminals on desks and a central server,” he says. “It’s easier to control one copy in one place than 100 copies in a 100 places.”
If you’re going to do online banking, Weiss suggests using a dedicated computer that only has an operating system and a browser. “It’s better if the OS is not Windows,” he says. “It can be as simple as a Chromebook. Google makes an Android variant called Chromium. These are limited in that these operating systems cannot install software, so you can’t install malware. You also can’t do emails or any casual web browsing.”
Not only should business owners limit the number of places where data is stored, but they also need to consider who should have access to that data. “Businesses tend to focus on passwords – the front door,” says Jacobson. “They want to make sure the door is locked, which is critical. But they need to look at who has access to the data on the inside. The overarching assumption that a company should work under is: ‘I’m going to get broken into.’ So compartmentalize it. You will potentially reduce what will eventually happen.”
Next, small business owners should have a technology plan in place that includes security. “The worst time to implement a security plan is after the fact,” says Jacobson. If you have customer data, make sure you have a plan for how you will deal with customers. If it is intellectual property, know how you will deal with vendors. If you are dealing with customer financial data, you can seek out assistance from your financial institution. Once you have an overall security plan in place, be sure to look at it once every six months or so. If you have a new acquisition or major change to your business, then you will want to reevaluate your plan.
Train Your Team
Last but not least, you should train your team to follow your security plan. “People are potential weak links,” says Jacobson. “Are copies of important data on everyone’s computer? It’s human nature to store and collect things.”
When you are dealing with malware, for example, an individual has chosen an easy password or, even more common, software gets downloaded. According to Weiss, more than two-thirds of cyber attacks start with an email containing a malicious link or attachment. They are crafted to be very compelling, whether it is a past-due bill alert that says, “Click here to open,” or a notice of a shipment delay that says, “Click here to track your order.” “The bad guys are able to get past all the security,” says Weiss. “They establish a Trojan horse that allows for remote access at a later point. They then move laterally through the network and engage in privilege escalation that can lead to a full-fledged breach.”
You need to train your employees to recognize a malicious email. “The user makes the mistake because they are not made aware or trained to be aware of security. They need to feel like they are a part of the solution.”
Your entire team should also be alert to changes on their screens or computer processing speed. “Watch for flickering of the monitor – these things are strangely slow,” says Weiss. “You want to get ahead of that earlier in the process. Don’t wait a month and live with it. During that time, the perpetrators have had plenty of time to move about the network.”
All businesses are at risk of a potential cyber attack. You can mitigate the risks, however, by containing your valuable data, creating an action plan for dealing with a security breach an
SooJi Min is a freelance writer and nonprofit executive based in Ann Arbor, MI. She has written on small business topics for Crain’s, Imagination Publishing and The University of Chicago Booth School of Business.