Recently I came across a survey of small business owners done by Oracle that had small business owners list their greatest stressors, and surprisingly security was second to last. So I started looking more and more at what small business owners are doing overall to protect themselves, and the rankings in the Oracle survey seem to match up with the apparent lack of security measures being implemented by many small businesses. For example, this graph shows the percent of small business owners that have implemented various security controls as of March 2017.
This makes sense when you take into account that 87% of small business owners say that they don’t believe they are at risk of a cyber attack (Manta). As a company that works with small businesses every day, we know that many don’t have the resources to hire a dedicated IT person, and that IT services from an outside company will not be the first thing they spend their money on. In most cases, though, going without any security help isn’t the best course of action for your business. I think we start every post about cybersecurity with the same advice, and this post is no different. You are not too small to experience a cyber attack. If you have data, cyber criminals want it, and you should be making every possible effort to keep them from it.
Implementing adequate security controls can be daunting, but we do this every day and want to help make it easier. So we’ve put together a list of the top 6 topics to help you start the discussion within your organization, so you can get your security measures headed in the right direction.
1. Securing Your Data
This is something every business needs to be doing. Making sure all your data is secure can be complex but a couple of the main things you need to discuss internally are:
- What data do we actually need? The less personal data you keep about your customers, the better. If you don’t need their social security number, don’t ask for it. Most customers don’t want to give it anyway, and then you’re off the hook for keeping it secure.
- Only keep data for as long as you need it. This is along the same lines as only collecting what you need, but if your retention policy states you have to keep data for five years, make sure you have a plan in place to get rid of it when that five year time span is up.
- Only give employees access to what they need. If your salesperson doesn’t need access to the database where sensitive data is stored, don’t give it to them. By only granting access where it’s needed, you reduce the number of entry points available to cybercriminals.
2. Secure Passwords & Authentication
These are two topics we talk about a lot and can’t stress the importance of enough. Internally we have password policies to ensure we are using complex and unique passwords. You can find a lot of good guidelines online to help if you’re not sure what these policies should look like for your business. (NIST Password Guidelines) We also use two-factor authentication on anything we possibly can. We dove into more depth on two-factor authentication in a recent blog post, but it’s essentially another layer of security between your data and the outside world, which is always a good thing.
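As an added illustration (not code from the original post), here is a small password-acceptance check in the spirit of the NIST SP 800-63B guidelines referenced above: enforce a minimum length, screen against a breached/common-password list and context-specific words such as the company name, and impose no composition rules or forced rotation. The blocklist and the `context_words` parameter are constructed for the example; a real deployment would screen against a full breached-password corpus.

```python
import unicodedata
from typing import Iterable, List

# Constructed stand-in for a breached/common-password corpus. NIST SP 800-63B
# calls for screening candidate passwords against such a list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets


def normalize(password: str) -> str:
    """Unicode NFKC normalization so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately no 'must contain a digit/symbol' rule: length and blocklist
    screening do more for security than composition requirements.
    """
    pw = normalize(password)
    lowered = pw.lower()
    reasons: List[str] = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    if lowered in COMMON_PASSWORDS:
        reasons.append("appears in the common/breached password list")

    # Context-specific words: company name, username, product name, etc.
    # (hypothetical parameter supplied by the caller)
    for word in context_words:
        w = word.lower()
        if len(w) >= 3 and w in lowered:
            reasons.append(f"contains context-specific word '{word}'")

    # Trivial patterns: one repeated character or a straight run like 12345678.
    if len(set(lowered)) == 1:
        reasons.append("single repeated character")
    elif len(lowered) > 1 and all(ord(b) - ord(a) == 1 for a, b in zip(lowered, lowered[1:])):
        reasons.append("sequential characters")

    return reasons


def is_acceptable(password: str, context_words: Iterable[str] = ()) -> bool:
    """Convenience wrapper: True when no rejection reasons apply."""
    return not check_password(password, context_words)
```

A passphrase like "correct horse battery staple" passes every check here, while a short or common string is rejected with a reason you can show the user.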
3. Network Segmentation
This is something we have seen as an issue for a lot of the small businesses and organizations we talk to. So often the main goal is just to get the network up and running, meaning that not a lot of thought or time is put into who can access that network and who shouldn’t be able to. For businesses that have clients in and out of their office, having a dedicated guest network is important. A segmented network not only keeps too many people from weighing down your employee network, but it also ensures that guests have absolutely no pathway to important internal resources (like your server) that contain sensitive data. For more information on network segmentation, head over to our post on why you should have an internal and a guest network.
4. Updates & Patching
It’s time to stop ignoring update notifications. Yes, the popups are annoying, but the updates are released for a reason. Your business should have rules and procedures in place for employee devices to ensure they are being updated. You should also make sure you have a maintenance schedule for your larger hardware (servers) and operating systems. This is where having a service provider manage all your devices can come in handy, as they should have a schedule to make sure updates are being applied promptly and correctly.
5. Mobile Device Management
With more and more of today’s employees working remotely, it’s increasingly important to make sure that their devices are secure and that you have the ability to erase company information should that device be lost or stolen. We recently blogged about how we manage employee mobile devices and how MDM can keep everyone’s devices secure.
6. Train Your Employees
All of your procedures and security tools are a good base for keeping your data secure, but human error will always be one of your biggest areas of concern. If your employees don’t know what to look out for, or don’t understand the consequences of not being on alert, they could be the opening cybercriminals use to gain access to your network and data. We put together a simple guide for creating a cybersecurity training program, with steps to ensure that the training sticks with your employees.
We know this seems like a lot to talk about and can be a little overwhelming, but that’s why we are here to help! We make sure all these security measures, and more, are taken care of for our clients all over Austin every day, so they can stop stressing about their technology and get back to what they do best.