Protect Your Business Continued

Greg Price

Last week I referenced the Verizon breach report and some of the key observations among the data.

Small businesses are a favorite target for cyberattacks.

I offered two “stacks” of suggestions: the easy-to-do stack and the more-difficult stack.  Each stack represents best practices for improving your cybersecurity posture and reducing data breach risk.

The “easy” stack included suggestions for raising employee awareness, managing backup routines, enabling automatic updates, upgrading password hygiene, and strengthening physical security.

The “difficult” stack is heavy with policy and planning.

Verizon’s report revealed that an incredible sixty percent of small businesses that suffered a data breach were closed within six months of the cybersecurity event.

Why?

Obviously, cost and damage to reputation account for many of the closures.  However, given that small businesses often operate on razor-thin margins, and that owners are also operators, time is a precious resource.

As a result, expending time on building technology-usage plans and incident response plans is not a front-burner priority.  Making payroll and improving revenue are vital to the business’ success, not a plan that may never be used – at least, that’s a common thought.

However, let’s suppose you operate a business that is dependent upon mechanical devices.  Your ability to produce is dependent upon machines and, more specifically, upon the efficient operation of those devices.

If a device breaks, many small-business owners have the expertise to repair their equipment themselves; in fact, their knowledge of the functional side of the business is often the value they depend upon for success.  Manuals and a network of knowledgeable resources complement what the owner may lack.

What happens when a data breach occurs?

Choose your own adventure – a hacker breaks into your business software and steals customer data.  Or, a ransomware attack is successfully deployed via an email and all of your computers and cash registers are broken.  Or, perhaps, a thief smashes a window and walks away with your server.

What do you do?

If a piece of vital equipment broke, you’d employ your own knowledge, or your knowledge network, to repair the device.

In other words, you would launch a repair plan.

The same must exist with your IT operations.  A plan is needed, especially if IT isn’t your core business function.

Enter the IT plans.

A written security policy is necessary for modern businesses.  In some instances, a security policy is a regulatory requirement.

In Alabama, the new data breach notification law requires that businesses evaluate and implement reasonable security measures – a security policy/plan will assist in those efforts.

While there’s no penalty for not being proactive, if a breach does occur, the absence of a written security policy will not help your situation.

A good security policy outlines how you manage customer data, how you protect it, and, if an incident occurs, what you do to respond.

I suggest considering the plan as a blueprint for you and your employees: if something goes wrong, it’s a basic manual for controlling the situation.

A good starting place for policies is the set of templates designed by security experts.  Free templates are available at https://www.sans.org/security-resources/policies.

Review the policy templates and tailor them to your specific needs.  Share them with your employees and review them, at least annually.

Encryption is another must.

Encryption of your data reduces the likelihood of the data being read by an unintended recipient.  Most modern operating systems provide a mechanism by which you can encrypt your local data.  By enabling local encryption on your office devices, you reduce data loss through physical theft.  If someone breaks into your office and steals a computer, an encrypted device presents a formidable challenge to the thief.  Similarly, using encryption for accessing email and other sensitive systems is important.  If you employ a commercial email product, encryption is always included in the solution; simply verify that it is enabled.

Backups, part two.

I mentioned the importance of backups last week.  However, in addition to establishing a backup routine and testing the quality of your backups, there are a few additional items to consider.

The purpose of a backup is to restore lost data.

If your backup solution doesn’t encrypt your data, you should enable backup encryption.  If a data thief gains access to backups that aren’t encrypted, you’ve provided a nice package that enables easy theft of volumes of data from one location.

Also, consider your backup strategy.

Are you depending on a local device for backup, such as an external hard drive or tape?  Do you depend on a cloud backup, such as Microsoft OneDrive?

Redundancy is important.  If you back up data to a local external hard drive, that’s great – make sure it’s encrypted and stored safely.  But what do you do if the hard drive fails?  What do you do if your cloud provider is down when you need to restore lost data, or if your internet service provider is experiencing problems?

Redundancy provides extra protection and can be accomplished very simply.  In fact, for small businesses, the tools are often available with current software subscriptions; the features simply need to be activated.

And, lastly, data destruction and life cycle should be reviewed.

Don’t hoard electronic data.  If you have no regulatory requirement or business need to maintain copies of unused data, get rid of it.  Dispose of the data properly; use verified tools for deletion of the data.  By doing so, you reduce the amount of data that a would-be bad actor can access, and you make your systems run more efficiently.

Last week’s small, easy tasks will enhance your security posture quickly.

This week’s suggestions require more planning and thought.  However, there are many free sources for technology and security plans, and most modern software provides the enhanced features that I mentioned.

Be safe and protect your business and your customers’ data.

Protect Your Business

Greg Price

When web presences began to take off, it was debatable what constituted an effective site. Thirty years later, I hear the same questions being asked. Do updated graphics and imagery attract more customers? Does frequently-updated content bring customers to your site? Does intuitive navigation make any difference? What about mobile compatibility? Adaptive needs support? Search engine placement? Social media presence?

The list is extensive and seems to repeat every few years, or whenever a new platform or service emerges.

All of those items are important to a successful business presence, especially a business that is driven by an online customer base. And, you shouldn’t neglect securing your online business presence.

However, I’d argue that there are other items of equal, perhaps, more significant importance when evaluating your business technology operations.

Not paying attention is a problem in different avenues. Technology is synonymous with change. If you use technology and expect it to simply keep running with no maintenance, you’re setting yourself up for failure.

Your information technology is no different than mechanical devices. Information technology requires attention. Complacency with all technology will result in poor performance, and, ultimately, failure.

Verizon produces an annual data breach investigation report. The information housed within the report is outstanding and terrifying.

Small businesses are a favorite target for cyberattacks.

According to the most recent Verizon report, almost two-thirds of all cyberattacks were directed at small businesses and individuals. The average cost for a business to recover from a successful cyberattack exceeded $400,000. And shockingly, nearly sixty percent of all businesses go out of business within six months of a successful cyberattack.

In the same report, a survey revealed that ninety percent of small businesses don’t use any data protection at all for company and customer information.

Wow. Ninety percent of small businesses do not use any software or service to protect data.

I’m not a website expert, but I’ll offer this: it doesn’t matter how pretty your website’s images are or how well you place in search engine results; if you can’t protect your business data and customer data, you won’t be in business long. Similarly, your Twitter account might be on fire, but if you hemorrhage data, your social media site will become a collection of outdated memes and twisted puns.

So, what are you to do? How do you protect your business and your customers?

Ordinarily, this is where a list would emerge. A top ten, or, top five delineation of chores to review or pursue.

For this discussion, let’s keep things simple. We have two stacks: the easy items and the more difficult items.

Let’s start with the easy stack.

Raise employee awareness. Human error accounts for a sizable portion of successful cyberattacks. If you fail to inform your employees about the importance of data management and securing information, you shouldn’t be surprised that they open all email attachments and click every link in every email message. Set the stage with commonsense advice: beware of fake invoices, don’t open unsolicited email attachments, don’t click on peculiar links, ask for help before “trying” a new app on your work device. If you train staff to spot and report security concerns, you will create a solid defense.

Backup your data. Often. Yes, more than once a month.

Regular backups are necessary. If you experience a ransomware attack or the loss of storage systems, a recent backup will have you up-and-running quickly. That is, if you also test your regularly-occurring backups.

You only cover half the field by starting a frequent backup process. If you don’t test those backups, you cannot have confidence in the process.

Backup frequently and test regularly.
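As an added illustration of the two backup points above (test the quality of your backups, and back up often), the following Python script is mine and is not part of the column: it archives a folder, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and compares every file against that manifest, then shows what a stale backup leaves out when work continues after it was taken. The office-data folder and its files are constructed for the demo; encrypting the archive at rest, which the column also recommends, is a separate step not shown here.

```python
"""Added example (not from the column): back up a folder, then prove the backup restores intact.

Assumptions: the "office-data" directory and its files are constructed here for the demo;
the archive is a plain tar.gz (encrypting it at rest is a separate step not shown).
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash one file in chunks so large files don't have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Write source into a tar.gz archive and return the manifest taken at backup time.

    Keep the manifest alongside the backup: a later test restore is checked against it.
    """
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest_for(source)


def verify_restore(archive: Path, expected: dict) -> dict:
    """Restore the archive into a scratch directory and compare it file by file.

    A backup that has never been restored is a hope, not a backup; this is the test.
    """
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # Python 3.12+ (and security backports) reject entries that escape dest.
                tar.extractall(dest, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(dest)
        restored = manifest_for(dest)
    return {
        "ok": restored == expected,
        "missing": sorted(k for k in expected if k not in restored),
        "corrupted": sorted(k for k in expected if k in restored and restored[k] != expected[k]),
    }


def run_demo() -> tuple:
    """Back up constructed sample data, test the restore, then show what a stale backup misses."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "office-data"
        (source / "customers").mkdir(parents=True)
        # Constructed sample files standing in for real business data.
        (source / "customers" / "orders.csv").write_text("id,total\n1,19.99\n")
        (source / "notes.txt").write_text("call supplier Monday\n")

        archive = work / "office-data.tar.gz"
        manifest = make_backup(source, archive)
        fresh = verify_restore(archive, manifest)  # ok, nothing missing

        # Work continues after the backup; a file created later is not in the archive.
        (source / "customers" / "refunds.csv").write_text("id,amount\n1,5.00\n")
        stale = verify_restore(archive, manifest_for(source))  # refunds.csv reported missing
    return fresh, stale


if __name__ == "__main__":
    fresh, stale = run_demo()
    print("fresh backup restores intact:", fresh["ok"])
    print("stale backup is missing:", stale["missing"])
```

Run the script on its own to see both results. The point of the second check is the one the column makes in plain words: a backup taken monthly tests fine against the manifest it shipped with, yet it still cannot restore anything created since, so frequency and testing are two separate habits.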

Install anti-virus and anti-malware software and enable automatic updates and scans. This is an easy, low-cost protection. Yes, the software will slow your computers. Would you rather the computers work slowly or not at all?

Update your software, especially the operating system. Modern operating systems can install and update patches automatically. If your business efforts can accommodate a fast, frequent patching process, enable automatic updates. If you have a business need to review the patches and install manually, schedule at least once per month.

Use complex passwords or passphrases. Don’t use easy passwords, just don’t. The would-be bad guys enjoy easy passwords – they’re the gift that keeps on giving. Where available, enable two-factor authentication. Often, the service is included in modern software – turn it on and raise the difficulty of breaking into your systems.

Survey your paper documents and how you store your various computing devices.

Do you have paper scattered everywhere? Are filing cabinets locked? Are computers locked and secured to a heavy structure? Do employees walk around with USB thumb drives? Do you shred all discarded documents?

Physical security is vital. Not all theft of data occurs through a cyberattack. Crafty criminals will dig through trash, collect items from desks, take photos of computer screens, or, walk out the door with a computer.

And lastly, don’t allow personal devices on your networks. You have too much to worry about already as a small business owner. Your employees’ cellphones aren’t your concern and shouldn’t have access to your business network. Eliminate the security risk by refusing to allow the devices.

Small, easy tasks will enhance your security posture quickly.

And now, let’s move to the more difficult stack. Be safe and we will continue next time.