Data breaches, phishing scams and ransomware attacks are everywhere and show no signs of waning. For the small business owner, reading the technology news today is sure to create anxiety and worry. It’s hard enough to protect a single computer at home from infections and data theft. Small business computer networks have more components and, arguably, more sensitive data like client files and financial records. You not only have to protect your own company’s data, but also your client, customer, or patient information. Data loss or theft is only part of the risk; some industry regulations in healthcare and finance enforce hefty fines for businesses that fail to follow best IT security practices.
While computer security is a vast and many-layered subject, there are a few relatively simple steps that every small business can take to vastly improve security. Much of this advice is not new, but small businesses continue to routinely ignore it because they don’t think they’re at risk. According to Security Magazine, only 31% of small businesses take active measures to guard themselves against security breaches. However, more than 70% of cyberattacks target small businesses, most likely because criminals know just how negligent those companies are when it comes to securing their IT systems. These 6 simple tips are easy to implement and, in most cases, don’t cost anything except a few hours of your or your IT staff’s time, so there’s no excuse not to consider them.
Step 1: Keep your operating system up to date
There was a time, many years ago, when you could argue that automatic updates were as much a hindrance as a help. Early on in Microsoft’s automatic updates, some patches could cause blue screens or incompatibility issues. Luckily, those days are long gone, and it is far more prudent to keep up to date on patching than to forgo it. Hackers and malicious software target known vulnerabilities far more often than “zero-day” exploits, so making sure all of your systems are fully patched is one of the best ways to prevent damage from malware and data theft. (NOTE: If you are already a RED74 client, we patch your systems automatically and monitor for any missing patches…you’re covered on this one.)
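A quick way to check whether a Windows machine is actually “fully patched”, as an added example that is not part of the original article or RED74’s own tooling: it queries the built-in Windows Update Agent COM interface for updates that are downloadable but not installed, and reads the date of the most recent hotfix. The 45-day threshold and the severity filter are assumptions you can tune; run it per machine (for example through Invoke-Command) to build a missing-patch report for the whole office.

```powershell
# Added example: report pending Windows updates and the age of the last
# installed patch, using only what ships with Windows (no extra modules).
function Get-PatchStatus {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Not installed, not hidden, software (not drivers): the updates that
    # close the known vulnerabilities attackers go after first.
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $lastFix  = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        LastPatchDate   = $lastFix.InstalledOn
        DaysSincePatch  = if ($lastFix.InstalledOn) { (New-TimeSpan -Start $lastFix.InstalledOn).Days } else { $null }
        PendingTotal    = $pending.Count
        PendingCritical = @($pending | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' }).Count
        PendingTitles   = @($pending | ForEach-Object { $_.Title })
    }
}

$status = Get-PatchStatus
$status | Format-List

# Alert thresholds (assumed values): any Critical/Important update still
# pending, or no patch installed in 45 days, means this machine is not
# "fully patched" and should be looked at today.
if ($status.PendingCritical -gt 0 -or $status.DaysSincePatch -gt 45) {
    Write-Warning ("{0}: {1} critical/important updates pending, last patch {2} days ago" -f
        $status.Computer, $status.PendingCritical, $status.DaysSincePatch)
}
```

Treat the pending list from the Update Agent as the authoritative answer; Get-HotFix only shows what has been installed and can lag behind, so a recent hotfix date by itself does not prove nothing is missing.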
Step 2: Get rid of weak passwords
I’m sure you are hearing about stronger passwords all the time, but I’ll bet you also have a couple of “pet” passwords that you still haven’t changed since you had an AOL account and a floppy disk drive in your PC. Weak passwords are one of the most common ways hackers break into systems. Aim for at least ten characters and don’t use dictionary words, names, phone numbers, etc. Enforce a password policy for all of your employees. This is very easy to do within Microsoft’s Active Directory. If you don’t have a Microsoft AD environment or a server, there are other ways to enforce this; contact us for additional advice if that is your situation.
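Here is what “enforce a password policy in Active Directory” looks like in practice, as an added example rather than code from the original article: it reads the default domain password policy, flags the settings that still allow weak or reusable passwords, and then applies the article’s ten-character minimum along with complexity, history and lockout settings. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined admin workstation; the domain name is a placeholder, and the history and lockout values are suggested baselines, not requirements from the article.

```powershell
# Added example: audit and tighten the default domain password policy.
Import-Module ActiveDirectory

$Domain    = 'corp.example.com'   # placeholder: replace with your own domain
$MinLength = 10                   # the article's minimum

# 1. Read the policy that applies to every account that has no fine-grained policy.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$policy | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
    LockoutThreshold, LockoutDuration, MaxPasswordAge | Format-List

# 2. Flag the settings that let weak or "pet" passwords survive.
$findings = @()
if ($policy.MinPasswordLength -lt $MinLength) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength); want at least $MinLength"
}
if (-not $policy.ComplexityEnabled) {
    $findings += 'Complexity is disabled: plain dictionary words and names are accepted'
}
if ($policy.LockoutThreshold -eq 0) {
    $findings += 'LockoutThreshold is 0: unlimited guesses against every account'
}
if ($policy.PasswordHistoryCount -lt 12) {
    $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount): old passwords can be cycled back in"
}

if ($findings.Count -eq 0) {
    'Default domain password policy meets the baseline.'
    return
}
$findings | ForEach-Object { "FINDING: $_" }

# 3. Apply the baseline. -WhatIf prints the change without making it;
#    remove it once you have reviewed the findings above.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength $MinLength `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -WhatIf
```

Existing passwords are not checked retroactively; the new minimum applies the next time each user changes their password, so pair the policy change with a forced reset for any account you know still carries an old favourite. If administrators should be held to a longer minimum than everyone else, a fine-grained password policy (New-ADFineGrainedPasswordPolicy) layered on top of this default is the standard way to do it.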
Step 3: Strengthen physical security
Your server room holds “the keys to the kingdom” for your computer network. While uncommon, it’s not unheard of for businesses to experience theft of the old-fashioned kind (i.e. physical break-ins) or even vandalism from intruders or disgruntled employees. It is best to lock your server room and network equipment room, and only give access to authorized employees. Any office with a computer that accesses sensitive data should also be locked when no one is there.
Step 4: Don’t share administrator accounts
It is understandable that more than one employee may need administrative access to your systems, not to mention third-party software vendors. But you should avoid letting more than one person use the same account to make changes to your computers. On top of being a security liability, a shared account also makes it much harder to track down data breaches and other problems in system logs. Each user should have her own admin account (separate from her regular user account) to be used only for administrative functions. That account should also follow the principle of “least privilege” wherever possible.
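To find out whether this rule is being followed today, the following audit lists everyone in the privileged Active Directory groups and points out accounts that look shared (generic names such as “admin” or “vendor”) or that double as somebody’s everyday login. This is an added example, not part of the original article; it assumes the ActiveDirectory module and a naming convention where dedicated admin accounts start with “adm-”, which you should change to match your own.

```powershell
# Added example: audit privileged group membership for shared or
# dual-purpose admin accounts.
Import-Module ActiveDirectory

$AdminPrefix  = 'adm-'                      # assumed naming convention for dedicated admin accounts
$GenericNames = @('administrator', 'admin', 'sysadmin', 'itadmin', 'vendor', 'support', 'backup')
$Groups       = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Expand nested groups so an account hidden two levels down is still listed.
$members = foreach ($g in $Groups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}

foreach ($m in $members) {
    $issues = @()
    if ($GenericNames -contains $m.SamAccountName.ToLower()) {
        # A name nobody owns cannot be tied to a person when you read the logs.
        $issues += 'generic name: probably shared; logs will not say who acted'
    } elseif ($m.SamAccountName -notlike "$AdminPrefix*") {
        # No admin prefix usually means the same account reads email and browses the web.
        $issues += 'not a dedicated admin account: likely also used for daily work'
    }
    if ($m.Enabled -and $m.PasswordLastSet -lt (Get-Date).AddDays(-365)) {
        $issues += 'password older than a year'
    }
    if ($m.Enabled -and -not $m.LastLogonDate) {
        $issues += 'never logged on: stale entry, remove from the group'
    }
    if ($issues) {
        '{0}\{1}: {2}' -f $m.Group, $m.SamAccountName, ($issues -join '; ')
    }
}
```

The built-in Administrator account will always appear here; the point of listing it is to confirm that nobody uses it day to day and that its password is held by one named person. Vendors who need admin access get their own named accounts too, enabled only for the duration of the work.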
Step 5: Don’t leave temporary fixes in place permanently
This step requires a little bit of homework. Just like “duct tape” jobs at home, your company’s IT environment may have a few unfinished projects that introduce vulnerabilities. It’s like leaving an extension cord plugged in long after it’s needed, until it becomes a tripping hazard. For example, you may have an old script to copy files that contains the administrator password in plain text. Or your employees share a single Scan folder that never gets cleaned out, and sensitive documents are sitting in there. Make it a habit to maintain a list of these stop-gap measures with a date to revisit each one. While some duct taping can’t be avoided in the short term, it is a good idea to replace those temporary fixes with permanent and secure ones.
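The copy-script example above is common enough to deserve a concrete before-and-after. The block below is an added example, not code from the original article: the first part shows the kind of script the article warns about (the password is a constructed sample), the second part searches your script folders for the same pattern, and the third part is the replacement, which stores a credential encrypted with Windows DPAPI for a dedicated, low-privilege service account instead of embedding the administrator password. Server, share, account and folder names are placeholders.

```powershell
# Added example: plaintext credential in a stop-gap script, how to find
# such scripts, and the hardened replacement.

<# --- BEFORE: the "duct tape" version the article describes. Anyone who can
       read this file (or a backup of it) now has the administrator password.
$user = 'CORP\Administrator'
$pass = 'Summer2014!'                      # constructed sample, not a real password
net use Z: \\fileserver\finance $pass /user:$user
Copy-Item C:\Data\*.xlsx Z:\Archive\
net use Z: /delete
#>

# --- FIND: scan the usual script locations for embedded credentials, so they
#     can go onto the revisit list with a date. Patterns are assumptions; extend them.
$ScriptRoots = @('C:\Scripts', 'C:\Tasks', '\\fileserver\it\scripts')   # placeholders
$Patterns    = @('/user:', 'password\s*=', '-Password\s+\S', 'ConvertTo-SecureString.*-AsPlainText')
Get-ChildItem -Path $ScriptRoots -Recurse -Include *.ps1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
    Select-String -Pattern $Patterns |
    Select-Object Path, LineNumber, Line |
    Export-Csv -Path 'C:\Scripts\credential-findings.csv' -NoTypeInformation

# --- AFTER, step 1 (run once, interactively, AS THE ACCOUNT THAT WILL RUN THE TASK):
#     Export-Clixml encrypts the password with DPAPI, so the file is only
#     readable by that Windows account on that machine.
#
#     Get-Credential 'CORP\svc-archive' | Export-Clixml -Path 'C:\Scripts\svc-archive.cred'
#
#     'svc-archive' is a dedicated account with read access to C:\Data and
#     write access to the Archive folder only; it is not an administrator.

# --- AFTER, step 2: the scheduled copy script. No secret appears in the file.
$cred = Import-Clixml -Path 'C:\Scripts\svc-archive.cred'
New-PSDrive -Name Archive -PSProvider FileSystem -Root '\\fileserver\finance' -Credential $cred | Out-Null
try {
    Copy-Item -Path 'C:\Data\*.xlsx' -Destination 'Archive:\Archive\' -ErrorAction Stop
} finally {
    Remove-PSDrive -Name Archive
}
```

If the scheduled task runs as a different account than the one that created the .cred file, Import-Clixml fails with a decryption error rather than silently falling back, which is the behaviour you want. Replacing the administrator password with a least-privilege account is the real fix; the encrypted credential file only keeps the secret out of plain text.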
Step 6: Backups, backups, backups!
It can’t be repeated often enough: backups are your number one, positively crucial, never-skip-over protection against data loss. Technically, backups are not really a security tool per se, but they do contribute to an effective overall IT strategy. While a backup does absolutely nothing to proactively secure your systems, it is your most valuable remediation tool when it comes to ransomware attacks. Ransomware like Cryptolocker and its variants encrypts your data and holds it for ransom, forcing you to pay a fee to unlock it. To avoid having to pay criminals to get your data back, and to restore productivity quickly, make sure you run your backup nightly and check its integrity.
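“Check its integrity” is the part most small businesses skip, so here is one way to make it routine, as an added example that is not from the original article or any particular backup product: the nightly job writes a SHA-256 manifest of what it backed up, and a morning check confirms the job ran, that every file is still present and unchanged, and that at least one file can actually be restored. Paths are placeholders; the 26-hour freshness window assumes a nightly schedule.

```powershell
# Added example: hash manifest at backup time, verification the next morning.
function New-BackupManifest {
    param([string]$BackupRoot, [string]$ManifestPath)
    # Record path, size and SHA-256 of every file the backup produced.
    Get-ChildItem -Path $BackupRoot -Recurse -File |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($BackupRoot.Length).TrimStart('\')
                Length       = $_.Length
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-Backup {
    param([string]$BackupRoot, [string]$ManifestPath, [int]$MaxAgeHours = 26)
    $problems = @()

    # 1. Did last night's job run at all? A manifest older than one cycle means it did not.
    $age = (Get-Date) - (Get-Item -LiteralPath $ManifestPath).LastWriteTime
    if ($age.TotalHours -gt $MaxAgeHours) { $problems += "manifest is $([int]$age.TotalHours) h old; the nightly job did not run" }

    $manifest = @(Import-Csv -Path $ManifestPath)
    if ($manifest.Count -eq 0) {
        $problems += 'manifest is empty; the backup copied nothing'
        return ($problems | ForEach-Object { "FAIL: $_" })
    }

    # 2. Is every file still there and unchanged? Ransomware that reaches the
    #    backup share rewrites or deletes files, so hashes change or entries vanish.
    foreach ($entry in $manifest) {
        $path = Join-Path $BackupRoot $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path)) { $problems += "missing: $($entry.RelativePath)"; continue }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $entry.SHA256) { $problems += "modified: $($entry.RelativePath)" }
    }

    # 3. Prove a restore works: pull one random file out and hash the copy.
    $sample   = $manifest | Get-Random
    $restored = Join-Path $env:TEMP ('restore-test-' + (Split-Path $sample.RelativePath -Leaf))
    Copy-Item -LiteralPath (Join-Path $BackupRoot $sample.RelativePath) -Destination $restored -Force
    if ((Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash -ne $sample.SHA256) {
        $problems += "test restore of $($sample.RelativePath) failed"
    }
    Remove-Item -LiteralPath $restored -ErrorAction SilentlyContinue

    if ($problems) { $problems | ForEach-Object { "FAIL: $_" } }
    else           { "PASS: $($manifest.Count) files current, intact and restorable" }
}

# Nightly, after the backup job (placeholder paths):
#   New-BackupManifest -BackupRoot 'E:\Backups\Nightly' -ManifestPath 'E:\Backups\Nightly.manifest.csv'
# Every morning, from a different machine than the one that wrote the backup:
#   Test-Backup -BackupRoot 'E:\Backups\Nightly' -ManifestPath 'E:\Backups\Nightly.manifest.csv'
```

Keep a second copy of each manifest somewhere the backup server cannot write to; if malware that encrypts the backup share could also rewrite the manifest, the check would pass on corrupted data. For the same reason, at least one backup copy should be offline or otherwise unreachable from the machines it protects.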
As I mentioned earlier, these tips are nothing new or exciting. There are more comprehensive and in-depth security solutions available. However, these 6 steps are easy to perform and they will put your business in a much safer space than if you continue to ignore them.