While advanced forms of cybersecurity measures can be costly and time-intensive, there are numerous practices small businesses can incorporate that cost little or no money and go a long way in providing extra cybersecurity. Examples of these practices include properly constructing and protecting passwords across the business; ensuring that systems (including firmware and software elements) are updated safely and regularly; encrypting stored information and e-mail communications; effectively controlling employee access to company assets; securing company wireless networks; creating policies for account setup and credential sharing, and generally implementing best practices regarding network setup and device management both internally and externally.
This article discusses each of these topics in turn, pointing out common cyber security mistakes that small businesses make and offering recommendations for avoiding them.
Do's and Don'ts of password usage
Good password practices are probably the most important and lowest-cost part of an effective information technology management plan. Millions of people still use weak passwords, and experts estimate that at least half of all passwords can be cracked by brute-force or dictionary attacks. Since small businesses are seeking to maximize low-cost preventative methods, using strong passwords is an essential tactic for securing their accounts, data, and other assets. Below are two lists outlining standard “Dos” and “Don'ts” for creating and managing passwords.
- Do use long passwords. NIST SP 800-63B sets a minimum of 8 characters for user-chosen passwords and favours length over mandatory mixes of character types; 12 or more characters is a sensible floor for business accounts, and mixing numbers, upper- and lowercase letters and symbols widens the search space further. Short passwords drawn from a single character class can be brute-forced in well under a day.
- Do enable multi-factor authentication wherever it is offered, especially for e-mail, remote access and administrative accounts.
- Do use a passphrase (a series of unrelated words, or a phrase tied to something only you would know and an attacker could not look up) if random character strings are too hard to remember; length matters more than symbol mix.
- Do change passwords for critical tools, sites or applications immediately whenever compromise is suspected (a phishing link that was clicked, a vendor breach notice, a shared password that got out). NIST SP 800-63B no longer recommends forced periodic changes on their own, because users respond with predictable variants; some administrators still rotate credentials for particularly sensitive systems.
- Do immediately change default passwords on all programs and hardware.
- Do not use simple passwords made of easy-to-guess or easy-to-find personal information like birthdays, first or last names, street names, names of children or spouses, or references to pop culture. This is especially true for C-level management, as their information is easy to find on common business research websites.
- Do not use the same password for multiple accounts.
- Do not write down passwords and post them where they can be easily seen by passersby.
- Do not store passwords in plain-text documents on your desktop; use a password manager, which keeps them encrypted behind one strong master password.
- Do not openly share passwords with other employees.
- Do not automatically let browsers save your passwords for online applications or accounts.
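To make the length and composition points concrete, here is a small password checker added for this article (it is not from the original page or from NIST). It estimates the worst-case time for an exhaustive search at an assumed rate of 10 billion guesses per second, which is realistic for an offline attack on a fast hash with GPU hardware, and it flags the dictionary, year and personal-information mistakes that a pure size estimate misses. The blocklist, the rate and the personal terms are constructed stand-ins.

```python
import re

# Constructed blocklist for illustration only; a real deployment checks
# against a large list of breached passwords (assumption: you maintain one).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Assumed attacker speed: 10 billion guesses per second (offline attack on a
# fast, unsalted hash with GPUs). Adjust to your own threat model.
GUESSES_PER_SECOND = 1e10

# Four-digit years are a favourite filler ("Summer2016", "Company2024").
YEAR_PATTERN = re.compile(r"(?:19|20)\d{2}")


def charset_size(password: str) -> int:
    """Size of the smallest alphabet an attacker would need to try."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation (32) plus space
    return size


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust every string of this length and alphabet."""
    return charset_size(password) ** len(password) / rate


def check_password(password: str, personal_terms=(), min_length: int = 12) -> list:
    """Return a list of findings; an empty list means no policy violation."""
    findings = []
    lowered = password.lower()
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS:
        findings.append("appears in common-password list")
    if YEAR_PATTERN.search(password):
        findings.append("contains a year")
    for term in personal_terms:
        if term.lower() in lowered:
            findings.append(f"contains personal term '{term}'")
    if brute_force_seconds(password) < 24 * 3600:
        findings.append("exhaustive search takes under one day")
    return findings


if __name__ == "__main__":
    for pw in ("password", "Summer2016", "correct horse battery staple xylophone"):
        print(f"{pw!r}: {check_password(pw, personal_terms=['summer']) or 'OK'}")
```

Note that the size estimate alone would rate "Summer2016" as taking years to crack; it is the year and dictionary checks that catch it, which is why a real policy should check candidates against a breached-password list rather than count character classes.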
Update outdated operating systems and software
Because they are operating on tight budgets, many small businesses keep using the same software and hardware for years after purchase, installation and setup. However, running outdated systems presents excellent opportunities for exploitation: vulnerabilities are common across virtually all operating systems and software, and any found after a product's last update stay open.
Software vendors are constantly discovering bugs and issuing patches (updates that fix security flaws or improve usability). Even a few months of deferred updates noticeably increases the chance that an operating system or application can be compromised, because attackers routinely compare a patch with the previous version to work out what it fixes. Vendors issue updates precisely because they have found vulnerabilities or defects that reduce the security, performance or usability of their products.
A well-known example of a widely used application that was abandoned and left unsupported is Internet Explorer. In January 2016 Microsoft ended support for older versions (Internet Explorer 8, 9 and 10) and clearly warned users to move to the newest version. Nonetheless, many continued to use unsupported versions daily, needlessly exposing themselves to risk.
It is vitally important to note that essentially ALL software products need to be updated, including the services and products used for hosting websites. Some of the most commonly exploited vulnerabilities are found by attackers who scan websites en masse for outdated server software or other easily located weaknesses. Because these vulnerabilities are usually discovered by security researchers, they are typically published in public vulnerability databases and advisories. Unfortunately, that makes them easy for attackers to find and use for malicious purposes. Be sure that your hosting providers and outsourced technology partners also follow best practices.
Lastly, verify that installed products are still supported by their vendors. Vendors normally publish patches and security advisories on their own websites, so check there if you learn of a vulnerability or suspect a product is misbehaving; a product whose vendor no longer issues patches should be replaced.
Update software that does not usually get updated
Similar to software, it is also crucial that “out of the way” devices like wireless access points, routers and firewalls are updated promptly. The code running on these devices is called firmware (low-level software stored on the device itself that makes the hardware function), and it is updated separately from ordinary applications. Firmware updates usually take a little more effort to deploy, but they are essential to properly securing network hardware.
Make sure that all former employees do not have leftover access
There is a standard set of protocols that any business should follow when an employee voluntarily leaves or is fired. Verifying that departing employees no longer have access to any company information or property like passwords, devices, remote access, and more should be a top priority for HR and IT administrators.
Be aware that failing to properly cut off a disgruntled former employee's access to systems and applications places the organization at serious risk and may expose it to regulatory penalties if it is covered by rules like HIPAA. Below is a list of basic steps to follow when an employee is separated:
- Remove or deactivate an employee’s accounts/access (e-mail, proprietary servers, laptops/desktops).
- Change all network and workstation passwords that the employee used.
- Recover backup data sources (external hard drives, thumb drives).
- Invalidate their account passwords and revoke any still-valid sessions, tokens and remote-access certificates, since changing a password does not end sessions that are already open.
- Remove the employee from access lists.
- Retrieve all devices used to access company premises or as a second factor for logging in to computers (swipe cards, key fobs, hardware tokens, etc.).
- Retrieve cell phones, laptops, tablets and other work-related devices.
While some companies have different protocols depending on whether an employee is potentially hostile, some experts recommend always defaulting to the most secure practices to ensure complete removal of access and protection of assets. Make sure that management clearly tells HR and IT when an employee is being terminated, when the termination could have ramifications, or when the person is considered a security threat.
Do not use generic accounts
Most organizations have several types of what are called “generic accounts.” These accounts are used across the company by multiple people, but for a single purpose. Examples of accounts that are typically considered generic include system administrator, help desk, customer service, information (info), and more. Think of e-mail addresses usually seen on web pages, like info@examplecompany or sales@examplecompany. There are two main types of generic accounts: user accounts (for work-related applications) and e-mail accounts (for answering internal and external queries, orders, help desk tickets, etc.).
These accounts are shared because more than one employee is responsible for managing work related to that department or role, so it is easier to give them all the same login and use a simple naming scheme for account access and e-mail addresses. Not surprisingly, these generically named accounts are often the first target of attackers because the credentials can be easily guessed.
Because several different employees have to access these generic accounts, the account name or e-mail address is constructed from the full or abbreviated department title (e.g. sysadmin, helpdesk or info@examplecompany). The passwords are often built the same unsafe way, typically the current year plus a short phrase. While generic accounts might seem to make processes more efficient and share the workload, they are not recommended as a best practice: a shared password cannot be tied to one person, so activity cannot be attributed to anyone, and the credential must be reset every time someone who knows it leaves.
If you think that generic accounts would be helpful, the following four aspects should be considered:
- Management - What policies and practices are in place for creating account names and passwords? Will the password be changed regularly, and what is the process for controlling who has the credentials?
- Access Limits - Will the program only allow a limited number of people access at one time? Sharing credentials might reduce the number of employees that can use the application. Solving this issue might require buying additional licenses or account spaces.
- Turnover Process - Be sure that a clear policy is established for reviewing and changing credentials as needed when an employee leaves the company.
- Best Practice - Simply determine whether using generic accounts places your organization at undue risk. Does it align with recommended best practices for your company’s size, industry and the type of information handled by employees in this department?
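One practical way to find shared accounts that already exist is to look for the pattern they leave in authentication logs: one account name logging in from several different hosts. The script below is an added example for this article, not part of the original; it parses constructed OpenSSH syslog lines (not a real capture) and flags accounts whose name is on a list of typical generic names or that were used from more than one source address. The name list is an assumption to be extended for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH syslog lines, not a real capture. Two people
# share "helpdesk" from different workstations; "jdoe" is an individual
# account used from one host; "info" only has a failed attempt.
SAMPLE_AUTH_LOG = """\
Mar  1 09:12:03 fileserver sshd[1201]: Accepted password for helpdesk from 10.0.0.5 port 51234 ssh2
Mar  1 09:14:41 fileserver sshd[1220]: Accepted password for jdoe from 10.0.0.17 port 50002 ssh2
Mar  1 09:15:10 fileserver sshd[1233]: Accepted password for helpdesk from 10.0.0.9 port 51590 ssh2
Mar  1 11:02:55 fileserver sshd[1410]: Accepted publickey for jdoe from 10.0.0.17 port 50110 ssh2
Mar  1 11:20:19 fileserver sshd[1452]: Accepted password for admin from 10.0.0.22 port 43322 ssh2
Mar  1 13:45:02 fileserver sshd[1611]: Failed password for info from 203.0.113.7 port 40100 ssh2
"""

# Names that are typically generic or shared (assumption: extend for your org).
GENERIC_NAMES = {"admin", "administrator", "root", "sysadmin", "helpdesk",
                 "support", "info", "sales", "service"}

# Matches only successful logins; failed attempts are ignored here.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")


def logins_by_account(lines) -> dict:
    """Map each account with a successful login to the set of source IPs."""
    result = defaultdict(set)
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            result[m["user"]].add(m["ip"])
    return dict(result)


def shared_account_report(lines, generic_names=GENERIC_NAMES) -> dict:
    """Return {account: [reasons]} for accounts that look generic or shared."""
    report = {}
    for user, ips in logins_by_account(lines).items():
        reasons = []
        if user.lower() in generic_names:
            reasons.append("generic account name")
        if len(ips) > 1:
            reasons.append(f"logins from {len(ips)} different hosts")
        if reasons:
            report[user] = reasons
    return report


if __name__ == "__main__":
    for account, reasons in shared_account_report(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{account}: {', '.join(reasons)}")
```

Run against a real auth log the same report answers the Turnover Process question above directly: every flagged account is one whose password must be reset when any of its users leaves.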
Secure your wireless access point and networks
It is essential for small businesses to secure their wireless routers and other network hardware elements. There are a few key points to remember when securing these elements:
- Change default or pre-set passwords WHEN the devices are set up and installed. Do not wait to make these changes. Default credentials make your network highly vulnerable, because vendors' default usernames and passwords are printed in manuals and collected in public lists online.
- Change the default SSID to a name that does not reveal the router's make or model. Hiding the SSID is not a security control: the network is still visible to anyone with a wireless scanner, and client devices configured for a hidden network will probe for it wherever they go.
- Check to make sure that the router firewall is activated.
- Routinely check the router's administration page for firmware updates, and enable automatic updates if the device offers them.
- Configure the router to use Wi-Fi Protected Access 2 (WPA2) with AES (CCMP) encryption, or WPA3 if the router and client devices support it. Wired Equivalent Privacy (WEP) and WPA with TKIP are broken and should never be used.
- If your business provides wireless Internet access for customers, ensure that this is distinctly separate from your business network.
Again, it is important to note that none of these practices require extra investment and when used in combination they contribute greatly to overall protection against network infiltration.
Use encryption for sensitive business information
While encryption might sound complicated, it is a relatively simple measure that helps to protect data even after a breach has occurred. If a malicious actor does gain entry to a network, it will be much harder for them to use the information they find if it is encrypted. As a result, the attacker could be stalled or prevented outright from decrypting and using the information for nefarious purposes.
Encryption can and should be used across most core business processes, especially ones that involve handling or storing sensitive information. While some systems include these capabilities by default, there are also many encryption tools available to help secure electronic information. Two basic recommendations to follow are:
- Use full-disk encryption to protect all information stored on work devices. Full-disk encryption takes place at the most foundational level of data storage and protects the entire disk, including swap files, hibernation files, and system files. This disk-level encryption runs continuously in the background: when an authorized user opens a file it is decrypted and presented normally, and changes are re-encrypted as they are saved. If the files are accessed by an unauthorized user, or if the physical disk is stolen, the information remains encrypted.
- E-mail encryption provides additional protection for sensitive information sent internally and externally. Many e-mail clients support standards-based end-to-end encryption (S/MIME or OpenPGP), in which the message is encrypted to the recipient's public key and only the recipient's private key can read it; add-on products can make this easier to manage. A simpler alternative is to send sensitive material as a password-protected encrypted attachment. In that case the password must travel by a separate channel (a phone call, or a text message to a different device) and never in the same e-mail as the attachment.
One of the biggest headaches associated with encryption is simply managing and remembering passwords. Make sure to implement a secure and efficient system for data recovery if a password is lost or compromised. Potential options for recovery processes include local recovery (where the user answers pre-defined security questions), recovery token (often only available one time per device and per user), or an administrator key, which is stored on a separate and secure device.
If encryption sounds complicated or intimidating, consider starting with the default capabilities available on systems and software already in use, and consult an IT professional for further guidance on installing and managing more complex methods.
Dispose of old computers and media safely
Throughout the normal course of business operations and growth, outdated and unused equipment frequently gets thrown away or sold. There are a few steps that should always be taken to protect company equipment before it is disposed of or relinquished:
- Completely wipe computer hard drives (often called electronic wiping) so that no company files or information remain. Before doing so, copy any files that must be kept to external storage (thumb drive, standalone hard drive, cloud storage, etc.). Deleting files or doing a quick format is not a wipe: the data stays on the disk until it is overwritten. Most operating systems and drive vendors provide a wipe or secure-erase utility; for solid-state drives use the manufacturer's secure-erase function, since overwriting an SSD does not reliably reach every cell. If the device is being scrapped rather than resold, remove the drive and have it physically destroyed, ideally through a local company that handles certified destruction and disposal.
- It is also prudent to consider using remote-wiping software for employees that are mobile or based outside the office. This software allows all information to be erased, even if the employee is non-responsive or failing to comply.
- When disposing of storage devices, check that they are “cleaned” before physically destroying them yourself or by taking them to a company that provides disposal services.
Do not connect personal or untrusted storage devices or hardware to your computer, mobile device, or network
One of the most common lapses in security that leads to a cyber incident is the failure to keep a strict separation between company devices and personal or untrusted/unknown devices. Bringing unsecured personal or external devices to work and connecting them to a network or company asset creates unnecessary risk exposure. While it can be tempting to quickly connect these devices to a company network or plug in an unrecognized USB drive, these actions create additional ways of breaching otherwise secure defenses.
The same principles described above also apply to unknown or unsecured wireless networks. Concerningly, a study conducted by Symantec found that 55 percent of Internet users are not concerned about using public Wi-Fi. One quick litmus test of a wireless network's security is whether or not it requires a password to connect. Public Wi-Fi networks can be fully open, meaning that they require no password and use unencrypted connections. Even a password-protected public network offers limited protection, since everyone who knows the password shares the same key.
Connecting to potentially unsecured networks leaves users vulnerable to:
- Hackers actively monitoring the network and using pre-built tools to conduct attacks.
- Malware injection
- Man-in-the-middle attacks, which allow an attacker to intercept communications sent over unsecured connections
- Rogue hotspots that are fake networks set up and named to appear like legitimate public access points.
Available protective measures to mitigate the risks of using public Wi-Fi include using a VPN (virtual private network), sticking to sites that use HTTPS, and significantly reducing the amount of information shared or exposed while connected to public networks (including avoiding bank accounts or e-mail).
Be careful downloading software
Perhaps second only to the importance of using strong passwords, exercising caution when downloading software is a foundational pillar of effective cybersecurity practices. The following list comprises common sense guidelines that all organizations should implement:
- Quickly research the software publisher to verify their trustworthiness. Websites like MajorGeeks, FileHippo and Softpedia are generally reliable resources for these types of inquiries.
- Download directly from a manufacturer’s website. Most reputable publishers will provide links to download their software directly and this should always serve as a trusted starting point.
- Double check to make sure that you are at the correct publisher’s website - even experts can be fooled by convincing URLs and spoofed landing pages (a common example of this would be spoofed manufacturer pages urging users to update their software).
- Scan the downloaded file before installing it, using the antivirus software already on company computers or an online service like VirusTotal. Where the publisher posts a checksum or signs its installers, verify the hash or signature as well, since a clean scan does not prove the file is the one the publisher released. Bear in mind that files uploaded to a public scanning service are shared with other researchers, so do not upload anything confidential.
Bear in mind that the harmful effects of downloading free software (i.e. freeware or shareware) are not always obvious. While many criminals use surreptitious attacks that run in the background (like a keystroke logger) and fool users into thinking the system remains uncompromised, there are many other ways that unknown or unverified software can hurt productivity and security. This software might change default settings (like the browser or applications used for normal business tasks) or set up automated functions unbeknownst to the end user. Additionally, malicious components of the software might remain dormant for some time before being activated by the perpetrator (e.g. using your machine as part of a botnet).
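The "right publisher" and "verified file" checks above can be done mechanically. The example below is added for this article and is not code from the original page or from any vendor; it assumes a publisher that posts a SHA256SUMS-style manifest on its own HTTPS site, uses constructed stand-ins for the manifest and the downloaded file (the digest is the published SHA-256 test vector for the string "abc"), and shows a host check that catches the lookalike-domain and username-in-URL tricks used by spoofed download pages.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed stand-ins (not a real release). The installer's digest is the
# standard SHA-256 test vector for "abc"; the .zip entry carries an MD5-length
# digest and is rejected by the parser.
INSTALLER_BYTES = b"abc"
PUBLISHED_SUMS = """\
# SHA256SUMS for setup-tool 4.2 (constructed example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  setup-tool-4.2.exe
d41d8cd98f00b204e9800998ecf8427e  setup-tool-4.2.zip
"""

# "<64 hex chars>  name" or "<64 hex chars> *name" (GNU sha256sum binary mode)
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_sha256sums(text: str) -> dict:
    """Map file name -> hex digest, ignoring comments and non-SHA-256 entries."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUM_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True if data hashes to the published digest (constant-time compare)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def is_publisher_host(url: str, publisher_domain: str) -> bool:
    """True only for https URLs whose host is the publisher's domain or a subdomain."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()  # hostname drops any user@ prefix
    return host == publisher_domain or host.endswith("." + publisher_domain)


if __name__ == "__main__":
    sums = parse_sha256sums(PUBLISHED_SUMS)
    print("manifest:", sums)
    print("installer matches:", verify_download(INSTALLER_BYTES, sums["setup-tool-4.2.exe"]))
    for url in ("https://downloads.example.com/setup-tool-4.2.exe",
                "https://example.com.evil-site.net/setup-tool-4.2.exe",
                "https://example.com@evil-site.net/setup-tool-4.2.exe",
                "http://example.com/setup-tool-4.2.exe"):
        print(url, "->", is_publisher_host(url, "example.com"))
```

A checksum only proves the file is what the publisher's page says it is, so the manifest must itself come from the publisher's site over HTTPS; if the vendor signs releases, verifying the signature with the vendor's published key is stronger still.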