Three steps (and their costs) to secure your small business
Every reader of the technology press has read many scare stories about cybersecurity, ransomware, and hacking. The tragedy is that the majority of the threats are real, and stories of businesses going bankrupt after an attack are usually true.
Rather than sit and wait for the inevitable cyber incursion to happen to your organization, what are the practical steps an organization’s decision-makers can take without a degree in Computing Science? Here is our guide.
Before we begin, a quick word of advice. Your car’s annual service goes a long way to preventing faults from appearing during the course of normal driving. To undertake this service, it’s pretty standard for a qualified expert to step in, sourced from the local garage. It’s possible, of course, to do your own vehicle maintenance. In the same way, if any of what follows feels outside your comfort zone, employ an expert. A simple search for “MSP <my city>” (managed service provider) will throw up several companies that will be happy to help.
Alternatively, if there is someone in the organization who knows their way around a computer more than most, they may be able to help you, at least with some of what follows. If not, we urge you to contact that local MSP for any missing steps outside your friendly on-hand expert’s areas of knowledge. With that in mind, here goes.
1. Password manager software
A password manager is a piece of software that can and should be installed on every device used by everyone in the organization. That includes everyone’s cellphones, tablets, PCs, laptops, at work and at home. Several companies also offer every employee’s family (usually up to six people) free licenses.
The password manager is installed standalone on every device and as a plug-in for every web browser. In either form, the software steps in to generate a unique password for each new service the user signs up for, and it remembers that password. It will also capture existing passwords, adding to the user’s store of credentials each time it sees a login to a service it has not recorded before.
The central store of passwords is encrypted and unlocked by a fingerprint, long PIN, facial recognition, main password, or even a piece of hardware like a USB key.
Why it’s important: your employees (and you) have a terrible habit of using the same password (or the same three passwords) everywhere. That means when Bob-from-Accounts’ gym membership details are hacked and sold on the dark web, the hackers now have all the credentials they need not only to ruin Bob’s life (opening his bank accounts, PayPal, and so on) but to ruin yours too. That’s because Bob will be using the same passwords to unlock his payroll software at work every day. It’s payday…for the hacker.
What you should pay: three or four dollars per month, per employee (and their families). If a password manager is protecting your business’s livelihood, why are you even looking at the free tiers?
Essential extra steps: encourage every one of your people to use their password manager, maybe by offering training or free arm-twisting or thumbscrews. Make sure everyone is comfortable using this very simple piece of software.
2. Backups
If it would be more than an irritant to lose a piece of data (a document or an email, for example), it needs to be copied and kept somewhere else. As a startup or a two- or three-person outfit, copying everything off computers to USB drives and taking them home was (or is) probably enough. But after those initial stages, backups need to be formalized (scheduled to happen automatically) in duplicate, and one of the duplicates should be held off-site.
There are many variations in how backups can be taken, and they can also depend on where you already store your data. As a rule of thumb, if your information is held in a cloud application, you need to export your data and store it a) somewhere else in the cloud and b) in the office. If your data is held on computer(s) in the office, it needs to be copied a) somewhere else in the office and b) somewhere in the cloud.
Why it’s important: when you suffer from a data loss — note the deliberate use of the word when — you will need to get back up and running as quickly as possible. The law of probability states that at least one copy of your business-critical information will probably survive. If you have no copies, then you’re in very deep trouble.
What you should pay: for local backups (copies of data in the office), you pay the going rate for disk space. At the time of writing, hard drives are quite expensive thanks to supply chain issues affecting all technology. For a small business, however, a few hundred dollars for a couple of 10 terabyte drives is nothing compared to the loss of revenue from a hack, fire, or flood. Cloud storage is more expensive, but there are many options out there to choose from.
Essential extra steps: Having disaster recovery measures in place is all well and good, but in reality, recovering from a terrible situation isn’t easy. It does get easier, however, with practice. Make sure you test restoring data from all your backups, both to check each data copy’s integrity and to ensure staff are well-versed in getting the show back on the road.
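One way to make the “check each copy’s integrity” step routine is a small script that hashes every file in the source folder and in the backup copy and reports what is missing, stale, or unexpected. This is an added example written for this article, not a tool the article recommends; the folder names and file contents are constructed inside the script so it runs offline.

```python
"""Compare a source folder with its backup copy, file by file, using SHA-256.
Added example (not from the article): builds a constructed 'office' tree and
a 'backup' tree in a temp directory, then reports missing, changed and extra files."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large backups don't exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}


def verify_backup(source: Path, backup: Path) -> dict[str, list[str]]:
    """Return files missing from the backup, changed (stale) in it, or extra in it."""
    src, bak = tree_digests(source), tree_digests(backup)
    return {
        "missing": sorted(k for k in src if k not in bak),
        "changed": sorted(k for k in src if k in bak and src[k] != bak[k]),
        "extra": sorted(k for k in bak if k not in src),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample data: one good copy, one stale copy, one file never backed up."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp) / "office", Path(tmp) / "backup"
        for root in (source, backup):
            (root / "invoices").mkdir(parents=True)
        (source / "invoices" / "2022-09.pdf").write_bytes(b"invoice data")
        (backup / "invoices" / "2022-09.pdf").write_bytes(b"invoice data")  # intact copy
        (source / "payroll.xlsx").write_bytes(b"payroll v2")
        (backup / "payroll.xlsx").write_bytes(b"payroll v1")  # backup is stale
        (source / "contracts.docx").write_bytes(b"contract")  # never backed up
        return verify_backup(source, backup)


if __name__ == "__main__":
    print(demo())
```

Point the two paths at a real folder and its backup drive (or a restored copy from the cloud) and an empty report means the copy is complete and current.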
3. Updates
Keeping all your software, firmware, and hardware up to date is an essential element in any company’s cybersecurity policy. Sometimes this process can be simultaneously convenient yet very inconvenient, for example, when your Windows desktop PC decides to restart and install updates in the middle of an important conference. Cloud applications and services are, on the whole, updated by their provider, but companies need to be aware of the software used to access those applications, like web browsers and local applications that talk to the cloud (Dropbox client software, for example).
Companies should keep on top of updates to software in daily use and refer to their asset lists and any software audits to make sure that all devices connected to a network are up to date. This can include printers, IoT control devices, network switches, and routers. In some cases, the system firmware needs to be updated, which can be addressed by reading the online documentation for each device and downloading and applying updates as required. Your router that connects the company to the internet is a prime example.
Your staff’s cellphones and their software also need to be up to date (running the latest versions of Android and iOS, for example), as do any laptops, tablets, or desktops used when working from home or remotely. A general rule to observe is that if it connects to your network or to the cloud services your organization uses, it needs to be brought and kept up to date at all times.
Why it’s important: This element of security precaution doesn’t guarantee safety, but it removes your business from the category of “low hanging fruit” for the hacker. Essentially, you are making it as difficult as possible for any of your connected systems to be exploited. An old networked scanner controller running Windows XP makes a prime target.
What you should pay: On the whole, the update process is free — just have someone keep an eye on the websites of all your suppliers of software and hardware. When new patches are released, apply them.
Unfortunately, some manufacturers have been building in obsolescence on purpose in recent years. That means that to keep running the latest OS or software, the hardware has to be replaced with a new model. When that’s the case, an organization has to ask the same question that is posed in all these situations: what is the business worth to you? Replacing hardware might be expensive, but not as expensive as going bankrupt.
Essential extra steps: Many people now work from home, and that means they may well be using non-work devices to get a day’s work done. It’s worth checking that personal devices are up to date and considering offering to replace aging software and hardware. If it’s used to get work done, it needs to be secure.
Every company today depends on its technology working smoothly. The worst incident that can interrupt that is a disaster, either natural or man-made (the latter including hacking). Some basic preventative measures and a little time will pay dividends. To return to the vehicle analogy, if your business depended on a fleet of trucks, you’d look after them, wouldn’t you?
4 October 2022