It is the trickle-down effect no small business wants. The big businesses are getting better at locking up their IT, so the criminals are scanning for softer targets. The pickings are still rich:
- Small business often have vast collections of credit card data and other valuable customer information.
- If they work with larger corporations, their systems could provide a soft target for a backdoor attack on the bigger business.
- At the very least, you risk their own banking details falling into the wrong hands.
Small business can present as easy targets because they have less time, money and expertise for security at their disposal. Their only security test might be whether all their computers are running up-to-date antivirus software. That is crucial, but it is just the beginning.
Tips for beefing up security
1. Strengthen the weakest link
Attacks often begin with a phishing email or even a social engineering phone call. Make sure employees know not to open any attachments that are remotely odd. They should also know never to give information like passwords over the phone, whomever they think is asking. (Ideally, passwords should be so complicated they would be hard to spell out over the phone.)
2. Strip it back to basics
Access points need firewalls. Endpoints and servers need anti-malware. Whitelist sites where employees can download software so that anywhere else is off limits.
All software should be up-to-date. If a patch comes out, it’s because there is a vulnerability in your system that might already have been there for a while and is now widely known, so do not delay.
3. Get physical
When disposing of old computers, USB sticks or anything else that stores data, get the drill out. Destroy everything. If you do not know how, contract someone who does.
At the same time, think about physical access. Hackers do not just sneak in over the wires. Who can walk up to one of your computers or pick up a loose USB from a desk? Lock down all computers when you are not using them.
4. Find the devil in the detail
What does each employee really need access to? It is not about trust; it is about everyone contributing to data safety. Restricting employees’ access to information they do not need protects them too. No one wants to be the one who let hackers empty the company’s bank account because they double-clicked the wrong email attachment.
5. Make security a matter of policy
What do you expect of employees when it comes to data security? Lay it out in a policy.
- Where can they go online?
- How should they store data?
- How should they restrict access to it?
- How complex should a password be?
A simple policy not only promotes a culture of security, but it also educates and education is essential when people are the weakest link in any IT system.