To kick off Small Business Week, we wanted to give small-to-midsized businesses some advice for protecting themselves from online security threats with limited resources. It’s extremely difficult to manage all aspects of security involving people, process and technology, as there are often limited resources in terms of budget, staffing and technology. Without security controls to limit what people can do, a breach is nearly inevitable. People can make honest mistakes that lead to security vulnerabilities, or cyber criminals can lurk on the dark web looking for business data to monetize, and you need to protect your business from both.
With so many challenges to face, you need to prioritize and make the best use of your time while protecting critical business data and financial assets.
Here’s our suggested list of 3 areas of focus that can help you manage risk with more confidence and insight.
1. Power to the People through Password Management
The weakest link in the security chain can be your payroll specialist who makes an honest mistake by clicking on a link in a phishing email. Or it can be a partner, contractor or vendor with authorized access to certain areas of your network who makes the mistake.
With better password management, you can help any colleague avoid becoming the weakest link in your security chain. However, expecting people to remember long, strong passwords is not going to work, especially if you expect them to change those passwords every 90 days. In order to work efficiently, people will naturally write down passwords on paper, or keep them in a spreadsheet on their laptop. You can solve this problem by implementing a password management solution like LastPass.
With LastPass, you only have to remember one strong master password and LastPass remembers the rest. Because employees don’t have to remember passwords, they can create strong, unique passwords with our password generator and LastPass will automatically save and autofill them for the user.
A password manager not only protects mobile devices, laptops and desktops, but is also handy for users who want to add credentials for any number of personal accounts or store sensitive data like social security numbers or ATM PINs. Once they start using it for multiple accounts, your security mechanisms will continuously improve.
2. Keep Cyber Criminals Off Your Turf
With malware consistently shapeshifting in design to effectively exploit existing vulnerabilities or leverage new ones, any network is fair game. For example, ransomware has become a very common attack vector that affects businesses of any size. With product vulnerabilities across common platforms like your Microsoft operating system, every business can get hit.
I advise you to consider the following:
- Apply strict physical access controls to your server closet or data center.
- Use two-factor authentication and tighten those admin access privileges.
- Roll out password management (see #1).
- Continuously monitor your network against threats like malware. That may take time and resources you do not have, so partner up with a threat monitoring and response vendor to give you the intel you need. You’ll appreciate the ability to quickly apply critical patches to protect your network.
- Provide a way for folks outside your company to engage through your website so you can learn about potential product or network security issues sooner rather than later.
3. Create a Security-Aware Company Culture
No matter what technology you have in place, you are still vulnerable if you do not bolster online security through employee awareness. Without security awareness and educational resources, your people may not understand how to identify a phishing email or malicious links on a webpage. All it takes is one infected laptop to instigate a security incident.
There’s no need to create a program from scratch. Instead, apply a security curriculum created by experts from industry organizations like SANS that your employees will easily understand. Forget the security lingo and use multiple touchpoints like video, blogs and connections to outside resources. And make it relevant to their lives outside the office to generate even more interest.
People are your company’s best asset, and they can also be your worst liability, perhaps even more so than a cyber criminal. With this in mind, consider new security controls that can make that combination of people, process, and technology easier to manage.