The 5 ways to protect your business from being hacked
Online business owners need to take hacking attacks very seriously indeed, no matter what guise they come in.
Data breaches, Denial of Service attacks or compromised sites being used to distribute malware will all have an impact on your business; and that includes the small business sector. In fact, small businesses are likely to suffer greater consequences as a result of being hacked than the larger enterprise, which has the financial resilience and organisational resources to bounce back in double quick time.
Ask yourself this: could your online business survive the website being offline for a week, your email service not working for days on end or the reputational (and data protection regulatory) fallout of customer data being compromised? And that doesn’t even take into account time – the most precious commodity you have as a small business owner – wasted identifying and resolving the problem.
Sadly there’s no 100% guarantee that your business will be hack-free in the connected world of online business.
However, here are five simple tips that will make life much harder for the would be hacker…
1. Employ a password management system
Passwords are at the centre of most security policies, and also many successful site compromises.
Larger enterprises employ expensive password management suites to enforce and manage them, while consumers are increasingly turning to password ‘vaults’ to generate, encrypt/store and access them. Neither is a solution for the average small business, the former being too expensive and the latter too simplistic.
There are alternatives, however, such as the enterprise version of LastPass, which is relatively low cost on a per user basis and comes with business-oriented extras, such as setting company-wide minimum password standards to meet your policy requirements, applying customised policies to restrict access to specific devices, groups or locations, Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) integration and real-time syncing across devices.
2. Two factors are better than one
Even with proper management in place, passwords are still vulnerable to compromise. For example, if a hacker can get into business email or social media accounts (by way of social engineering or the use of password resets) then they will likely gain access to information that will help them hack your business. Put simply, a password alone is no longer enough and Two Factor Authentication (2FA) or Two Step Verification should be implemented wherever it’s offered.
With 2FA, anyone trying to access company services from an unauthorised device (that is, one that hasn’t been used before or hasn’t been approved for continued use) is asked for a separate one-time code in addition to the usual username/password login. That code can be delivered by SMS text message to a registered phone, generated by an approved authenticator app on a registered smartphone, or, sometimes, produced by a dedicated hardware token. Of the three, SMS is the weakest option, since a phone number can be hijacked; prefer an app or hardware token wherever the service offers one.
2FA is an excellent mitigation against hackers who have got hold of login data from the use of malware or third party compromises and are trying their luck.
3. Policy matters
Many smaller businesses erroneously assume they don’t need a formal security policy, but these documents aren’t just something for enterprises. Even the smallest SMB will benefit from employing this type of plan, and they are easier to create and implement than you might imagine. In fact, if done correctly, it will form the backbone of your overall security posture.
The trick is to understand that it’s more than just a formal document to be filed away gathering dust; it should be seen as a dynamic device to help you understand what data security means to the business and the basis of the structured response to the needs identified. The best security policy will detail not only how to protect your data, but also how to react when things go awry. Setting out an incident-response strategy when you have a calm head is far better than trying to put things right in the heat of the moment.
4. Education, Education, Education
Social engineering remains a huge threat to small business site and data security, whether we’re talking about targeted Trojans or spear-phishing aimed at specific staff members, broad business social-media profiling so as to appear like a real customer, or worse yet the blended attacks that combine all these methodologies. Thankfully all of them can be combated with employee education, which trumps the use of hardware/software solutions alone.
Ensure that your staff aren’t opening the door to the bad guys and letting them walk off with your valuable data by making sure they’re both aware of the value that data holds and the ways in which security can be compromised. Once this understanding is there, staff can mitigate the risk by simply changing their behaviour. In fact, the smaller the business the easier this is to achieve, as the cost of maintaining awareness is directly proportionate to the number of staff you have.
5. Don’t forget the simple stuff
At the risk of sounding patronising, the most simple bit of anti-hacking advice to give the small business is to secure your network. Seriously. It’s not something that requires a fully certified geek genius to do, just a willingness to take care of the small stuff, because that is where most compromises start.
So, ensure you have antivirus software installed and keep it up to date, apply OS and application updates with religious fervour, and control who can get at what data.
Most staff won’t need full access to everything, so apply the “need to know” rule – if an employee can do their job without using a given system or data, they should be locked out. The same should apply to visitors, unless there’s a very good reason to let them in.
Remember, if you reduce the number of people who have access to your data, you reduce the opportunity for the bad guys to use them as a route to steal it.