US Small Business Administration's Top 10 Cyber Security Tips for Securing Your Small Business

The US Small Business Administration (SBA) has compiled a list of their top 10 cyber security tips for small businesses. In reality, this list is good practice for just about anyone. Here we comment and expand on their list. Click here to be brought to the article's webpage.

  1. Protect against viruses, spyware, and other malicious code
    Make sure each of your business’s computers is equipped with antivirus and antispyware software, and update it regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. This is crucial and simple, and one of the easiest steps you can take to protect yourself. Not all cyber security processes are created equal, but automatic updates require nothing from the user after being set up. We cannot tell you how many customers have invited a host of problems solely by not installing an update that would have prevented them.

  2. Secure your networks
    Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router. Ensure your network and firewall are set up properly. Having a firewall does absolutely nothing if it is not configured properly. If necessary, hire a professional to do this for you. You can find professionals who will do this for a reasonable rate on sites like Thumbtack, Amazon Home Services, etc.

  3. Establish security practices and policies to protect sensitive information
    Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies. Most breaches occur due to human error. Make sure your employees are trained in cyber security so you do not become another victim of cyber crime. For example: if you emailed an employee asking for sensitive client information, or for the username and password of a work account, what would they do? Would they email you back with the requested sensitive information (fail)? If they were working from home, would they still email it to you (SUPER fail)? Would the employee walk over to your desk, scold you for your ignorance and lecture you on data security and privacy? Or would they verbally tell you where to find the information and walk away shaking their head (PASS!!)?
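
As an added illustration of the check behind that quiz (this is example code, not part of the SBA list or this post): a small scanner that flags the kinds of sensitive data an employee should never paste into an email, namely payment card numbers (validated with the Luhn checksum so that ordinary digit runs such as order numbers do not trip it), US Social Security-style numbers, and credential keywords. The sample message and the regular expressions are constructed for this example; a real mail gateway or DLP product uses far broader patterns.

```python
import re

# Constructed sample of an outgoing e-mail body; every value in it is made up.
SAMPLE_EMAIL = """Hi boss,
Here is what you asked for:
card 4111 1111 1111 1111
SSN 123-45-6789
login: jdoe / Passw0rd!
Order number 1234 5678 9012 3456 is just an order number (it fails Luhn).
"""

# 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# 3-2-4 digit layout used by US Social Security numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# credential keyword followed by a separator, e.g. "password: ..." or "login:"
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd|login)\b\s*[:=/]")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for every real payment card number, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_sensitive_data(text: str) -> list:
    """Return human-readable findings; an empty list means the text looks safe to send."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # only report digit runs that pass the card checksum
            findings.append(f"payment card number ending in {digits[-4:]}")
    for m in SSN_RE.finditer(text):
        findings.append(f"SSN-like value starting {m.group()[:3]}-**-****")
    for m in CRED_RE.finditer(text):
        findings.append(f"credential keyword '{m.group(1)}' at offset {m.start()}")
    return findings


if __name__ == "__main__":
    for finding in scan_for_sensitive_data(SAMPLE_EMAIL):
        print("BLOCK:", finding)
```

Run against the constructed message it reports the card number, the SSN-like value and the "login:" line, and stays silent on the order number that fails the Luhn check. The right response to the boss's email in the scenario above is still the one the post describes: point to where the information lives instead of sending it.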

  4. Educate employees about cyberthreats and hold them accountable
    Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be exposing sensitive details about your firm’s internal business to competitors. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Hold employees accountable to the business’s internet security policies and procedures. Again, most data breaches are due to human error! Training your employees and simply opening the discussion of cyber security will go a long way and could protect your business from becoming a victim. The data is not good: 60% of small businesses close their doors within 6 months of a breach. That number could be worse by the time you read this.

  5. Require employees to use strong passwords and to change them often
    Consider implementing multifactor authentication, which requires additional information beyond a password to gain entry. Check with the vendors that handle your sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account. Nobody ever claimed security was convenient. Those annoying passwords with upper and lower case letters, special characters, etc. actually do help. Even better, turn on two-step verification for your accounts. This is the best way to log into your accounts. See our previous post regarding two-factor authentication here.

  6. Employ best practices on payment cards
    Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet. We understand this is not convenient, but neither is getting hacked. It will be much more expensive and time consuming once someone has breached your system.

  7. Make backup copies of important business data and information
    Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud. Back up, back up, back up! Here is one example where a backup will save you: an employee clicks on a very real-looking email that lets an outsider into your system, and that outsider holds your files for ransom (we have all heard about this all too often). Luckily, you were smart and cyber conscious, so your files are encrypted (pass!). They are unable to access your files, and you have them backed up, so you do not need to pay any ransom to retrieve them! Now it is straight back to business as usual for you... after rethinking your cyber security training so employees don't click those phishing emails...
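
A backup only saves you if the copy is intact and you have actually restored from it before. This added example (not the SBA's or this post's own code) backs up a constructed directory together with a SHA-256 manifest, verifies the copy, simulates ransomware overwriting the live files, and restores them, re-checking against the manifest at each step. Paths, file names and the `MANIFEST.json` name are assumptions made for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"   # assumed name for the digest list stored beside the copy


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative path (POSIX separators) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def make_backup(source: Path, dest: Path) -> dict:
    """Copy the tree and store a manifest beside it so the copy can be verified later."""
    shutil.copytree(source, dest)
    manifest = build_manifest(source)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def compare_to_manifest(root: Path, manifest: dict) -> list:
    """Return problems (missing/modified/unexpected files); an empty list means the tree matches."""
    actual = build_manifest(root)
    problems = []
    for name, digest in manifest.items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in actual if name not in manifest)
    return problems


def verify_backup(dest: Path) -> list:
    """Check the backup copy against the manifest it carries."""
    return compare_to_manifest(dest, json.loads((dest / MANIFEST_NAME).read_text()))


def restore(dest: Path, target: Path) -> None:
    """Copy every file listed in the manifest back over the live tree."""
    for name in json.loads((dest / MANIFEST_NAME).read_text()):
        out = target / name
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / name, out)


def demo() -> dict:
    """Back up a constructed directory, simulate ransomware on the live copy, restore, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "receivables.csv").write_text("invoice,amount\n1001,250.00\n")
        (live / "clients.txt").write_text("Acme Corp\n")

        manifest = make_backup(live, backup)
        backup_ok = verify_backup(backup)
        # Simulate what ransomware does to the live files: overwrite them with ciphertext.
        for p in live.rglob("*"):
            if p.is_file():
                p.write_bytes(b"ENCRYPTED:" + b"\x00" * 16)
        damaged = compare_to_manifest(live, manifest)
        restore(backup, live)
        after_restore = compare_to_manifest(live, manifest)
        return {"backup_ok": backup_ok, "damaged": damaged, "after_restore": after_restore}


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(stage, "->", problems or "clean")
```

The manifest is what turns "we have a backup" into "we know the backup matches what was on disk"; in practice it, and the copy itself, belong on storage the workstations cannot write to (the offsite or cloud copy the tip calls for), otherwise the same ransomware encrypts the backup too.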

  8. Control physical access to computers and network components
    Prevent access to or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel. Laptop locks, employee cyber security training, and the time and energy put into creating and changing strong passwords are all relatively inexpensive. Taking the required steps after a security breach is not. Be certain about how devices and accounts are configured so you know exactly who has admin privileges. Also important to note here: be sure your staff is trained not to insert anything from an unknown source, such as a USB drive from a customer, into their computer. Give it to your IT person first.

  9. Create a mobile device action plan
    Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment. Additionally, any business apps or business-related content on an employee's phone (work or personal) should be set up through the business. If an employee is terminated, someone steals their phone, or whatever the case may be, you want the ability to wipe those apps and any sensitive information from the phone immediately so they no longer have access.

  10. Protect all pages on your public-facing websites, not just the checkout and sign-up pages
    Again, if you do not know how to do this yourself, hire a professional. Call us!