Small businesses are often poorly prepared to defend themselves against a cyber attack.
According to recent studies, small businesses may feel that they are less at risk of attacks than larger businesses, and that the impact of an attack will be small.
In fact, small businesses are targeted by cybercriminals to an alarming degree, making up as much as 40% of all attempted attacks according to the most recent Symantec Internet Security Threat Report, and the impact of a cyber attack can be significant.
The threat is real, and while most small businesses do employ a range of security measures to protect themselves it is rare for us to encounter a new client who does not suffer from some glaring weaknesses in their protection strategy.
Our customers hear from us regularly about the strategies that we recommend to improve cyber security, and six of the key areas to consider are listed below:
Install anti-malware and anti-virus protection
It may seem obvious, but it is truly surprising to us how often we encounter a new client who has systems connected to their internal network with no security software installed at all. It only takes one infected computer for malware to spread across your business network, so ensuring that every system has suitable security software installed is critical. Mobile devices, including smartphones, need protection too, and so do special-purpose systems (a point-of-sale terminal, for example) that have a standard PC inside them.
Some of the common sources of a malware or virus infection are:
- a compromised Wi-Fi network;
- spam emails;
- harmful websites;
- infected portable drives.
Once malware is running on a machine it can install components that operate in the background, capturing keystrokes and login credentials and relaying them to the attackers. According to recent research, malware was used in nearly half of data breaches in 2013 and was responsible for almost 80% of records stolen.
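The quickest way to find the one unprotected machine the paragraph above warns about is to ask every PC for its anti-virus status rather than trusting that it was installed. The following PowerShell script is an added example, not part of the original article or RODIN's tooling. It assumes PowerShell Remoting (WinRM) is enabled on the target PCs, that you are a local administrator on them, and the computer names are placeholders you would replace with your own.

```powershell
# Added example, not from the original article. Inventories anti-virus status on a
# set of Windows PCs so that an unprotected machine stands out.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets, the caller is
# a local administrator on them, and the computer names below are placeholders.
$Computers = @('PC-RECEPTION', 'PC-ACCOUNTS', 'PC-WAREHOUSE')   # constructed names

$Results = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    try {
        # Windows Defender's own status cmdlet; it fails on hosts where Defender
        # is absent or has been switched off by a third-party product.
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            Product          = 'Windows Defender'
            RealTime         = $s.RealTimeProtectionEnabled
            SignatureAgeDays = $s.AntivirusSignatureAge
        }
    }
    catch {
        # Fall back to the Security Center registration that any installed AV
        # product makes (available on client editions of Windows only).
        $p = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            Product          = if ($p) { $p.displayName -join '; ' } else { 'NONE' }
            RealTime         = $null      # not exposed in a vendor-neutral way
            SignatureAgeDays = $null
        }
    }
}

# Flag the problems: no product at all, real-time protection off, or stale signatures.
$Findings = $Results | Where-Object {
    $_.Product -eq 'NONE' -or $_.RealTime -eq $false -or $_.SignatureAgeDays -gt 7
}

# Machines that did not answer are a finding too: they may simply be switched off,
# or they may be the unmanaged systems nobody knew were on the network.
$Unreachable = $Computers | Where-Object { $_ -notin $Results.PSComputerName }

$Findings | Format-Table Computer, Product, RealTime, SignatureAgeDays -AutoSize
if ($Unreachable) { Write-Warning "No response from: $($Unreachable -join ', ')" }
```

Run it from a management PC on a schedule and compare the list of names against your asset register: a machine that is on the network but not in the register is exactly the kind of system that ends up with no protection.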
Secure your hardware
A cyber attack can be made much easier if a company device such as a laptop or phone is lost or stolen, exposing confidential system data or saved passwords. We have all heard about security blunders where confidential information was made public when a device was lost, but not many business owners have considered that a lost device can also put them at greater risk of a cyber attack directed at their business systems.
Physical security to prevent theft, together with full-disk encryption (hardware-based or software-based), means that losing the hardware need not mean losing the information on it.
An additional measure to consider is tracking software, which is particularly important if your business regularly operates from mobile devices outside of your office. A lost device can be disabled or wiped remotely, and can even report its location back to you to aid in recovery. Bear in mind that a remote wipe only takes effect once the device next connects to a network, so encryption remains the primary protection for the data on it.
Educate your employees
Many forms of cyber attack rely on impersonating a legitimate email or website and tricking someone into infecting their own computer. A properly configured network, where staff work from standard (non-administrator) accounts and so cannot install software system-wide, limits the damage a tricked user can do, but educating all employees about the risks and the signs of a cyber attack is very important.
Some very effective measures to take are:
- Drawing up a formal company Internet policy;
- Telling all employees that Internet use is filtered and monitored;
- Keeping employees up to date with current threats.
If an employee knows what past and potential threats look like they are far less likely to click on an email purporting to be from your online banking site, or from the ATO (Australian Taxation Office).
Test your security
Arranging for a professional assessment of your security can be a very simple way to identify the areas where you need to improve. Such an assessment involves an expert firm performing various forms of tests to confirm your level of exposure, and may include automated vulnerability scanning of your Internet-facing systems, simulated social engineering attacks such as phishing emails, and other strategies.
When the assessment is completed you will receive a detailed report showing exactly how well your security measures have worked, and suggesting changes or improvements you could make – an ideal way to learn where you need to focus your efforts and investment.
Encrypt your data
The information stored on your systems, whether on local or cloud storage, can be encrypted so that only authorised parties can read it. This approach does not in itself prevent the information being intercepted or stolen, but the stolen copy is 'scrambled' and unreadable without the decryption keys, which, like a password, must be kept secret.
Windows (Pro and Enterprise editions) includes the BitLocker encryption system, and there are other products that allow information to be encrypted but still used and shared within the business.
It can be inconvenient to encrypt all information stored on a system, but the simple strategy of keeping sensitive information, such as banking details, online banking passwords, confidential customer or employee information and financial records, in an encrypted location can be very effective, provided the password or key for that location is not stored alongside it.
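"Encrypted" is only useful if it is actually enforced: a BitLocker drive that is fully encrypted but has protection suspended stores its key in the clear and gives a thief everything. The following PowerShell is an added example, not code from the original article or from RODIN, and it assumes a Windows Pro or Enterprise machine with the BitLocker module, run from an elevated prompt; the drive letter in the remediation lines is a placeholder.

```powershell
# Added example, not from the original article. Reports whether each fixed drive
# is actually protected by BitLocker and whether a recovery password exists.
# Assumptions: Windows Pro/Enterprise with the BitLocker module, run as administrator.
function Get-DriveEncryptionReport {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            $vol = $_
            $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
            [pscustomobject]@{
                Drive          = $vol.MountPoint
                Status         = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress
                Protection     = $vol.ProtectionStatus   # 'On' = key enforced; 'Off' = encrypted but suspended
                Method         = $vol.EncryptionMethod
                HasRecoveryKey = [bool]$recovery
            }
        }
}

$Report = Get-DriveEncryptionReport
$Report | Format-Table -AutoSize

# Anything not FullyEncrypted with protection On, or with no recovery password
# escrowed, needs attention before the device leaves the office.
$Report |
    Where-Object { $_.Status -ne 'FullyEncrypted' -or $_.Protection -ne 'On' -or -not $_.HasRecoveryKey } |
    ForEach-Object { Write-Warning "Drive $($_.Drive) is not properly protected" }

# Remediation for a system drive on a machine with a TPM (placeholder drive letter):
# add a recovery password first and record it somewhere other than the device,
# then turn encryption on. Uncomment to run.
# Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
# Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
```

The recovery password is what lets you back in after a motherboard swap or a forgotten PIN, so it belongs in a password manager or in Active Directory, never in a text file on the same laptop.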
Secure your network
Your network equipment, including firewalls, switches, routers and wireless access points, can all be attacked, and can in fact be the entry point into your network.
Many cyber attacks target Wi-Fi networks that have weak or absent password protection. Use WPA2 or later with a long passphrase, change the access point's default administrator password, and put visitors' devices on a separate guest network. Disabling the service set identifier (SSID) broadcast is often suggested as a simple extra, but it is not a security control: the network name is still transmitted in the clear every time a device connects, so anyone with a wireless sniffer can recover it within minutes, and your own laptops will then go looking for that name wherever they are taken.
Of course, your network firewall is a key part of your security systems, and it needs to be configured correctly, kept up to date, and monitored continuously to warn you of an attack attempt, but other network equipment, including switches and routers, is also at risk and also needs its firmware updated and default passwords changed.
A strategy that includes regular updates and continuous monitoring of your network greatly reduces your exposure to a network-based attack.
RODIN staff receive ongoing training in cyber security and the systems that we design follow industry best practice to ensure that exposure to cyber attacks is minimised. In our experience, most small businesses are vulnerable and yet are not aware of the risks they are exposed to.
If you would like to discuss the security of your business systems, free of cost or obligation, give us a call on 1300 138 761, or email to firstname.lastname@example.org.