The Internet, broadband and information technology are powerful tools to help small businesses reach new markets and increase sales and productivity. Cybersecurity threats are real and businesses must implement the best tools and tactics to protect themselves, their customers, and their data. Theft of digital information has become the most commonly reported fraud, surpassing physical theft.
No matter the size of your business or the extent of your computing, cybersecurity should be a crucial part of every business’s risk management process. Use the following cybersecurity tips to help protect your small business:
Train employees in security principles – Establish security practices and policies for employees. These should include how to develop and use strong passwords, appropriate Internet usage guidelines that detail penalties for violating company cybersecurity policies, and rules of behavior describing how to handle and protect customer information and other vital data.
Protect information, computers, and networks from cyber attacks – Ensure you have the latest updates to your security software, web browser, and operating systems. These are the best defenses against viruses, malware, and other online threats. Be aware that operating systems do have end-of-life dates after which you will no longer be able to obtain software updates to address vulnerabilities. For example, in January 2020, Microsoft Windows 7 and Windows Server 2008 operating systems reached their end of life and are no longer supported. In addition, set anti-virus software to run a scan after each update. Install other key software updates as soon as they are available.
Provide firewall security for your Internet connection – A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure your operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.
Create a mobile device action plan – Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access your corporate network. If mobile devices access your corporate network, require users to password-protect their devices, encrypt their data, and install security apps. This will prevent criminals from stealing information while the device is connected to public networks or if the device is lost or stolen. Be sure you have procedures in place for reporting lost or stolen equipment.
Backup important business data and information – Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. The backup should be done automatically, at least weekly, and be stored either offsite or in the cloud.
Control physical access to your computers – Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
• Secure your Wi-Fi networks – If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router.
• Employ best practices on payment cards – Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs, and don’t use the same computer to process payments and surf the Internet.
• Limit employee access to data and information, limit authority to install software – Do not provide any single employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
• Passwords and authentication – Require employees to use unique passwords and change passwords regularly – at least every three months is recommended. Multi-factor authentication that requires additional information beyond a password to gain entry is also recommended. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.
Visit www.fcc.gov/cyberplanner to create a free customized Cyber Security Planning guide for your small business. Visit www.dhs.gov/stopthinkconnect to download resources on cybersecurity awareness.