Information Security Best Practices for Small Business in 2017

Actionable Cyber Security Tips Small Business

These tips have been updated from previous years and remain just as valid today. The need for an endpoint security solution, a firewall and regular backups of your data is greater than ever. We have added tools available today that make information security more practical, achievable and affordable.

For some small businesses, the security of their information, systems, and networks might not be a high priority, but for their customers, employees, and trading partners it is very important. The terms Small Enterprise and Small Organization are sometimes used for this same category of business or organization; a small enterprise may also be a nonprofit organization. The size of a small business varies by type of business, but typically it is a business or organization with up to 500 employees.

The customers of small businesses expect that their sensitive information will be respected and given adequate and appropriate protection. The employees of a small business likewise expect that their sensitive personal information will be appropriately protected.

Such information might be sensitive employee or customer information, confidential business research or plans, financial information, or information falling under special information categories such as privacy information, health information, or certain types of financial information. Just as there is a cost involved in protecting information (for hardware, software, or management controls such as policies & procedures, etc), there is also a cost involved in not protecting information.

It is hard for a small business (or any business, for that matter) to implement a perfect information security program, but it is possible and very reasonable to implement sufficient security for information, systems, and networks so that malicious individuals will go elsewhere to find an easier target.


Actionable Cyber Security Tips for Small Business

Information technology is a powerful factor in helping small businesses reach new markets and increase productivity and efficiency. However, businesses need a cybersecurity strategy to protect their own business, their customers, and their data from growing cybersecurity threats.

1) Protect information, systems, networks from damage by viruses, spyware, other malicious code and cyber attacks.
Keeping your security software (antivirus), web browser, and operating system up to date is the best defense against viruses, malware, and other online threats. Set antivirus software to run a scan after each signature update, and install other key software updates as soon as they are available.

Install, and keep updated, anti-virus and anti-spyware software on every computer used in your business. Many commercial software vendors provide adequate protection at a reasonable price, and some for free. Set the software to check for updates automatically at a scheduled time (overnight, for example) and to run a scan soon after.

It is a good idea to obtain copies of your business anti-virus software for your and your employees’ home computers. Most people do some business work at home, so it is important to protect their home systems too.

Much has been said lately about whether antivirus is still needed. It is. Vendors have been moving away from the term "antivirus" and rebranding their products as endpoint protection, because they now aim to catch advanced threats as well as classic viruses. Whatever the vendor calls it, make sure every device runs a security product.

2) Provide firewall security for your Internet connection
A firewall is a set of related programs that prevents outsiders from accessing data on a private network. Make sure the operating system's firewall is enabled on every machine. It is also critical to install and keep operational a hardware firewall between your internal network and the Internet. These days this is usually a function of the wireless access point/router, or of the router provided by the small business's Internet Service Provider (ISP).

Make sure to change the firewall or router administrator's username and default password as well. The default values are easily guessed and, if not changed, may allow attackers to take control of your devices and to monitor or record your communications and data.

3) Patch your operating systems and applications
All operating system vendors provide patches and updates to their products to correct security problems and to improve functionality. These updates are released regularly, so make sure your devices and machines are receiving and applying them. Web applications also need to be patched and updated. Work with a Service Provider or your IT staff for internal patches and updates, and with your website or marketing services provider to keep your website up to date as well.

4) Make backup copies of important business data and information
Regularly back up the data on all computers. Critical data includes all your word documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
Speaking of the cloud, it is possible these days to run most of these applications entirely in the cloud, where the provider is responsible for keeping its own service available. QuickBooks Online is an example of accounting software that runs in the cloud; Office 365 is an example of office software that also runs and stores everything remotely. As a small business you usually pay a monthly or yearly fee that corresponds to your use. Do read the provider's terms on data retention and recovery, though: "hosted" does not automatically mean a deleted or corrupted file can be recovered after the fact, so keeping your own periodic export of important cloud data is still prudent.

If you still use desktop software, make sure to back up all of its local files both in the cloud and on a local external drive. Today, external drives are inexpensive and cloud storage is also affordable, for example Google Drive for business, Microsoft OneDrive, Amazon Online Backup, Box, Dropbox, etc. Whichever you choose, periodically test that a backup can actually be restored; an untested backup is a hope, not a plan.
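As an added example (my code, not the article's), the following Python script does what item 4 asks for when the destination is a local or external drive: it creates a dated archive, records a SHA-256 checksum so the copy can be verified later, rotates old copies, and restores only after refusing any archive entry that would write outside the restore folder (a classic trick in tampered archives). The folder names, the four-copy retention and the sample files used to exercise it are assumptions for illustration.

```python
"""Dated, verified and rotated backups of a business data folder.

Added example, not code from the original article. Assumptions: the
destination is a local or mounted folder, and the four newest copies are kept.
"""
import hashlib
import tarfile
import zlib
from datetime import datetime
from pathlib import Path

KEEP_COPIES = 4  # assumption: roughly a month of weekly backups


def sha256_file(path) -> str:
    """Hash a file in 1 MiB chunks so a large archive never has to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sidecar_for(archive: Path) -> Path:
    """Checksum file kept next to each archive: backup-<stamp>.tar.gz.sha256."""
    return archive.with_name(archive.name + ".sha256")


def create_backup(src_dir, backup_dir, keep: int = KEEP_COPIES) -> Path:
    """Archive src_dir into backup_dir, record its SHA-256 and prune old copies."""
    src_dir, backup_dir = Path(src_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")  # zero-padded, so names sort by time
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=src_dir.name)
    sidecar_for(archive).write_text(f"{sha256_file(archive)}  {archive.name}\n")
    # Rotation: keep only the newest `keep` archives, together with their checksum files.
    archives = sorted(backup_dir.glob("backup-*.tar.gz"))
    for old in archives[:max(len(archives) - keep, 0)]:
        old.unlink()
        sidecar_for(old).unlink(missing_ok=True)
    return archive


def verify_backup(archive) -> bool:
    """True only if the archive still matches its recorded checksum and parses as a tar."""
    archive = Path(archive)
    sidecar = sidecar_for(archive)
    if not (archive.exists() and sidecar.exists()):
        return False
    recorded = sidecar.read_text().split()[0]
    if recorded != sha256_file(archive):
        return False  # bit rot, truncation or tampering since the backup was taken
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return len(tar.getmembers()) > 0  # also catches a corrupted tar structure
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False


def restore_backup(archive, target_dir) -> Path:
    """Extract into target_dir, refusing entries that would land outside it."""
    target_dir = Path(target_dir).resolve()
    target_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target_dir / member.name).resolve()
            if dest != target_dir and target_dir not in dest.parents:
                raise ValueError(f"refusing to extract {member.name!r} outside {target_dir}")
            if member.issym() or member.islnk():
                raise ValueError(f"refusing to extract link {member.name!r}")
        # Python 3.12+ ships a 'data' filter that applies similar checks; use it when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target_dir, **kwargs)
    return target_dir
```

To make this the automatic weekly backup the text recommends, schedule `create_backup` from cron or Task Scheduler and have the same job call `verify_backup` on the new archive; a restore drill into a scratch folder with `restore_backup` once a quarter is what confirms the backups are usable.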

5) Control physical access to your computers and create user accounts for each employee
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

Do not allow unauthorized persons to have physical access to, or to use, any of your business computers. This includes locking up laptops when they are not in use. It is a good idea to position each computer's display (or use a privacy screen) so that people walking by cannot see the information on the screen. Controlling access to your systems and networks also involves being fully aware of anyone who has access to the systems or networks, including cleaning crews who come into the office space at night.

6) Train employees in basic security awareness
Many breaches today start with phishing or social engineering. These are hard to catch because they prey on the human element. Social engineering is a personal or electronic attempt to obtain unauthorized information or access to systems, facilities or sensitive areas by manipulating people. The social engineer researches the organization to learn names, titles, responsibilities, and publicly available personal identification information. Then the social engineer usually calls an employee with a believable but made-up story designed to convince the person that the caller is someone in, or associated with, the organization and needs information or system access.

Employees who use any computer programs containing sensitive information should be told about that information and must be taught how to properly use and protect that information. On the first day that your new employees start work, they need to be taught what your information security policies are and what they are expected to do to protect your sensitive business information. They need to be taught what your policies require for their use of your computers, networks, and Internet connections. In addition, teach them your expectations concerning limited personal use of telephones, printers, and any other business owned or provided resources.

Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

7) Create a mobile device action plan
Mobile devices such as smartphones, tablets and even USB flash drives can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the device is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

8) Secure your Wi-Fi networks
If you have a Wi-Fi network for your workplace, make sure it is secured with encryption and a strong passphrase. Guides often also recommend hiding the network by configuring the access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). This stops casual discovery but offers little real protection: the SSID is still transmitted in the clear whenever a client connects and is trivially recovered with a wireless sniffer, so do not count it as a security control. Password-protect access to the router and change all default admin passwords. Intrusions that exploit vulnerabilities in Wi-Fi routers have become common lately, so keep the router's firmware updated as well.

The currently recommended encryption is Wi-Fi Protected Access 2 (WPA2) using the Advanced Encryption Standard (AES, shown as CCMP in some router menus); avoid WEP and the older WPA/TKIP mode, both of which are broken. See your owner's manual for directions on how to make the above changes, or rely on your Managed Services Provider or IT staff to configure this properly.
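As an added example (mine, not the article's), here is a weak access point configuration beside its corrected form, plus a small audit that flags the weak settings. The configurations use hostapd syntax, the open-source access point daemon, because its settings are plain text; on a consumer router the same choices appear in the web interface under labels such as "Security Mode" and "Encryption". Both configurations and the list of factory-looking network names are constructed for illustration, and the 20-character passphrase minimum is my assumption.

```python
"""Audit a hostapd-style Wi-Fi access point configuration for weak settings.

Added example, not code from the original article. The two configurations below
and the default-SSID word list are constructed for illustration.
"""
from typing import Dict, List

# Constructed weak configuration: WPA/WPA2 mixed mode (wpa=3), TKIP allowed,
# an eight-character passphrase and a factory-looking network name.
WEAK_CONFIG = """\
interface=wlan0
ssid=NETGEAR
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=shop2017
"""

# The same access point corrected: WPA2 only, AES (CCMP) only, a long passphrase
# and a non-default name. ignore_broadcast_ssid is left at 0 on purpose.
HARDENED_CONFIG = """\
interface=wlan0
ssid=Acme-Office-5G
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple 2017
ignore_broadcast_ssid=0
"""

DEFAULT_SSID_HINTS = ("netgear", "linksys", "dlink", "tp-link", "default", "wireless")
MIN_PASSPHRASE = 20  # assumption: far above the 8-character protocol minimum


def parse_config(text: str) -> Dict[str, str]:
    """Read key=value lines, ignoring blanks and comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_wifi(text: str) -> List[str]:
    """Return a list of findings; an empty list means no weak setting was seen."""
    cfg = parse_config(text)
    findings: List[str] = []
    if any(key.startswith("wep_") for key in cfg):
        findings.append("WEP keys configured: WEP is broken, remove them")
    wpa = cfg.get("wpa")
    if wpa is None:
        findings.append("no WPA configured: network is open")
    elif wpa == "1":
        findings.append("wpa=1: WPA (TKIP) only, use wpa=2")
    elif wpa == "3":
        findings.append("wpa=3: WPA/WPA2 mixed mode lets clients downgrade, use wpa=2")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in cfg.get(key, "").split():
            findings.append(f"{key} allows TKIP: restrict to CCMP")
    uses_psk = "WPA-PSK" in cfg.get("wpa_key_mgmt", "WPA-PSK").split()
    if wpa is not None and uses_psk and len(cfg.get("wpa_passphrase", "")) < MIN_PASSPHRASE:
        findings.append(f"wpa_passphrase shorter than {MIN_PASSPHRASE} characters")
    ssid = cfg.get("ssid", "").lower()
    if any(hint in ssid for hint in DEFAULT_SSID_HINTS):
        findings.append("ssid looks like a factory default: rename it")
    # ignore_broadcast_ssid is deliberately not scored: hiding the SSID is not a control.
    return findings
```

The audit scores WPA mode, cipher, passphrase length and network name, and deliberately says nothing about `ignore_broadcast_ssid`, since hiding the network changes nothing an attacker with a sniffer can see.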

9) Employ best practices on payment cards
Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.

Online business, commerce and banking should only be done over a secure (HTTPS) browser connection. This is indicated by a padlock icon in the browser's address bar and a web address beginning with https://, not by a lock elsewhere in the window. After any online commerce or banking session, clear your browser's cache, temporary internet files, cookies, and history, so that if your system is later compromised that information is not there to be stolen by an attacker or malware.

10) Limit employee access to data and information, limit authority to install software
Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

11) Passwords and authentication
Require employees to use a unique password for each account and to change a password whenever it may have been exposed. Forcing a change every three months has long been standard advice, but current NIST guidance (SP 800-63B, 2017) no longer recommends scheduled rotation for its own sake, since it tends to produce shorter, predictable passwords; length and uniqueness matter more. Implement multi-factor authentication, which requires something beyond a password to gain entry, wherever it is offered. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.

Do not save shared passwords, such as those for access to business systems, in public files, shared spreadsheets or other easily accessible places, and do not use an email mailbox as the repository: mailboxes are a favourite target of attackers and are rarely encrypted. Instead keep them in a password manager, with the business owner holding the administrator or recovery role, so that credentials can be shared with staff who need them and the business never loses access when an employee leaves.
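As an added example (my code, not the article's), the following Python shows how the one-time codes behind most vendor multi-factor offerings, time-based one-time passwords (TOTP, RFC 6238), are generated and checked, including the two things a verifier must get right: tolerating a little clock drift between phone and server, and refusing a code that has already been accepted once. The 20-byte secret used in the checks is the RFC's published test key, not a real credential; the issuer "Acme" and account "alice" are placeholders.

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example, not code from the original article. Assumes SHA-1, 30-second
steps and 6 digits, the defaults understood by common authenticator apps.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def new_secret(length: int = 20) -> bytes:
    """Fresh random shared secret for one user; store it encrypted at rest."""
    return secrets.token_bytes(length)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from a QR code (assumes ASCII names)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """What the authenticator app displays: HOTP with the counter = Unix time // step."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check that accepts +/- `skew` steps of drift and rejects replays."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, skew: int = 1) -> None:
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_counter = -1  # highest step already consumed by a successful login

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        at_time = time.time() if at_time is None else at_time
        current = int(at_time) // self.step
        accepted = None
        for delta in range(-self.skew, self.skew + 1):
            counter = current + delta
            # constant-time compare so the check does not leak how close a guess was
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                accepted = counter
                break
        # A valid code is single-use: anything at or before the last accepted step is a replay.
        if accepted is None or accepted <= self.last_counter:
            return False
        self.last_counter = accepted
        return True
```

The replay check is the detail most home-grown verifiers miss: without `last_counter`, a code phished from a user remains valid for the full 30-second window plus the skew allowance, which is exactly the interval a real-time phishing kit relies on.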

Max Francisco has been doing digital projects in Brazil and the US for the last 15 years.