Cybersecurity Tip for Business
The internet allows businesses of any size or location to reach new and larger markets. It allows opportunities to work more efficiently using mobile devices or remote access. Whether your business is adopting cloud computing, actively using social media, or just using email and maintaining a website, cybersecurity is critical.
A recent study showed that 87% of small to medium businesses don’t consider themselves a cyber attack target. While larger enterprises may have more data to steal, small/medium businesses tend to have less secure networks. By using automated attacks, cybercriminals can breach thousands of small businesses at a time, making size less important than security.
There are effective steps any company can take to avoid becoming a victim.
Use a Firewall
The Federal Communications Commission recommends that all businesses set up a firewall. While external firewalls are somewhat standard, it is recommended that an internal firewall also be set up. Employees working from home should also install a firewall on their home networks, preferably firewall software and support provided by the company.
Protect equipment, information and networks
- Equipment protection: Regularly update computers, including desktops, laptops and mobile devices. Make sure all operating systems and web browsers are up to date.
- Mobile device security: Require users to password protect their devices, encrypt their data and install security apps.
- Data protection: Regularly, preferably automatically, back up data on all devices, especially word processing documents, electronic spreadsheets, databases, financial files, human resources files and accounts receivable/payable files. Store copies separately and securely.
- Network Protection: Check for and install any new versions of software, including security, anti-virus and operating software. Set antivirus software to run a scan after each update. Install key software updates as soon as they are available.
Control physical access
- Lock up laptops or other mobile devices when unattended.
- Establish separate user accounts for each employee and require strong passwords, which should be changed every 60-90 days.
- Limit administrative privileges and limit data access based on job needs.
- Secure the Wi-Fi network for your workplace. Be sure it is secure, encrypted and hidden. Password protect access to the router. Use a separate computer to access confidential data on the network, and do not use that computer to surf the internet. Set up a separate Wi-Fi for customers, if that is a convenience you wish to provide.
Train. Limit. Authenticate.
- Your employees are your first defense perimeter. To be effective in that role, they must have regular training, appropriate access and strong means of authenticating their access.
- Train: Establish basic security practices and policies, such as strong passwords, appropriate internet use guidelines, rules on how to handle and protect customer information and vital data, and how to recognize cyber threats such as phishing.
- Limit: Do not provide any one employee with access to all data systems. Limit access to the specific systems needed for their jobs. Do not allow employees to install any software without permission.
- Authenticate: Multifactor authentication (MFA) is a process to verify that the person accessing a device or account is who they claim to be. Logging into the computer at work is single-factor authentication. While your network may be secure, a single factor is insufficient to protect against the many ways in which anyone’s identity can be hacked. A multifactor authentication process will include several types of Identity Claim Factors, such as:
- Something you own: sending a code via an application, text message, email or voice call to a mobile phone or device in your possession, which you then enter at the site you wish to access.
- Something you know: a PIN or answer to a security question.
- Something you are: a fingerprint or retinal scan, confirming that you physically are the person you claim to be.
- Kirkpatrick Bank offers multifactor security protocols for business accounts.
Wire Transfer Fraud
Business email compromise is an advanced form of spear-phishing. It is a growing problem, and companies are losing thousands, even millions, of dollars instantly. Scammers may either gain access to an executive or high-level employee email account, or they may spoof the account, changing where the email is sent when the recipient responds. In the first case, the scammer acquires access through a phishing attack and waits for the perfect time to take over, usually when the individual is out of the office for a trip of some kind. The scam targets employees of businesses that regularly perform wire transfer payments or work with foreign companies or suppliers. An email is sent from the CEO or CFO asking that employee to make an immediate or urgent transfer of funds. When receiving any request to wire transfer funds, look closely to verify the email address. Call the person who is supposedly requesting the transfer to verify that they did make the request. If you reply to the message, be sure to look at the real email address before replying. It is best to have a transfer process in place that requires more than just an email request and is a multi-person process.
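The "look at the real email address before replying" check can be automated in a mail triage script. The following is an added example, not part of the original article; the domain names, the keyword list, the sample messages and the function name `wire_request_flags` are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions (constructed): the company's mail domain and the keyword list.
COMPANY_DOMAINS = {"example-corp.test"}
PAYMENT_WORDS = ("wire", "transfer", "urgent", "immediate")


def domain_of(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def wire_request_flags(raw_message):
    """Return reasons a message needs call-back verification before paying."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    flags = []

    # A reply goes to Reply-To when present, not to the visible From address.
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(addr) != from_domain:
            flags.append(f"replies go to {addr}, not to {from_domain}")

    # A sender outside the company domain posing as an internal executive.
    if from_domain not in COMPANY_DOMAINS:
        flags.append(f"sender domain {from_domain or '(none)'} is external")

    # Payment language only matters in combination with an address anomaly.
    subject = msg.get("Subject", "").lower()
    if flags and any(word in subject for word in PAYMENT_WORDS):
        flags.append("subject asks for an urgent payment")
    return flags


# Constructed sample messages (not real mail).
SPOOFED = """From: Pat Lee <ceo@example-corp.test>
Reply-To: Pat Lee <ceo@examp1e-corp.test>
Subject: Urgent wire transfer today

Please send the payment before noon.
"""
ROUTINE = """From: Pat Lee <ceo@example-corp.test>
Subject: Staff meeting moved to 3pm

See you there.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("routine", ROUTINE)):
        print(name, wire_request_flags(raw))
```

A message sent from a genuinely compromised executive account passes this check, which is why the phone call and the multi-person transfer process remain necessary.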
There are several sources of reliable information and assistance on the topic of business cybersecurity.
Federal Communications Commission
445 12th Street SW
Washington, DC 20580
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Website: ftc.gov (tips & advice, Business Center)
Department of Homeland Security
offices located in each state
Website: search Cybersecurity | Homeland Security
National Cyber Security Alliance
Website: staysafeonline.org (cybersecure-business)