Cyber security is a growing concern for small and medium-sized business owners. Today, more businesses run online applications than ever before. A system vulnerability resulting in a loss of sensitive data can have devastating effects on these organizations, yet many small business owners, in Oklahoma and beyond, still don’t take the proper cyber security measures.
If you rely on your computers or the Internet for day-to-day operations, cyber security should be important to you. After all, a data breach could cost you your business. To promote cyber security, the US Department of Homeland Security designates each October as Cyber Security Awareness Month. Learn how you can protect your business by avoiding these seven common mistakes.
Insufficient Backup Procedures
From healthcare and financial records to personal information such as birthdates and Social Security numbers, most companies handle some form of sensitive information. A data loss due to a security breach or system failure can have a lasting impact, yet many businesses do not take proper steps to secure their data. A 2013 survey by GFI Software found that 53% of SMBs do not perform daily data backups, and 32% of businesses do not regularly test their backup plans to ensure they are working properly.
Furthermore, what many business owners are failing to recognize is that data loss incidents can result in huge fees. A single hard drive recovery can cost anywhere from $500 to several thousand dollars. Add in the costs associated with productivity loss, and it should become clear why data backup is important.
The best way to mitigate the risk of data loss is to be diligent about data backups and to use multiple solutions in tandem. IT professionals often follow the “3-2-1” rule for data backups:
- At least 3 copies of important data…
- On 2 different types of media…
- With at least 1 copy offsite.
For daily backups, online cloud-based services are a great option. These programs automatically replicate your data and save it offsite to ensure it is safe in the event of a system failure or catastrophic event that physically destroys the server. Visit our cloud services page to learn more about how your business can benefit from cloud-based storage.
In addition to backing up your business’s sensitive information to the cloud, we recommend that you also back up your data to a local device such as a portable hard drive or server. Windows’ Backup and Restore program and OS X’s Time Machine are good options for individual computers, and Windows Server’s Robocopy is a great option for many servers.
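The 3-2-1 rule and the untested-backup problem above are easy to check mechanically. The following is an added example, not code from this page or from Xcel Office Solutions: it builds a constructed source folder and three backup copies in a temporary directory (a stand-in for a local disk, a USB drive and a synced cloud folder), scores the set against the 3-2-1 rule, hashes every file to confirm each copy really matches the source, and performs a restore drill from the offsite copy. Labels, media names and the simulated corruption of the USB copy are all constructed for the demo.

```python
"""Added example: 3-2-1 backup check with hash verification and a restore drill (not vendor code)."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BackupCopy:
    label: str
    path: Path       # where this copy lives (a mounted drive, a synced cloud folder, ...)
    media: str       # e.g. "internal-disk", "usb-drive", "cloud"
    offsite: bool    # True if the copy is physically away from the primary site


def sha256_tree(root: Path) -> dict[str, str]:
    """Map each file's path relative to root -> SHA-256 hex digest of its content."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_321(copies: list[BackupCopy]) -> list[str]:
    """Return the ways this set of copies falls short of the 3-2-1 rule (empty list = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one media type ({', '.join(media) or 'none'}), need 2")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    return problems


def verify_copies(source: Path, copies: list[BackupCopy]) -> dict[str, bool]:
    """True for each copy whose files hash identically to the live source (a copy that exists but
    has silently changed fails here, which is exactly what an untested backup hides)."""
    expected = sha256_tree(source)
    return {c.label: sha256_tree(c.path) == expected for c in copies}


def restore_test(copy: BackupCopy, target: Path) -> bool:
    """Restore a copy into target and confirm the restored files match the copy."""
    shutil.copytree(copy.path, target, dirs_exist_ok=True)
    return sha256_tree(target) == sha256_tree(copy.path)


def run_demo() -> dict:
    """Build a constructed source directory and three copies, corrupt one, and report the results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "records").mkdir(parents=True)
        (source / "records" / "clients.csv").write_text("id,name\n1,Example Client\n")
        (source / "ledger.txt").write_text("2015-10-01 invoice 1001 paid\n")

        copies = [  # constructed stand-ins for a local disk, a USB drive and a cloud folder
            BackupCopy("primary-disk", base / "disk", "internal-disk", offsite=False),
            BackupCopy("usb-drive", base / "usb", "usb-drive", offsite=False),
            BackupCopy("cloud-offsite", base / "cloud", "cloud", offsite=True),
        ]
        for c in copies:
            shutil.copytree(source, c.path)

        # Simulate bit rot on the USB copy: the file is still present, but its content changed.
        (copies[1].path / "ledger.txt").write_text("2015-10-01 invoice 1001 p\x00id\n")

        return {
            "policy_problems": check_321(copies),
            "verified": verify_copies(source, copies),
            "restore_from_cloud_ok": restore_test(copies[2], base / "restore"),
        }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo reports no 3-2-1 policy problems, flags the USB copy as not matching the source, and confirms a clean restore from the offsite copy; a scheduled job that does the hashing and restore step against real backup locations is what "regularly testing your backup plan" looks like in practice.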
Poor Password Practices
The most common cyber security issues businesses face are the result of poor password practices. There are three main password elements that create vulnerability issues: weak passwords, reused passwords, and the exposure of passwords.
Weak passwords are extremely common. Because complicated passwords are hard to remember, people tend to use simple passwords such as names, dates, common words, or combinations of these elements. Unfortunately, these passwords are relatively easy for modern software to crack. This Ars Technica article, for example, shows how an untrained reporter was able to crack more than 8,000 passwords in only a few hours using publicly available software and guides.
Another common issue is using the same password for multiple logins. Even if your password is strong, it’s not a good idea to use the same password for different accounts. One data breach from a single site could compromise your entire digital environment.
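The two habits just described, weak construction and reuse, are the kind of thing a password policy can check for when a user picks a password. The following is an added example and not code from this page or from any product it names: it flags short passwords, passwords built from a common word, a personal term (a name, the company) or a date, and a password that is already in use for another account. The common-password list and the sample "vault" of existing passwords are constructed and tiny; a real deployment would use a breach-derived list and the password manager's own vault.

```python
"""Added example: a password policy check for weak and reused passwords (not vendor code)."""
from __future__ import annotations

import re

# Constructed mini-list of very common passwords. A real check uses a breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}"),                          # a year such as 1984 or 2015
    re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b"),   # 03/12/1984, 3-12-84, ...
]

MIN_LENGTH = 12  # policy choice for this example, not a universal standard


def password_issues(password: str, personal_terms: tuple[str, ...] = (),
                    vault: frozenset[str] = frozenset()) -> list[str]:
    """Return the policy problems with a proposed password; an empty list means it passes.

    vault holds the passwords this user already uses elsewhere (as an unlocked password
    manager would know them), so that reuse across accounts can be rejected.
    """
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"too short (under {MIN_LENGTH} characters)")

    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)   # "Welcome2015!" -> "welcome"
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        issues.append("built from a common password")

    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            issues.append(f"contains personal term '{term}'")

    if any(p.search(password) for p in DATE_PATTERNS):
        issues.append("contains a date or year")

    if password in vault:
        issues.append("reused from another account")

    return issues


if __name__ == "__main__":
    # Constructed samples: a typical weak password and a long passphrase.
    print(password_issues("Welcome2015", personal_terms=("Acme", "Bob")))
    print(password_issues("correct horse battery staple"))
```

Each issue is reported separately so the user is told why the password was rejected rather than just that it was; that feedback is the "training" part of the fix, delivered at the moment the bad habit appears.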
It’s also common for users to inadvertently expose passwords or login information to unauthorized parties. Phishing is the most common vector for these types of attacks. For example, last year’s data breach at Anthem Inc, a popular health care provider, was the result of an employee’s login information being stolen. This blog post from Securelist details the latest phishing attacks and shows how important spam and email filtering is for businesses.
There are several solutions to reduce the risk of password theft and keep you safe from attack. Here are a few of the most effective methods:
- Better training – The most effective password security measure is training and awareness. Your employees should know what the best practices are for password creation, use, and sharing.
- Password Encryption – Services such as LastPass allow you to create encrypted, randomized passwords and manage them from a single app; however, they still require you to create a strong master password.
- Two-Factor Authentication – For your most important data, two-factor authentication is an excellent security measure. Two-factor systems require you to have a device (often a mobile phone that can receive text messages or a security token) in conjunction with a traditional password or PIN. By using both authentication methods in tandem, logins are made significantly more secure.
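The security-token flavour of two-factor authentication mentioned above is usually a time-based one-time code (TOTP, RFC 6238), the same scheme authenticator apps use. The following is an added example, not code from this page or from LastPass or any vendor: it generates an enrollment secret, computes the six-digit code a token would show, and verifies a submitted code on the server side with a small clock-drift window, a constant-time comparison, and a guard that refuses to accept the same time step twice. The `SecondFactor` class and its `accept` method are names chosen for this example; the RFC 4226/6238 test key `12345678901234567890` is used in the test so the output can be checked against the published vectors.

```python
"""Added example: TOTP second factor (RFC 6238) with drift window and replay guard (not vendor code)."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (30 s by default)."""
    return hotp(key, int(now) // step, digits)


def verify_totp(key: bytes, code: str, now: float, step: int = 30,
                digits: int = 6, window: int = 1):
    """Return the time step whose code matches, or None.

    Allows +/- window steps of drift between the token's clock and ours, and compares each
    candidate in constant time so a wrong code cannot be narrowed down by timing.
    """
    current = int(now) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, current + drift, digits), code):
            return current + drift
    return None


def new_secret(length: int = 20) -> str:
    """Generate an enrollment secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(length)).decode("ascii")


def key_from_secret(secret: str) -> bytes:
    return base64.b32decode(secret)


class SecondFactor:
    """Server-side state for one enrolled token (hypothetical class name for this example).

    Remembering the last accepted time step means a code that was phished or shoulder-surfed
    cannot be replayed, even inside its 30-second validity window.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.last_step = -1

    def accept(self, code: str, now: float) -> bool:
        step = verify_totp(self.key, code, now)
        if step is None or step <= self.last_step:
            return False
        self.last_step = step
        return True


if __name__ == "__main__":
    import time
    secret = new_secret()
    print("enroll this secret in an authenticator app:", secret)
    print("code right now:", totp(key_from_secret(secret), time.time()))
```

Note that a code is still only a second factor: it is checked after the password, and the one-time code protects against a stolen password, not against a session that is already authenticated.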
Improper Printer/Device Security
An often-overlooked area of cyber security involves network printers and copiers. Modern printers and copiers are built just like computers, complete with processors, RAM, and operating systems. Many businesses, though, do not take steps to secure these devices.
This can lead to problems. For instance, in 2013 a vulnerability was exposed in some HP printers by Google. This vulnerability allowed hackers to assume control of the printer, to view all printed and scanned files, and to prevent the printer from upgrading its firmware to patch the hole.
Because of this, it’s important to configure your printers and other print devices with security in mind. Here are a few things you should do to ensure your printer is secure:
- Change the default printer administrator password.
- Set up your printer behind your network firewall.
- Only allow connections to your printer from authorized network users.
- Make sure your printer’s software is up to date and apply future patches in a timely manner.
Not Encrypting Sensitive Data
One of the biggest mistakes SMBs make with cyber security is focusing all of their energy on keeping attackers out. Unfortunately, no business can keep itself 100% secure. That means at least part of your security measures should be focused on keeping your valuable data protected inside your environment, not only on keeping intruders out.
Encryption is one of the best solutions for protecting yourself from data loss, hacking, and malware. When you encrypt your local data and your backups, you prevent an attacker who accesses that data from using it. Data encrypted with standard 128-bit encryption is virtually unbreakable without the cryptographic key, ensuring your data stays safe even if it is hijacked by a hacker or malicious program. Yet, according to a survey by Kaspersky, more than 35% of companies worldwide don’t use encryption to protect their data.
Fortunately, it isn’t hard to set up encryption in your environment. For individual computers, both Windows and OS X have built-in hard drive encryption software. You can enable this software with just a few clicks. The process is more complicated for servers, but an IT Services company can help you get started and can train your employees in encryption and key management best practices.
Not Segmenting Your Environment
If your infrastructure consists of more than a single computer, you should be thinking about network segmentation. This is especially true if you store sensitive information on a networked server. Any time you expose valuable data to the outside world you run the risk of it being tampered with or stolen.
Network segmentation can help reduce this risk. In a properly segmented network, outside-facing users (such as computers or devices with Internet access) are segmented from internal servers, payment machines, and other devices by physical constraints or software firewalls. These systems can prevent unauthorized access to your data and keep your business secure.
To set up network segmentation in your business, contact us today for a network assessment. We’ll help you determine which elements of your network are vulnerable and how you can restructure your data environment to protect them.
Not Patching Web Services and Firewalls
One of the most surprising data points from the 2015 Verizon Data Breach Investigations Report relates to exploits of known vulnerabilities. According to the report, 99.9% of exploits occurred more than a year after the relevant CVE (Common Vulnerabilities and Exposures) documentation was published. And perhaps more surprisingly, just 10 CVEs – all but one published before 2003 – account for 97% of exploits. In other words, attackers generally exploit known vulnerabilities in hardware and software, banking on the probability that their targets have not patched them.
These statistics show how vital a good patch management process is for every business. It doesn’t matter whether you operate from a single laptop or have a full data center. You should be regularly testing and applying security patches to all of your devices.
For larger networks, automated patch management tools can help make patch management easier. Unfortunately, these tools aren’t always easy to set up or use. You may want to contact an IT services company to help you with your patch management process.
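The DBIR finding above, that exploited vulnerabilities are typically more than a year old, suggests the one report every patch process needs: how long has a fix been available for each thing still unpatched? The following is an added example and not code from this page, Verizon, or any patch management product: it reads a small software inventory, keeps only rows where the installed version is below the fixed version, and ranks them by the age of the advisory, flagging anything older than an "overdue" threshold. The inventory rows, hostnames and `CVE-XXXX-PLACEHOLDER-*` advisory ids are constructed placeholders, and the 30-day threshold is a policy choice for the example.

```python
"""Added example: rank unpatched software by how long its fix has been available (not vendor code)."""
from __future__ import annotations

import csv
import io
from datetime import date

# Constructed sample inventory. Hosts are fictional and advisory ids are placeholders, not real CVEs.
INVENTORY_CSV = """\
host,package,installed,fixed_in,advisory,published
web-01,exampled,2.4.1,2.4.7,CVE-XXXX-PLACEHOLDER-A,2014-03-12
web-01,libexample,1.0.0,1.0.0,,
fw-edge,edgeos,5.2,5.4,CVE-XXXX-PLACEHOLDER-B,2015-09-01
pos-02,posapp,3.1,3.3,CVE-XXXX-PLACEHOLDER-C,2015-10-20
"""


def version_tuple(v: str) -> tuple[int, ...]:
    """'2.4.7' -> (2, 4, 7) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


def patch_backlog(csv_text: str, today: date, overdue_days: int = 30) -> list[dict]:
    """Rows whose installed version is below the fixed version, oldest advisory first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["fixed_in"] or version_tuple(row["installed"]) >= version_tuple(row["fixed_in"]):
            continue  # already at or above the fixed version: nothing to apply
        age = (today - date.fromisoformat(row["published"])).days
        findings.append({
            "host": row["host"],
            "package": row["package"],
            "advisory": row["advisory"],
            "fix_age_days": age,
            "overdue": age > overdue_days,
        })
    # The longest-available fixes go first: that is where the "year-old CVE" exposure lives.
    findings.sort(key=lambda f: f["fix_age_days"], reverse=True)
    return findings


def summary(findings: list[dict]) -> dict:
    return {"total": len(findings), "overdue": sum(f["overdue"] for f in findings)}


def run_report(as_of: str = "2015-10-30", overdue_days: int = 30) -> list[dict]:
    """Run the backlog report over the constructed inventory as of a fixed date."""
    return patch_backlog(INVENTORY_CSV, date.fromisoformat(as_of), overdue_days)


if __name__ == "__main__":
    report = run_report()
    for f in report:
        flag = "OVERDUE" if f["overdue"] else "ok"
        print(f"{f['host']:8} {f['package']:12} {f['advisory']:24} {f['fix_age_days']:4}d  {flag}")
    print(summary(report))
```

Feeding real inventory data into a report like this turns "patch regularly" into a number that can be tracked week to week; a fix age that keeps climbing is the signal that a host or application has fallen out of the process.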
Lack of Employee Training and Enforcement
Even if you fortify your network from outside attacks, your systems are still vulnerable to errors caused by employees. User errors account for about 20% of all data security incidents according to the 2015 DBIR and can result in costly remediation efforts.
Here are just a few of the ways employees and insiders can cause security vulnerabilities:
- Using weak passwords or reusing passwords
- Opening infected email attachments or web pages
- Opening or responding to phishing emails or apps
- Handling or disposing of sensitive data improperly
Training is one of the most important and effective cyber security methods. When a new person or contractor joins your team, you need to thoroughly educate them on your security processes.
Here are a few tips for training employees on proper cyber security:
- Establish Best Practices – Every employee should know how to create a strong password, how to avoid viruses and phishing attacks, and how to properly dispose of sensitive data. Creating best practices for them to follow is a good way to make them aware of what to do and what to avoid.
- Train Early and Often – Don’t put off training new employees on data security. Bad habits are easier to avoid than break. And don’t forget to retrain your employees when things change.
- Communicate Consequences – Establish clear, concise consequences for any employee who breaks data security protocol.
Your business can’t afford to ignore cyber security. If you want to learn more about how you can keep your business safe from data loss, theft, malware and other security-related issues, call Xcel Office Solutions today at (405) 748-4222 to schedule your network assessment.