Being a business owner is fraught with risk. Getting started, driving sales, entering new markets, redefining services, or making investments in technology, all take some calculation to protect your organization. Cybersecurity is another risk area that owners should really be aware of and focus some time on. Here is a list I created of ten ideas to help business owners take simple, inexpensive actions today towards protecting their business and their livelihood from security threats.
1. Cybersecurity starts at the top.
There is a reason why executive involvement in security is required in many compliance frameworks, such as HIPAA. You make all the difference. Your involvement, the questions you ask, incorporating strategies into growth plans, and your understanding of the entire organization go a long way. You don’t need 10 hours a week to make a difference. More like two hours a month every month. Make sure you understand your organization’s efforts to protect your applications and data. Our most secure clients are the ones with a committed executive at the top, and not necessarily the ones that spend the most dollars on security.
2. Track devices on your network.
Most doors in our offices have locks on them. Why? To control who comes into the building or to protect valuables or valuable information. Any device on your network could introduce security problems. Smaller organizations can whip out the old spreadsheet and just track everything it purchases to keep control of what is on the network. Keeping accurate records of the device name, serial number, IP address, purchase date, disposal date, device user, or its location is practicing good cyber hygiene. This is where the challenge of working from home comes in. You lose some of that control. There are a whole bunch of devices on the typical home network that could be impacting performance or security. And they are outside of your control. Improving security starts with managing what you do control. So let's start there, where it’s easy. There are low-cost tools or partners that can automate this task with agents or scanning devices to continually see what’s on your network. Not everyone who connects to your network has the best intentions. This simple enforcement can protect your company against those threats.
3. Know your important business software.
Business owners should know every piece of software on their network to ensure the applications have proper security configuration, get patched regularly, are centrally managed, and limited to applications you know to be safe. Also, make sure important data is backed up if needed for your employees or corporate value. Documenting is helpful for standardizing across similar user groups and making sure your teams have the tools they need to complete the work assigned. While these can be manually tracked, I’d highly suggest a software inventory tool or vendor help you automate the process.
4. Train your employees on cyber hygiene.
No employee wakes up and says "I want to shut down my company network, so let me click this bad link." However, the constant pressures of work, home, clients, and people push security to the back of the mind. Do annual training on how to recognize security issues in the software and email your company uses. You don't even have to create this yourself, just search and buy presentations online that will do this training. We include security training videos for our clients that track training completion in our offering because it helps reduce the number of security incidents and emergencies. And that's a win-win for us and the business owner. Requiring each employee to complete four five-minute security awareness training videos a month will save your company thousands and thousands of dollars. If that's not doable right now, at least watch the videos yourself and communicate that to your teams. The top targets for spearfishing attacks are C suite executives, the finance department, and IT professionals. These attacks target these groups because they have more access, are closer to the money, and usually very busy. It’s like the old Sam Kinnison joke, if you’re hungry, move to where the food is.
5. Remove old employees from your system.
Sometimes in the rush of the business, it makes it hard to transition out old employees because the focus is on bringing in new team members. When we review new clients we sometimes find old accounts still enabled that could allow an old employee to connect to the network and access information. Don’t leave those open doors in your network. There are all kinds of scripts and tools that can pull information. We usually target the last time the user logged on, the last time the password was changed, and other important nuggets from Windows active directory.
6. Lockdown who has administrative access.
You own the company, so naturally, you should have access to everything. Your employees, that's a different story. Govern access by using the principle of “least privilege” which suggests people only have enough access to do their job. Have separate administrative accounts for those people who need administrative access. This allows them to run installations or complete other permission related tests without you. This also makes it easier when you do your periodic reviews of who has administrative access and ensures only a small number of people have access.
7. Separate employee smartphones from business wireless.
Most businesses already have a guest wireless network for non-employees with devices. The idea is you don’t want noncorporate assets potentially impacting your business network. I suggest extending that concept to employees' smartphones, home tablets, or other miscellaneous stuff. Most wireless networks support multiple SSIDs, so there is no additional cost to create 3 SSIDs for laptops, smartphones, and guest users. “Laptops” can have access to servers and network data. “Smartphones” can provide Internet access but without the need to access servers or data, which they shouldn’t be doing anyway. “Guest” could provide Internet access and depend on your firewall, possibly limit the bandwidth that SSID uses or apply more filtering to sites that guests could go to.
8. Revisit your Office 365 configuration, with security in mind.
Maybe you’ve spent a lot of money on great security tools to protect your logical network. But, Office 365, hosted applications, and other cloud services are their own systems and might be gaping security holes in your operations. Fortunately, Microsoft knows this and created Microsoft Secure Score. This built-in tool helps you evaluate various security best practices and how you measure up to them. This allows you to close some of these holes. Some features aren’t available until the next level of 365 but quite a few tools can be configured for free, assuming someone has the technical experience to plan and make specific changes. Stop reading this now, do this today.
9. Read the news.
Treat all those cybersecurity “new ransomware” stories as reconnaissance. If you read about a new threat or patch that needs to be applied, ask your IT or support person if you are protected. Understanding where threats are coming from can help you selectively mitigate current risks until you can afford a risk assessment and/or develop security operations to complement network support. Those are completely different technology skills.
10. Review your cyber insurance policy.
We usually review our client’s cyber insurance applications to make sure that what they think they have is what they need. Too many times we find the wrong information and that would most likely invalidate a claim - dramatically impacting your business value. And while most providers like us carry E&O and cyber for possible negligence of our organizations, you will want to make sure you also have the protection of a cyber insurance policy for your people’s negligence.
While these tips are low-cost, they work. But you can't just do these ten things alone. If you haven't already, you must make some substantial base investments in first level risk busting tools such as anti-malware, firewalls, email filtering, backup technologies, and others. Cybersecurity can seem like an overwhelming concern, but with these ten tips, you can move the needle, even on a budget, secure your business, and protect your business value.
ABOUT THE AUTHOR:
Steve Meek is Co-Founder and President of The Fulcrum Group, Inc. organization. He and Vice-president David Johnson founded The Fulcrum Group with a focus on services and client relationships. A business-person first, Steve evolved into technology and has delivered client successes working with corporate, local government, non-profit, health care, and education organizations. Whether providing hands-on technical services, managing a project, or writing technical materials such as System Documentation, Network Audits, or Security Assessments, he still enjoys the challenge of keeping up with rapidly evolving technology.