01 Jun
A WORD ON CYBER SECURITY FOR MEDIUM AND SMALL BUSINESSES
The world is increasingly remote and reliant on our technology infrastructure to be able to get work done. We at PeachBPO have examined what it means to be a safe citizen in today’s cyber world as a small and medium-sized business. In the interest of current events, we feel it is important to have an open conversation about security.
We have worked alongside cyber security experts and consulted with some of the most respected cyber security companies to develop a comprehensive security strategy. You do not have to be a tech expert to implement a highly effective plan, however, we highly recommend you consult cyber security experts should you have doubts about your security program.
Best practices for a small to medium-sized business are simple and common sense. We will pass our knowledge on to you. Feel free to add to this article with your own thoughts, experience, and expertise. We aim to raise awareness of the importance of security. The more we talk about it, the better off we will all be.
Let us dig in.
Have a Solid Policy in Place… and train people on it.
No matter who you are, cyber security is a must! It is essential to have a security policy. A good security policy should handle:
- Physical security measures
- Internal and external data management
- Device management
- Access and controls for systems and data
- Acceptable use policy (AUP) for email, internet usage, social media, and other forms of communication
- Software download and installations
- Reporting and responding to security issues (this should be looked at as preventative and not just after the fact; more on this later)
Train the people according to the plan. A security policy alone cannot secure your organization; you need the people to know it, follow it, and be reminded of its importance regularly.
Organize a regular security training workshop to build a safety mindset and culture in your workforce. It has been observed over the years that some of the worst attacks are the result of insider carelessness. So it is everyone's responsibility to ensure they are operating in a safe manner.
Robust Password Security
Passwords are still the most impactful front-line security method. It is a must to have strong passwords.
How strong is considered a strong password?
Well, did you know that if you used only lowercase letters, you could have a 12-character password that would take on average 50 years to crack?
Many systems limit the number of attempts that can be made before the account is disabled, but do not leave things to chance. The longer and more complex the password, the better off you will be.
Also, change your password every 3 months; it is harder to hit a moving target. I know what you are thinking: long passwords that change every 3 months, how do I stay on top of it all? Well, let's move on to the next topic.
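To make the "longer and more complex" point concrete, here is an added example (not from the original article) that estimates the keyspace, entropy and average brute-force time for a password shape. The character-set sizes and the guess rate are assumptions of this example; real attack rates vary enormously, so treat the output as a way to compare password shapes, not as a promise.

```python
import math

# Assumed character-set sizes (printable ASCII, as commonly counted).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

CHARSETS = {
    "lowercase": LOWER,
    "mixed_case": LOWER + UPPER,
    "alphanumeric": LOWER + UPPER + DIGITS,
    "full_printable": LOWER + UPPER + DIGITS + SYMBOLS,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset: str) -> int:
    """Number of distinct passwords of this length drawn from the named charset."""
    return CHARSETS[charset] ** length


def entropy_bits(length: int, charset: str) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * math.log2(CHARSETS[charset])


def years_to_crack(length: int, charset: str, guesses_per_second: float) -> float:
    """Average brute-force time in years at an assumed guess rate.

    On average half the keyspace is searched before the right password is hit.
    """
    expected_guesses = keyspace(length, charset) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def charset_size(password: str) -> int:
    """Charset size implied by the classes actually present in a concrete password.

    A password that never uses a class gains nothing from that class, which is
    why 'Password1!' is not as strong as its length alone suggests.
    """
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


if __name__ == "__main__":
    # Assumed attacker rate for this demo: one billion guesses per second.
    rate = 1e9
    for length in (8, 12, 16):
        for cs in CHARSETS:
            print(f"{length:2d} chars, {cs:14s}: {entropy_bits(length, cs):5.1f} bits, "
                  f"~{years_to_crack(length, cs, rate):.3g} years at {rate:.0e}/s")
```

Each extra lowercase character multiplies the work by 26, so adding four characters does more than switching an eight-character password to the full printable set; that is the reason the article favours length. Pair this with a password manager (next section) so length costs you nothing to remember.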
State of the Art Password Storage Practices are Important
Passwords have to be stored in a secure way. Gone are the days when people left their passwords on sticky notes in their offices. Now is the time to store passwords digitally using a password manager. On a budget? Try KeePass for password storage. KeePass is a free, open-source program that serves the purpose. The passwords are stored within a database protected by best-in-class encryption mechanisms (AES-256, ChaCha20 and Twofish).
There are also a few paid password management services. Dashlane is a paid password manager which also provides a VPN and secures stored documents. Bearden is another paid program that asks you for a fee and provides a lot in return. It deploys two-factor authentication and serves as an authenticator in itself.
Another important cyber security method is to implement multi-factor authentication, or at least two-factor authentication. Duo Security is a promising tool for this purpose. It also provides endpoint security.
2FA, or two-factor authentication, requires you to use another verified device or system to retrieve a code. This way, even if a password is obtained or cracked, a person attempting to break into your systems would have that much more trouble gaining access.
You do not need a special fob to enable 2FA; you can use your cell phone, an alternate email address, or applications like Duo. It is highly recommended you enable 2FA on all your company's systems. With the number of tech companies providing this service, there is no reason not to implement 2FA.
Ditch the Physical Copies
The world is moving into a paperless environment where fewer things are kept in black and white these days. Keeping things physically can leave important information vulnerable; after all, you cannot password-protect a sheet of paper. Your bank statements, tax returns, and the like do not need to be sitting on your desk. Require employees to follow a clean desk policy. Paper needs to be stashed under lock and key when not in current use, and only kept at all if a physical copy is absolutely necessary.
Put it in the Cloud.
If you have not already, you should make the move to the cloud. Without the cloud, files sit on a local drive or in a server room. You have to have an IT professional oversee your tech, ensure backups are made, and keep the software up to date. Your company is on its own to ensure all current best practices are maintained. The cloud provides reliability, security, and disaster recovery solutions.
Enterprise-level cloud service vendors keep their security methods consistent and up to date to survive in the online space. The cloud offers features like built-in firewalls, redundant and heavily backed-up data, and built-in two-factor authentication methods that make it a secure place for everyone.
Once in the cloud, endeavor not to keep any files locally. This will minimize the damage if your machine is ever compromised. Just keep it in the cloud.
Don’t forget to lock down the devices
Another best practice is to lock devices while they are not in use. Most people forget to lock their screens when they step out for a break or lunch during office hours. Moreover, in these COVID times when people are working from home, their habits of protecting their systems may lapse. Remind them to always lock or shut down their machine when walking away. Set your computer's sleep and lock timeout to a short interval so that, just in case you forget, your system does not stay accessible.
Be careful with access privileges
The concept of privileges is that they should be granted only to those who absolutely need them. Having access to areas that are not otherwise needed creates a level of exposure that can and should be avoided entirely. The bookkeeper needs only read access to the bank account to pull a statement, not permission to send funds as well.
Granting privileges only on a need-to-have basis will also help when auditing security issues within systems. If the pool of people who can reach a given area of a system is smaller, a problem will be easier to isolate and address.
Cyber hygiene is as important as any other hygiene
Good cyber hygiene means following these practices:
- Update software frequently: Locally installed software including your OS needs constant updating. It might be annoying to see that Java message pop up for the 100th time but chances are you are missing out on important security updates too.
- Run antivirus software: The antivirus software must be run regularly. Set a schedule for it to run so you do not forget. And of course, check whether your antivirus software needs updating before running it.
- Do not surf unknown sites: Another tip for safer browsing is to avoid visiting sites that are unknown or look strange. Browsers are getting better at letting you know that something is off if you are straying toward the wrong side of the internet, but you should not rely on your browser alone. When a link is presented as text, look at its real destination. Hover your mouse cursor over a link and your browser should show you the link's address in the lower left-hand corner of the window.
- Downloading should be avoided: Never download or install software whose publisher you are not sure of. Similarly, in companies, it is essential to never allow employees to install or download any exe files or other downloadable software.
- Browsers should never be entrusted with passwords: Never allow browsers to remember passwords. It is a convenient way to browse the web, but if a browser is compromised, all your passwords will be exposed.
- Make sure your firewall is always running: This layer of protection will help your private data stay private. Your OS should have a built-in firewall. If not, there are free firewall programs in abundance.
Continue to introduce cyber security practices into organization culture
For online safety, cyber security best practices cannot simply be followed. They need to be embedded into the organizational culture.
- 5-minute discussion before meetings: There are many ways to make cyber security practices part of the culture. One way is to train people with frequent workshops, as mentioned earlier. Another is to talk about it during meetings. Meetings are more frequent than workshops or webinars, so security stays at the top of everyone's mind. Taking 5 minutes to discuss a cyber security-related topic before starting a team meeting is a good way to achieve this goal.
- Talk about incidents: Another way to continually bring security practices into the organization's culture is to discuss incidents. They can be incidents that have occurred within the organization or incidents elsewhere that led to an attack. Of course, it is never recommended to name and shame your employees. They are your biggest asset. Perform an After-Action Review with them to make sure there are 0 security issues in the future, and be sure to use the incident as an opportunity to share best practices across the organization.
- Empower your team: The people on your team must have the courage to speak up. If there are concerns, let the team discuss them amongst themselves and with their managers. This pays off in security terms. When an employee spots a phishing email, tell them to report it and let others know they identified a risk. The more people talk about safety, the more they will think about it day to day.
We at PeachBPO hold cyber security as a top-level priority. This article is about making cyber security best practices a part of your life, as they are of ours. To protect your digital presence and digital assets, it is essential to instill best security practices within the organization's culture. Following the tips and advice in this article will surely help you raise the bar.
We would love to hear more tips and security tricks from you. If you know more about cyber security in the online space, let us know in the comments below.
Contact us to get started on setting up your team with PeachBPO!
About Michael Howard
Prior to founding PeachBPO, Michael (or Mike) worked as a business leader in finance and analytics for 14 years. Michael started his career as an economist for the North American cement industry and has since worked as a marketing, strategy, and pricing consultant, FP&A director and most recently the CFO of an international tech start-up closely partnered with Google. Michael attended Loyola University Chicago for his Bachelor of Business Administration and Northwestern as a graduate student in Predictive Analytics.