1. Don’t Worry, Be Happy.
One of the most dangerous mistakes your IT Department (or IT Person) can make is forgetting that the internet is a perilous place. In John Le Carre’s espionage novels, the highest level of security was Moscow Rules. An agent working under cover in Moscow had to take extraordinary precautions to avoid disaster. And so must every small business with an internet connection. Sometimes paranoia is a perfectly appropriate strategy.
Email messages (even from associates) that tempt you to provide personal information, or click on YouTube videos, are often bogus scamware. One careless click can download a monster-virus onto your computer that will quickly infect every other computer in the local network. Or hack into your “secure” list of customer information. Or encrypt your data files until you pay a hefty ransom. Or initiate a phishing attack that will steal your identity and empty your accounts.
It’s easy to copy graphics, a logo or even a full web page, so even though that email really, really looks like it comes from Citibank—it might not.
Assume every new email message may be infected. Never open email attachments (especially executables) unless you’re absolutely sure what they are and what they do. Be particularly cautious when the message itself is generic (“Check this out.” “Hot website.” “You’ll love this!”). Look for misspellings and bad grammar. Don’t click on links in an email, even if they seem okay, unless you know who you’re dealing with. Instead of opening an email attachment, save the file and run a virus scan. Or send an email to the person whose name appears on the suspicious message: “Hey, Joe (or Hey, Wells Fargo), did you send me this?”
Phishing and social engineering have become high arts. Ten minutes after a news event (earthquake, celebrity marriage, sex scandal, Kim Kardashian magazine cover) hackers are sending out targeted emails offering tempting photos and interviews; one click and you’re compromised. Your employees should be totally paranoid about disclosing personal information online. If you get an email that seems to be from your bank, or a merchant, don’t click the link; instead, surf directly to the bank or merchant and make sure they actually contacted you.
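The “it looks like Citibank but the link goes somewhere else” trick above can be checked mechanically. The following is an added example, not part of the original article: it parses an HTML email body and flags links whose real destination is not the domain the message claims to come from, or whose visible text shows a different host than the real href. The sample message is constructed here; the claimed domain is whatever the sender purports to be.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'example.com' from 'www.example.com' (assumption: ignores two-label TLDs like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html_body, claimed_domain):
    """Return (href, text, reason) for each http(s) link that does not match the claimed sender
    domain, or whose visible text names a host other than the one the href really goes to."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel:, etc. are out of scope here
        host, reasons = parsed.hostname or "", []
        if registered_domain(host) != registered_domain(claimed_domain):
            reasons.append("destination %s is not %s" % (host, claimed_domain))
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append("visible text says %s" % shown.group(1))
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample: the first link displays a bank URL but points elsewhere.
SAMPLE_MAIL = """<p>Dear customer, please verify your account:</p>
<a href="http://citibank-secure-login.example.net/verify">https://www.citibank.com/login</a>
<p>Questions? Visit <a href="https://www.citibank.com/help">our help page</a>.</p>"""
```

Running `suspicious_links(SAMPLE_MAIL, "citibank.com")` flags only the first link, with both reasons attached.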
2. Don’t Bother Deploying an Anti-Virus. And Even If You Do Use One, Don’t Update It.
It’s the wild west out there…and while it seems too simple to mention, running a business on the internet without deploying a serious anti-virus package is like walking into Dodge City without your trusty six-shooter. And failing to keep your AV updated is like packing your pistol but forgetting to load it. New viruses and malware are released every day, and if you don’t keep your AV updated they can ambush you. Most AV products offer an automatic update feature. Use it.
Here too, Moscow Rules apply. Have IT turn on every AV feature your package offers, even if it slows down your system a bit. Anti-spyware options? Anti-malware protection? Proactive Threat Prevention? Absolutely. Anti-MAC Spoofing? Sign up. And leave UAC (User Account Control) enabled to prevent hackers from rewriting your system code without permission.
There are lots of highly reliable AV products today, most designed to protect a company as well as the individuals who work for it.
3. No Need to Update Your Software.
Software designers are constantly updating their productivity applications to defend against the latest hacks, but if you don’t install those updates on your business systems, they won’t do you a bit of good. As with your AV protection, you should tell IT to enable auto-update features on your business software—or simply click Yes when the software offers you the latest update. And the sooner you update, the better; hackers get the updates just as soon as you do, and they quickly start redesigning their attacks around them.
One piece of software that’s particularly important to update is your browser: Internet Explorer, Mozilla Firefox, Google Chrome, and all their plugins and readers.
4. Use a Bad Password.
Pesky as they are, passwords are an unavoidable fact of life—and if your employees fail to use them effectively you are asking for all kinds of trouble. Here are the rules:
Don’t Re-Use Passwords. Yes, it’s annoying to have to remember 25 different passwords and IDs, but if you use the same password everywhere, a leak at just one website means that hackers and identity thieves will have instant access to all your accounts—and your database of customer information. (We have a suggestion to help remember all those different passwords; just keep reading.)
Change Passwords Frequently. No mystery about this—except how to remember 25 new passwords every month. But that’s the price of doing business securely.
Use Secure Passwords. It’s almost embarrassing to discover how many businesses use silly passwords like “password” or “12345.” A good password should be long and complicated with lots of odd symbols. How do you remember 25 complicated series of random characters? Just keep reading.
Don’t Let Your Browser Save Passwords. If you allow your employees to let their browsers save IDs or passwords, only one of them needs to get hacked before every saved password in the company is compromised.
Close Your Web Browser. When you are finished accessing the internet, shut down your browser to clear all sensitive password information.
Do Not Write Passwords on a Yellow Sticky Note on the Monitor. Need we say more?
Now, how do you remember all those complicated, ever-changing passwords? You can buy a password manager, though opinions vary on how useful they are. It’s easier to create a text file with all your password and ID information. Give it an innocuous name (Aunt Mary’s Birthday, Beatles Lyrics), save it in an encrypted format (if your software permits), then use high-powered stand-alone cryptographic software to further encrypt the encrypted file, and stash it in some out-of-the-way subdirectory on your hard disk. Open it as needed to refresh your memory. (You’ll only need to remember one password: the one that opens the encrypted file.)
Is this absolutely hack-proof? Of course not. But nothing is—and it’s probably as good as anything you can buy commercially.
5. Lose Track of Your Hardware.
Not all data loss happens online. A surprisingly large percentage of sensitive business data and customer information is lost when laptops, hard drives and thumb drives go missing. Obviously, your first line of defense is to encourage your employees not to leave their laptop in the taxi. But accidents happen, so it’s a good idea to deploy high-powered encryption software to protect your data. Another sensible strategy is to securely wipe or destroy media before disposing of them.
6. Download Pirated Software, Movies and Music.
You can’t control what your employees do with your hardware when they take it home—or find themselves alone in the office after hours—but you can make sure they understand the consequences. “Pirate” downloads from peer-to-peer sites are often laced with malware, worms and dangerous code. It only takes one corrupted download to infect your entire business network. Just say no.
7. Don’t Back Up Important Files.
You’ve heard this before, but it’s still true: The best defense against data loss or corruption from malware (or a fried hard drive) is to back up your critical data to another computer (preferably offsite) or a service in the cloud. Back up often—either automatically or via a desktop shortcut.
One last suggestion: Create a bookmark right now to OnGuardOnline.gov. This government website was created to promote safety and security while doing business online. The Federal Trade Commission manages OnGuardOnline.gov in partnership with the Department of Homeland Security and the National Initiative for Cybersecurity Education.