Every day, entrepreneurs face a variety of decisions, from who to hire to what to tweet. It’s normal to make a decision and change course later—most of the time, your business will recover quickly. When it comes to protecting your data, however, the margin for error isn’t as wide. You’ve probably heard about attackers stealing user data over the past year. Small businesses are also vulnerable. The National Small Business Association reports that half of all small businesses have experienced a cyber-attack, costing an average of $20,752 per attack. As attackers get more sophisticated, and more businesses have the potential to be targeted, how do you keep your company’s data safe? Here are three important ways to help protect your business:
1. Put strong locks on your doors
Passwords open the doors to your company data, for both users and attackers. As a baseline, tell your employees to use strong, unique passwords. Strong passwords are long words or phrases that include lower and upper-case letters, numbers and symbols. Employees should use a different strong password for every website or service. But it’s hard to remember every strong, unique password. Users sometimes apply the same password across dozens or hundreds of services. If any one of those services is compromised, that password can be used to log into your company email or another service, putting your company’s stuff at risk.
To stop that from happening, advise employees to use a password manager. Users only have to remember one master password, and the password manager generates strong, unique passwords for every service. For critical services like email, consider requiring your employees to use two-step verification, also known as two-factor or multi-factor authentication. Two-step verification only lets users log in by providing both something they know—their password—and a code generated on something they have, e.g. a text message on their phone. This feature makes it very hard for online attackers to impersonate your employees, even if they gain access to their passwords, because they won’t also have access to their phones.
Once you’ve placed these three locks on your doors, it’s time to protect your company from risk from the inside.
2. Guard access to your data kingdom when employees leave
Turnover happens. Chances are, you already have some routines in place to deal with it. When someone leaves, you stop paying them. They turn in a copy of their keys or badge. But are you considering their access to data in your services? Add a data access component to the checkout process by tracking which services your employees rely on to do business.
Take action to disable access the moment someone stops working for you. Use features like remote wipe to remove any company data stored on former employees’ devices.
Financial records, contracts, and social-security numbers are just a few of the bits of information that can be accessed by your employees. Which services contain the most critical, confidential material? Be proactive and make a shortlist of the services on which your company relies, and whether they make it easy for you to handle turnover. If they don’t (say, by not offering remote wipe), consider upgrading to a more business-friendly service.
Together, these processes ensure that when your employees become exes, you get all the office keys back. The final step is to train your current employees to protect themselves.
3. Protect your employees from “phishing”
Cybercriminals want your data, and “phishing” is one way they pick the locks of your virtual doors. This popular intrusion method is behind many large and small attacks you’ve likely read about in the news. Phishing refers to an attempt to trick someone into giving up access to a service, often by directing them to a fake login page through a link sent over email. Emails can come from anyone and anywhere, so it’s easy for criminals anywhere in the world to show up at your virtual doorstep and try to fool you into letting them in.
Help your employees recognize the signs of phishing. Here are some common qualities of a “phishy” email, text or social media post:
- It contains an unfamiliar link
- It comes from a misspelled domain
- The format of the email is slightly off or unusual
- The email asks for your password in a login screen that isn’t exactly the same as the one you’re used to
- The email or message is from someone you know, but contains a strange request
Tell employees to avoid clicking on links or attachments associated with strange emails or messages. Have them forward suspicious content to you or your IT manager. If a suspicious request comes from someone an employee knows, have the employee reply in a separate thread and ask if the message was intentional.
Bottom line: If you see something odd or unusual, report it.
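Two of the signs above, a misspelled domain and an unfamiliar link, can be checked mechanically when an employee forwards a suspicious message. The Python below is an added example, not part of the original article; the allow-list, the function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the domains your company actually uses.
TRUSTED = {"example.com", "example-payroll.com"}

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(host, trusted=TRUSTED, max_distance=2):
    """Return 'trusted', 'lookalike' (near-miss spelling) or 'unfamiliar'."""
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    # Simplification: treat the last two labels as the registered domain
    # (not correct for suffixes such as co.uk).
    base = ".".join(host.split(".")[-2:])
    if any(edit_distance(base, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unfamiliar"

def triage(sender, body):
    """List the warning signs found in one forwarded message."""
    findings = []
    verdict = check_domain(sender.rsplit("@", 1)[-1].strip("<> "))
    if verdict != "trusted":
        findings.append(f"sender domain is {verdict}")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        verdict = check_domain(host)
        if verdict != "trusted":
            findings.append(f"link to {verdict} host {host}")
    return findings

# Constructed sample message, as an employee might forward it.
SAMPLE_SENDER = "IT Support <helpdesk@examp1e.com>"
SAMPLE_BODY = "Your password expires today. Sign in at https://login.exarnple.com/reset"

if __name__ == "__main__":
    for finding in triage(SAMPLE_SENDER, SAMPLE_BODY):
        print(finding)
```

A "lookalike" verdict means the domain is within two character edits of one you trust, which is the pattern to escalate first; an empty result does not prove a message is safe.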
Decide to Protect, Right Now
The security of your business data doesn’t have to be daunting. New breaches will emerge, but if your doors are locked, your data protected and your employees educated, you’ll greatly reduce the risk of becoming a victim of an attack. Taking simple steps to protect yourself and your data is one of the wisest long-term decisions you’ll make.
Marcio von Muhlen is product manager, Dropbox for Business.