Is There an Unlocked Back Door in Your Business? 10 Tips to close it again.

6 minute read

Technology is essential to
running a business of any size. Whether you’re operating a doctor’s office,
remodeling bathrooms, selling houses, or slinging the best tacos in town out of
a truck, you are very likely using some sort of technology to keep that
business humming along. So here is a question you need to ask yourself: Is that
technology leaving a back door open for robbers, miscreants, or other bad guys?
It might be. We rounded up some experts and asked them for their best advice
on how to close that back door – or look and see if it’s open – before you lose
the cash drawer or the secret to your success. We know
you are too busy with your patients or mixing up another batch of your famous hot
sauce to stop and research this yourself.

1. Know Your Assets

Focus first, on what you
need to protect,” says Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA). If you
are a small falafel shop, your most important thing might be the credit card
numbers and personal information of your customers. But you might also have
some intellectual property – that special sauce that makes your falafels great
perhaps? If you start with what needs protecting, you’ll eliminate worrying
about a host of scary technical scenarios that don’t apply to you – brute force
attacks to your Web site, hackers, or the NSA, (probably) for example. And that
makes your job more manageable. “This is not a technical
question,” says Kaiser. “It is a management question. Ask yourself, ‘What are
the assets and the devices I need to protect?’” Once you know that, your
technology worries will make sense to you.

2. Count Your Devices

Once you have zeroed in on the data you need to lock up, think
about the devices that have access to that data. “With the growth of bring your
own device (BYOD) scenarios and a more mobile workforce tackling jobs across a
diverse set of connected devices, sensitive data can be accessed and stored on
any number of devices,” offers Chris Hallum, Senior Product Marketing Manager
for Windows Security. So when you think about your own business data, you have
to think about what devices – and whose devices – have access to it and what
would happen if any of those phones or computers got lost, stolen, infected, or
hacked. “Teach your employees about phishing emails, keep their Windows and
antivirus software up to date, protect devices via password protection, have
users use Standard User accounts rather than accounts with Administrative
privilege, use BitLocker protection to encrypt your devices and data, and
utilize other built-in security technologies such as biometric sign-in for
devices,” says Hallum. 

3. How’s Your Hygiene?

Practice a bit of sanitary data management. When you put
software or data files on a computer, tablet, or phone you also use to operate
your business, make sure that code is clean. “Keep your software up to date,”
says Gary Davis, chief consumer security evangelist at Intel Security. “Some
attacks depend on previously known vulnerabilities and can be fixed with updates.
So when you’re given the option to update, do so.” And think about where the
data files you are putting on that device have been. “Don’t download illegal
content,” says Davis. “If you do, you not only risk running afoul of the law,
but also infecting your devices with malware capable of stealing passwords,
bank account numbers, and personal information. When downloading video, music,
applications and other such files, you are safer using a known, legitimate
source such as iTunes or Google Play.” Similarly steer clear of file-sharing
sites. “Such open-source warehouses for digital content cannot be trusted, says
Davis. “Where there is little policing of the content that is uploaded, malware
is sure to get in the door.” And that USB drive you are about to stick into
your computer? “Do you know where that’s been?” asks the NCSA’s Kaiser. Your
antivirus software can scan those. Do it.

4. Get a Technical Solution

No matter how careful you are, though, you cannot guarantee
a machine will stay clean of malware without a technical solution. “So regardless
of what type of online activity you participate in,” says Intel’s Davis. “Always
have a sound security solution installed on all of your devices. A good
security suite can help protect you from malware and other bad things lurking
online, across all of your devices including your PCs, Macs, smartphones and
tablets.” So get something. Pay for it. Install it on everything. Let it run every
security scan it wants to run. And always let it update itself.

5. Passwords vs. Humans

“Many of the security risks small businesses face originate
when employees are social engineered into revealing passwords,” says Marcio von
Muhlen, a product manager at Dropbox.  “They’re
tricked into clicking a link in an email which could lead to a fake login page
(phishing) or a website designed to infect a visitor’s machine with malware.”
The solution? “Invest time training employees in basic security,” he says. Talk
to them about the passwords they use. If they are using birthday and pet names,
those are weak and easy for hackers to social engineer out of them. “Weak
passwords mean weak security for your company,” says von Muhlen. “It’s
important to have strong, unique passwords for each website, app, or online
account. Reused passwords are vulnerable passwords: once they’re compromised on
one service, all other services are exposed. Since it’s not easy to remember
dozens of passwords, try using a password manager — to securely manage all your
passwords.”

6. Watch that Wi-Fi

If
you travel for work, or work away from your own office frequently, your own
clever ability to find a free Wi-Fi network might be exactly the technical back
door we are talking about. “Wi-Fi wasn’t made to be secure; it was made to be
convenient,” says Davis. “Today, cybercriminals are more sophisticated than
ever, so if you are using an open unsecured network, you risk exposing your
data. If you do use public Wi-Fi, make sure not to shop online or access your
personal and financial sites. And keep in mind that potentially anything you
are doing online can be accessed by someone.”

7. Silo Your Data

Does everyone in your business need access to everything you
have? Probably not. “Create limited access to various parts of the business,”
suggests Kaiser. “Find a service that lets you limit access to
particular files, folders, or even entire accounts,” agrees von Muhlen. “And only
let trusted employees have access to sensitive data.” At least limit who has
access to financial information and intellectual property. “Maybe there is a
machine that only one only one person has access to,” offers Kaiser. “And maybe
that machine is not even connected to the Internet.” For some businesses, it
might make sense to control access to transactions over a certain dollar
amount. “There are a lot of attacks that led to money being stolen where
controls were weak around that,” says Kaiser. “Maybe after a certain dollar
amount, the transaction requires two signatures?”

8. Two-Step Verification

Two-step
verification may sound complex,” explains von Muhlen. “But it’s a simple, free,
and increasingly common tool to protect your online accounts. In addition
to entering your password, you also enter a one-time-use code, typically
delivered to your mobile phone. The idea is to combine “something you know”
(your password) with “something you have” (your phone) to confirm you’re the
right person.” It adds a small extra step to logging in, which is a slight
hassle, but many experts feel it is well worth it. “That authentication of the
user to the network is really important,” says Kaiser. “Hacks often happen around the
loss of credentials like passwords and account names. So adding another factor
is a significant increase in security.”

9.
Prepare for Loss

You don’t want to lose your phone or realize someone just
walked off with your laptop. But it doesn’t have to be a disaster for your
business as well as the heartbreaking
loss of your device – at least if you plan for the possibility before it
happens. Make sure you know how to remote wipe that device before it leaves the
office. “Sometimes you need to delete data stored on an employee’s device
because it was lost, stolen, or they left the company,” says von Muhlen. “’Remote
wipe’ features do that. And, if you lose a phone or laptop, Dropbox and other
services offer ways for both end users and administrators to remove access to
data as well – a good way to quickly lock down data immediately after a device
goes missing.”

10. An Emergency Plan

Hoping nothing goes wrong is optimistic. But it is not a
plan. Hope for the best. But plan for the worst. So take some time while things
are going well to ask yourself what you would do if your company was breached, customer
credit card information was stolen, or something else brought your technology
to a halt. “Who are you going to call?” Asks Kaiser. “How are you
going to handle communication with your customers? Do you have a way to recover?
Do you have a plan to get back and up and running? What if you couldn’t use
your credit card swiper for three days? What would you do?” Think about it
before it happens and you will save time, get a recovery plan in place faster,
and maybe even have insurance to cover your losses if it does. “Review your
cyber insurance options with your broker,” says Kaiser. “Many brokers are
offering something. And that sometimes covers your losses during a recovery
period. Every small business has to have some form of liability insurance and cyber
coverage is becoming more common.”

Christina
Tynan-Wood is a freelance writer living in California. She writes
the
Family Tech column in Family Circle magazine and blogs at GeekGirlfriends.com