1. Don’t Worry, Be
One of the most dangerous mistakes your IT Department (or IT
Person) can make is forgetting that the internet is a perilous place. In John
le Carré’s espionage novels, the strictest level of tradecraft was Moscow Rules: an agent working under
cover in Moscow had to take extraordinary precautions to avoid disaster. And so
must every small business with an internet connection. Sometimes paranoia is a
perfectly appropriate strategy.
Email messages (even from associates) that tempt you to
provide personal information, or to click through to a video or document, are often bogus.
One careless click can install malware that quickly spreads to every other computer
on the local network. Or copies your “secure” list of customer information out
to the attacker. Or encrypts your data files until you pay a hefty ransom. Or
captures the login credentials that let someone empty your accounts.
It’s easy to copy graphics, a logo or even a full web page,
and the From: address and display name on a message can be forged just as easily,
so even though that email really, really
looks like it comes from Citibank—it might not.
Assume every new email message may be infected. Never open
email attachments (especially executables) unless you’re absolutely sure what
they are and what they do. Be particularly cautious when the message itself is
generic: (“Check this out.” “Hot website.” “You’ll
love this!”) Look for misspelling and bad grammar. Don’t click on links in
an email, even if they seem okay, unless you know who you’re dealing with.
Instead of opening an email attachment, save the file and run a virus scan,
remembering that a clean result only means the scanner has no signature for it yet. Or
ask the person whose name appears on the suspicious message whether they sent it:
“Hey, Joe (or Hey, Wells Fargo), did you send me this?” Ask by phone, or at an
address you already have on file; replying to the message itself just reaches whoever forged it.
Phishing and social engineering have become high arts. Ten
minutes after a news event (earthquake, celebrity marriage, sex scandal, Kim
Kardashian magazine cover) hackers are sending out targeted emails offering
tempting photos and interviews; one click and you’re compromised. Your
employees should be totally paranoid about disclosing personal information
online. If you get an email that seems to be from your bank, or a merchant,
don’t click the link; instead, surf directly to the bank or merchant and make
sure they actually contacted you.
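The checks a careful reader makes by hand on an email link can be automated. The script below is an added example, not the article’s own code: it uses only the Python standard library, runs over a constructed sample “bank notice” (the three links and their addresses are made up for the example), and flags a link when the visible text names one domain while the href goes to another, when a brand name is merely a subdomain of some other domain, when the target is a bare IP address, or when the link is plain http. The two-label “registered domain” rule is a simplifying assumption; a real deployment would use a public-suffix list.

```python
"""Spot deceptive links in an e-mail body before anyone clicks them.

Added example, not the article's own code; standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample "bank notice": two deceptive links and one genuine one.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://citibank.com.account-verify.example/login">
log in to https://www.citibank.com</a> to confirm your details.</p>
<p>Or use <a href="http://198.51.100.23/citi">www.citibank.com</a>.</p>
<p>Our help pages are at <a href="https://www.citibank.com/help">citibank.com/help</a>.</p>
"""

# Something that looks like a URL or bare hostname inside the visible link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def host_of(url_or_text):
    """Hostname from a URL, or from bare text such as 'www.bank.com/help'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registered_domain(host):
    """Last two labels, e.g. citibank.com. Assumption: no public-suffix list
    is available offline, so two-part suffixes such as co.uk are not handled."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def analyze_link(href, text):
    """Return the reasons a link looks deceptive (empty list = consistent)."""
    reasons = []
    href_host = host_of(href)
    if not href_host:
        return ["link has no hostname"]
    if is_ip_literal(href_host):
        reasons.append("link points at a raw IP address, not a domain name")
    if urlparse(href).scheme.lower() != "https":
        reasons.append("link is not HTTPS")
    m = _HOST_IN_TEXT.search(text)
    if m:
        text_reg = registered_domain(host_of(m.group(0)))
        href_reg = registered_domain(href_host)
        if is_ip_literal(href_host) or text_reg != href_reg:
            reasons.append(f"visible text names {text_reg} but the link goes to {href_host}")
        brand = text_reg.split(".")[0]
        if brand in href_host.split(".")[:-2]:  # citibank.com.evil.example
            reasons.append(f"brand name '{brand}' is only a subdomain of {href_reg}")
    return reasons


def analyze_email(html):
    """Return [(href, text, reasons)] for every link in the message body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, analyze_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in analyze_email(SAMPLE_EMAIL):
        print("SUSPICIOUS" if reasons else "ok        ", href, "|", text)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the first two links are flagged (a look-alike subdomain and a raw IP address with visible text that names the bank) and the genuine help link passes. None of this replaces the advice to type the bank’s address yourself; it catches the crude cases so that people spend their attention on the subtle ones.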
2. Don’t Bother
Deploying an Anti-Virus. And Even If You Do Use One, Don’t Update It.
It’s the wild west out there…and while it seems too simple
to mention, running a business on the internet without deploying a serious
anti-virus package is like walking into Dodge City without your trusty
six-shooter. And failing to keep your AV updated is like packing your pistol
but forgetting to load it. New viruses and malware are released every day, and
if you don’t keep your AV updated they can ambush you. Most AV products offer
an automatic update feature. Use it.
Here too, Moscow Rules apply. Have IT turn on every AV
feature your package offers, even if it slows down your system a bit.
Anti-spyware options? Anti-malware protection? Proactive Threat Prevention?
Absolutely. Anti-MAC Spoofing? Sign up. And leave UAC (User Account Control)
enabled, so that any change to system files or settings requires an explicit
approval prompt; malware that lands in an ordinary user account then cannot
silently make itself part of the operating system.
There are lots of highly reliable AV products today, most
designed to protect a company as well as the individuals who work for it.
3. No Need to Update
Software vendors are constantly updating their
productivity applications to defend against the latest hacks, but if you don’t
install those updates on your business systems, they won’t do you a bit of
good. As with your AV protection, you should tell IT to enable auto-update
features on your business software—or simply click Yes when the software offers
you the latest update. And the sooner you update, the better: attackers get each
patch just as soon as you do, compare it with the old version to find the hole it
closes, and quickly turn that into an exploit aimed at everyone who hasn’t installed it yet.
One piece of software that’s particularly important to
update is your browser: Internet Explorer, Mozilla Firefox, Google Chrome, and
all their plugins and readers.
4. Use a Bad
Pesky as they are, passwords are an unavoidable fact of
life—and if your employees fail to use them effectively you are asking for all
kinds of trouble. Here are the rules:
Passwords. Yes, it’s annoying to have to remember 25 different passwords
and IDs, but if you use the same password everywhere, a leak at just one
website means that hackers and identity thieves will have instant access to all
your accounts—and your database of customer information. (We have a suggestion
to help remember all those different passwords; just keep reading.)
Frequently. No mystery about this—except how to remember 25 new passwords every month. But that’s
the price of doing business securely. One caveat: the change that matters most is
the one you make the moment a password may have leaked; a calendar schedule that
pushes people toward predictable patterns (the same word with this month’s number
tacked on) buys much less.
Use Secure Passwords.
It’s almost embarrassing to discover how many businesses use silly passwords
like “password” or “12345.” A good password should be long above all, and
complicated enough that it cannot be guessed from a dictionary: several unrelated
words with a few digits or symbols mixed in beats a short word with predictable
substitutions such as P@ssw0rd. How do you remember 25 of them? Just keep reading.
Don’t Let Your Browser
Save Passwords. If you let your employees let their browsers save
IDs or passwords, only one of them needs to get hacked before every password
that employee had saved is compromised.
Close Your Web
Browser. When you are finished accessing the internet, log out of the sites you
used and shut down your browser, so that session cookies are discarded and nobody
who sits down at the machine can pick up where you left off.
Do Not Write Passwords
on Yellow Sticky on Monitor. Need we say more?
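The password rules above can be enforced at the point where a password is set. The script below is an added example, not the article’s own code: it uses only the Python standard library, and its deny list is a tiny constructed stand-in for the multi-million-entry breached-password lists a real deployment would check against. Beyond the rules as stated, it strips trailing digits, symbols and the usual letter-for-symbol swaps before the deny-list lookup, which is how it catches P@ssw0rd2019! even though a naive entropy estimate scores that string well.

```python
"""Reject the passwords attackers try first.

Added example, not the article's own code; standard library only.
"""
import math
import string

# Constructed stand-in for a breached-password list.
COMMON_PASSWORDS = {
    "password", "12345", "123456", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "monkey", "dragon", "football", "baseball",
}
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Common letter-for-symbol swaps, undone before the deny-list lookup.
_UNLEET = str.maketrans("@$0134", "asoiea")


def normalize(pw):
    """Lower-case, drop the trailing digits/symbols people tack on, undo leetspeak."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(_UNLEET)


def has_sequence(pw, run=4):
    """True if any run of `run` characters walks a keyboard row or the alphabet."""
    s = pw.lower()
    for seq in SEQUENCES:
        for direction in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in direction:
                    return True
    return False


def character_classes(pw):
    """How many of lower, upper, digit, symbol appear in the password."""
    return (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
            + any(c.isdigit() for c in pw) + any(c in string.punctuation for c in pw))


def estimated_bits(pw):
    """Naive upper bound: length * log2(alphabet size of the classes used).
    Real strength is far lower whenever the password is guessable from a list."""
    pool = (26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
            + 10 * any(c.isdigit() for c in pw)
            + len(string.punctuation) * any(c in string.punctuation for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, min_length=12):
    """Return the list of reasons a password is unacceptable; [] means it passed."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalize(pw) in COMMON_PASSWORDS:
        reasons.append("is a common password once digits, symbols and leetspeak are stripped")
    if has_sequence(pw):
        reasons.append("contains a counting or keyboard sequence")
    if character_classes(pw) < 2:
        reasons.append("uses only one kind of character")
    if len(set(pw.lower())) < 5:
        reasons.append("uses too few distinct characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "12345", "P@ssw0rd2019!", "correct-horse-battery-staple-42"):
        print(f"{candidate!r}: ~{estimated_bits(candidate):.0f} bits;",
              check_password(candidate) or "acceptable")
```

The minimum length of 12 is the example’s assumption, not a figure from the article. The point of printing the entropy estimate next to the verdict is that the two disagree for P@ssw0rd2019!: roughly 85 bits on paper, yet it is the first thing a cracking wordlist with standard mangling rules will try.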
Now, how do you
remember all those complicated, ever-changing passwords? A password manager is
the purpose-built answer: it generates a different random password for each site,
keeps them all under one master passphrase, and will only fill a password into
the site it was saved for, which defeats the look-alike login pages described
above. If you would rather not buy one, the do-it-yourself version is a text
file with all your password and ID information, saved in an encrypted format and
opened only when you need to refresh your memory. (You’ll still need to remember
one password: the one that opens the encrypted file.) Keep in mind what that file
does and doesn’t buy you. Its entire security rests on the passphrase, so that one
must be long and never reused. Encrypting the already-encrypted file a second
time with the same passphrase adds nothing. An innocuous name (Aunt Mary’s
Birthday, Beatles Lyrics) in an out-of-the-way subdirectory may fool a casual
snoop but not malware, which searches the whole disk. And every time you open the
file, the plaintext sits in memory and possibly in editor temporary files and
backups, so close it as soon as you have what you need.
Is this absolutely hack-proof? Of course not. But nothing
is—and done carefully it is a reasonable stand-in for a commercial product.
5. Lose Track of Your
Not all data loss happens online. A surprisingly large
percentage of sensitive business data and customer information is lost when laptops, hard drives and thumb
drives go missing. Obviously, your first line of defense is to encourage your
employees not to leave their laptop
in the taxi. But accidents happen, so it’s a good idea to turn on full-disk
encryption on every laptop (BitLocker on Windows, FileVault on Macs) and to issue
encrypted thumb drives. Encryption only protects a device that is powered off or
locked, and only if the passphrase isn’t on a sticker in the laptop bag. Another
sensible strategy is to securely wipe or destroy media before disposing of them.
6. Download Pirated
Software, Movies and Music.
You can’t control what your employees do with your hardware
when they take it home—or find themselves alone in the office after hours—but
you can make sure they understand the
consequences. “Pirate” downloads from peer-to-peer sites are often
laced with malware, worms and dangerous code. It only takes one corrupted
download to infect your entire business network. Just say no.
7. Don’t Back Up
You’ve heard this before, but it’s still true: The best
defense against data loss or corruption from malware (or a fried hard drive) is
to back up your critical data to another computer (preferably offsite) or a
service in the cloud. Keep at least one copy that is not permanently connected to
the network, because ransomware will happily encrypt a mounted backup drive along
with everything else, and restore a file from the backup now and then to prove
the copies are actually readable. Back up often—either automatically or via a desktop
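A backup that has never been restored is a hope, not a backup. The script below is an added example, not the article’s own code: it uses only the Python standard library to write a timestamped tar.gz with an embedded SHA-256 manifest and a sidecar hash of the archive, then verifies the backup by restoring it into a scratch directory and re-hashing every file. Comparing the manifest against the live tree also reports which originals have changed since the backup was taken, which is how a ransomware run shows up. The demo() routine drives it on a constructed two-file sample; the file names and contents are made up for the example.

```python
"""Back up a directory and prove the backup restores.

Added example, not the article's own code; standard library only.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time

MANIFEST = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            tree[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return tree


def make_backup(src, dest_dir):
    """Archive src into dest_dir; returns the archive path."""
    manifest = hash_tree(src)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = os.path.join(dest_dir, f"backup-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src, rel), arcname=rel)
        data = json.dumps(manifest, indent=1, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST)   # the manifest travels inside the archive
        info.size, info.mtime = len(data), int(time.time())
        tar.addfile(info, io.BytesIO(data))
    with open(archive + ".sha256", "w") as f:   # sidecar: detects a damaged archive
        f.write(sha256_file(archive) + "\n")
    return archive


def verify_backup(archive, against=None):
    """Restore into a scratch dir and check every file; returns (ok, problems)."""
    with open(archive + ".sha256") as f:
        if f.read().strip() != sha256_file(archive):
            return False, ["archive does not match its .sha256 sidecar"]
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses ../ paths and links out
            except TypeError:                            # Python without filter=
                tar.extractall(scratch)
        with open(os.path.join(scratch, MANIFEST)) as f:
            manifest = json.load(f)
        restored = hash_tree(scratch)
        restored.pop(MANIFEST, None)
        problems += [f"restored {rel} does not match manifest"
                     for rel, digest in manifest.items() if restored.get(rel) != digest]
        problems += [f"unexpected file {rel} in archive" for rel in restored if rel not in manifest]
    if against is not None:   # what has changed on disk since this backup was taken?
        live = hash_tree(against)
        problems += [f"{rel} has changed or vanished since the backup"
                     for rel, digest in manifest.items() if live.get(rel) != digest]
        problems += [f"{rel} is not in the backup" for rel in live if rel not in manifest]
    return not problems, problems


def demo():
    """Constructed sample: back up two files, verify, then overwrite one original."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dest:
        os.makedirs(os.path.join(src, "customers"))
        with open(os.path.join(src, "customers", "list.csv"), "w") as f:
            f.write("id,name\n1,Example Customer\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("quarterly plan\n")
        archive = make_backup(src, dest)
        ok_before, _ = verify_backup(archive, against=src)
        with open(os.path.join(src, "customers", "list.csv"), "wb") as f:
            f.write(b"\x93\x7f encrypted by something unpleasant")  # simulated ransomware
        ok_after, problems = verify_backup(archive, against=src)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The archive still verifies after the simulated ransomware hit; what fails is the comparison with the live tree, which names the file that was rewritten. Run the verify step on a machine other than the one that made the backup, and from the offline copy, for the same reason you keep that copy offline.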
One last suggestion: Create a bookmark right now to OnGuardOnline.gov. This government
website was created to promote safety and security while doing business online.
The Federal Trade Commission manages OnGuardOnline.gov in partnership with the
Department of Homeland Security, and the National Initiative for Cybersecurity