Computer security is an important concern for small businesses - breaches occur with alarming regularity at companies of all sizes. While most media attention is directed toward incidents at large companies where millions of people may be impacted, such as the breaches at Target and Michael's stores, small business owners and managers should not let themselves be lulled into the false perception that computer security issues can't affect them.
Three Top Threats
Bill Carey, Vice President of Marketing & Business Development for Siber Systems Inc. states, "It pays to be aware of cyber threats and to look for ways to protect your company. One of the first steps is understanding the types of threats your company may encounter." He states, "The top three security threats small businesses will face in 2014 include cloud computing, passwords and Bring your Own Device (BYOD)/mobile device vulnerabilities." He recommends, "These threats should be accounted for in company policies."
1. Cloud Computing
According to Carey, "Smaller companies are increasingly adopting cloud computing, which can help them scale up quickly and save on infrastructure costs." He points out, "Cloud computing isn't inherently dangerous - in fact, some experts say most small businesses become more secure when they migrate operations to the cloud since cloud vendors have an incentive and obligation to use sound security practices. However, as with any tectonic shift in the technology landscape, the move to the cloud opens up new vulnerabilities."
Speaking on a panel at the 2014 RSA conference, high level security professionals with both Google and Microsoft agreed that cloud services are safe for business to use. According to an article on Microsoft.com, "cloud computing can be more secure than a traditional IT infrastructure," with providers building "multiple levels of security and redundancy into their data centers."
However, a study conducted at Johns Hopkins University indicated that there is some degree of vulnerability even with cloud vendors that tout themselves as zero-knowledge providers, claiming that they store data in an encrypted form that cannot be viewed by their staff members or anyone you don't want to see it. While the researchers did not find evidence of actual compromise, they did identify the possibility that "data confidentiality could be breached." Their research indicated that the provider could potentially see stored information when it is shared with recipients who view it through the cloud interface, as opposed to downloading it.
Verify Provider Security
Carey advises, "It's important to make sure your cloud partner is trustworthy and that applications are secure." Carey states, "There are a variety of reports and certifications available that cloud customers can use to verify compliance with security best practices, including industry standards like a Payment Card Industry Data Security Standard Report (PCI DSS ROC), an ISO/IEC 27001 or an SSAE 16 SOC2 report."
Inc. Magazine encourages those shopping for a cloud vendor to ask for documentation clarifying how any provider you are considering will protect your critical business information, as well as customer data. According to an article on theguardian.com that touts the benefits of cloud computing for small businesses, quality cloud vendors will "explain their security methodologies" to customers, citing the Office 365 Trust Center as an example.
Make Wise Decisions
The National Federation of Independent Businesses (NFIB) urges companies to "choose services with established reputations," listing companies like Salesforce and Amazon EC2 as examples of established providers. Doing so reduces the chance that your cloud provider might unexpectedly go out of business, leaving you without access to your critical business information. They also recommend backing up your data, either via a third-party service or, if you use only one cloud storage service, by paying the provider to "ship you a hard drive or DVD of the data" periodically.
2. Passwords
Carey warns, "Passwords remain the first line of defense against hackers, and they'll likely continue to be a favorite way to gain access to company data into the future." He points out, "Weak passwords containing dictionary words and all lowercase letters can be hacked in mere minutes. To counter the threat, small business owners should consider training employees to create strong passwords and encourage them to change passwords often."
Best Practices for Passwords
An article on Microsoft Business advises against complacency with passwords, stating, "Hackers are a devious bunch and will stop at nothing to get into your network and files." Hacker efforts aimed at cracking passwords use everything from brute force (trying every possible combination of numbers, letters and special characters) to social engineering (trying to trick you into revealing your password) to dictionary attacks (using custom dictionaries that combine words with numbers and special characters).
According to Carey, best practices for password security include:
- "It's generally a good practice to create a new password every 30 days."
- "It's best to use passwords that contain both upper and lowercase letters as well as numbers and symbols."
- "People should never use a word that appears in the dictionary as a password."
- "It's a mistake to use personal information like your name, a child or pet's name, the name of your favorite sports team or your phone number. This information is easily obtainable online, so hackers can use it to infiltrate personal accounts and commit fraud."
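As an added illustration that is not from the article or from Siber Systems, the following check applies Carey's four rules above, plus the 30-day change interval, to a candidate password. The wordlist, the employee profile and the dates are constructed stand-ins for a real dictionary and a real HR record.

```python
import re
import string
from datetime import date

# Constructed stand-ins: a real deployment would load a full wordlist and
# the employee's own profile data (name, family, pets, team, phone).
DICTIONARY = {"password", "welcome", "summer", "dragon", "football"}
PERSONAL_INFO = {"name": "Dana", "child": "Leo", "pet": "Biscuit",
                 "team": "Ravens", "phone": "555-0199"}
MAX_AGE_DAYS = 30
# Common letter substitutions, so "P@ssw0rd" is still treated as "password"
LEET = str.maketrans("@0$3", "aose")


def check_password(pw, personal=PERSONAL_INFO, dictionary=DICTIONARY,
                   last_changed=None, today=None):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    # Rule: upper- and lowercase letters plus numbers and symbols
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol")
    # Rule: no dictionary word, even when padded with digits or symbols
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if core in dictionary:
        problems.append("is a dictionary word")
    # Rule: no personal information (names as substrings, phone as digits)
    for label, value in personal.items():
        digits = re.sub(r"\D", "", value)
        if value.lower() in pw.lower() or (digits and digits in pw):
            problems.append(f"contains personal info ({label})")
    # Rule: change the password every 30 days
    if last_changed is not None:
        today = today or date.today()
        if (today - last_changed).days > MAX_AGE_DAYS:
            problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems
```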
Carey states, "People know they should create strong passwords that are hard to hack, and most are aware they should use different passwords for every site they visit, but the challenge is remembering all the passwords that requires, so too many ignore these best practices." Technology tools, such as Siber Systems' RoboForm Password Manager solution, can help counteract this tendency.
Carey explains, "With RoboForm, you only have to remember one password; once you pick a master password, you can access all the sites you visit. RoboForm will generate secure, unique passwords for each site and allow you to change them frequently for added security, all without requiring you to remember them. RoboForm also provides secure access to passwords wherever you go, on every device."
You don't have to spend a fortune to get a good password management tool. As an example, Carey points out that "RoboForm 7 Enterprise Workstation licenses start at $39.95 for companies with nine or fewer employees." He explains, "The price decreases for businesses that license 10 or more employees, with larger groups paying less for individual licenses."
3. BYOD/Mobile Device Vulnerabilities
Carey states, "The 'bring your own device' (BYOD) trend and proliferation of smartphones and tablets can make employees more productive, but these devices can also undermine company security." He explains, "That's because with BYOD, employees are in charge of keeping software up-to-date and using effective security practices. If your employees use personal smartphones and tablets to access company systems, it's important to make sure they do so in a secure manner."
BYOD Is Here to Stay
According to Carey, "BYOD is a fait accompli in many ways - there are companies that are still resisting it, but most are bowing to the inevitable and even embracing it since there are benefits to the company, such as increases in staff availability." Industry analyst Gartner calls BYOD the most radical shift in enterprise computing since the PC was introduced.
Carey explains, "Companies approach BYOD in a variety of ways. Many allow employees to use whatever type of device they want." Others require employees to choose from an approved list of devices.
Carey specifies, "Companies must require employees to use a good security application and update it regularly. Otherwise, they are needlessly leaving valuable business data exposed to hackers." As ZDNet.com points out, without a proper security app, mobile apps that employees download for personal use could "allow unregulated third-party access to other sensitive, corporate information stored on their devices." TrendMicro is an example of a security app designed with BYOD in mind.
While a security app is important, it's not the only BYOD-related security consideration. Veracode points out the importance of requiring employees to "keep OS, firmware, software, and applications up-to-date." Veracode also recommends subscribing to a "device locator service" for all BYOD devices. This type of service can enable the device to be tracked if it is lost or stolen, as well as to wipe it remotely.
Requiring employees to register their mobile devices is also an important security measure, according to TechRepublic. Details they recommend using include "device type, carrier (if applicable), MAC address, and user." This will allow you to better identify users who are not complying with the company's BYOD policy and "block offending users from using your network."
Due to the possibility of having to wipe a BYOD device, it's essential to maintain backups of device data - both personal and business-related. Employees should know exactly what the company is backing up so they can make informed decisions about securing their personal data.
According to Carey, three additional key best practices for BYOD are:
- "Make sure employees use a strong password on any personal devices they will use to access company systems or data."
- "Give employees the training and support they need to operate their devices securely."
- "Put a formal BYOD policy in place and have employees sign an acknowledgement to hold them accountable."
While Carey feels these are the three biggest computer security threats small businesses are facing as of 2014, they are certainly not the only ones - and more are likely to enter the cyber security landscape in the future.
Carey reminds computer and mobile technology users to be careful when it comes to downloading. He advises, "For app downloads, an anti-virus and malware application is a good first line of defense, but it's also smart to be aware of what you're downloading and from what kind of site." Carey cautions, "Be especially careful about downloading executable files (those with suffixes like .exe, .bat, .pif, etc.) and make sure you only download apps from trusted sources."