According to IdentyForce.com, data breaches in 2016 were 40% higher than in 2015. In 2016 Yahoo! Announced the largest data breach in history. 2017 has also seen its share of data breaches, including Verizon, Hyatt, Intercontinental Group and Kmart. In September, Equifax announced a breach that affected 143,000,000 consumers. The Equifax breach may be the most severe breach in history considering the information involved included social security and drivers’ license numbers.
As a small business owner, you may be thinking that these breaches only happen to large companies or that hackers aren’t interested in attacking small businesses. Of course, nothing could be further from the truth. According to the Insurance Information Institute (III), half of all small and medium sized businesses (those with under 250 employees) in the U.S. experienced a data breach in the past year, and 55 percent experienced a cyberattack. The III also says that almost 40 percent of businesses have experienced a ransomware attack in the last year with one third of those losing revenue as a result. Moreover, Carbonite estimates that a single data hack could cost a small business between $82,200 and $256,000. Quite honestly, attacks on small businesses happen all the time, they just don’t make the news.
The other issue small businesses have is that while large companies seem to have the ability to recover from a cyber attach, it is more difficult for small businesses. Most small businesses can’t survive a $250,000 loss. Allison & Mosby-Scott wants to be your partner in helping your business succeed, as such we’ve put together this Small Business Guide to Cybersecurity to help your business improve its cybersecurity.
- Make Sure that your Operating Systems are up-to-date
A priority for your small business should be making sure that your operating systems on your computers and mobile devices are up-to-date. Many small businesses don’t upgrade their operating systems because they think it will be too expensive. Updates to operating systems contain security updates that address recent threats. For example, Microsoft released an update that addressed the WannaCry vulnerability in May of 2017. But if your company is still running Windows XP, Microsoft hasn’t issued an update for that system in over three years.
Updating your operating system frequently reduces your business’ vulnerability to cyberattacks. Your business should set computers and devices to auto-update or have a regular update schedule.
- Make sure that your software is updated
While updating your business’ operating systems will help prevent cyber-attacks, your software is also a risk. This is especially true with regards to outdated internet browser software. Using outdated browser can subject your business to browser-based attacks. Similar to your operating systems, you should set your software to auto-update or have a regular update schedule.
- Require and use strong passwords
Don’t assume that just requiring passwords will protect your business. The problem that small businesses have is that their employees don’t understand proper password protocol. Make sure that your employees understand how to create strong passwords, that they don’t share passwords, and that they don’t use the same password for everything. The best practice is to have a password policy that is shared with your employees and have training if needed. Strong passwords contain at least six characters (the more the better, some experts recommend twelve characters), contain a combination of letters, numbers and symbols (@, #, $, %, etc.), and contain both uppercase and lowercase letters. If you or your employees have to write down passwords, make sure that they are kept locked up. Better yet, use password manager software with itself having a strong password. Finally, turn on two-factor authentication if available. Two-factor authentication requires both a password and an additional piece of information to log in to your account, such as a code sent to a phone, or a random number generated by an app or a token. Two-factor authentication protects your account even if your password is compromised
- Secure your WI-FI networks
If you have a Wi-Fi network, make sure that it is secured. Change the name of your router from the default and change the route’s pre-set password. Routers have software and that software also needs to be kept up to date. Turn off any remote management features of the router. Finally, use encryption on your wireless network.
You should also limit access to your Wi-Fi network. Only allow specific devices to access your wireless network. If you need to give visitors access to Wi-Fi, create a separate guest network. This practice will keep your internal business network secure.
- Beware of social engineering
Make sure employees don’t share passwords with anyone, even if the person says that they are with IT or an IT service provider. Most hackers actually gain access to systems by convincing employees to voluntarily give them their passwords. Moreover, most malware makes it onto business computers by employees clicking on phishing emails or inserting malware-infected thumb drives into their computers. As such, you need to train your employees to identify phishing email. Your company should also have policies limiting the use of thumb-drives. If you don’t have access to training, the Department of Homeland Security’s cybersecurity website includes resources for businesses as well as a list of training and education courses (https://www.dhs.gov/topic/cybersecurity).
- Back up your data
Back up your business’ data regularly. With proper back-up procedures, your business can recover quickly from a loss of data. The shorter the time frame between your back-ups, the less costs and inconvenience your business will have. Best practice is to back up your data daily on two separate platforms. This could include the cloud and a portable hard drive. Backing-up daily means that you will only have to recreate one day’s worth of business in the case of an attack. Backing up on separate platforms reduces the risk of technological problems.
- Wi-Wi Hotspots
If you or your employees are on the go, they may be using Wi-Fi hotspots in coffee shops, libraries, airports, hotels, and other public places. The problem is that most of these networks are not secure. If a network doesn’t require a WPA2 password, it’s most likely not secure. Make sure that your employees know that when using wireless hotspots that they should only send information to websites that are fully encrypted. You can tell that a website is encrypted by looking for “https” in the page address. Don’t share personal, financial or confidential information over public Wi-Fi.
- Protect electronic and physical devices
All your business’ computers should be protected by a hardware or software firewall, as well as anti-virus and anti-spyware programs. Your physical business location should be secure and access to your physical location should be protected by locked doors, access cards, security monitoring, etc. Physical files should be kept in secure locations. Make sure that employees aren’t leaving laptops, phone, other devices or physical files unattended, even in a locked car. Consider turning on device encryption to encrypt all data on each device in case a device is stolen or misplaced.
- Deal with employee devices
In today’s business environment, employee will have their own devices. This means that your employees are most likely using their own smartphone, tablets and personal computers to access work data. While the benefits of allowing employees to use their personal devices probably outweighs the risks, you will still need policies in place dealing with what data employees can access on personal devices and what an employee should do if an employee’s device is lost or stolen.
- Consider buying cyber-liability Insurance
One way to deal with the financial consequences of a data breach or cyberattack is to purchase cyber-liability insurance. Insurers are increasingly making cyber-liability coverage available to small businesses. Some coverage can be found in endorsements added to package policies that your small business may already purchase, such as a Business Owners’ Policy (BOP) or a commercial property policy. For example, an endorsement can usually be added to a BOP that covers data breaches, data replacement and restoration, cyber extortion and business interruption from cyber events. Adding an endorsement to a BOP has the benefits of a simplified application process and potentially lower premium.
Another way to get cyber-liability coverage is through a stand-alone cyber-liability policy. Stand-alone policies have the benefit of allowing tailored coverage for your business, but the application process can be more entailed and the costs are usually higher. Coverage under these policies can include: coverage for the expenses and legal liability that arise from a data breach; coverage for damage to data and systems caused by a computer attack; coverage for defense and liability coverage for third-party lawsuits alleging damage due to the insured inadequately securing its computer system; coverage for defense costs and damages for claims asserting copyright infringement and negligent publication of media while publishing content online and via social media; coverage for losses from the transfer of funds as a result of fraudulent instructions from a person purporting to be a vendor, client or authorized employee; and coverage for settlement of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
- Educate your employees
Any security policies and procedures your business has are only as good as your employees make them. Make sure that your employees are up to date on your business’ security policies through regular training and communication. Keep updated, written policies that are shared with employees. Consider having your employees sign a statement confirming that they have read, understood and will enforce your company’s cybersecurity policies.
While you can’t prevent all cyberattacks, being prepared is the best way to protect your business and to make sure it can recover from a cyberattack. Allison & Mosby-Scott wants to be your partner in helping your business meet its strategic goals. Please visit our website at www.allisonmosby-scott.com or call us at 309-662-5084 to find out more about our Business & Commercial law practice.