Security Strategy

While many businesses are still assessing the odds of being breached, hackers keep improving their data intrusion methods.

The reality is that no company is safe. Even small businesses are targets and increasingly so. Earlier Ponemon Institute research report showed that 50% of surveyed SMBs had been breached in 2017. Only 14% were found to be able to mitigate risks, which is an alarmingly small figure.

In the enterprise ecosystem, millions of dollars are being invested in security systems, staff, and training. Such investments usually pay off, but failures still happen due to simple mistakes and overlooked basic steps.

These trends illustrate the increasingly complex, unpredictable, and confusing cybersecurity landscape.

To help you understand how you can avoid a devastating scenario in your business, we asked entrepreneurs like you to share their best data security tips. They were an incredible help in creating this article, and we are grateful for their time and effort.

Take a look at what they said!

1. Data Protection: the devil in the details

Like any other business, our company wants to keep our data safe. We did it all – advised employees to use different passwords for their different accounts, don’t save them on the PCs, don’t share sensitive information with outside people, (if they are not sure if something fits these criteria, better not discuss it). We did everything to be secure.

Or did we?

Something escaped our attention.

You know how there are different sharing options on Google Drive documents, sheets, etc.? Well, now it appears that people occasionally just copy the shareable link to give it to colleagues. That is not OK. This way, the link can go into the wrong hands.

And while you may think that there isn’t any sensitive information on this document or sheet, why risk it?

It is pretty disturbing when viewing a private document with disclosed information, then some Anonymous Hippo appears and starts highlighting text. There’s no way of tracking who that is. Learn from our mistakes.

Check your sharing settings.

2. Layer your business data security strategy

Many businesses cannot afford to think outside the box when it comes to data security. They need reliable, cost-efficient solutions with a strong ROI for everything, especially data security. As an IT firm working with SMB, we advise our clients to build data protection in layers because not one single tactic is bulletproof. Three best tactics:

• Double Up Your Firewall. Instead of buying a firewall, rent it (known as Firewall-as-a-Service or FWaaS) because most companies provide two machines for the price of one, so you have instant redundancy without the extra expense. Without that redundancy, your firewall is a single point of failure that can bring down your network or leave it unprotected until your IT person can install and configure a new firewall.
• Use Email Filtering with ATP (Advanced Threat Protection). Email filtering scans inbound emails for potential threats found in both attachments and links, preventing malware from entering your network. (Most viruses enter a network from someone unwittingly opening an attachment with a virus embedded in it.) ATD means your system gets notified of a virus within an hour of being found on the internet to protect your network better. This service costs just $2/month per user.
• Human Firewall. Your employees are your best line of defense and your biggest vulnerability. Train them to look out for suspicious emails and requests, to lock server room doors, use passcodes on their smartphones and workstations, and to report things that look suspicious. We send our clients a monthly simulated phishing email to test them, measure their susceptibility, and to improve our training.

3. Plan for the worst-case scenario.

It is not a question if something will go wrong but when. That is why every small business should plan for the worst-case scenario it can think of. For many, that would be a complete loss of all data. To mitigate that risk, develop an appropriate backup plan that involves keeping offsite backups and testing data integrity on a regular basis.

Next, consider the network perimeter. That means reducing the ability for an attacker to penetrate the network by ensuring a firewall is in place, backed up by appropriate data security software and complemented by virtual private network access for all remote employees.

Lastly, given how many successful attacks rely on human error or lack of knowledge, you need a robust employee security training and awareness program. It will ensure that all employees know how to spot common and active attacks, such as ransomware and phishing.

5. Keep your data organized.

Before you rush to a technical solution, sit down and think about what data resides on your systems and where.

Next, create a little spreadsheet that divides the type of data you hold into levels of importance. Customer data such as credit card numbers should sit right at the top of your list, for example. Secure the most critical, sensitive data first.

Less important data will need less security. You will also want to think about policies and user access privileges.

Good security requires in-depth defense. Ensure you have endpoint security on every business computer and mobile device, implement proper patch management and strong passwords policies, establish proper access controls and regular data backups.

If the worst happens, being able to recover your data quickly might make a difference as to whether a hack is a minor inconvenience or a major disaster.

Create containers and even hidden containers using disk encryption software, so you can keep important data encrypted on a laptop or PC even when it is open. Full disk encryption is great if someone steals your PC when it is switched off, but when it is open and running the encryption is also off, providing no protection against a cyber-attack. By using containers, you can isolate sensitive data and keep it encrypted while you work.

6. Don’t let your employees be the weak links.

• Your weakest security link might not be your networks or infrastructure. It might be your people. A well-meaning employee is a hacker’s best friend. Educate all employees on social engineering prevention. Make regular education an ongoing part of your security plans.
• You would be surprised how many companies spend big bucks on aggressive digital defenses but leave their side door propped open for the delivery guy. Don’t take physical security for granted; pay just as much attention to locked doors and perimeter security as you to firewalls and encryption.
• Never assume you’re too small to be a target for a security breach. Bad actors aren’t always looking for the biggest target to take down. Instead, they prey on the unassuming and unprepared. Have a security strategy in place that matches your organization’s size, industry and specific vulnerabilities.

7. Deploy the right software-level protection

Cyber attacks against small businesses have been increasing steadily over the past five years.

According to a report by Keeper Security and the Ponemon Institute, 50 percent of small businesses have been breached in the past 12 months.

Small business websites, employee email accounts, and customer data are attractive targets for hackers since they often have more digital assets than an individual consumer, but less security than a large organization. Hackers are very much aware that small businesses are less careful about security,” notes John Swanciger, Manta CEO, adding his top tips for businesses to protect themselves.

• Business owners should deploy antivirus software like Norton or Avira to create a defense against most types of malware. To provide an extra layer of protection, small businesses should look into firewalls to prevent unauthorized data access. Some operating systems like Microsoft Windows come with built-in firewalls. Data backup solutions ensure any information compromised during a breach can be recovered from an alternative location. To protect sensitive data like employee, customer and financial information, business owners should also consider encryption software. And, be sure to perform software and web platform updates regularly. Outdated computers and systems are more prone to crashes and security gaps, so taking the time to check for updates and install them periodically is important, even if it seems like a hassle at the time.
• Educate and train your employees to ensure they are aware of the harmful consequences of cyber attacks. Teach them how to recognize the signs of a data breach, as well as best practices to securely use the company’s network. Along with this, implement company-wide security policies to ensure all of your employees are on the same page when it comes to cybersecurity. For instance, institute a password policy, which would require you and your employees to change their password regularly, as well as avoid sharing passwords, usernames and other sensitive, secure information via email.
• Serve your website over HTTPS, especially for any pages that collect information or passwords. HTTPS encrypts traffic so attackers can’t eavesdrop and intercept passwords and other critical business information. To implement HTTPS, you’ll need to obtain an SSL certificate.

9. Know your enemy – assess the threats and implement appropriate data security protection.

Knowing exactly what risks you face can help you choose the right system of protection.

• Be realistic about the threats you face. Don’t waste time protecting data which is, for practical purposes, already public, such as your company’s credit rating or size.
• Don’t gild the lily. You have adequate security already built into your accounting application. You can add passwords to almost any document or spreadsheet without spending a dime on additional software, or create a virtual private network to safeguard data coming in from your road warriors with an old PC and some free open-source software.
• Don’t be afraid to try new things. Your email client already has end-to-end encryption capability built in. All it takes to use it is a couple of encryption certificates that cost less than $50/year. PGP is a reliable alternative, with free applications available for Linux, and free or low-cost Windows/Mac options.

10. When in doubt, don’t cheap out on security.

Limit what you put online. Pay someone who knows what they are doing to shut off unnecessary services on your servers/web host. At minimum, set up a Software Firewall/IPS and a Web Application Firewall. Most inexpensive servers and hosts come with many options open by default which should not be left on.

Encrypt, Encrypt and Back Up. Get a trusted and signed SSL certificate and encrypt all traffic to and from your web server end-to-end. Encrypt and/or salt and hash any unique information that is stored, passwords, payment data, even email address. Back up all of your data on your server regularly through a security provider.

It is always too good to be true. – Phishing is one of the most common ways in when hacking small business. Email filters are usually not as effective. Small business owners and entrepreneurs are open to emails they receive as they look for partnerships and other opportunities to grow their business. Host your email on a separate service or set of servers. And scrutinize emails you receive, think twice or three times if it seems to good to be true. It might end up being really bad.

When in doubt, don’t cheap out on Security, pay a service provider that specializes in small business cybersecurity. The investment will be immensely cheaper than the average cost of an incident, which is more than $200 per customer record exposed.

11. Choose security solutions based on your business needs.

• Know how long your business could survive without any of your data before it begins to suffer client loss or service delivery promises. Then build your system recovery plan around that window. Whether it is a ransomware attack that corrupts all of your data or a fire that destroys your computer network, how fast you can recover your business operations is going to be key to your survival. Your recovery system/Disaster Recovery Plan has to focus on your Recovery Threshold, and you have to test it periodically to ensure it will work when you need it the most.
• The #1 vulnerability to your business data privacy and security is your staff falling for a hacker ploy on the web or via e-mail. Ongoing security awareness training for your employees is the best way to reduce risk in your organization. Socially engineered e-mails are the biggest infection delivery method affecting business today. You have to invest in keeping your employees up-to-date on the most current threat types that they will encounter. Spam filters will NOT catch everything, so keeping your employees current on the latest hacker tactics is critical.
• Anti-Virus software isn’t enough to protect your business anymore. There are eight different ways that hackers can exploit your defenses. You need to supplement your defenses with enhanced firewall Gateway protection, off-premises spam scrubbing, and periodic security inspections by professionals that know what to look for. You also need appropriate use policies for people who use your network to reduce risks of infection from outside websites, social media or personal e-mail services.

12. Have these three types of security training in place.

Making your employees strong links in the cybersecurity chain requires more than just implementing general security policies. They need different types of training to be able to recognize and deal with different threats. Below are some of the vital ones:

• Security Awareness Training

Get employees to focus on themselves; don’t harp just on security awareness that affects the company. Make workers understand that business security is about *them* too, not only the elusive bigwigs. Talk to them about the most common scams and tricks cybercriminals use, and how to protect themselves at home, with tools such as firewalls and wireless VPNs.

• Phishing Simulation Training

After presenting information about security awareness, come up with a scheme to set up a situation where employees are given the opportunity to open a very alluring link in their email. This is called a “phishing simulation.” This link will take the worker to a safe page, but you must make the page have a message, such as “You Fell For It.” You should also make sure that these emails look like a phishing email, such as adding a misspelling.

• Social Engineering Awareness Training

Consider hiring a professional who will attempt to get your staff to hand over sensitive business information over the phone, in person, and via email. This test could be invaluable, as it will clue you into who is falling for this.

13. Don’t underestimate the likelihood of an attack.

Small businesses often lack necessary security policies and practices because they underestimate the likelihood of cyber attacks striking their companies.

Manta, an online resource for small businesses, surveyed over 1,400 small business owners and found 87% of owners do not feel they are at risk of a data breach. However, 12% had previously experienced a breach and, what’s even more concerning is that about 1 in 3 small business owners have no controls in place!

Every organization has sensitive data, including customer information, employee records, intellectual property, and medical records that they must protect. Here are three steps to follow:

• Understand the lifecycle of data in your business – How can you prevent an attack if you do not first know where vulnerabilities lie?
• Explore these vulnerabilities — Determine what the data is, how it is being created or collected, how it is maintained, stored and shared while it is being used and how it should be disposed of.
• Implement best practices that will protect these valuable assets — Now that you are better situated to detect potential points of attack, it’s vital that you take all the necessary precautions to prevent future harm.

Success, without security, can easily turn into a catastrophe.

14. Go beyond securing your computers.

Data security is not limited to your computers.

Human error or malicious intent is just as much of a threat, if not more so. Therefore, your first and most important step in securing your business’ data is to thoroughly check the backgrounds of any new hires, including references and criminal background checks.

In addition to this, you should make sure to safely and securely shred any old documents before you dispose of them. Hard copies of files that are thrown out or stolen are one of the leading causes of security breaches, particularly identity theft and credit card fraud.

Another important thing is to stay up to date. Many small businesses neglect their software updates, especially if they do not have a dedicated IT team. When a software company pushes out an update, it is often to improve security. Not updating your installation can make you vulnerable to attack as hackers exploit known issues in older versions.

Similarly, only download and install software from known and trusted sources. It may be tempting to save some money by downloading a cracked version of the software you need, but these often have malicious malware embedded that leave your computer wide open to attack.

15. Develop a security culture.

According to Reg Harnish, CEO of GreyCastle Security, the following three tactics are key to maximizing business data safety:

• Get a Risk Assessment. Unlike most large companies, small businesses can be financially wiped out after a cyber attack, so it is critical to understand cyber risks right away. Fortunately, in a small business, there is much less to assess than in larger companies — the surface area is smaller. However, resources are thinner, so it is critical to identify the company’s most valuable assets so as not to exhaust resources protecting worthless data. There are only five critical assets worth protecting: bank accounts, credit cards, identities, intellectual property, and reputation. Once those are identified, focus on protecting them.
• Create a Culture of Security. In all businesses, people are the most critical cybersecurity risk. It is impossible to eliminate human error. However, small business owners can minimize risk by consistently and continuously educating and testing employees regarding desired cybersecurity behaviors. Training should include how to identify phishing emails, how to develop unique passwords for each application or website, and how to implement two-step verification. Business owners working with third-party vendors, such as payroll companies, accounts payable and others, should spell out their position on cybersecurity in all contracts and require regular audits for compliance.
• Prepare for the Worst. For every Fortune 500 company, there are thousands of small businesses, which means cyber attacks on small businesses are much more prevalent. Moreover, smaller businesses’ cyber protections tend to be less established or less mature than those of than big companies, simply because the companies are typically younger, smaller and have less money. This highlights the importance of resilience for small business owners. Resilience is the ability to prepare for and recover rapidly from disruptions. Since it’s easier to play offense than defense, small businesses should aggressively train employees and regularly audit people, networks, and devices.

16. Follow basic steps for advanced protection.

STEP 1: The first step is easy: Get some. Don’t make the mistake of thinking you are too small to be attacked. Hackers prey on this, making you even more vulnerable to having customer records, employee data, and other privileged information stolen. 62 % of small businesses suffering attacks go out of business within six months; don’t become part of that statistic!

STEP 2. Back up your data. Automate backup so that employees do not have to think about it.

STEP 3. Think about physical security and managing business continuity. The recent hurricanes, floods, and wildfires provide ample evidence that backing up your data to another location is a must. Maybe the cloud, or servers at two securely networked business locations. Or, a dedicated server on the site of your managed services provider or IT consultant. Do not walk around with USB sticks and portable drives that can easily be lost or corrupted.

STEP 4. Keep current with updates and “patches.” Vendors regularly update their devices against the latest ransomware and other exploits. Keeping up with these updates is a simple thing that can avert disaster.

STEP 5. Don’t go it alone. It is not a question of whether you need business security but how much you need. You likely have anti-virus and anti-malware programs running and perhaps basic firewall capabilities. These are a good start, but if you have mobile workers, guests using your Wi-Fi, or need to comply with regulations for protecting data (HIPAA for example), you need more.

Engage a trusted IT consultant to help think through securing networks and data, and educating employees. Sometimes simple, inexpensive measures like whitelisting or blacklisting Internet sites, or defining clear rules for who can access specific resources can make all the difference and cost little or nothing.

17. Ensure security on both provider’s and your end.

There is a tremendous risk to SMBs of significant (if not devastating) financial outcomes caused by the rise of cyber attacks. SMBs typically lack the in-house security expertise to both understand the new types of attacks that occur and protect against them appropriately, and also have limited budgets for enterprise-class solutions. A few tips Arlen suggests include:

• Look to your internet provider to offer robust DNS-based network protection and device security. When protections are built into the ISP network based on DNS query data, attacks can be identified and thwarted before they do harm. DNS security is the broadest layer of protection to have for every device on the network and is the easiest to implement.
• Enforce end-user best practices by requiring highly secure passwords before allowing devices to connect to the network.
• For retail or other businesses that process payments, they should segment their payment processing tablets/machines onto their own VLAN. They should then turn off all internet access to that VLAN, providing it ONLY to the payment processor.  This approach would have prevented the Target and other major retail breaches that have occurred in the past.

18. Use analytics to develop a tailor-made security program.

Every company’s security program has different threats. There’s no one rule or one guideline to watch out for. There are a few different ways to help reduce data security risks.

• Using security analytics can help you see what threats your business faces and any possible changes in the threat landscape. Any security programs should be updated based on these insights.
• Having your company operate with an extranet (private server) can help reduce these risks as your private documents between your employees and clients are not accessible through the Internet. It is a great added security measure and helps ease communications between your company and clients as well.
• Make sure your deleted files are properly removed from your computers. Overwriting the deleted files is the only way to properly remove any trace of the file from your computer. If a person knows their way around computers, they can easily find deleted information that wasn’t overwritten.

19. Review your password and information sharing policies.

Even in settings where there are no advanced business security systems, some basic best practices need to be implemented. Gregory Morawietz, an IT Security Specialist, highlights the following:

• Have strong passwords. Have complex and long passwords, change passwords as often as you can. Don’t expose your passwords in files on your desktop, post-it notes on your desks, etc.
• Don’t give out your personal data, information or anything via email, phone or text. Refrain from giving out any other personal data on your Facebook, LinkedIn or otherwise that might compromise your identity.
• Get the information out to your company through a meeting, hand-out, training video, etc. Make an effort to have some training that will disseminate information for security awareness. Communication is the key to success of security awareness.

21. Don’t overlook the basics.

As a small business, there are some important steps that need to be taken to ensure the security of your data. The following are the easiest ways to avoid security breaches:

• Keep computers up-to-date: *Keep all computers equipped with the newest in security software, operating systems and web browsers.
• Keep Wi-Fi networks secured: *Make sure your Wi-Fi networks are secure, encrypted and hidden. One way is to set up your wireless access point or router so it will not broadcast the network name, known as the Service Set Identifier (SSID). Also be sure to password-protect access to the router and disable UPnP.
• Train employees on security basics: *Set basic security practices and policies that employees should adhere to such as requiring appropriate internet use, strong passwords, and the detailed penalties for violating those policies. Establish rules for protecting customer information and other internal data.
• Use firewall security for your Internet connection.

22. Implement encryption on multiple levels

For all of our clients, we recommend measures that match the importance or criticality of the data being protected. However, there are some general best practices that should be applied universally.

For logins, we recommend utilizing “two-factor authentication” whenever possible, especially on cloud systems. Whenever one of your systems requires an additional factor to log in, you have dramatically increased the difficulty for an attacker to use an exposed login and password. It is not infallible and needs to be combined with other authentication best practices, but it is so easy to use in some cases, there is no right excuse not to use it.

Secondly, encryption everywhere. Data on the move should be “encrypted in transit” – this means using HTTPS/SSL for your website and web applications, as well as connections between database servers. Encryption at rest – data on persistent storage (such as server disks, server backups, database backups, etc.) are all to be encrypted where possible.

Lastly, personal data and private data (consumer names, phone numbers, and email addresses, in addition to the traditional items such as credit card numbers) is often the target of a breach attempt should be protected with encryption as well – perhaps as database column encryption.

One final tip – Full Disk Encryption (FDE) on both Windows (via BitLocker) and Mac (via FileVault) – for all workstations and laptops. It’s easy to enable and manage, and it ensures if a machine is lost or stolen (a common occurrence with laptops) that the data will not be retrievable.

23. Stop thinking like a small business.

Stop thinking like a small business. You are NOT too small to be a target. If your business data is the core value of your business, protect it.

Don’t run to Best Buy or Staples to buy the cheapest gear, especially Wi-Fi. Again, if your business is how you and your employees feed your families and invest for your future, treat it as such and only deal with skilled professionals who are themselves invested in protecting their business and their clients.

Be afraid, be very afraid. It is a bad new world out there, and the bad guys have tools you would not even believe, and all the time in the world to use them against you.

SMB’s need to have a healthy paranoia about their network and data security.

24. Understand the trends – small businesses get hacked too.

• Get rid of the notion that you do not have the data hackers want. No matter how small your business is, you are the modern-day mark hackers are going after. If you connect to the internet in any way, your business is at risk. Hackers are looking to get a hold of your client lists, payroll, financial data, employee information, prospecting lists, and some of them have something even more sinister in mind. SMBs unknowingly harbor malware, which lies dormant until triggered by an unsuspecting employee and is spread to your vendors and contacts, which are often the actual target.
• Implement cybersecurity training for everyone on the payroll. Many breaches are due to negligence such as lost devices, mistakes, and errors, employee theft, or falling for frauds such as phishing and malware from click bait. By providing security training at least twice a year, employees are more likely to make conscious and smart decisions as they come to learn about their role in the cybersecurity plan.
• Staying on top of the latest cyber threats and ensuring your systems are applying patches promptly can be a critical method to help stay ahead of an attack. Many small business owners have neither the technical knowledge nor skills to implement these measures while simultaneously handling the day-to-day routines of managing their business. Fortunately, there are reputable subscription based Security-as-a-Service (SaaS) providers that can monitor and manage these aspects for a nominal monthly fee. In many cases, the provider will also include the necessary security hardware with their monthly rate. By leasing the equipment from the provider, the small business owner can rest easy knowing they have up-to-date protection for their network without the up-front expense of purchasing computer hardware, which will only depreciate.

25. Quick wins can make significant differences.

On average, a robbery occurs every 13 seconds, and small businesses are four times more likely to be the target of a break-in compared to a home. As a small business owner, it is important to know your weak spots and safeguard against them.

• Update your security system. While having a security system is great, make sure you have *one that monitors the property 24/7* (as opposed to a system that just makes noise during an intrusion). In case of a break-in, these types of systems will immediately alert you and the police. The faster you can notify the police of a break-in, the more likely you are to recover stolen property and minimize damages and losses.
  Most security systems capture video footage that details the time of day the break-in occurred, who it was and where he/she entered from. Make sure to install security cameras, as these alone can deter burglars who like to go unseen.
  Most security systems can be controlled from a smartphone or laptop, and you can choose the type of security system that will work best for you and your company.
• Perform routine internal safety checks. Unfortunately, 64 percent of small businesses fall victim to internal employee theft. While co-workers are often your office family, not everyone can be trusted. It is important to conduct routine internal safety checks to prevent robbery. Keep and frequently update your inventory of office equipment, IT equipment, office furniture, and products. Also, distribute the workload and financial responsibilities among a team, instead of leaving one employee responsible for the all of the company’s finances.
• Secure doors and safes. Take the time to secure all doors and lock all safes at the close of business each day. It is easy for thieves to kick down doors and pick locks–giving them easy access to files, merchandise, and petty cash. Most burglars are in and out of a location within ten minutes, so they will grab whatever they can access with the most ease. Consider bolting your safe to the ground–as some burglars simply take the safe with them and crack it offsite.
• Regularly update your digital security. Invest in database security or IT team and take all necessary precautions to keep digital information safe.
• Secure your printer. Printers are the second-biggest safety concern for small businesses, according to Eric Montague, CEO of Executech. Multifunction printers (MFPs) have a hard drive that stores every scan ever made. Businesses use printers and scanners daily, leaving private information on the hard drive that could be hacked. When businesses upgrade their printers, it is essential that they wipe the printer hard drive clean or take out the hard drive altogether.

“Hackers can review every scan and get a treasure trove of data,” Montague said.

• Create an emergency and disaster plan. When the unexpected occurs, it is important to be prepared with an disaster recovery plan. Safeguard your small business by having a process in place. Practice routine fire drills, earthquake or storm drills with your employees. Have employees keep snacks and water at their desks in case of an emergency or disaster. Update your office first-aid kit. Make sure your important data is backed up regularly and that the backup is located remotely. Inventory all office items for insurance purposes. This will minimize losses and help secure your business.

26. Start with proper “network hygiene.”

In today’s connected world anyone that uses social channels or email is a target for hackers. Small and medium enterprises face the same cybersecurity challenges as large enterprises and government agencies.

The trend of “landing a whale” is rapidly moving to “filling the nets.”

We are seeing greater proportions of successful attacks against the SMB and SME than ever before – one in five SMBs are hacked each year, and 60% of the victims go out of business because of the attack. The rationale for this is pretty simple. All too often, many SMB and SMEs lack the tools, skills and financial resources to detect successful breaches and insider threats. Add to that, the sheer number of prospective victims – close to 6M in the US alone, this target is easy pickings. Damages from one successful targeted attack could cost a small company as much as $84,000.

How to protect:

First, start with proper “network hygiene”. We may no longer see phishing attacks about your dead uncle who left you $10M. However, casting a broad net to snare unsuspecting small business owners is still a viable business model for hackers. Hygiene also includes proper training of your people. Training a person to recognize breach-tactics is imperative for businesses of all sizes. Fortune 100 companies do it and so should SMBs.

The next piece is around network and personnel visibility. Small businesses are often conduits for breaches to larger organizations. The SME hiring and vetting process for all your contractors and employees should be strict. Once the person is in your organization – they are in. Do you want to be the next small business that becomes known as the weak link in the next front-page-headline breach (see HomeDepot and Target)? Also, small and medium enterprises should know what applications are allowed and not allowed to run on their network. There are cost-effective, easy to use, easy to deploy solutions on the market today that enable organizations of all sizes to be situationally aware of what data is coming and what is going.

The next area is protection. Perimeter defenses should be enterprise-class. SMEs should not “settle” for a reduced subset of features just because of their size. If a vendor says, “That is only in our Enterprise Version,” run, not walk away. SMEs are very mobile device dependent. Many times the mobile device is the ONLY computer. Take steps to protect all devices, not just traditional computing platforms such as laptops.

And finally, be prepared for “oh no!” Having an easy to follow remediation plan is a critical step in keeping your business running. Ransomware is only effective if it can hold you for ransom. Have your backups disconnected from the computer? Know who can rebuild a machine quickly.

You will get punched – so be prepared to take one (or more)!

27. Do not entrust your data to just any cloud.

• Do not store all data online in a cloud you do not know. It is ok to work with Apple or Microsoft, but for less than $300.00 a company can own their Cloud Service and not be at risk of a massive attack on their systems.
• Do not store all records, banking data, patient or customer ID Data on your server. We recommend our AeigsFS Secure Flash Drive. Pictured below, this is the most efficient manner to keep all computer recordation super secure. They provide up to 480gb, offer SHA 256 Encryption that is Military grade and PIN Access. Kept on your keychain in a solid aircraft aluminum shell, these flash drives are the difference between getting hacked and not. Back up daily.
• Obtain multiple malware and serviceware software. The more power and use require higher levels of cybersecurity malware to protect you from nefarious activities and hacks.

28. Self-evaluate to keep pace with both risk and compliance.

Your business is small, but risks are enterprise-size

Top cybersecurity threats to small businesses (SMBs) are very similar to the risks all enterprises face. The stakes are much higher for SMBs because they often lack the resources to fight back and prevent data loss. Large firms have teams of data security experts and can afford extensive audits. SMBs can be more vulnerable to security risks and struggle to quickly react to vulnerabilities.

Keep pace with both risks and compliance by self-evaluating

Frequently self-evaluating the company’s cybersecurity practices is the best way to detect and prevent cybersecurity threats. SMBs can use the NIST Cybersecurity Framework (it’s free!) as a blueprint to evaluate current security policies and remodel data protection policies to focus on preventing vulnerabilities and to set goals to improve and maintain security.

Traditional data security standards and protections all attempt to do the same things: protect sensitive data. The NIST Cybersecurity Framework is unique because the Framework combines the best practices of other security standards to focus on outcomes, rather than avoiding liability. SMBs should self-evaluate cybersecurity at least once a year, with participation from all business unit leaders and all of the IT team.

Don’t become a victim of your own success – growth.

As SMBs grow and add employees and partners, they must share access to vital business data and systems. For example, a small company can rely on a single IT person to manage access to data, a server, and the company network. As the SMB grows and adds employees and offices, a “single point of failure” becomes a risk for the company. Security for data and networks should grow with the business, with precautions built into business goals.

29. Stay vigilant about threats

• Complex Passwords. 65% of Americans use memorization to keep track of their online passwords1. This leads to passwords that are easy to remember and even easier for criminals to crack. Since 39% of online adults say they use the same password for many of their accounts, a cracked Gmail password may give a criminal access to your bank account. There are several free password managers available.Let the password manager generate and store your passwords so that they are unique for every site.
• Backup Critical Data. When most people consider a backup and disaster recovery solution, they think about hurricanes, wildfires, and flooding. More often, backup solutions are used to recover employee deleted files or full systems due to a cyber-attack.A small business should not scrimp on a backup system as it may save them thousands of dollars if they become a victim of a cybercrime. A reliable backup solution should include both onsite and offsite storage, backup verification and must protect against Ransomware.
• Email Vigilance. Attackers are using social media to craft emails that are irresistible to their recipients. Most phishing emails contain subject lines or text with rushed language that causes the user to take action immediately. We had a customer whose accounting clerk received a well-worded email from the owner directing her to transfer money instantly to refund an angry customer. A quick phone call to the owner prevented the clerk from moving $35,000 out of their account.Business owners should be using email solutions like Microsoft’s Office 365 or Google’s G Suite, which will filter out most phishing attempts. Recognizing that these emails will reach your employees makes it imperative to train your staff to identify and delete malicious emails.

30. Understand why you need controls and how you can implement them.

For the owner, manager or executive of a small business, my three tips for data protection would be:

• Know why security controls should be applied. This will allow you to know what your priorities are and save time, effort and money on implementation.
• Make your team understand how a data compromise can affect their lives and how they can protect information. This will give them a sense of commitment and will save you time, effort and money that would be spent with dealing with easily avoidable incidents.
• Ensure that information is backed up and tested regularly and that your organization knows how to act in case of problems. Incidents will happen, and this will save you time, effort and money in recovering your business operations.

32. Make your systems hacker-proof.

• Small businesses should ensure they have implemented a proper backup and disaster recovery system that is monitored and tested for recovery on a regular basis. Knowing you can recover your data after a breach, such as falling victim to ransomware, will allow you to sleep easier at night!
• Configure your Windows computers and servers to automatically install Microsoft updates as they become available. Occasionally an update from MS breaks a valid 3rd party software or their own software, but dealing with those occasional issues is a far better path then dealing with the results of security vulnerabilities, like the SMB vulnerability exploited by WannaCry and Not Peyta earlier this year.
• Training, training, training! Employee training is paramount to protecting a small business’ data. Training should include how to detect email phishing scams, fraudulent phone calls, bad web sites and dangerous email attachments. Furthermore, training on what information should never be provided on social media posts and to unverified sources is important.

33. Put the right technologies in place

Every company, every business, and rather every enterprise is facing data security risk. One plausible reason for this is the fact that majority of us intentionally or unintentionally save data on our machines, which, as a matter of fact, are vulnerable to data breach. Businesses going down and getting bankrupt is becoming a norm only because people’s ignorance or lack of knowledge to understand data security risks.

Let’s quickly catch up the biggest and also the most commonly witnessed mistakes companies make with data security protection. These are:

• Failure to understand the threat against their employees, customers, competitors, etc
• Wrongly assuming data security technology to be an information technology problem rather than a business problem
• Relying on cheap cyber products, including anti-virus
• Unable to prioritizing the significance of data and trade secrets
• Failure to detect Insider Threats
• Using unencrypted data on emails
• Saving unencrypted data on backup machines
• Re-using passwords
• Using weak or easy-to-hack passwords
• Lack of sharing data security technologies and policies with employees

These are some issues that businesses, as well as individuals, have been facing over the years. They are not just limited to large companies. Small businesses also face the dangers of getting affected because of the lack of security measures.

But, the good news is that this can be dealt smartly. The following steps might help assist in data security.

• Implementing Security Policies. Set up strong security policies for your company and ensure that every employee is aware, as well as strictly adhere to them. Clarity and understanding of these policies are essential for every worker of the company.
• Putting the right technologies in the right places. Virus and data corruption are not the only threats. Hackers are too! They attack, steal and are capable of misusing your data. You must use a secure internet connection weather LAN or Wireless and protect it by putting a password to access. Also, make sure that your internet security is not on the initial level, which can be breached easily. Hence, use multi-layer security on all the devices that contain your company’s sensitive data. Always try using strong passwords, and try avoiding usage of common or easily ‘guessed’ passwords. Also, try changing your passwords after some time rather than sticking to only one password for long. Using multifactor authentication to access sensitive information is the safest way to go by. Your system’s software must be kept up to date. You must install all the patches and new versions of software because security patches are included in the newly launched versions. Also, use the anti-viruses. Try maintaining backups of all your data because there is a likelihood that certain situations arise where you lose your data. So, make sure of have a backup that is secure in all ways. Use encryption method on your data your all data is stored in encrypted form.
• Conduct a Security Audit. If you are unable to identify the weak part that’s creating a hurdle to fulfill all the security and privacy policies, then a security audit is what you need. You must conduct an audit of all the devices and networks that contain sensitive data/information. It will make your data as well as your business safe from security threats.

Belonging to a company that offers security services, we, at Kualitatem, know how important your data is to you and are cognizant of the significance of keeping it protected.

34. Set up business data security policies

Outside of the staples (clear company policies/SOP), when it comes to data retention and dissemination along with consistent back-ups, I would say:

• Use group policy settings provided in Windows to prevent the use of USB mass storage devices by users so you can reduce the likelihood that employees can walk out of the office with confidential company data on their flash drive or cell phones.
• Require the use of dual authentication (RSA key, etc.) and meter access to any applications employees are capable of accessing outside of the office. This reduces your exposure should an employee’s credentials ever be compromised and metered access should prevent wholesale raiding of confidential company data (at least remotely).
• Verbose logging. Knowing who and when a file was last accessed, updated, or changes goes a long way in increasing data accountability. When employees know they can’t lie, hide, or blame someone else for the breach or unauthorized transmission of data, they tend to be more prudent and careful.

35. Consider outsourcing qualified IT security staff and systems.

For any business, a data security issue can be ominous. For a small business, it can be catastrophic. The three top tips I can unequivocally recommend are as follows:

• Outsource your IT security for endpoints and servers to a reliable Managed Security Service Provider (MSSP). Their purpose is to provide expert solutions and consulting to their clients, allowing a small business to focus on their business, not information technology.
• Encrypt your data. Data encryption is one of the most effective methods available to reduce the impact of a data breach. Encrypting data also simplifies compliance validation with regulations and mandates such as Sarbanes, Oxley, HIPAA, GDPR Regulation, etc.
• Engage with a Risk Adviser to review your insurance coverage. This is an often overlooked aspect for many organizations, but especially critical for small to medium-sized businesses. Cyber risk and the associated liabilities can be the death knell if not understood and appropriately mitigated.

There are no silver bullets for data security, but by following these tips and proactively engaging with your IT service provider on a monthly basis, any small business will be in an excellent position to understand their exposure, the current cyber environment, and keep their data and business out of harm’s way.

37. Set up multi-layered security measures

• Explore all your options. Before you commit to anything, spend the time to research all of the available options for data storage and cloud products. There are thousands of service providers, and it might be easy, especially as a small business with a low IT budget, to go for the cheapest option. When that temptation comes, perhaps it will help to remember that 60 percent of small companies that suffer a cyber attack go out of business within six months. Do a “background check” on several providers and weigh the pros and cons before reaching a decision, because this is one thing your company cannot afford to get wrong.
• Set up multi-layered security measures. When it comes to cybersecurity, passwords are generally the weakest link. 63 percent of hacks occur because of weak passwords, and even though cybersecurity experts constantly address the topic businesses have been slow to learn. You can require employees to regularly change their passwords, but companies would also be wise to implement two-factor authentication. Multi-factor authentication requires multiple pieces of evidence to verify identity, whether that means various passwords, a key-card, facial-recognition or otherwise. It is a fairly simple solution, but according to Symantec 80 percent of breaches could be eliminated by implementing it. Another layer to add is to use data encryption, which is basically taking your data and re-coding it so that it cannot be read or translated without a key.
• Consider purchasing cyber risk insurance. Another solution that isn’t often considered is cyber insurance. To be clear, the insurance should be a last resort. If you have to use it, that means you’ve failed. You’ve risked your clients’ information and your own. At the same time, however, it can be a good safety net for companies who can benefit from secure footing while they’re trying to address the problem. Cyber insurance can help your company avoid the fate of most small businesses that are hit by cyber attacks.

38. Leverage remote storage and backup solutions.

Tip #1: Store Your Data On An External Hard Drive

It is common nowadays for businesses to store documents on Google Drive and Dropbox. They are convenient, free iCloud storage systems that many use every day. However, they are not the most secure especially for business information and data. To be safe, store your business data on an external hard drive. It may cost a little depending on the size of your small business but will be well worth it in the end. By storing your information this way, it will save you the panic attack if for some reason your data is lost.

Tip #2: Limit The Number Of Employees Who Have Access To Account Passwords

When it comes to data account passwords, it is better to be safe than sorry. Only provide passwords to employees who absolutely need them, and whom you can trust. Issues with account passwords can arise if you have a disgruntled employee or ex-employee. They could steal your business information leading to your business being ruined.

Tip #3: Never Use Public Wi-Fi For Business Work

Public Wi-Fi is a playground for hackers and cybercriminals. When it comes to doing work, never use public Wi-Fi. If a hacker were to gain access to your data, your customer information and business information would be compromised. This type of situation a small business may never recover from.

39. Understand and control your data

In May 2018, GDPR (General Data Protection Regulation) will come into force. That’s just five months until the most significant reform in data protection and privacy laws for over 20 years. Things will be very different. GDPR is going to seriously affect data security and how businesses must operate. Whether you’re a multi-national or a small business, all will handle some level of personal data whether it’s on staff, customers or enquirers.

GDPR is the government regulations defining how that personal information is managed, to protect consumers and their privacy from data misuse. GDPR brings stricter guidelines and higher fines than the current data protection legislation. The clock is ticking. How prepared are you?

Here are three data security tips on this topic to get you started:

• Understand and control data – keep a log of all the personal data handled by your business; when and where it came from, who has access, why you have and when you will delete it.
• Only keep the data you need – the more data you have, the harder it is to track and control. Just keep what you need and have a documented purpose of retaining any personal data.
• It’s a company-wide initiative – ensure all staff are aware of data security requirements and sign their adherence. If they’re alert to risks of the data security, breaches are less likely.

40. Secure your website domain.

Three quick wins for a small business right now would be to:

• Get a security certificate for your site. It is a flag to customers that you care about their security notwithstanding Google penalizing sites without it.
• Ensure that you have SPF set on your domain so that bad actors cannot spoof your domain and trick employees into clicking links in phishing emails.
• If you store data on EU citizens, have a plan to be GDPR compliant. For larger firms consider encrypting data at rest or use services that have this as an option.

41. Implement email best practices.

Email is essential for all businesses. That necessity is why email is also the number one threat vector for hackers.

That is why it is important to have an email security plan in place. Three things all small businesses can do are:

• Protect yourself from spam, phishing, and malware. Using a strong email filter can help keep most of the threats at bay.
• Don’t click suspicious links, even if it is from someone you know. If someone’s account is compromised, it can send malicious emails without their knowledge. It never hurts to check with the person BEFORE clicking on that link to verify it is legitimate.
• Block large email attachments with macros. Word Docs, Excel and PDF files may be standards in business productivity, but they are also the most common attack files used for malware. There is usually little reason to have attachments larger than 10MB. Attachments with Macros are especially dangerous.

43. Ensure your applications are secure-by-design

Cloud data security is frequently thought about in terms of managing existing risk. It’s crucial that organizations ensure that applications are ‘secure by design’ – whether they are developed in-house or purchased from an external provider.

Shifting left and fixing security flaws in the development stage and shifting right to monitor for new vulnerabilities ensures that firms are doing everything they can to stay ahead of the hackers. It helps prevent ransomware locking-down data or from allowing it to be exfiltrated. When purchasing cloud applications, it’s crucial that organizations manage their software supply chain and source solely from providers that can demonstrate proof of security.

Where businesses already have a preferred vendor without such certification, they can be a positive force in supporting their suppliers’ application security processes. A number of firms that CA Veracode works with, for instance, even pay the third-party license fee to

enable their supplier to become compliant with their company’s standards.

46. Treat security as a process, not an event.

Achieving some level of security requires a specific mindset that every organization needs to understand and then internalize. It doesn’t matter if you’re engaged in “routine” tasks or something more specialized – every organization is more and less secure over time since the nature of cyber attacks constantly evolves. The process of security means adjusting and learning accordingly.

A head-in-the-sand approach ensures that an organization will become less secure.

Also, beware the unwitting perpetrator. Like crimes in the non-virtual world, Distributed Denial of Service (DDoS) attacks and cyber hacks rarely come with calling cards. Those with ill intent find honeypots of oblivious organizations they can commandeer easily, with a single password. In the incident referenced earlier, the mega-provider didn’t even have an abuse team. So, at the very least, businesses need to insist that their hosting company assign a unique password to every server – and have an abuse team at the ready just in case.

47. Understand privacy policies of your cloud accounts.

Strong passwords and 2 Factor Authentication are the best things consumers of cloud software services can do themselves to improve the security of their data. The days of swapping letters for numbers and special characters in a password are long gone. So is the advice that they should be changed often.

The recent recommendation is that passwords should be formed of 3 random words. For example, ‘TreeKeyPencil’ is far more difficult to guess than ‘1iv3rp00l’. Adding an extra layer of security with 2 Factor Authentication will further prevent your cloud-stored data from getting into the wrong hands.

Additionally, when choosing a cloud software provider to share your data, it’s essential you read their privacy policy and terms and conditions. This should give you an indication of what the service provider will do in the event of a data breach, as well as what they are doing to prevent one in the first place. For example, ISMS.online undergoes regular penetration testing and has achieved Pan UK Government accreditation and PSN certification.

48. Take a zero trust approach

The best approach to cybersecurity you can take is to protect everything by default.

This zero trust approach doesn’t require user involvement to keep the data safe and it takes into account the way data is realistically used and shared with organizations.

Keep a watchful eye toward internal breaches, not only external. Even if it’s unintentional, up to 43 percent of data breaches are caused internally. It’s most effective to automate security in a way that is seamless to end-users, so they don’t try to circumvent it.

Understand that there is no longer a perimeter. With multiple entry points into an organization (so many devices), there is no longer a defined and defensible perimeter. In today’s cloud-first environment, companies no longer own or secure the servers where the data is kept.

52. There are two critical steps to take for the improved security

The first step to keeping your data secure on the cloud is to ensure that your cloud data is protected by, not just a password, but a two-step authentication process. Creating a strong password (12-15 characters, upper and lowercase, with numbers and symbols) is essential, but even a password like that can be cracked.

Add two-step authentication by sending pin numbers to your phone or adding personal security questions on top of your password.

The second way to keep your data secure is through encryption. Opt for an encrypted cloud service, so your information is always protected. This is especially important for companies in the healthcare and defense industries.

53. Add enhanced security settings to your public cloud

The most common and publicized data breaches in the past year or so have been due to giving the public read access to AWS S3 storage buckets. The default configuration is indeed private, but people tend to make changes and forget about it, and then put confidential data on those exposed buckets. There’s very little excuse to do so.

In addition to this, you should implement encryption both in traffic and at rest. In the data center, where end users, servers, and application servers might all be in the same building. By contrast, with the Cloud, all traffic goes over the Internet, so you need to encrypt data as it moves around in public. It’s like the difference between mailing a letter in an envelope or sending a postcard which anyone who comes into contact with it can read the contents.

55. Be aware of the most common security mistakes

A weak password, or reusing the same password for multiple accounts, is the biggest security risk for cloud-based applications. If one of your accounts is hacked, the rest can easily be hacked using the same credentials. You really shouldn’t be using the same password for your online banking as your email. But since it’s nearly impossible to remember a unique, secure password for every account that you use, I recommend using a password manager like 1Password.

In addition to this, you should run regular backups of data that’s in the cloud.

There’s a big misconception about how cloud-based platforms (ex. Shopify, QuickBooks Online, Mailchimp, Wordpress) are backed up. Typically, cloud-based apps maintain a disaster recovery backup of the entire platform. If something were to happen to their servers, they would try to recover everyone’s data to the last backup. However, as a user, you don’t have access to their backup in order to restore your data. This means that you risk having to manually undo unwanted changes or permanently losing data if:

• A 3rd party app integrated into your account causes problems
• You need to unroll a series of changes
• Your or someone on your team makes a mistake
• A disgruntled employee or contractor deletes data maliciously

Rewind, the company I co-founded, has been backing up Shopify accounts since 2015 and from speaking with hundreds of customers, I can tell you that these four examples are pervasive. I’ve seen everything from entrepreneurs breaking their Shopify site after messing with the code, to 3rd party apps accidentally deleting over 300 products in their store.

Having access to a secondary backup of your cloud accounts gives you greater control and freedom over your own data. If something were to happen to the vendor’s servers, or within your individual account, being able to quickly recover your data could save you thousands of dollars in lost revenue, repair costs, and time.

56. Get serious about security

Tip 1: Get serious about password security. Storing your data in the cloud means that your password is the key to the only door protecting your data from the world. Follow the advice that you’ve heard so many times, and use a secure password (a password manager such as LastPass or Dashlane can make this easier), and don’t share the password among users. Also, use two-factor authentication if possible to add another layer of protection.

Tip 2: Encrypt the data you store in the cloud. This is easiest if you choose a provider that allows encryption, but there are also services such as SmartCryptor or Boxcryptor. Even if someone is able to get to your cloud service, if you have the files encrypted, it will be more difficult for them to actually access your data.

Tip 3: Keep backups of your data in a separate location. Cloud services are a great way to store data offsite as part of a backup solution, but follow the backup rule of three and have a backup in another location as well, either locally or in a separate service.

57. Maximize cloud security with containers

Containers have been around since the mid-2000s but didn’t experience the surge in popularity until 2013. Now, 56% of all organizations have containerized product applications. Containers simplify software distribution and allow for greater resource sharing through computer systems. Containers also reduce an organization’s vulnerability for a massive cybersecurity breach by isolating data in separate environments.

58. Use specialized software to prevent attacks

Specialized software solutions can significantly improve detection and prevention of cyber attacks, but no system is ever perfect. Even the companies with a good cybersecurity setup can end up as victims too. Make sure your employees are also trained in using cybersecurity software as well as prevention, detection, and incident response.

Detection is king – the longer an attacker is inside your network, the greater the damage they can cause. Intrusion detection systems and a good analytics setup with 24h notifications can go a long way in reacting to the next system intrusion quickly.

Reaction saves the day – make sure you have access to experienced cybersecurity experts who are familiar with your IT infrastructure and setup. If you are a small organization with no IT department, you can outsource this to a range of different IT service providers who can step in when needed.

So what are the solutions available out there? Crozdesk has found that the variety of new IT security software solutions launched onto the market has increased by nearly 350% from June 2016 to June 2017, as compared to the 12 months period before.

Funding for cyber and cloud security software companies has nearly doubled over the last couple of years, and this is resulting in a surge of new cyber technology types. It is good to be updated on the latest network security technologies available and consider adding applicable ones to your cyber security setup. Honeypots (traps for intruders) were in demand last year.