Probably Your Cyber Isn’t as Secure as it Could Be. Let’s Fix It.

Feb 6, 2018 | Stephen Jackson

Last year, something called the Main Street Cybersecurity Act passed in the Senate; it’s now meandering its way through the House and then off to, well, you know where.

While its ultimate fate has yet to be determined, the legislation speaks to what CNBC has called a national crisis: the vulnerability of small business to cyberattacks. The article references a report issued in 2016 that found that, over a 12-month period of time, half of all small- to medium-sized businesses in the US were breached by hackers.

But the Main Street Cybersecurity Act isn’t a compulsory set of regulations. It simply updates the Cybersecurity Enhancement Act of 2014, which called upon the National Institute of Standards and Technology to provide a set of voluntary guidelines for big businesses to follow. This bill would add new frameworks with which small businesses can align themselves.

Perhaps the first step is admitting that you may have a problem: A separate survey found that 87 percent of small-business owners didn’t believe they were at risk for a cyberattack, and that 1 in 3 don’t have the tools (firewalls, antivirus software, etc.) necessary to protect themselves if they were attacked.

Regardless of where you and your business fall in this Spectrum of Peril™, let’s take a look at a few things that every small business should be doing to protect itself against cybercrime.

Catching Phishers

“Most attacks nowadays are phishing attacks through email,” says Clint Wynn, who works in DevOps at Neighborly, a San Francisco startup that allows people to invest directly in municipal bonds in places of their choosing. “That’s going to be your first ‘attack surface.’ Many pre-cybersecurity pros talk about reducing your threat surface, and your inbox is going to be where these threats can arise from.” For those (still) unfamiliar, “phishing” is the practice of bad actors sending fraudulent emails aimed at getting unsuspecting recipients’ sensitive information. Once they have that information, cybercriminals can wreak havoc on your business and personal life.

“It’s important to pay close attention to the sender in emails,” Wynn says. Spammers can trick recipients by using familiar-looking names or addresses to lure them into opening emails and “can then exploit things like Excel documents to attach some bad code.”

You can brush up on your ability to spot a phishing email by taking a look at this, brought to you by the furthest thing from a small business (it’s Microsoft).
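The sender check Wynn describes can also be automated. The following is an added example, not code from the article or from anyone quoted in it: it inspects a From header for a familiar display name on an unfamiliar address and for a domain that is a near-miss of one you trust. The contact names, addresses and domains are constructed sample values.

```python
from email.utils import parseaddr

# Constructed sample data: the people and domains this business really deals with.
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@example-supply.com"}
TRUSTED_DOMAINS = {"example-supply.com", "example-bank.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return the reasons a From header looks suspicious (empty list = none found)."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Familiar name, unfamiliar address: the display name is free text and
    # proves nothing about who actually sent the message.
    expected = KNOWN_CONTACTS.get(name)
    if expected and expected != addr:
        findings.append("display name matches a known contact, address does not")
    # Familiar-looking address: an untrusted domain one or two characters
    # away from a trusted one.
    if domain not in TRUSTED_DOMAINS:
        for good in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, good) <= 2:
                findings.append(f"domain '{domain}' resembles '{good}'")
    return findings

# Constructed From headers covering the clean case and each warning sign.
SAMPLES = [
    "Dana Reyes <dana.reyes@example-supply.com>",
    "Dana Reyes <dana.reyes@examp1e-supply.com>",
    "Dana Reyes <d.reyes.office@mailbox.example>",
    "Accounts <billing@example-bamk.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no findings")
```

A clean result only means these two checks found nothing; it does not show the message is genuine.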

Keep Things Current

It’s important to keep both hardware and software current, as new models of computers and new operating systems get better at fighting cybercrime with each iteration. Wynn illustrates this with a simple analogy: When should you change your tires? Once they get all bald and threadbare, or before they become a safety hazard?

Wynn brings up a great point. It’s foolish to keep your OS version running until it basically stops functioning, and the same goes for hardware — including wireless routers, which are common targets for hackers.

“Set up a cycle for updating your hardware. The rule in enterprise is every four years, but I would say every four years is okay for small business,” Wynn says. “Even if your computer is running okay, don’t think of it as money out the door, see it as a business expense. At that same interval, consider upgrading your router or network hardware.”

Software, on the other hand, should be constantly updated. “It’s an easy thing to overlook or put off, but there is no value in doing so,” he says. Wynn has found many small businesses that don’t have a regular cycle for updating their software; this negligence increases their risk of cyberattacks.

Change. Your. Passwords.

That study from earlier found that 59 percent of small- to medium-sized businesses have no visibility into employee-password practices, and that 65 percent of businesses that even have a password policy do not strictly enforce it.

One of the easiest and most effective ways to safeguard yourself against cybercrime is to change your passwords often. It’s something we touched upon back in our piece about protecting your business from online fraud over the holidays. In case you missed it, here are some highlights:

  • Never write them down.
  • Change them often.
  • Where appropriate, implement multi-factor authentication methods.
  • …and here are some more.

So you’re diligent about changing your account passwords. But one thing people often forget to change is the wireless password to their business network.

“Employees come and go, and access is not necessarily under control beyond this password that people tell each other,” Wynn says. “If you don’t have a habit of changing that password every six months or a year, you have a chance of unauthorized access…or what’s worse, this password could potentially be a password that’s used somewhere else.