I cringe when I hear entrepreneurs and small business workers tell me that they “… are too small to be targeted by hackers”. Let me set this straight, this sort of ignorance can cost you thousands of dollars. To set the record straight, hackers are opportunistic. They have software that scans hundreds to thousands of computers at a time and finds out rather quickly if you’ve been slacking in the security department. Once a weak spot is identified, they exploit it.
If you are like most people, you probably know you should be doing more to protect your computer and keep your company data secure. You may not know where to start, or maybe you (or someone you know) don’t think security should be as big of a concern as those “mission critical” task.
I read this Inc. article, which stated that in 2013, the National Small Business Association surveyed about 800 small business owners and found that 40% of them had been attacked. Damages cost them an average of $8,699 per attack. If you are anything like myself, that loss would be hard to recover from.
“According to a recent survey, more than 40 percent of small businesses report that they have been the victims of a cyber attack — and it has cost them thousands of dollars.” — Study: 40% of Small Businesses Have Been Victims of Cyber Attacks (Inc. Magazine)
Thankfully, protecting yourself on and offline isn’t rocket surgery. A little common sense goes a long way. Here, I have provided a list of six things you should keep in mind when working online and off.
1. Enable “full/whole disk encryption” on your laptops
Your laptop stores more information on it than you may be aware of, like cookies, passwords, credit card details, documents, photos, etc. In the event of losing your laptop (or worse, it was stolen!) you need to make sure that your data is secured. This is where “disk encryption” comes into play. Laptops that are encrypted have all of their information scrambled on the hard drive, making it completely unreadable to anyone without the password to unlock it.
On Mac OS X, FileVault is a free, built-in encryption software that takes seconds to set up. BitLocker comes built-in on the Pro and Enterprise versions of Windows 7 and 8.
An unencrypted laptop that is lost or stolen quickly becomes a company-wide emergency. You will spend days trying to figure out exactly what data was on the computer, calculating your losses, calling your customers to tell them their information they trusted with you may be leaked, and then months repairing your brand’s reputation.
An encrypted laptop that is lost or stolen is really just an inconvenience and an insurance claim.
Ask any person you know that works in I.T. about the time they realized the company needed to encrypt laptops. I bet you can see their smiles and color fade from their face.
2. Disable automatic login (and lock before you walk)
Even if you still have possession of your laptop, you want to make sure people can’t read your sensitive data (or type an embarrassing post to Facebook for a good laugh) when you take your coffee break.
On Mac OSX and Windows, you want to make sure that you disable the automatic login feature. This ensures that anyone who visits your laptop can only look at a pretty lock screen and not what is behind it. Software developer Elliott Kember wrote an amazing blog post about how someone can access your password data without doing anything illegal if your computer isn’t locked.
They say there is nothing common about common sense, so I encourage everyone to make sure that when your computer is booted, you are always welcomed with some sort of login screen, and to “lock before you walk”.
3. Make sure all smartphones and tablets can be wiped remotely
With the introduction of smartphones and tablets into the workplace, we now have smaller devices that hold company data! While they are wonderfully convenient, they also are easier to lose or have stolen.
Much like our new laptop policies, make sure you set policies in place for mobile devices. While software exists to protect these devices, it is more realistic (and cost effective) for small businesses to force these devices to have strong lock screen codes and enable remote wiping.
These two steps will make sure that the data on your lost or stolen devices are protected long enough for you erase all the contents of the device from your computer or another smartphone.
4. Turn on encryption for sites you visit
Now that our hardware is locked down and we feel safer, we have to now look at the software side of security.
Every time you visit a website, data is sent between your computer, and a large server somewhere in the aether. When data is coming to you for consumption, all that matters is you can see and/or hear it. But when you are filling out forms, uploading files, putting in your credit card details, or typing your username and password, you want to be sure that your connection is encrypted.
These days, most websites will use something called HTTPS or SSL. This technology encrypts data you send from your computer and makes sure that the data is received on the other end safely. Websites that use HTTPS/SSL will have a little lock in the URL bar.
Websites that don’t use HTTPS/SSL won’t have the little lock and will send all of your data over the Internet in clear and readable text. Anyone you share a Wi-Fi connection with can have complete access to the data you send over the network. Free apps like WireShark allow people to do just that.
5. Create unique and complicated passwords for each website
If your password is one of the top 10,000 used passwords (that list is from 2013, and it hasn’t changed all that much in the past year), it is time to change it. A weak password can be guessed by a computer in seconds. Whereas stronger passwords may take many years for a computer to crack.
A strong password helps a lot, but not if you use it everywhere. While some companies and websites protect their passwords like Fort Knox protected gold, others protect about as effectively as you protected your treehouse while you were at school. Even xkcd even has a relevant comic about this.
If your super-awesome-complicated password is compromised, nothing will stop the hacker from using it on all of your accounts. This holds especially true for your email password. Once your email is compromised, all a hacker needs to do is click the “forgot my password” link on various websites to gain access.
Some password managers exist to try to alleviate this password problem by storing (and in some cases, creating) your passwords for you, like a personal password journal some of you probably have. All those passwords are typically protected by a “Master password” that you must always remember (or else!). We are currently building one into Key that you’ll love to use and wonder how you got through life before it!
Some web browsers, like Safari, Firefox and Chrome, will store your passwords as well, but those password managers are usually restricted to the browser and difficult to use outside of that one browser.
6. Use two-factor authentication
Sometimes passwords aren’t enough. This is where two-factor authentication becomes the best way to protect your most secure assets.
You may have used this before without knowing exactly what it was, but after you type your password, you may have gotten a text to your phone with 6 random digits that you need to type to finish the verification.
This works because it verifies you with two factors of your identity, something you know (password) and something you have (phone).
While I personally use it everywhere it is available (making my login times ridiculously long), many small businesses will use it specifically for their email addresses to prevent the kinds of attacks I mentioned above.