Helping small to medium-sized businesses (SMBs) increase the security awareness, and overall security, of their employees is an ongoing goal of ours. Our mobile device management solution, SKY WORK, will come into play, but it is not the only thing you need to protect yourself, your employees, your business, or your customers. Those are pretty important people, right? Let’s protect them!
This article will tackle the issue of small business security by looking at securing:
- People
- Networks
- Hardware
Each one requires different approaches, and each one builds on the other. You can’t do one and expect it to handle the other two issues; you need a holistic approach to security, and this article will show you how.
People: protect your SMB with education
Absolutely no tool invented can make you safe if your employees don’t use it, don’t know how to use it, or don’t see the importance of always using it. We call this a “problem between the keyboard and the chair”, and only education can solve this problem.
An effective and ongoing cyber security education plan is essential, just like any other loss prevention or workplace safety strategy. This includes basic documentation of your cyber security plan, such as the templates found in the SBA’s Cybersecurity portal.
There are fun ways to do this, such as this game from Elevate Security:
Breaking away from lectures and handouts, and doing something active, helps instill a sense of responsibility into each employee. They need to know they have to make responsible choices with their:
- Use of strong and diverse passwords
- Clicking on emails, links, and downloads which could be phishing scams
- Giving away of data to the wrong people
- Use of multi-factor authentication (MFA) on services which allow it
- Backing up of data securely in case devices are stolen or subjected to ransomware
- Authorization of software updates from trusted sources
If employees feel these things are only IT’s job, they’re wrong. It is everyone’s job to be responsible for their actions online. If they refuse to adapt and do not listen to training, ask yourself if this employee is more valuable than the security of everyone else you work and do business with. Many companies make repeatedly not following security policies a dismissible offence, and for regulated industries poor security policies can have serious implications for the company.
Is your employee base larger, making it hard to get everyone together? Try including videos in every company newsletter or email blast. They don’t have to be boring; even a video like this can help keep security top-of-mind:
Curate a variety of videos for distribution over several months. Sharing YouTube videos is a minimal time investment for you, but high-value for your employees. They will like being told to watch YouTube at work for once!
Other ideas that play to having more fun rather than having more work? Display tweets from thought leaders in the cyber security industry. Here are a few I respect, and a broader list of experts here:
For those asking what SIM swapping is, it's when someone tricks or bribes someone at a mobile phone provider/store into transferring your cell service to a new SIM card/device they control. Allows interception of text messages, phone calls used for two-factor authentication.
— briankrebs (@briankrebs) August 30, 2019
There are many more ways to communicate cyber security training information in ways that are a bit more dynamic and exciting.
Networks: firewalls, VPNs, and anti-virus for your business
Your first step in actual digital security tactics is having a firewall set up on your company network. The goal of a firewall is to block unauthorized access to your network. There are three important considerations here:
- Installing firewall software on every computer
- Using hardware firewalls on every connection point
- Setting up software firewalls on the computers of remote employees
Hardware firewalls on all access points are usually where most companies end their firewall practices. The idea behind using firewalls on each computer, and for remote workers, is that instead of having one gatekeeper controlling access and defending people, everyone knows deadly styles of kung fu and can protect themselves.
VPN use for your business
VPNs were invented for remote workers to have encrypted access to work networks. Their greatest benefit is how they encrypt traffic on networks people can’t control (such as a coffee shop, restaurant, airport, or other public WiFi) so traffic cannot be intercepted and read by attackers.
The VPN industry is full of marketing about how great each product is (I know this well because I used to review VPNs for a living), so be sure to read several reviews before buying one. PC Mag is always a good place to start for anything techie. Tom’s Guide is also a good resource to check.
VPNs are essential for remote workers. No one wants to have their data stolen at the local coffee shop they like to work from. Hackers target locations like coffee shops in the hopes of getting data from specific employees they have tracked as visiting there.
There is no getting around the fact that a little bit of antivirus software—even the free varieties—can do a lot to protect your business from malware which can:
- Steal personal data from machines
- Capture anything typed into a keyboard with a keylogger
- Turn your whole network into a “bot” which can send out spam and DDoS attacks
- Cause random windows to pop up on machines which lead to more malware
- Include ransomware which demands money to release files it has locked with encryption
Yes, many computers come with antivirus software on them already. Windows has Windows Defender, and Macs are well known for their Gatekeeper security. Settling for what is included simply isn’t enough for a business. Your customers don’t expect that ‘good enough’ is good enough for them. Investing in commercial antivirus software is crucial for all businesses.
Hardware: use mobile device management
Now that you have secured your people and your network, it is time to secure your devices. All too often someone takes their machine home with them, but it gets lost or stolen along the way.
A mobile device management system (MDM) will allow you to:
- Locate: See where the device is physically located. This allows you to get the device if it is in a known-to-be-secure area.
- Lock: If the device is close, you can go get it, but if the device is a little further away and still in a secure area, it can be locked.
- Delete: For those times when a device appears to have been stolen, an MDM will allow you to delete all data on the device. When a device is BYOD, only the work data can be wiped if the owner thinks they can still recover the device.
One of the most common hacks is simply stealing a device and extracting data from it. This can be devastating if the computer belongs to someone with sensitive data.
SKY WORK for MDM
A tool designed to do all three of the tasks above is SKY WORK. We have designed our product with these key features:
Each feature offers increasing security to users. Those in fields with slightly lower security needs can use the base MDM and be mostly secure, with Secure Documents with SKY DOCS perhaps being used by C-level users. Those in sensitive industries, such as law, pharmaceuticals, or anything with proprietary information, will need the MDM, Productivity Apps, and Secure Documents to truly lock down their work and communications.
Multiple lines of defense protect your SMB
You can’t rely on one person, one system, or one piece of hardware or software to protect your business. Hacking isn’t that sophisticated and usually just involves a trick and a little laziness on the user’s side:
This wasn’t science fiction. This is completely within the realm of any hacker. It isn’t as sexy as a movie about hacking with cute CGI and hackers spouting one-liners, it’s just a terminal and code combined with an exploit as simple as someone wanting free WiFi. This is reality. This is how hackers exploit users and networks to steal data, money, and time from you.
Your business and its customers deserve:
- Proper training for all employees from the bottom up
- Software and hardware which have multiple layers of protection for your network
- Device management which will protect individual devices against theft
These three aspects of security are the basis for any business, regardless of its industry or size. Start making your plan this Cyber Security Month before hackers start making their plan for how they will exploit your weaknesses.