They say opposites attract. Although my husband and I have many important things in common, we are complete opposites in one area. He’s a “risk taker,” and I’m... well, not so much. Rather than being labeled as “risk averse,” I prefer the term “caution giver.”
I’m a federal employee. I come from a long line of public servants. I bet that my ancestors probably worked in the service of the king or queen, or at least the local earl or baron, before they came to the United States. My husband is a different story. He’s a small-business owner. Whereas I tend to worry and ask a lot of what-if questions, he likes the challenge of being in command and building his business.
In my role leading NIST’s Cybersecurity for Small Business Outreach, I’ve met many small-business owners, and most have similar personalities to my husband. They have incredible drive and an unrelenting spirit. Small-business owners see opportunities where caution givers like me only see risk.
It might be in your nature to be a risk taker, but cybersecurity is one area where you need to listen to the caution givers. Many small businesses don’t have the resources to employ an entire IT security team, and attackers know it; that makes them especially attractive targets. Not to fret, though (leave that up to me); there are some simple things you can do now to help manage cybersecurity risks to your small business.
Train your employees
Employees at every level must know the company policy on computer use. Review the policy regularly for updates and make certain it is accurate, clearly understood, and posted for all to see.
Are employees allowed to use social media on their work computers? Social media is a great way to interact with your customers and grow your business, but attackers also use it for social engineering: posing as a customer, vendor, or colleague to fool your employees into giving away information that can be used to damage your business’s reputation or even steal from you.
Are employees downloading and using applications on their work computers? Free games may be fun to play during a lunch break, but what else is going on? Attackers gain access to computer systems through games and “free” applications found online. Allow employees to install an application only when they need it to do their work and it comes from a trusted source.
How do employees handle information that may be sensitive to the business, such as tax or payroll information? Enforce a rule to never send sensitive information through unencrypted email.
Aside from these proactive steps, train employees on what to do when a security incident occurs: whom to tell, how to preserve evidence (for example, disconnect the machine from the network rather than wiping it), and what not to say publicly until you know what happened.
Stay up to date
Even the best software isn’t perfect, and attackers are constantly looking for ways to exploit those imperfections. Thankfully, software vendors and security researchers constantly work to correct imperfections and plug the holes in their products; be sure to apply security updates promptly, for operating systems, applications, and network devices alike, and turn on automatic updates wherever the product supports them.
Install and activate software and hardware firewalls
Firewalls block unwanted network connections, such as connections from the internet to services on your internal computers that should never be reachable from outside, and they can restrict which sites and services your computers can reach. (Malicious email and risky websites are handled by the email and web filters discussed below; a firewall alone will not stop them.) Install a hardware firewall between your business’s internal network and the internet, and leave the software firewall on each computer turned on as well, so that one compromised machine cannot freely reach the others.
Secure wireless access point and networks
If your business uses wireless networking, make sure that you change the administrative password that was on the device when you bought it, and turn on the strongest encryption the device supports (WPA2 or WPA3) with a long passphrase. Many guides also suggest setting the access point so that it does not broadcast its service set identifier (SSID); be aware that this only hides the network name from casual users, since anyone with a wireless sniffer can still see the network, so treat it as a convenience setting rather than a security control. The encryption and the passphrase are what actually protect the traffic.
Only access wireless networks that you trust and are certain of their security. That free Wi-Fi in the coffee shop may be convenient, but is it secure? If you must use it, avoid handling business data on it, or connect through a virtual private network (VPN) so that the coffee shop’s network sees only encrypted traffic.
Require individual user accounts and strong passwords
Each user should have an individual account and password; shared accounts make it impossible to tell who did what when something goes wrong. Do not share passwords with anyone, including other employees. Administrative privileges should be limited to a few employees, and even they should use an ordinary account for day-to-day work such as email and web browsing. Your employees should have access only to those systems that they need to do their jobs. Limiting administrative privileges prevents employees from installing unauthorized software and limits the damage malware can do if it does get onto a machine. Require your employees to use strong passwords and train them on how to create one: a long passphrase beats a short string of symbols, and a password used for the business must never be reused on other websites.
Set up web and email filters
When you are selecting an email provider, make sure they offer filtering for spam, phishing, and malicious attachments. Use web or DNS filtering, either in your browser, your firewall, or your internet provider’s service, to keep your employees from reaching known malware-infected websites.
Make full backups of important business data
Do a full, encrypted backup of every computer and mobile device at least once a month, and more often for data that changes daily, such as accounting records. Do this shortly after a complete virus scan, so that you are not preserving an infection along with your data. Store your backups away from the office in a protected place, so that if something happens at the office, your data are safe. Keep the key or passphrase that protects the backup separate from the backup itself; a backup stored next to its key is not really encrypted. Finally, test your backups periodically by restoring a few files from them: an encrypted backup that cannot be decrypted, or a backup that was silently corrupted, is discovered far too late if the first restore attempt is during a real emergency.
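The following is an added example, not part of the original post and not a NIST tool. It shows the backup-and-verify procedure described above in working code: it packs a directory into a tar archive, encrypts it with AES-256-GCM under a 32-byte key that is assumed to live in a separate key file kept off the backup media, and then verifies the backup by decrypting it and computing a SHA-256 checksum of every file it contains. Because GCM authenticates the data, a backup that has been corrupted or tampered with, or that is opened with the wrong key, fails verification instead of restoring bad files. The directory layout, file names, and key handling are assumptions for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Backup packs every regular file under dir into a tar archive and encrypts
// it with AES-256-GCM. The result is nonce||ciphertext||tag; the tag lets
// Verify detect corruption or tampering. key must be 32 bytes (AES-256).
func Backup(dir string, key []byte) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if !info.Mode().IsRegular() { // skip directories, symlinks, devices
			return nil
		}
		rel, err := filepath.Rel(dir, path)
		if err != nil {
			return err
		}
		hdr, err := tar.FileInfoHeader(info, "")
		if err != nil {
			return err
		}
		hdr.Name = filepath.ToSlash(rel) // store paths relative to dir
		if err := tw.WriteHeader(hdr); err != nil {
			return err
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		_, err = io.Copy(tw, f)
		return err
	})
	if err != nil {
		return nil, err
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return encrypt(buf.Bytes(), key)
}

// Verify decrypts a backup produced by Backup and returns the SHA-256 hex
// digest of each file in it, keyed by relative path. Any bit flip in the
// blob, or a wrong key, makes GCM's authentication fail and Verify errors.
func Verify(blob, key []byte) (map[string]string, error) {
	plain, err := decrypt(blob, key)
	if err != nil {
		return nil, fmt.Errorf("backup failed authentication: %w", err)
	}
	sums := map[string]string{}
	tr := tar.NewReader(bytes.NewReader(plain))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		h := sha256.New()
		if _, err := io.Copy(h, tr); err != nil {
			return nil, err
		}
		sums[hdr.Name] = hex.EncodeToString(h.Sum(nil))
	}
	return sums, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func encrypt(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per backup
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil // prefix nonce to ciphertext
}

func decrypt(blob, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("backup is truncated")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	// Constructed demo: a temporary "office" directory with one payroll file.
	dir, _ := os.MkdirTemp("", "office")
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "payroll.csv"), []byte("hello world"), 0o600)
	key := make([]byte, 32) // in practice: read from a key file stored off the backup media
	_, _ = io.ReadFull(rand.Reader, key)
	blob, err := Backup(dir, key)
	if err != nil {
		panic(err)
	}
	sums, err := Verify(blob, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("verified files:", sums)
}
```

The verification step is the point: run it against the copy you actually intend to keep off-site, not against the original, and compare the reported digests with ones recorded at backup time so that silent media corruption is caught before you need the restore.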
Be cyber-aware
If you are a small-business owner, you may be a risk taker, too. Take it from a caution giver: There are some risks you shouldn’t take—no matter what. Being careless with cybersecurity is one of them. If you’re looking for a more detailed cybersecurity model, check out the NIST Cybersecurity Framework and the report: “Small Business Information Security: The Fundamentals.”
And be careful out there!
First published on NIST's Taking Measure blog.