Small Business and Security
Security in Small Business is one of the things I will always focus on. It’s taken so lightly, and most small businesses don’t think they’re at risk. “Why would someone want MY stuff?” Quite simply, you’re an easy target, and you may not know about the little gems you hold in the vault of your business archives. If you’re doing business with partner organizations, you could be the “gateway” into their system without knowing or understanding this. You don’t have millions to spend on security, so you’re an easy mark. The moment you’re sure it won’t happen to you, it will.
So what do you do? You don’t have the budget to be a virtual Fort Knox. You don’t even know if you’re at risk. At Tech Officers, our philosophy is that if someone wants something bad enough, they’ll get it. No matter WHAT security measures you take or the millions you spend, if criminals want it bad enough they WILL figure out the flaw and get in. If you’re a fan of the TV show Mr Robot, you saw the complexity of how Elliot and crew “got in” to a major corporation. While this is a dramatization of a hypothetical situation (some would say not realistic), the show illustrates just how simple and easy it is to access a company’s network by simply leaving USB sticks in the parking lot or passing out CDs on the street corner.
This is when I go back to my Sarbanes-Oxley days and MITIGATE the RISK! How? You first need to perform due diligence when it comes to IT security (have a firewall, secure passwords, standard stuff I’ll cover later). But let’s focus on two things you can do now to mitigate your security risk.
Encrypt your “Data at Rest”
Imagine someone breaking into your home, running to the Master Bedroom, and seeing a jewelry box full of aluminum foil bracelets and bead necklaces. Who wants that? They would probably skip over your “treasure” for something else of value or just move on. Encrypting your data is a similar concept. You make your “treasure” the biggest stinky pile of garbage that someone would never touch. “At Rest” refers to data that’s stored (you’re not sending it to someone – “data in motion” is covered under other security practices). And yes, we’re talking about using a strong encryption key (a password for your encryption). If you’re a Mac user, FileVault 2 is the easiest way to encrypt your machine. For Windows users, you can use BitLocker as a quick and easy solution. Just be careful to not lose the encryption key/password. If you do, there’s NO way to recover your data. Which brings us to your backups.
Backup Critical Data (AND Encrypt it)
Someone got in. They took your “garbage” that was encrypted. Now you need to notify everyone you’ve done business with, your clients, your vendors, your mother, your best friend’s dog… You get the idea. But what if you had an intrusion of another sort? What if a key employee downloaded an unsolicited resume from an email, they opened the file, and all of a sudden you have what’s called a zero-day exploit on your hands that has now just encrypted your office files with a nice message saying, “Pay us or lose your data!” Did you back up your data?
While some would argue that a backup isn’t a security item, and I agree that backups are part of a comprehensive plan for IT in business, I want to point out that I’m specifically talking about mitigating risk as it relates to security. If all else fails, if you have a backup of your data, at least you can fail-back to that point in your business life. We’re seeing more and more instances of CryptoLocker and the like, so your backup is a great way to protect against this type of attack that your anti-malware program didn’t catch.
Probably the biggest IT mistake I see when walking into a small business for the first time is that there are no backups. Not even an attempt. Ho hum, it won’t happen to me. And then there’s a fire. There’s a break-in, and your key machine was stolen. There’s a malware outbreak that encrypts your files. One of the best things you can do to prevent the loss of your business (and I mean, you go out of business if you don’t have backups) is to make sure you have backups. Whether it’s a free or low-cost online service, Dropbox, Google Drive, or copying key files to a portable drive and taking that home, it’s CRITICAL that you make backups of your key data. While you’re at it, make sure that the data you’re backing up is encrypted. Remember the point above about encrypting your data? This includes backups.
Start with these two simple points to begin mitigating your security risks and securing your small business. Encrypt the data you store, and back up and encrypt your critical data. Start simple and work your way from there. There are loads of resources online to help you, including resources from the FCC. And if you’re too stressed to deal with any of this, feel free to give us a call at 415-963-9900. Until next week, I’m wishing you a productive and prosperous week!