Small business owners face a cybersecurity landscape that is frightful, if not terrifying. The largest governments and public companies fail to navigate it unscathed with billion-dollar budgets, so what is a small business to do?
I am Martin MartyG Gottesfeld. Rolling Stone calls me The Hacker Who Cared Too Much, for my “Crusade to Save Children.” Allegedly, I am part of what Stephen Colbert calls the “global hacker nerd brigade known as Anonymous.”
“Anonymous is a hornet’s nest.” —Stephen Colbert.
Most important to small business owners, the Justice Department told the Supreme Court that I “orchestrated one of the largest [distributed denial-of-service attacks (DDoSes)] ever conducted, in terms of traffic volume.”
Suffice to say I know a thing or two about cybersecurity. I was also a client-facing I.T. engineer serving organizations from the very small to the Fortune 500. My time billed at hundreds of dollars per hour, but consider this a free public service announcement. MartyG Reports offers this information without any warranty of any kind, express or implied. What follows is not intended as comprehensive. If you suspect you are a victim of cybercrime, you should take immediate actions outside the scope of this document to preserve evidence, mitigate risks and ensure continuity. State and federal laws may also require disclosure of cybersecurity incidents.
Though the headlines are disconcerting, most common cybercrimes are easily avoided. Financially motivated cybercriminals, for the most part, do not pursue particular targets. They cast wide nets seeking the lowest-hanging fruit. Hence, an ounce of prevention is enough for most businesses to avoid falling prey entirely. Here are, in my opinion, the most important habits to protect a small business. I hope that you already follow many of these, but I suspect that most small business owners will find some they had been missing. No such list, however, should ever be considered complete.
• Do not be naive and wait to find out the hard way.
Most have heard of the Nigerian Prince scheme. If you have not, then you need to start frequenting reliable—even if politically slanted—sources of breaking cybersecurity news. No, Kim Komando does not count. You need sources that do not take endorsement deals and that publish 24-7 to a different kind of audience. And, no, MartyG Reports does not count either. We make no effort to be a comprehensive cybersecurity news source. That is beyond our capabilities without a staff of hundreds and a worldwide presence.
Further, even if already wary of the Nigerian Prince, you may find you miss important developments absent a deliberate effort to include cybersecurity in your news consumption. Did you hear about the Call of Duty worm two days ago? If not, you are not the high-hanging fruit that you may wish to be.
• Keep your workstations and other devices updated.
Microsoft, Android, Apple, anti-malware and other updates may seem like a nuisance, but they are the single most essential technical step to protect a small business. Do your updates promptly unless you have an articulable business reason to delay a particular update, such as migration costs or functionality concerns.
Those who are weeks or months behind on updates are generally the most vulnerable.
• Browse, email and answer calls astutely.
That free video site may be a disaster waiting to happen. Be sure you do not get more than you skirted paying for.
Be leery of emails from unknown senders, especially emails with links or attachments. And be wary if a known entity asks via an electronic medium that you provide information it already should have or should not need, or for you to do anything outside the ordinary course of your business together. A simple phone call to ask, “Did you send me this email?” may avoid irreparable harm, both for you and for your business associate.
That said, government agencies generally do not initiate contact over the phone for financial matters. The I.R.S. never calls you first about a tax issue. If the situation is new, novel or otherwise sparks an emotional response on your end, do your research before you give sensitive information over the phone or agree to send money.
The general rule remains: if something seems too good or weird to be true, it usually is.
• Use good password practices.
Use strong passwords everywhere.
But never use the same password for multiple accounts. Those who use their Gmail passwords for everything, for example, may find their email addresses and passwords on lists circulated by cybercriminals. Once that happens, cybercriminals use automated tools to try those email addresses and passwords to log in at common sites that do not uniformly require two-factor authentication (see below), e.g., Facebook, LinkedIn, and Bank of America. Again, they are not targeting individual persons, they are reaping the harvest of the low-hanging fruit.
If this happened to you, you may ask how your one password to everything ended up listed on the dark web. You may never know because it could have been compromised at any one place, like that quick, cheap pizza shop up the road where you created an account for that one order. But once your password was compromised somewhere it was compromised everywhere.
All this said, the average person has a hard time memorizing one strong password. So how do security experts memorize 27? We don’t. We use a password manager. One strong password, which I do memorize, unlocks the password manager itself. In turn, the password manager generates a unique, random, strong password for each of my accounts, but I do not have to memorize each one.
Password managers work on mobile devices and synchronize, safely, using technologies like Google Drive, without letting Google know the actual passwords. I recommend against letting Google, Microsoft or other companies directly manage your passwords—they have breaches and the occasional nefarious employee, and present other concerns. I use a password manager that shares my data with no one, that allows me to take an offline backup of my encrypted password database, and one that, I know, the feds tried but failed to break. (I will not name it, but I have left enough hints.)
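An added example, not code from the original article: a small Python audit of the kind a password manager performs, run over a constructed account list. It flags one password reused across several accounts, generates a unique random replacement per account, and checks a password against a leaked-credential corpus using a hash-prefix range query (the k-anonymity scheme used by the Have I Been Pwned API, which the article itself does not mention); the corpus is a constructed local set standing in for that server.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample inventory, as a password manager would hold it.
# Every value here is made up for this example.
ACCOUNTS = {
    "gmail":      "Summer2019!",
    "facebook":   "Summer2019!",
    "bank":       "Summer2019!",
    "pizza-shop": "Summer2019!",
    "quickbooks": "k7$Qz!9vLp2#mXw4",
}

def _sha1(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest().upper()

# Constructed stand-in for a leaked-password corpus held by a range-query
# service: the client sends only the first 5 hex chars of the SHA-1 and gets
# back every suffix in that bucket, so the password itself never leaves the
# machine. Real services hold hundreds of millions of entries; this holds 3.
LEAKED = {_sha1(p) for p in ("Summer2019!", "Password1", "letmein")}

def range_lookup(prefix: str) -> set[str]:
    """Server side of the range query: all hash suffixes in one prefix bucket."""
    return {h[5:] for h in LEAKED if h.startswith(prefix)}

def is_leaked(password: str) -> bool:
    """Client side: reveal a 5-char prefix, compare the suffix locally."""
    digest = _sha1(password)
    return digest[5:] in range_lookup(digest[:5])

def find_reuse(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each password shared by two or more accounts to those accounts."""
    by_pw = defaultdict(list)
    for name, pw in accounts.items():
        by_pw[pw].append(name)
    return {pw: names for pw, names in by_pw.items() if len(names) > 1}

def generate_password(length: int = 20) -> str:
    """What a password manager does per account: unique, random, strong."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def audit(accounts: dict[str, str]):
    """Return (reused password -> accounts, accounts whose password is leaked)."""
    reused = find_reuse(accounts)
    leaked = sorted(n for n, pw in accounts.items() if is_leaked(pw))
    return reused, leaked
```

Running `audit(ACCOUNTS)` shows the one reused password on four accounts, all of them exposed the moment it turned up in the leaked set, while the manager-generated password for the fifth account is neither reused nor leaked.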
Where possible, do not share accounts. Have your vendors set up a separate, named account for each employee who needs a particular resource. If you must share an account—Twitter, for example—limit your sharing of its password to the employees who absolutely need that particular account. See also, below, Handle departing employees gracefully.
• Beware of “security questions.”
“Security questions” are, by far, my least favorite security practice. In which town were you born? Where did you go to school? On which street did you grow up? The answers to these and most other “security questions” are easily attainable, often from public records. Do not let what happened to Sarah Palin happen to you. When she was running for vice president, someone easily found the answers to her security questions.
Where you can, use two-factor authentication, see below, instead of “security questions.” If a site absolutely requires “security questions,” look for questions whose answers would not be available through public records or common knowledge. If the site has only bad “security questions” to choose, and they are mandatory, seriously consider using a competing site or send its security team this article. I will gladly disabuse them of their faulty notions about “security questions.”
• Use at least two-factor authentication.
Use two-factor authentication in places that support it. Where you do enable two-factor authentication, use the feature, if available, to print a set of backup two-factor codes. Do not save the backup list to your computer or cloud accounts. Print it and place it offsite, somewhere you trust and can easily access it, but where, if found, its finder will not know what it is or what to do with it.
It is especially important to enable two-factor authentication on your primary email address. If cybercriminals compromise that, they can use the “Reset my password” feature on most sites to email password-reset links to your inbox, having already taken control of it.
• Know where, and with whom, your information sits.
Avoid placing sensitive information in too many hands. When cloud providers are compromised, customers’ data is generally breached. Imagine doing everything right, but your business information still gets compromised, not because you or your employees screwed up, but because your cloud storage provider used a third-party tool that was penetrated.
If a vendor has a bad security history, vote with your feet.
Make sure mobile devices with sensitive information are encrypted with strong passwords and are set to lock themselves automatically.
And if you have business information sprawled out in places you cannot monitor, rein it in.
• Control access to your networks and computers.
If your Wi-Fi password is the address or name of your business, change it to something that meets strong-password criteria. Typing it into new devices might be an occasional pain, but it is far better than the alternative.
Never give non-employees your Wi-Fi password. If you need to provide guests Wi-Fi, use a segregated guest network to do so.
Do not, e.g., leave your computer logged into QuickBooks when you go out to lunch. Set your computer to lock after a few minutes of inactivity. And, you can always use Windows Key + L to lock your P.C. before leaving it unattended.
See also, below, Handle departing employees gracefully.
• Take comprehensive offline backups and test them.
“Never underestimate the bandwidth of a station wagon full of [backup] tapes hurtling down the highway.” —Andrew Tanenbaum, 1981.
So, the ransomware thugs got your data. They want $5,000. You, however, run a small bakery and, fortuitously, the data they got does not include anyone’s credit cards or other sensitive information. But you do need your QuickBooks files.
Or, you kept all your important data on your laptop and its hard drive now smells like the child-labor soldering shop in the country from which it came (a country we all know, but which I will not name).
The good news is you have an offline backup that you know to be recent, healthy and complete, sitting somewhere safe at this very moment, right?
RIGHT?!
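An added example, not code from the original article: a Python restore test for the three properties the text asks of a backup, recent, healthy and complete. It takes a plain tar archive as a stand-in for whatever offline backup you actually make, restores it into a scratch directory, and compares every live file against the restored copy; the source directory, archive path and seven-day age limit are assumptions for the demonstration.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_backup(source: Path, archive: Path) -> None:
    """Stand-in for the real backup job: archive `source` into a plain tar."""
    with tarfile.open(archive, "w") as tar:
        tar.add(source, arcname=".")

def verify_backup(source: Path, archive: Path, max_age_days: float = 7) -> dict:
    """Restore `archive` to scratch space and check it against the live data.
    recent:   archive is no older than max_age_days
    healthy:  archive opens and extracts without error
    complete: every live file is present in the restore with identical content
    """
    report = {"recent": False, "healthy": False, "complete": False,
              "missing": [], "changed": []}
    age_days = (time.time() - archive.stat().st_mtime) / 86400
    report["recent"] = age_days <= max_age_days
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive) as tar:
                try:
                    # Refuse members that would escape the scratch dir (Python >= 3.12
                    # and security backports); older versions lack the filter argument.
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)
            report["healthy"] = True
        except (tarfile.TarError, OSError):
            return report  # unreadable archive: nothing more to check
        for live in source.rglob("*"):
            if not live.is_file():
                continue
            rel = live.relative_to(source)
            restored = Path(scratch, rel)
            if not restored.exists():
                report["missing"].append(str(rel))      # added since the backup
            elif _sha256(restored) != _sha256(live):
                report["changed"].append(str(rel))      # edited since the backup
    report["complete"] = not report["missing"] and not report["changed"]
    return report
```

A backup that passes all three checks today is the one you want to have sitting offsite before the ransomware note arrives; a failed "healthy" check on a freshly made archive means the backup job itself is broken.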
• Make sure your employees’ practices are sound.
So, you’ve read through this list, an assured smile on your face, knowing that you’ve checked all these boxes. Wonderful.
What about Ted, your sales guy? You know, Ted, who has all your customer data on an iPhone that he unlocks with 1-2-3-4-5? The customers may love Ted, but he or someone like him can absolutely sink your battleship.
Before Ted’s iPhone gets pickpocketed on a business trip, make sure he and all your other employees are following the same good practices that you are.
• Handle departing employees gracefully.
Someone is moving on, or, awkward, it’s time to fire someone. Have a checklist before the big moment so that you are sure you get back all the business assets and keys to the kingdom: laptop, mobile phone, tablet, thumb drives, keys, numeric codes to locks and other devices, passwords, corporate cards, etc.
Then, once the person has left, change all the passwords and codes that person used, including Wi-Fi, the office security system, accounting software, online banking and other online accounts.
Think of it this way: you are actually doing your departing employee a favor. I used to hate it when I left a company and soon after a former colleague told me that no one had changed the passwords. If anything had happened, I would have been the prime suspect. Put your and the person’s minds at ease by lovingly precluding future doubts.