Small businesses play a vital role in America’s economy, employing more than 50% of the working population1. As a business grows, so does the volume of data critical to its operation. Given this correlation, how does a growing business secure their critical data (client information, personnel records, etc.) without investing overwhelming amounts of money for equipment and the personnel to operate and maintain it? More importantly, how can security concerns be addressed without hampering day-to-day functions, especially for employees that may not be technically savvy?
Regardless of the size of a business, the first step to securing critical data is educating employees. Each person that is granted access to data must understand both the sensitivity of the data as well as the impact of losing or exposing it to malicious actors. Employees must understand that there is always a threat of data being lost or stolen. The magnitude of this threat will vary for each business, but the size of the company is not always an indicator of the likelihood that they will be targeted by hackers. Malware rarely discriminates, and even non-targeted access to a particular company’s network may be a big gain for criminals. Consider the possibility of a group of hackers who specialize in identity theft gaining access to a company’s payroll data. Given access to this information, every employee becomes a likely victim. Businesses must also consider the possibility of data loss/exposure due to insider threats (a malicious employee) or lost/stolen equipment.
Once a business can qualify the threat and impact of data loss, their management and technical staff must cooperatively implement measures that will decrease their vulnerability. There are a myriad of commercial security solutions available that can help achieve this, with the unfortunate downside of cost: they are often expensive to license, and may require a full-time IT staff to properly implement, monitor, and maintain them. Fortunately, there are also many solutions and best practices applicable to small businesses that do not require significant resources, and can produce a level of security that is both satisfactory and practical.
When attempting to secure a small network, the biggest return on investment is achieved from the simplest action: ensuring that software is always kept up-to-date. This is a policy that should be implemented company-wide and requires minimal effort from employees. Many software programs offer an automatic update feature–at a minimum, most can alert users when updates are available. Similarly, each computer should be running up-to-date antivirus software. There are hundreds of antivirus solutions available at a wide range of price points (including free–a business does not need to spend a large amount of money for competent antivirus software.) Avast, Avira, Comodo, and Microsoft offer free antivirus products that can be easily downloaded and installed. If a business has at least one technically-savvy employee, they should be able to configure antivirus products in such a way to achieve the desired balance between security and usability.
Cloud infrastructure is not just a buzzword–lower costs and higher reliability are encouraging businesses to outsource many of their software needs to decentralized providers. As a result, sensitive data is not always stored locally on computers with a company’s facility. Many small businesses now use services such as Google Apps or Microsoft’s Outlook. com for company email and storage. These are perfectly valid solutions for reliability and maintenance concerns, but the data that is stored in cloud services is only as secure as the passwords used to protect it. A recent attack against Adobe’s web site allowed hackers to retrieve encrypted usernames and passwords for many of their customers2. While the stolen passwords were encrypted, simple passwords can easily be cracked with brute-force password guessing software. It is imperative that employees use complex passwords that can not be easily guessed by potential attackers, and that the same passwords are not used for critical and non-critical accounts. Passwords should generally be no less than ten characters and include upper and lower case letters, numbers, and special characters. Regardless of how well an email provider protects their servers, if someone can easily guess a password, then data will be compromised.
Implementing a strong password policy is as important for connected devices as it is for online accounts. If an employee uses a phone, tablet, and computer to access their accounts, these devices should each be protected with strong passwords as well. To provide an extra layer of protection against unauthorized access, many online services offer two-factor authentication which utilizes physical tokens or specialized mobile apps in addition to requiring a password. Even with these mechanisms in place, employees must consider the possibility of losing a laptop or phone. Regardless of whether or not a device is protected with a strong password, physical access to the device makes it feasible to bypass these mechanisms and access data on the device3. A business can guard against this type of data loss by encrypting all data on their devices. There are a myriad of full-disk encryption solutions out there that are both easy to implement and transparent to users. A quick internet search will teach users how to use Microsoft’s BitLocker, Apple’s FileVault, or the open source TrueCrypt to protect the files on their computers and devices.
It is imperative that employees use complex passwords that can not be easily guessed by potential attackers, and that the same passwords are not used for critical and non-critical accounts.
problem; it is equally important to ensure that data is still available to a business if one of their devices is lost. It may not be practical for a small business to invest in backup servers (both onsite and offsite) to keep copies of their data, but there are many cloud backup solutions that will ensure that a lost laptop does not mean that data is gone forever. Amazon, Google, Dropbox, and others provide data backup solutions that will protect against data loss for a nominal fee.
Coupling employee education with pragmatic technical solutions will help businesses ensure their data is protected from unauthorized access and loss. Businesses must be willing to dedicate modest time and resources to initiating each of these solutions, but once they are in place, they require minimum overhead to maintain. The cost of implementing rational and secure data policies and practices will forever outweigh the risk of becoming a victim of data loss. Is your business ready?