Say what you will about our Washington gridlock, but at least the House finally made some progress on one issue that's relevant to your small business: cybersecurity. H.R. 5064, better known as the Improving Small Business Cyber Security Act of 2016, passed the lower house last April.
- Allowing the Department of Homeland Security to send cybersecurity information to small businesses.
- Creating a call center to help small-business owners prepare for cyberattacks.
Unfortunately, that may be where the good news stops. Mark Grabowski (@ProfGrabowski), an associate professor specializing in Internet law and digital ethics at Adelphi University (@AdelphiU), says he's not overly optimistic about the bill becoming law.
"The Senate must also approve it and, ultimately, the president must sign off on it," says Grabowski. "GovTrack.us, an independent website that tracks Congress, right now gives it a 36 percent chance of becoming law."
So where does that leave you, the small-business owner? Probably looking after your own cybersecurity for now. Here are some tips from cybersecurity experts to help you out.
How to Identify Your Cyber Threat Profile
"Many small businesses just assume that they’re not targets for hackers when actually over 60 percent of all breaches are at the small- to medium-size business level," says CIO and chief security fanatic at BSSi2 Nick Espinosa (@NickAEsp). "Why? Because these businesses tend not to be as invested in cybersecurity infrastructure as larger corporations."
On the one hand, that makes small businesses easy pickings for a hacker. But Espinosa says cybercriminals might also be attracted to your connections.
"Small business tends to cater to larger business. It could be an accounting firm contracted by a larger corporation, a parts supplier or even some kind of support service," he says. "Everything is connected today, so if a small business doesn’t want to lose clients and reputation, building a threat profile and then executing on a plan to implement cybersecurity defense is critical."
Espinosa recommends having a cybersecurity professional assess your risks. They'll typically start by evaluating…
- Your current technology.
- Your current security policies.
- The average skill level of the users.
- Your business's operations and clients.
The takeaway: "By knowing the threats to their clients, a small business can better prepare for possible attacks," says Espinosa.
Best Security Practices for Your Passwords
You probably already know that you need strong, hard-to-crack passwords (e.g., "password" does not count as a strong password), but that's just the beginning. Haber recommends you follow these four basic rules, too:
- Never reuse the same password between work and home.
- Never reuse the same password for financial institutions and social media.
- Never reuse the same password for an administrator account at work as your standard login.
- Never tell anyone your password. If you need to share it, change it when the other person is done using it.
Moreover, Grabowski reminds small-business owners to password protect all of their technology – computers, cell phones, and Wi-Fi included.
The takeaway: Require your employees to make strong passwords and to change them regularly. It makes it much more difficult for hackers to get into your systems.
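Haber's four rules are easy to state but hard to enforce by hand once a business has more than a handful of logins. The script below is an added example (not from the article or from any of the contributors) of how an owner or IT helper could audit a password-manager export for two of the problems the section describes: weak passwords and reuse across the account pairs the rules forbid (work vs. home, financial vs. social, admin vs. standard work login). The category names, the short common-password list, the 12-character minimum and the sample accounts are all constructed for the example; the audit report only ever contains a truncated hash of each password, never the password itself.

```python
import hashlib
from collections import defaultdict

# Account categories and the pairs between which reuse is a violation.
# These labels are constructed for this example; they mirror the three
# "never reuse" rules quoted above (work/home, financial/social, admin/standard).
CONFLICTING_PAIRS = {
    frozenset({"work", "home"}),
    frozenset({"financial", "social"}),
    frozenset({"work-admin", "work"}),
}

# Tiny constructed sample of "known bad" passwords. A real audit would use a
# full breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12  # assumed policy minimum, not a figure from the article


def fingerprint(password: str) -> str:
    """Hash the password so the audit output never reveals it.

    Two accounts sharing a password share a fingerprint, which is all the
    reuse check needs. The digest is truncated only to keep reports short."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def too_weak(password: str) -> bool:
    """Flag passwords that are short or on the common-password list."""
    return len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS


def audit(accounts):
    """Audit a list of (account_name, category, password) tuples.

    Returns a list of human-readable findings: one 'WEAK' line per weak
    password and one 'REUSE' line per password shared across a forbidden
    category pair."""
    findings = []
    by_fingerprint = defaultdict(list)

    for name, category, password in accounts:
        if too_weak(password):
            findings.append(f"WEAK: {name} ({category})")
        by_fingerprint[fingerprint(password)].append((name, category))

    for users in by_fingerprint.values():
        if len(users) < 2:
            continue  # password used by only one account
        categories = {category for _, category in users}
        for pair in CONFLICTING_PAIRS:
            if pair <= categories:
                names = ", ".join(n for n, c in users if c in pair)
                findings.append(
                    f"REUSE across {' / '.join(sorted(pair))}: {names}")

    return findings


# Constructed sample export: three violations are planted deliberately.
SAMPLE_ACCOUNTS = [
    ("office-laptop", "work", "Tr0ub4dor&3-office"),
    ("home-wifi", "home", "Tr0ub4dor&3-office"),            # reused work/home
    ("bank", "financial", "correct horse battery staple"),
    ("twitter", "social", "correct horse battery staple"),  # reused financial/social
    ("domain-admin", "work-admin", "password"),             # weak
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(finding)
```

Run against the sample export it prints one WEAK line and two REUSE lines. Because the check works on fingerprints, the same logic can run on an export where the passwords have already been hashed with the same function, so nobody has to read plaintext passwords to do the audit.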
How to Guard Credit Card Information
Not every business has a point of sale terminal, but if yours does, Haber says it's time to upgrade to the kind that accepts EMV chips.
"This will prevent potential skimmers and remove the liability from your business if the device is compromised," he says.
For more on that, check out "The Small Business Guide to the EMV / Chip Card Liability Shift."
Haber adds that you should never photocopy, handwrite, electronically key into a terminal, or manually copy credit card information. While this is common practice for phone orders, keystroke loggers and other hacking tools can scrape manually entered information for later attacks. Instead, he recommends investing in a secure online payment platform like PayPal.
The takeaway: Updated hardware and software is key to making sure your customers' credit card information is safe.
Bonus tip: Grabowski points out that small-business owners also make online purchases. He recommends frequently reviewing your bank and credit card statements to check for irregularities.
Basic Data Protection
Grabowski says you can protect important files, such as tax returns and financial records, by encrypting them and backing them up regularly. He also says you may want to store your backups in another location.
However, if your business handles especially sensitive data, like mortgages, Haber says you may want to consider a managed service provider.
"Hiring an MSP with the expertise to advise and correct these security problems will potentially prevent a breach and augment your staff with the latest best practices to combat modern cybersecurity issues," he notes.
The takeaway: Sometimes it makes sense to call in an expert. Evaluate your risks and decide how important it is for your business to get its cyber practices right.
Hackers are a real threat, but they aren't the only one. Get more protection tips in "4 Risks Less Sexy than Cyber Security that Matter More to Your Business."
About the Contributors
By the time Nick Espinosa was 12, he was building computers and programming in seven different languages. At 19, he founded Windy City Networks, Inc. After 15 successful years, Espinosa joined forces with BSSi2 in 2013 as the CIO and chief security fanatic. As an expert in security and network infrastructure on every platform, he has consulted with clients ranging from a few computers to the Fortune-100 level. He received the Editor's Choice Award for his outstanding contributions to the #1 bestselling computer and technology book Easy Prey and writes a regular column on security, technology, and the future for SmartFile.com.
Mark Grabowski is a tenured professor specializing in Internet law and digital ethics at Adelphi University in New York, and he's an adjunct professor of communications law at National University in California, where he teaches online. He also consults small businesses on communication and information technology needs, such as media relations, intellectual property law, and cybersecurity issues. For more info, visit markgrabowski.com.
With more than 20 years of IT industry experience, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently oversees strategy for both vulnerability and privileged identity management. In 2004, Haber joined eEye as the director of security engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune-500 clients. Prior to eEye, he was a development manager for Computer Associates, Inc., responsible for new product beta cycles and key customer accounts.