Three Free IT Security Steps for your SMB
When we sit down with customers to have strategic discussions on their IT use and process, we often receive security questions and concerns, as data security is such a hot topic these days.
“How can I make my small business more secure?”
Many technology vendors will tell you exactly what you want to hear, professing a silver bullet, a singular solution that will solve all your IT security problems, but that’s just not the case. There are countless different threats to your business, and many of them are easily preventable.
And yes, you can buy a lot of great security products. We’d be happy to discuss why some of the leading options can really improve your security posture and decrease the likelihood of having a data breach. But remember, some of the best investments you can make in your business’ security aren’t always hardware or software. Rather, think about people and process in your organization.
So as we close down National Cybersecurity Month, here are three quick steps you can take as a small business owner to strengthen your IT security stance, without buying anything at all.
Talk to your staff about IT security often and train them
For new employees, include IT security training in their onboarding. A basic checklist could include showing a new employee what a spam email might look like and what types of emails you should be receiving from the business. It’s important to discuss what tools, applications, and subscriptions your business deploys and which ones you’ll never see. Then talk to employees about wire fraud and impersonation attacks. Tell them that the CEO will never email them saying they need help doing a wire transfer. Talk to your payroll staff about how payroll changes should be verified; make a policy to not accept changes to payroll deposit locations without a confirming phone call to a known number for that employee. These sound basic, but they’re important.
Having this conversation up front helps draw awareness to it immediately – not six months or a year later. This way, your staff understands the importance of their role in the IT security picture. From there, on a regular schedule, send your staff updates and tidbits on different security situations. These tidbits should come twice a year for all businesses but should be as often as quarterly or even monthly for regulated industries.
Security topics can include the following:
- Phishing attempts via email and phone.
- USB drive safety: not plugging in unknown drives.
- Policies regarding corporate data, specifically which devices and networks that data can be accessed from and which ones it cannot be connected to.
- Two-factor authentication (more on that shortly).
If this all sounds daunting, it’s not. Have your IT team leader or consultant perform a webinar on IT security and simply record the webinar to play it back to new staff. There are some fantastic in-depth training resources ITP can provide you, so don’t let your fear hold you back from doing something simple TODAY.
Set up Two-Factor Authentication
The next best solution you can deploy without buying anything new (most likely) is to turn on two-factor authentication (2FA) in all of your core business applications. If you’re using a cloud-based ERP, if you’re using Office 365 for your email, or if you’re doing something like buying office supplies from Amazon frequently, you can and should enable 2FA through those services.
All 2FA means is you’ll have your username and password, plus something else to verify your identity. That ‘something else’ could be a text or phone call that provides a code, an app on your phone that rotates through various six-digit codes, or a message to a secondary email. Basically, you have to verify your identity through a secondary device/account, hence the term two-factor.
Most major web providers and platforms, even your Facebook account, will have a two-factor authentication option, and you absolutely should always turn it on.
2FA prevents people who obtain your username and password from actually getting into those accounts. At some point in your business’ life, credentials will be compromised, and having 2FA enabled will slow down and often prevent hackers from using your employees’ accounts. So even if your employees make the mistake of clicking on a bad link or fall victim to a phishing scam, your business has another, free, level of security.
Turn off all the ports outside of your Firewall
Understandably, this one requires a bit more explanation for the less technical business owner. Your firewall is the device in your network that separates the outside world from your internal world. In other words, it is the barrier between your public IP address and all the private IP addresses and devices inside your network. Your firewall is a critical piece of your network, as it is the virtual front line of defense for your information.
When it comes to firewalls, what we often see is a prioritization of convenience (ease of access) over security. By setting your firewall so that no IP address or port responds to the outside world, the odds of being found by a hacker scanning public IP addresses drop dramatically. Why? Because you’re not showing up on the radar. You’re wearing an invisibility cloak of sorts, because your IP address will appear to have nothing going on. Now, you may be asking one of these “easier said than done” questions:
What if I have a remote access server my users need to use? Can I still run a web-based business application? And what if my external staff needs to access our system?
All of this comes down to convenience vs. security, and the right process resolves it. Having your users connect to a VPN (virtual private network) before they’re able to access internal systems allows your business to avoid an open port that permits that external access. People often choose convenience when accessing internal systems, but that means your IP address is out there. Hackers scanning the web for potential victims can see your IP address’ location, which ports are open, and what operating system is being used, and this information allows them to plan attacks quite easily.
To improve your security posture, set your firewall to “deny all” on your external ports. Your firewall will appear “closed” to anyone outside of the accepted users, which will go a long way towards increasing your security posture.
For employees, this means sacrificing some convenience. In some situations, this might mean deploying a VPN or expanding your current VPN’s reach. The cost of this step is negligible compared to the cost of a data breach. If you absolutely require a port to be open, you can also add an “accepted users” list (an allow-list of permitted source addresses) to decrease hackers’ and scanners’ ability to reach the port from the outside.
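As an added example that is not from the original post, here is what the “deny all outside, VPN only, allow-list for a required port” posture looks like as an nftables ruleset on a Linux edge firewall. The interface names, the WireGuard port, the management port and the source addresses are assumptions (addresses are from documentation ranges); substitute your own.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny inbound policy for a small-business edge firewall.
# Assumptions: WAN on eth0, LAN on eth1, WireGuard VPN on UDP 51820 bound to wg0.
# Addresses below are documentation-range placeholders, not real users.
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define VPN = "wg0"

table inet edge {
    # The one port that must stay reachable (here HTTPS) is opened only to an
    # explicit allow-list of source addresses: the "accepted users" list.
    set accepted_users {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.10, 198.51.100.0/24 }
    }

    chain input {
        # "deny all": anything not explicitly accepted is dropped rather than
        # rejected, so the public address gives no answer to a port scan.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # The VPN endpoint is the only service the whole Internet may reach.
        iifname $WAN udp dport 51820 accept

        # Managing the firewall itself is allowed only from the LAN or over the VPN.
        iifname { $LAN, $VPN } tcp dport 22 accept

        # The required exposed port, restricted to the allow-list.
        iifname $WAN ip saddr @accepted_users tcp dport 443 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        # LAN and VPN users may initiate traffic outward and to each other;
        # nothing arriving unsolicited on the WAN side is forwarded inward.
        iifname { $LAN, $VPN } accept
    }
}
```

Load it with nft -f and verify from outside with both an allow-listed and a non-listed address before relying on it.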
Connect with ITP for other Security Questions
No matter the security question, we’re available to talk it over with you. We’ll look to provide you with the solution that best fits your situation. The long and short of it is that there are lots of tools in your tool chest, and you already own or have access to many of them. We’d love to talk about how you can deploy them today to improve your security posture.
We want to stop your IT Security situation from keeping you up at night. Simply contact ITP and talk to our experts who can do a full security audit and we can help you sleep soundly knowing your security is in good hands.