When it comes to information security, we’re seeing the same mistakes over and over again.
Even if your business is a small bakery, it won’t get far without a computer. These days you can’t buy or sell without one, and mobile devices are not just ubiquitous but essential. Anyone starting a business therefore has to be able to handle modern technology. Here we discuss the most common cyber mistakes we’ve seen from budding business owners.
1. Passwords on sticky notes
Funny — ironically funny — but still unfortunately true: Passwords to all kinds of resources shared across organizations often end up scribbled on sticky notes and stuck to employees’ displays, where any casual office visitor can see them. The consequences depend very much on what resources the password unlocks — your website host, the accounting system, or the computer that stores the customer database — but the typical result of such carelessness is stolen information or money.
Solution: Ensure every office computer and every employee’s computer and mobile device is protected with a unique password. Use a password manager to avoid weak, reused, and forgotten passwords. Users of our solution for small offices can use the same license code to activate our password manager as well.
2. Shared passwords
Another thing about passwords: Keep them private. When some employees have more access rights than others, they sometimes share, for convenience or by necessity. “Hey, Chris, I’m in bed with a cold. Would you send a file from my computer to the boss? Here’s my password.” Later, Chris quits in anger, and even if her password is revoked promptly, she knows the other guy’s login credentials and can wreak havoc.
Solution: Emphasize the importance of password security to staff, and use two-factor authentication wherever possible.
3. Simple passwords
If the password to your accountant’s e-mail is password123 or the like, cracking it on a simple home computer takes about six seconds. Something like MyPaSsWoRd123 takes two days to crack, and that’s not at all secure either. However, something like P’@’s’s’w’0’r’d would take more than 10,000 years to crack (at least, without access to data-center-level computing power). A cybercriminal trying to brute-force that password doesn’t have that kind of time to spare.
Solution: Passwords also have to be different from one another, which makes them just about impossible to remember. Employ some sort of mnemonic rule or install our password manager and forget it all with a clear conscience. Truth be told, even complex passwords can be leaked, so you should turn on two-factor authentication everywhere you can, which offers you protection in the event of a leak.
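Cracking-time figures like the ones above depend on what the attacker is actually doing. As an added illustration (not from the post; the guess rate of ten billion per second, the toy wordlist and the sample passwords are constructed assumptions), the following estimator shows two attack models side by side: exhaustive brute force over the character set the password uses, and a rule-based dictionary attack for a word with a few digits appended. The second model is why a word-plus-digits password is far weaker than its length and character mix suggest.

```python
import math
import re
import string
from typing import Optional

# Assumed attacker throughput (a constructed parameter, not a figure from the post):
# 1e10 guesses per second is the order of a few consumer GPUs against a fast, unsalted hash.
GUESSES_PER_SECOND = 10**10

CHARSET_CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

# Constructed toy wordlist; real cracking tools use lists with hundreds of millions of entries.
TOY_WORDLIST = {"password", "welcome", "bakery", "letmein", "qwerty", "summer", "mypassword"}
CASE_RULES = 4  # lower, Capitalised, UPPER, aLtErNaTiNg


def charset_size(password: str) -> int:
    """Alphabet the attacker must assume: the union of every class the password touches."""
    size = sum(len(chars) for chars in CHARSET_CLASSES.values()
               if any(c in chars for c in password))
    others = {c for c in password
              if not any(c in chars for chars in CHARSET_CLASSES.values())}
    return size + len(others)


def brute_force_guesses(password: str) -> int:
    """Exhaustive search: every string over the alphabet, from length 1 up to this length."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def dictionary_guesses(password: str) -> Optional[int]:
    """If the password is a wordlist word (any capitalisation) plus up to four digits, the
    guesses a rule-based dictionary attack needs; None when the pattern does not apply."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,4})", password)
    if not m or m.group(1).lower() not in TOY_WORDLIST:
        return None
    return len(TOY_WORDLIST) * CASE_RULES * 10 ** len(m.group(2))


def estimate(password: str, rate: int = GUESSES_PER_SECOND) -> dict:
    """Pick the cheaper attack and report the expected time (half the search space on average)."""
    brute = brute_force_guesses(password)
    dictionary = dictionary_guesses(password)
    if dictionary is not None and dictionary < brute:
        attack, guesses = "dictionary", dictionary
    else:
        attack, guesses = "brute force", brute
    return {
        "charset": charset_size(password),
        "entropy_bits": round(math.log2(brute), 1),
        "attack": attack,
        "expected_seconds": guesses / 2 / rate,
    }


def human_time(seconds: float) -> str:
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"


if __name__ == "__main__":
    for pw in ("password123", "MyPaSsWoRd123", "Rye-Sourdough!42-Oven"):  # constructed samples
        e = estimate(pw)
        print(f"{pw:24} charset={e['charset']:3} {e['entropy_bits']:6} bits "
              f"{e['attack']:11} -> {human_time(e['expected_seconds'])}")
```

The takeaway matches the post’s advice: length and variety drive the brute-force number up exponentially, but only a password that is not a dictionary word with decoration gets the benefit of that number.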
4. No backups
Your databases, your accounting records, your all-important tables, and your other indispensable documents are stored somewhere, be it on a personal computer, on a server, or someplace else. To be safe, copy them regularly to another location as well; then if a hard drive dies, or a server is compromised, your files should still be safe. Your website needs regular backups as well.
That said, making backups is a drag, and easy to put off. You really need to make backups, though, and often. No one expects an emergency, but one day the janitor will pull out the power strip, or the hard drive (and the accounting system database on it) will break down, or malware will lock your critical files. Will this happen tomorrow or in one year and thirty-three days? No one knows, but we’d bet whatever the “something” is, it’s not something anyone anticipated. Your current janitor may be very careful, but what about his eventual replacement? Accounting may have all new computers, but every hard drive has a life span. What if a pipe bursts right above your server room? The point is, you can prepare for all sorts of possibilities, but no one expects the unexpected.
Solution: Back up important data and update all firmware and software regularly, which at least will minimize the number of holes in the system and software through which someone uninvited can get into your network. Use a dedicated backup solution. If you already use Kaspersky Small Office Security, then you already have a secure backup automation utility as well.
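Whatever tool you use, a backup you have never restored is only a hope. Here is an added example (not the post’s or Kaspersky’s code) of the two steps any backup routine has to include: write a timestamped archive with rotation, then restore it into a scratch directory and compare checksums against the live data. The bakery file names and contents are constructed; the verification step is what catches a corrupted drive or an encrypted file before you need the copy.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large ledgers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest_dir: Path, keep: int = 7) -> Path:
    """Write a timestamped .tar.gz of `source` into `dest_dir`, then prune to the newest `keep`."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%f")  # sorts chronologically
    archive = dest_dir / f"{source.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    for old in sorted(dest_dir.glob(f"{source.name}-*.tar.gz"))[:-keep]:
        old.unlink()
    return archive


def verify_backup(archive: Path, source: Path) -> list[str]:
    """Restore the archive to a scratch directory and compare every file's SHA-256 with the
    live source. Returns the relative paths that differ or are missing; empty means good."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # the "data" filter (Python 3.12+, backported to older patch releases) refuses
            # archive members that would escape the extraction directory
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored_root = Path(scratch) / source.name
        for src_file in source.rglob("*"):
            if not src_file.is_file():
                continue
            rel = src_file.relative_to(source)
            restored = restored_root / rel
            if not restored.is_file() or sha256_file(restored) != sha256_file(src_file):
                problems.append(str(rel))
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample data: back it up, verify, then damage the live copy and verify again."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "bakery-data"
        (source / "accounting").mkdir(parents=True)
        (source / "customers.csv").write_text("name,email\nA. Baker,a@example.com\n")
        (source / "accounting" / "ledger-2024.csv").write_text("date,amount\n2024-01-02,19.50\n")
        archive = create_backup(source, Path(work) / "backups")
        clean = verify_backup(archive, source)
        # simulate a failing disk or ransomware touching the live file after the backup ran
        (source / "customers.csv").write_text("GARBAGE")
        damaged = verify_backup(archive, source)
    return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("problems right after backup:", before)
    print("problems after the live file was damaged:", after)
```

Run this on a schedule against the real data directory and alert on a non-empty result; a mismatch means either the live data changed since the last run (expected) or the archive cannot reproduce it (the case you need to know about before the drive dies).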
5. Forgotten access rights
Employees and companies often part ways on less than the best of terms. If a website developer, for example, quits in a huff, they could potentially delete parts of the site. Access revocation is a critical part of any separation, but even before that, limit employee access to those resources they need for their work.
Solution: Whether a member of staff quits, changes position or is asked to leave, immediately assess their rights and revoke or transfer as necessary.
6. Default settings
Even a bakery needs a router. Did anyone set yours up properly? In lots of cases, an ISP employee’s priority is just to get you connected, so they key in the ISP’s settings and call it a day. But default administrative login and password combinations leave your network essentially open. Getting hacked and being added to a botnet is not the worst that could happen. For example, someone might install a sniffer, a tool that captures all of your traffic, at which point no complex password will save you. In a nutshell, changing the default settings on routers and other network devices is vital, and doing the same on every other device is simply good practice.
Solution: Set up your router and network appropriately. It’s not a fun task, but it’s quick. At a minimum, change the administrator name and password, but also take a moment to make sure your network uses WPA2 encryption and disable remote management of the router, and check for (and install) any available firmware updates.
7. Lack of antivirus protection
It’s tempting — and popular — to think you’re too small to be a target. Other delusional excuses include: “I’m smart and safe, so nothing bad will happen to me”; and “I have a Mac, so I won’t get infected.” Being smart and using a more secure system targeted by fewer malware programs is good. But all of your employees should be smart and safe — and malware is only one of many dangers. At the very least, consider phishing, which is every bit as risky to Macs as it is to Windows, not to mention immensely popular with scammers attacking organizations.
Solution: Install and configure a strong and reliable security solution such as Kaspersky Small Office Security. Set it up to check for and automatically install updates. This solution, designed specifically for small businesses, has an antiphishing module that helps you avoid Web pages aimed at stealing your login credentials and other data.
8. Uninformed employees
The first step is understanding that you have a problem; employees who aren’t well-versed in modern security protocols are unlikely to advertise the issue — if they’re even aware of it. So, good job identifying a big problem! However, unless you pass your knowledge on to everyone working alongside you — in an understandable and actionable way — one of them will end up being the weak link.
Solution: Train existing employees, and new ones as they arrive. The basics of safe digital literacy include not opening e-mail attachments from unknown senders, not following links without checking their targets, using reliable cloud services with two-factor authentication for sensitive data, not downloading software from unreliable or illegal sites, and so on. No time for training? Use an automated learning platform.
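Checking where a link really goes before following it (the habit section 8 asks of employees) is also what an antiphishing module does for them automatically (section 7). As an added example, not from the post, here is a small checker that pulls the links out of an HTML e-mail and flags the usual tricks: the visible text naming one site while the link goes to another, a username-looking prefix before an `@` that hides the real host, a bare IP address, punycode labels used for look-alike domains, and unexpected URL schemes. The sample e-mail is constructed from reserved example domains and a documentation IP address.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one honest link, one disguised with userinfo and an IP, one punycode look-alike.
SAMPLE_EMAIL = """
<p>Your invoice is ready. <a href="https://accounts.example.com/invoices/42">View invoice</a></p>
<p>Verify your login at <a href="http://accounts.example.com@198.51.100.7/login">https://accounts.example.com/login</a></p>
<p>Update your details: <a href="https://xn--accunts-7db.example.net/">accounts.example.net</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _split(url: str):
    """urlsplit that tolerates a bare host such as 'accounts.example.net'."""
    parts = urlsplit(url.strip())
    return parts if parts.scheme else urlsplit("http://" + url.strip())


def registrable_host(url: str) -> str:
    """The host a browser would actually connect to: lowercase, without userinfo or port."""
    return (_split(url).hostname or "").lower().rstrip(".")


def _same_site(a: str, b: str) -> bool:
    a, b = (h[4:] if h.startswith("www.") else h for h in (a, b))
    return a == b or a.endswith("." + b) or b.endswith("." + a)


# Visible text a reader would take for an address: a URL, a www. name, or a host with two or more dots.
_LOOKS_LIKE_URL = re.compile(r"https?://\S+|www\.\S+|[\w-]+(\.[\w-]+){2,}(/\S*)?", re.I)


def inspect_link(href: str, text: str) -> list[str]:
    """Return the reasons this link deserves suspicion; an empty list means nothing stood out."""
    reasons = []
    parts = _split(href)
    target = registrable_host(href)
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme '{parts.scheme}'")
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real destination")
    try:
        ipaddress.ip_address(target)
        reasons.append("target is a bare IP address")
    except ValueError:
        pass
    if target.startswith("xn--") or ".xn--" in target:
        reasons.append("punycode label (possible look-alike domain)")
    if not target.isascii():
        reasons.append("non-ASCII characters in host")
    if _LOOKS_LIKE_URL.fullmatch(text):
        shown = registrable_host(text)
        if shown and not _same_site(shown, target):
            reasons.append(f"text shows '{shown}' but link goes to '{target}'")
    return reasons


def scan_html(fragment: str) -> dict[str, list[str]]:
    """Map each href in the fragment to its list of warnings."""
    parser = _LinkCollector()
    parser.feed(fragment)
    return {href: inspect_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "looks consistent")
```

Hovering over a link shows the same `href` this code reads; the checker just does the comparison a careful employee would, and it is the kind of rule an antiphishing module applies before the page ever loads.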