Cyber Security Basics for Startups and Small Businesses
In today’s digital age, cyber threats come in all shapes and sizes. They are ever-evolving and becoming more complex. The evolution and sophistication of cyber threats are a cause for alarm for company executives, who cannot realistically prevent every single incident. From small businesses to multinational corporations, cyber threats are real and occur almost every day. These cybersecurity breaches leave behind a trail of great financial losses and serious damage to a company’s reputation.
In large companies, the CEO and the CSO work around the clock to establish cybersecurity risk management programs that help them keep up with the latest trends in cybersecurity, manage risks, and detect cybersecurity incidents before they infiltrate their IT systems.
On the other side, small businesses with limited cybersecurity expertise and resources can reduce cyber breaches by adopting cybersecurity basics. It is widely reported that cyber criminals target companies of all sizes, and that small businesses and startups are a major casualty. These companies lack the necessary IT expertise and have limited budgets to allocate to cybersecurity risk management. Instead, they tend to rely on staff who know little about cybersecurity threats and trends.
This blog addresses some cybersecurity basics that small business executives can adopt to help their companies reduce cyberattacks and safeguard their data across multiple devices, browsers, networks and in the cloud.
Protect Company Files and Devices
The ease of connectivity, mobility and bring-your-own-device practices puts companies at greater risk of being hacked. Reports of ever-increasing data breaches and malware, and the growing sophistication of cybercriminals, should be a major wake-up call for company executives to implement cybersecurity tools that safeguard their data and networks.
Small businesses should implement encryption as part of their security policy. Encryption is the use of algorithms to transform sensitive information so that it is unreadable to unauthorized users. Here is a good example: credit card information collected from customers is encrypted into unreadable ciphertext. This prevents unauthorized users from reading the credit card information stored on a company’s servers, in cloud storage or on other networks. If a company’s devices are compromised, encryption prevents the attacker from reading the data unless they have also obtained the decryption key. If an email or a data transfer to the cloud is intercepted, encryption keeps it safe.
Laptops, tablets, smartphones, removable devices and any other media that contain sensitive data, as well as cloud storage, should always be encrypted. Information transferred to the cloud should be encrypted before storage.
Companies should require passwords on all laptops, tablets and smartphones. Those passwords should not be shared or stored on unsecured networks, and they should be changed at minimum every 90 days. There is ongoing debate about what makes an effective password. The widely accepted norm has been that a password must contain more than eight (8) characters with a combination of numbers, symbols, upper and lowercase letters. But this norm is now seen as less effective. Longer passphrases of unrelated words tied together, at least 25 characters in total, are more effective because they are harder to crack and easier to remember. Most hacking-related breaches are reported to result from stolen or weak passwords.
Use Multifactor Authentication
Companies should consider the use of multifactor authentication as part of their security policy. Multifactor authentication adds a layer of security to protect companies against data breaches involving compromised credentials. With large volumes of compromised credentials available to attackers, password-based security alone is no longer effective. Requiring extra information or factors before people can access networks, servers and other sensitive applications is a more effective means of preventing cyber attacks.
A properly implemented multifactor authentication may ask the user for:
- What the user knows, such as a username, password, PIN or security questions.
- What the user possesses, such as a smartphone, passcode or smart card.
- What the user is, i.e. a biometric such as a fingerprint, retina scan or voice recognition.
Update Apps, Software and Devices Often
Ever-evolving cyber threats force software and hardware developers to release security and performance updates periodically. This calls for companies to adopt a security policy that allows updates to run automatically.
Secure Company Data and Files
Important files and data should be backed up on an offline external hard drive or in the cloud. Sensitive information collected on paper should be stored in a secured location. Access to secured locations should be limited to people who have been granted permission or clearance. The company policy should make it clear that employees are not permitted to copy any company information onto their unsecured personal devices.
Protect the Company Wireless Network
Secure the Router
To protect your wireless network, change the default password to a complex passphrase that contains a mixture of unrelated words, upper and lowercase letters, symbols and numbers. This prevents hackers from accessing your wireless network through a quick search for network equipment vendors’ default passwords.
Change the default Service Set Identifier (SSID) to prevent an attacker from cracking the WPA security and compromising your company network.
Use a router that offers WPA2 or WPA3 encryption. The use of encryption protects information sent over the network from malicious cybercriminals who may want to spy on companies’ activities.
Set up a guest network so your company does not share the complex passphrase with everyone that visits your business location.
Secure Access Points (APs)
Access points have a reset button that an attacker can press to restore factory default settings, allowing anyone to connect to the network. To prevent this from happening, physically secure all the access points distributed in your company, limit access to access points and ports, and disable any unused ports.
Use WPA2 or WPA3 with 802.1X Authentication
802.1X authentication is ideal for Wi-Fi security because it authenticates every user. Each user has their own username and password, which makes it easier to manage and revoke that account if the Wi-Fi user leaves the company or loses their laptop or smartphone.
Train Company Staff
Effective cybersecurity management depends on people, processes and IT systems. Companies can have top-notch IT systems security but still become a target of cyber attacks if they have neglected to train their staff about cyber security threats, risks and cybersecurity risk management. Most cybersecurity incidents arise from phishing emails targeting employees. This leads to cyber criminals taking over the employee’s account or gaining access to sensitive data.
For companies to implement effective cybersecurity management tools that safeguard their data, people must be trained on the current trends in cyber threats. They must be made aware of the various forms of cyber attacks and be given tools to help them understand what they can do to protect their companies from cyber threats. Companies should implement processes to help employees manage company information and IT systems security against internal and external threats. Lastly, because cybersecurity is complex and constantly changing, they should train their staff regularly.
Visit www.mercynjengacpa.com for more articles on this topic. As always, consult a competent professional expert.