This is the second part of the series of articles on cybersecurity for SMEs. In the first part, we have discussed how to start your cybersecurity work by determining your vulnerabilities and protecting your devices. In this part, we will talk about protecting your data.
No matter what type of business you run, your data is at the heart of your business. Without the contact information of your customers, your inventory, your property data and all the rest, you simply would not be able to function as a business. You can lose your data in many ways: your equipment may be damaged or broken, hackers can break into your system and steal it, or you may be affected by a natural disaster. Your goal should therefore be to insure against data loss by taking precautions against the worst possible consequences.
1. Implement a procedure to back up critical data
There are two types of backups. When you perform a full backup, you make a copy of all the selected data and transfer it to another device or medium. With an incremental backup, on the other hand, you copy only the data created or changed since the last backup of your system.
The simplest and most effective method is to combine the two: perform a full backup periodically and an incremental backup every day. You can also do a full backup every night after hours. You must verify that your backups are working properly; it would be catastrophic to lose all your data and then find that your backup system does not work. You can do this by restoring a test portion of your data to a new location and comparing it with the original. This confirms that your backup system works and lets you spot any problems in the backup process before you need it.
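The following script is an added example, not a tool from the article or from any vendor it names. It implements the procedure just described for a directory of files: a full backup copies everything, an incremental backup copies only files that are new or changed since the latest backup, and a verification step restores a sample of files to a scratch directory and compares them with the live copies. The backup layout (one directory per backup set with a JSON manifest of SHA-256 hashes), the hash-based change detection and the sample files in demo() are all assumptions made for the demonstration.

```python
"""Full and incremental backups with a restore-based verification step.
Added example, not the article's own tool. Assumptions: files live on a local
disk, each backup "set" is a directory under a backup root holding a
manifest.json of SHA-256 hashes, and demo() builds constructed sample files."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content hash used both to decide what changed and to verify restores."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_sets(backup_root: Path) -> list:
    """Backup sets in creation order (names are zero-padded, so sorting works)."""
    if not backup_root.exists():
        return []
    return sorted(p for p in backup_root.iterdir() if p.is_dir())


def current_state(backup_root: Path) -> dict:
    """Latest backed-up version of every file: relative path -> (set dir, sha256),
    built from the most recent full set plus every incremental set after it."""
    state = {}
    for set_dir in backup_sets(backup_root):
        manifest = json.loads((set_dir / "manifest.json").read_text())
        if manifest["kind"] == "full":
            state = {}  # a full set supersedes everything before it
        for rel, digest in manifest["files"].items():
            state[rel] = (set_dir, digest)
    return state


def backup(source: Path, backup_root: Path, full: bool) -> dict:
    """Full: copy every file. Incremental: copy only files that are new or whose
    content differs from the latest backed-up version. Returns the manifest.
    Deletions are not recorded, so removed files still come back on restore."""
    state = current_state(backup_root)
    if not full and not state:
        raise RuntimeError("an incremental backup needs an earlier full backup")
    kind = "full" if full else "incr"
    set_dir = backup_root / f"{len(backup_sets(backup_root)):04d}-{kind}"
    manifest = {"kind": kind, "files": {}}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        digest = sha256_of(path)
        if full or state.get(rel, (None, None))[1] != digest:
            target = set_dir / "data" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest["files"][rel] = digest
    set_dir.mkdir(parents=True, exist_ok=True)
    (set_dir / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(backup_root: Path, rel_paths, dest: Path) -> None:
    """Copy the latest backed-up version of each requested file into dest."""
    state = current_state(backup_root)
    for rel in rel_paths:
        set_dir, _ = state[rel]
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(set_dir / "data" / rel, target)


def verify_backup(source: Path, backup_root: Path, sample) -> list:
    """Restore a sample of files to a scratch directory and compare them with
    the live copies. Returns the paths that do not match (empty list = usable
    backup). Run it right after a backup, before the live files change again."""
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        restore(backup_root, sample, Path(tmp))
        for rel in sample:
            if sha256_of(Path(tmp, rel)) != sha256_of(source / rel):
                problems.append(rel)
    return problems


def demo() -> dict:
    """Constructed scenario: three files, a full backup, one edit plus one new
    file, an incremental backup, a verification, then a corrupted stored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, root = Path(tmp, "live"), Path(tmp, "backups")
        src.mkdir()
        for name in ("customers.csv", "inventory.csv", "notes.txt"):
            (src / name).write_text(f"sample content of {name}\n")
        full = backup(src, root, full=True)
        (src / "inventory.csv").write_text("updated inventory\n")
        (src / "invoice.txt").write_text("new invoice\n")
        incr = backup(src, root, full=False)
        ok = verify_backup(src, root, ["customers.csv", "inventory.csv", "invoice.txt"])
        # Simulate damaged backup media by overwriting one stored copy.
        stored = current_state(root)["customers.csv"][0] / "data" / "customers.csv"
        stored.write_text("corrupt\n")
        bad = verify_backup(src, root, ["customers.csv", "inventory.csv"])
        return {"full": sorted(full["files"]), "incr": sorted(incr["files"]),
                "ok": ok, "bad": bad}


if __name__ == "__main__":
    print(demo())
```

The verification deliberately compares a restored copy rather than the files inside the backup set: a manifest that looks complete says nothing about whether the stored bytes can still be read back, which is exactly the failure the article warns about.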
There are several ways to back up your data. You can put it on a physical device, such as a USB flash drive or a second hard drive, or place it in a shared folder on your network. You can also keep backups in a secure offsite location. However, a backup kept in a single physical location will not help you in the event of a natural disaster or theft. We strongly recommend that all companies invest in a cloud-based backup system; you can read the next section for more information.
Where do I start?
- Evaluate the data retention policy of your company. Are all your key data saved? If so, where do you keep this data?
- Work with your system administrator or IT team to set up a weekly backup plan.
- Test your backup system to verify that it works.
2. Encrypt confidential business data stored on the cloud
Today, many organizations keep most, if not all, of their data on a cloud-based platform. It can be a cloud storage service like Dropbox, or a SaaS (software as a service) platform like Salesforce. Because the word “cloud” suggests an abstract virtual space, we tend to believe that our data is kept somewhere intangible. In reality, it simply means that your data is not stored on your hard drive or local network, but on remote computing facilities operated by your cloud provider. It is therefore essential to carefully review the security measures put in place by your cloud provider, and to verify that your data is protected to an adequate level.
There are several approaches you can take to ensure that your files in the cloud are secure. The simplest and safest approach is to encrypt your files yourself before uploading them, and a number of programs can help you do it. This means that you do not depend on the security of your cloud provider, and that you can use the service without worry. Just make sure you do not lose your encryption keys: without them, your own backups are unreadable.
However, it is important to consider your cloud storage options carefully. There are more and more providers on the market, and some of the smaller and lesser-known ones offer more effective security features than the big brands. Some of these services will automatically encrypt your files before they are uploaded to the cloud.
Where do I start?
- Evaluate the important data of your company. How much is stored or backed up on a cloud platform, and is this platform secure?
- Examine different cloud platforms and look for the level of security that best meets the needs of your business.
3. Protect your passwords
The most common way to authenticate the identity of those who access your network or important data is a password. Unlike more advanced authentication systems such as smart cards and fingerprint readers, passwords are attractive because they cost nothing and are easy to use. However, passwords are also exposed to attack. Hackers have developed sophisticated and automated tools that allow them to crack simple passwords in minutes. They can also use various fraudulent methods to obtain your company’s passwords, for example through a phishing attack.
Passwords can become ineffective for a variety of reasons. We often fail to protect our official documents with a password, which means that anyone sitting at one of your office computers can access them. To avoid forgetting their passwords, many employees write them down in plain sight. And most importantly, people tend to use weak, easy-to-remember passwords, use the same password everywhere, and never change it. All of these errors leave the door open to hackers.
These seven steps to create a strong password will help you prevent hacking attacks:
- Create different passwords for different services
- Regularly change your passwords
- Choose a strong password
- Opt for two-step verification
- Disable autocomplete for usernames and passwords
- Use a password manager – an application or program that stores all of a user’s passwords securely
- Never send your password by e-mail and do not communicate it by phone
It’s critical to educate your staff about the importance of strong passwords if you want passwords to be a key tool in your cybersecurity arsenal rather than an open door for hackers.
Where do I start?
- Have all employees check their passwords with a password strength checker. If their passwords could be cracked in minutes or even hours, have them replace them with a more secure option.
- Enable two-step verification for all employee accounts, where possible.
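The following is an added example of the kind of check a password strength tool performs, written for this article and not taken from it or from any product. It estimates how long a password would survive an automated guessing attack from its length and character mix, treats a common password with digits or symbols tacked on the end as nearly as weak as the bare word, and reports passwords reused across several services (the article's "same password everywhere" problem). The guessing rate, the short list of common passwords, the rating thresholds and the sample accounts are all constructed assumptions; a real checker uses a breach corpus of millions of entries.

```python
"""Password strength estimate and reuse check. Added example, not the
article's or a vendor's tool. The guessing rate, the common-password list,
the thresholds and SAMPLE_ACCOUNTS are constructed assumptions."""
import math
import string

# Assumed offline guessing rate against a leaked database of fast, unsalted hashes.
GUESSES_PER_SECOND = 1e10
# Constructed stand-in for a breach corpus; a real check uses millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search to cover this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in pw):
        size += 100  # rough allowance for non-ASCII characters
    return size


def entropy_bits(pw: str) -> float:
    """Rough search-space estimate in bits. A common password, even with a
    digit/symbol suffix, is a dictionary word plus a short suffix, not random
    characters, so it gets only a few bits per appended character."""
    if not pw:
        return 0.0
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return 0.0
    base = lowered.rstrip(string.digits + string.punctuation)
    if base in COMMON_PASSWORDS:
        return 4.0 * (len(pw) - len(base))  # ~16 plausible choices per suffix char
    return len(pw) * math.log2(charset_size(pw))


def seconds_to_crack(pw: str) -> float:
    """Expected time to guess: on average half the search space is tried."""
    return 2 ** entropy_bits(pw) / 2 / GUESSES_PER_SECOND


def rate(pw: str) -> str:
    """weak = minutes or hours, fair = days to years, strong = beyond a decade."""
    t = seconds_to_crack(pw)
    if t < 86400:
        return "weak"
    if t < 10 * 365 * 86400:
        return "fair"
    return "strong"


def reuse_report(accounts: dict) -> dict:
    """accounts maps service -> password; returns every password shared by more
    than one service together with the services that share it."""
    by_pw = {}
    for service, pw in accounts.items():
        by_pw.setdefault(pw, []).append(service)
    return {pw: services for pw, services in by_pw.items() if len(services) > 1}


def audit_accounts(accounts: dict) -> dict:
    """Per-service rating plus the reuse report, as a staff self-check would run."""
    return {"ratings": {svc: rate(pw) for svc, pw in accounts.items()},
            "reused": reuse_report(accounts)}


SAMPLE_ACCOUNTS = {  # constructed sample for one employee
    "email": "Summer2019",
    "crm": "Summer2019",
    "bank": "letmein1!",
    "vpn": "correct-horse-battery-staple",
}

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_ACCOUNTS))
```

The estimate is intentionally pessimistic about suffixes: "letmein1!" looks like it mixes three character classes, but an attacker tries dictionary words with short suffixes long before random strings, so it is rated weak alongside "password". A long passphrase rates strong even without uppercase letters or digits, which is why a password manager generating long random secrets is the practical answer to the reuse problem.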
4. Establish authorizations
If you think about the number of people who have access to your company’s confidential information, it is probably too high. Take steps to restrict access to your systems. Only personnel authorized to manage your systems and install software should have administrator accounts.
Companies can also be lax by allowing multiple staff members to share a username and password. This practice prevents you from determining how, or when, a breach of your system occurred. Assign a personal account to each user with permissions specific to their work. If you use Windows, you can assign different levels of authorization to users based on their functions within your organization. If a staff member is away for a long time or has left your company, terminate their access and authorizations as soon as possible.
Where do I start?
- Work with your system administrator to assess the level of access for each staff member.
- Modify your permissions so that each staff member only has access to the software and settings required for their duties.
5. Protect your wireless networks
Hackers can also get into your system via the wireless network in your office. Since Wi-Fi networks use a radio link instead of cables to connect computers to the Internet, an attacker only needs to be within radio range of your network and use some freely available software to get onto it. Intruders who can access your network can steal your files and damage your systems. Wi-Fi devices include security features to prevent this, but most of them are disabled by default to ease the installation process.
If you are using a Wi-Fi network, make sure that these security features are enabled. You can also restrict wireless access to office hours so that hackers cannot get into your system overnight. And you can prevent passers-by from using your connection by restricting Wi-Fi access to specific computers at the access point.
Where do I start?
- Ask your IT manager to verify that the security features of your Wi-Fi network are enabled at their highest level, and that Wi-Fi access is limited to business hours.
6. Surf the Internet Safely
When you and your colleagues browse the Internet, your activities are tracked in many ways, subtle and imperceptible. These activities can then be aggregated by third-party agents without your consent. For example, your employees can inadvertently navigate to dangerous websites that steal your company’s data. And your personal or business information may be compromised if it is entered on websites over an unencrypted connection.
The best way to encrypt your connection and ensure the privacy of your company and your employees is to install a VPN. A VPN, or virtual private network, hides your company’s IP address and encrypts your browsing data. It also keeps your browsing anonymous, an important feature if your company frequently researches its competitors or if your aggregated browsing history could reveal proprietary information to them.
The disadvantage of using a VPN is that the monthly subscription to a reliable and feature-rich VPN service is quite expensive. As a result, many people and businesses choose a free web proxy as an alternative. The problem is that we do not know who operates the proxies available for free online. They may be hackers themselves, or various public or private entities that use the proxy for intelligence gathering. Although a proxy hides your identity and activity from the sites you visit, the proxy itself can potentially see everything you do online. This is one of the reasons why we recommend investing in a VPN rather than a proxy for truly secure browsing.
Where do I start?
- Consider subscribing to a VPN service that offers enterprise solutions.
7. Protect confidential data created by employees remotely and on the move
Many small businesses employ remote workers to perform a wide range of tasks. Thanks to the Internet, it is easy to collaborate with people from all over the world. Employing remote workers has many advantages: you do not need to hire a full-time employee to perform a specific technical or monotonous task, and it also expands your pool of qualified candidates. However, remote work has some cybersecurity pitfalls. You may have implemented all of the protections described above, but a number of them are ineffective if your confidential data is accessible to remote collaborators operating outside of your organization’s secure network, especially if they use a public Wi-Fi access point.
A mobile device management solution, as described in section 2.D, can help you manage your remote employees and those who travel in the course of their work. It is even more important to make sure that if remote workers access confidential business data, they do so through your secure corporate network over a secure connection.
Windows offers a remote desktop connection feature, but that is not enough in itself to secure your data. If you work with remote workers and your data cannot be exposed to potential leaks or theft, it is a good idea to set up a dedicated VPN that lets remote users connect to the corporate network, since relying on the remote desktop connection feature alone can be complicated. We therefore recommend that you discuss this with your IT manager to see whether he or she can arrange the configuration of a dedicated VPN for your office network.
Where do I start?
- Evaluate your remote work policy. How do your remote employees access company data, and is this data confidential?
- Talk to your IT administrator about setting up a secure solution that allows your remote workers to connect to your office’s private network.
8. Protect your customers’ data
It’s one thing if confidential business data is lost or stolen. It is another if your customers’ data is compromised, because you expose yourself to serious legal consequences. The confidential information of your customers must therefore be treated with the utmost care.
Generally, customer data passes through several points. If you operate an e-commerce site or accept payments through your website, the first transit of confidential information (including names and credit card details) is from the customer’s web browser to your server. The best way to protect this data is to make sure your website uses an SSL certificate and the HTTPS protocol, at least on the pages that collect confidential data. You can check these Cheap SSL Wildcard Certificates providers. This ensures that your customers’ data is encrypted as it travels from their browser to your server. If you are transferring customer data to the company, all the security features described above must be applied,
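The following is an added example of how to check the point just made, that every page collecting confidential data must use HTTPS; it is not code from the article or from any e-commerce provider. It parses a page's HTML with Python's standard-library HTMLParser, picks out forms containing password or payment fields, and flags a form when either the page itself is served over plain HTTP or the form's action URL submits over plain HTTP. The page URL, the field-name hints in SENSITIVE_HINTS and the sample markup are constructed for the demonstration; a real audit would feed in the HTML fetched from each checkout and login page.

```python
"""Audit the forms on an HTML page for confidential fields submitted without
HTTPS. Added example, not the article's code. Assumptions: the HTML has already
been fetched; the page URL, SENSITIVE_HINTS and SAMPLE_HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical substrings that mark an input as confidential; extend for your site.
SENSITIVE_HINTS = ("password", "card", "cvv", "ssn", "iban")


class FormCollector(HTMLParser):
    """Collects every <form> with its resolved action URL and its <input> fields."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append({"type": a.get("type", "text").lower(),
                                         "name": a.get("name", "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def is_sensitive(field: dict) -> bool:
    """Password inputs, or any input whose name matches one of the hints."""
    return field["type"] == "password" or any(h in field["name"] for h in SENSITIVE_HINTS)


def audit_forms(page_url: str, html: str) -> list:
    """One finding per form that collects confidential data but is served or
    submitted over plain HTTP, as (action URL, [field names], reason)."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        names = [f["name"] for f in form["fields"] if is_sensitive(f)]
        if not names:
            continue  # newsletter sign-ups and the like are out of scope
        if not page_https:
            # Even an HTTPS action is unsafe here: the HTTP page that carries the
            # form can be altered in transit before the customer types anything.
            findings.append((form["action"], names, "page itself is served over HTTP"))
        elif urlparse(form["action"]).scheme != "https":
            findings.append((form["action"], names, "form submits over HTTP"))
    return findings


# Constructed sample: a checkout page with a login form that still posts over
# HTTP, a payment form that posts to a relative (HTTPS) path, and a harmless
# newsletter form that collects no confidential data.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<form action="http://shop.example/login" method="post">
  <input type="email" name="email"><input type="password" name="password">
</form>
<form action="/pay" method="post">
  <input name="card_number"><input name="cvv"><input name="expiry">
</form>
<form action="http://news.example/subscribe"><input type="email" name="email"></form>
"""

if __name__ == "__main__":
    for action, names, reason in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{reason}: {action} collects {', '.join(names)}")
```

Note the second rule: when the page is served over HTTP, the check flags the payment form even though its action resolves to an HTTPS URL, because a page delivered in the clear can have its form rewritten before the customer ever submits it. That is why the article's advice applies to the pages that collect the data, not only to the endpoint that receives it.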
Where do I start?
- Contact your e-commerce provider or internal developers to verify that credit card information and other confidential information is collected in the safest possible way.