I’ve worked with many small businesses over the years, and it’s probably fair to say that most view I.T. expenditure as a necessary evil. While a growing number of e-commerce businesses take greater care, small business security is often woefully neglected.
Small business security statistics
The cost of allowing unwelcome guests into your business computers can be crippling if data stored under the Data Protection Act is compromised.
According to a 2013 government-commissioned survey, 87% of small businesses had suffered an online security breach in the previous year, with the worst cases costing the company anywhere between £30k and £65k.
A recent report from BIS suggests that 59% of consumers avoid shopping online with SMEs because of fears over cyber security. 82% of consumers say they would buy more from SMEs if these businesses were better at demonstrating their security.
Incredibly, most businesses fail to implement the most basic of security policies. This is a shame because most of the measures that vastly reduce your exposure to risk are completely free.
Updates and AntiVirus
At the risk of turning blue from saying it so often – patch, patch, patch! Make sure that your PCs are configured to automatically install security updates. If you are still running Windows XP, then upgrade it as soon as possible, because on April 8th 2014 Microsoft stops supporting it with security updates.
Oh, and make sure you have some form of anti-virus software installed that you keep up to date. There are plenty of excellent free anti-virus packages out there, and even the paid packages are only around £25 a year.
Your computer can become controlled by hackers simply by visiting a malicious website, so failing to keep things up to date really is foolish.
Wired over WiFi
Always use a wired connection if possible. It’s much harder to physically install a wire tap in your network than to park outside and listen in to your WiFi network with a laptop. Any unhappy member of staff may give your WiFi password away, and you have practically no way of detecting eavesdroppers. If you really must use WiFi then make sure that WPS (the quick push-button setup functionality of your router) is disabled, and that you are using WPA2 WiFi encryption with a strong connection password.
Passwords on Postit Notes
It would be funny if it weren’t true, but I’ve seen this recently in a customer’s office. To add insult to injury the password was a dictionary word, so it would probably have been cracked in a few seconds anyway. I’ve even seen a password Dymo-taped to the top of a monitor in a hotel’s reception area, where just about anyone could see it. Clearly, passwords are nothing more than a nuisance to many business owners.
Secure your PC’s Boot and BIOS
When a computer starts it carries out some self-tests before searching for storage devices to boot from. While floppy disks are a thing of the past, the danger of live-booting from a CD/DVD disc or a USB key still exists. If an attacker can reboot your PC from a CD or USB key to run his own operating system, then he can read your internal disk directly, bypassing your passwords. This kind of access allows backdoors like Konboot to be installed, which make subsequent access easier to obtain.
To prevent this kind of attack, make sure that your PC’s BIOS is set to only boot from the internal hard disk, and that the BIOS is protected by a password. These two steps alone will mean that even should an attacker get in front of your PC, then short of attacking it with a screwdriver or walking out with it stuffed inside his coat, he’s not going to get in.
Regularly check physical security
Like the vast majority of small businesses, your PC is probably sat under or on top of your desk. Are the public able to access the machine – even for 10 seconds? So when did you last physically check your business PCs for signs of tampering?
Keyloggers like the one pictured can be installed and removed again in seconds. While they are connected, they record every single keystroke on your computer. Some are capable of connecting to your own WiFi network (easy if you left your WiFi password on a Postit note – see above) to betray your confidential information to the outside world.
Physical security is as important as digital security. Unless you can lock your PCs in tamperproof cages/cases, then you should regularly inspect their connections for signs of tampering.
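As an added example (not from the original post), here is a small Python check that turns the "inspect for tampering" advice into something you can run on a schedule. It assumes a Linux PC with `lsusb` available; you record its output on a known-good day as a baseline, and the script reports any USB device that was not present then. A hardware keylogger typically appears as an extra device (often a hub) between the keyboard and the PC, so it shows up in exactly this kind of diff. The sample `lsusb` output below is constructed; the `ffff:0001` device is a placeholder for an unexpected hub.

```python
import re
import subprocess
from typing import List, Set, Tuple

# One line per device, as printed by `lsusb` on Linux, e.g.
# "Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120"
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID "
    r"(?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<name>.*)$"
)

# Constructed sample: baseline captured when the PC was known to be clean.
BASELINE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""

# Constructed sample: today's output, with an extra unlabelled hub inserted
# in front of the keyboard (placeholder ID ffff:0001, not a real product).
TODAY_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID ffff:0001 Unlabelled 4-port hub (constructed)
Bus 001 Device 005: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""


def parse_lsusb(output: str) -> List[Tuple[str, str]]:
    """Return [(vendor:product, description), ...], one entry per lsusb line."""
    devices = []
    for line in output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:  # silently skip anything that is not a device line
            devices.append((f"{m['vid']}:{m['pid']}", m["name"].strip()))
    return devices


def unknown_devices(current: List[Tuple[str, str]], baseline_ids: Set[str]) -> List[str]:
    """List every current device whose vendor:product ID is not in the baseline."""
    return [f"{ident} {name}" for ident, name in current if ident not in baseline_ids]


def check_against_baseline(baseline_output: str, current_output: str) -> List[str]:
    """Diff two lsusb captures and return the devices that appeared since the baseline."""
    baseline_ids = {ident for ident, _ in parse_lsusb(baseline_output)}
    return unknown_devices(parse_lsusb(current_output), baseline_ids)


if __name__ == "__main__":
    # Real use: compare a saved baseline file against the live machine.
    live = subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    for entry in check_against_baseline(BASELINE_LSUSB, live):
        print("UNEXPECTED USB DEVICE:", entry)
```

Save the baseline output to a file rather than embedding it, and re-record it whenever you knowingly plug in new hardware.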
Employee exit policy
When employees leave, or are suspended, then limit your exposure to risk by changing passwords on any services to which the employee had access. For example, company email accounts, Google Apps, supplier accounts etc. You certainly don’t want your ex-employee venting on your Twitter or Facebook account. And you certainly don’t want an unexpected delivery from one of your suppliers!
BYOD
These four letters cause the hearts of many IT managers to sink. Bring Your Own Device is a growing phenomenon in many industries. Allowing employees to connect their own devices to your network presents a very real risk to confidential business data. Implementing BYOD while maintaining small business security challenges even seasoned IT professionals. To imagine that, as a small business owner, you will be able to do any better is naive at best. Imagine
It is therefore best not to allow your employees to connect their own laptops, phones or other devices to your network. Again, if you use WiFi and your employees know the network password, then you should implement MAC filtering if possible to help prevent connections from unrecognised devices.