Tips to Secure your Small Business

DISCLAIMER: IF YOU HAVE HAD A BREACH, DON’T ALERT ANYONE, DON’T USE AN IT DEPARTMENT THAT ISN’T TRAINED IN SECURITY, DON’T ANALYSE IT YOURSELF OR CHANGE ANY VOLATILE DATA, AND CONTACT A SECURITY/DIGITAL FORENSICS FIRM IMMEDIATELY!

IT security is no joke. According to the Federation of Small Businesses, small business owners lost 800 million GBP to cybercrime. Preventing that loss would have cost a fraction of the amount. Some fixes need specialist consultancy and training, such as penetration testing, and if a breach has already occurred, digital forensics techniques may be required. Prevention is better than the cure. Many fixes are simple and don’t require much cost or effort from you or your IT department.

I have summarised some tips below to help secure your small business.

Top Security Tips Summary

  • Use Anti-Virus/Firewalls/Anti-Malware/Active Monitoring: This can be free for your small business, so there is no excuse. Comodo is a great antivirus and can be used legally by small businesses. Sophos provides a great free firewall for small businesses, as long as you keep the rules up to date and configure it correctly! Plenty of active monitoring software exists; take a look at Variato, for example.

  • CCleaner by Piriform is worth having: it allows admins to wipe disks that may hold IP so they can be recycled (don’t wipe or reuse ex-employees’ data; look at this article to find out why!). This is important, as you don’t want insiders using data recovery software to find artefacts. It can also delete internet history and wipe free space so old data can’t be discovered, so you may not want it present on employees’ systems.

  • Shred Unwanted Documents: You may also want to use a digital shredder for files you delete.

  • Secure Your Website: This can be done by patching, updating and ethically hacking the site to test its security. Update the backend of your site and schedule regular tests. Test the applications on the site and design them with security in mind.

  • Backup: Be sure to back everything up off your network before an event occurs. Make backups of servers and computers using Clonezilla, a free cloning tool. Back up your website, and if you use WordPress, use plugins such as ‘All In One WP Security & Firewall’, which has built-in scanners and firewalls. Back up your assets the old-fashioned way to cheap, readily available external USB disks. Make sure these are encrypted; you can add encryption and passwords to them using Veracrypt. Store backups safely, and if needed in a safe with limited access. Making regular backups that can be readily restored means your business can get up and running again should ransomware or other threats strike. Your assets will be protected and the crash or hack will be a minor setback. It is important to save and cherish your intellectual property, but keep it off any networks.

  • Due Diligence: Consider employee background checks, which can be carried out by companies such as Tendo Solutions.

  • Conserve Ex-Employee Data: Be sure to preserve ex-employees’ hard disks in case of IP theft or unauthorised activity that you may need to use against them in the future. Consider forensically imaging the disk and having a full computer forensic analysis carried out on the data. You may need to hire a computer forensic expert to do this.

  • Use Strong Passwords: Don’t use default passwords on devices; change the passwords on routers and similar equipment. Use password creation websites such as Password Generator to generate a strong password. Don’t store passwords on post-it notes attached to your monitor!
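
If you would rather not paste secrets into a website, the same job can be done locally. The following is an added example, not code from the article: it draws passwords from the operating system’s cryptographic random source (Python’s `secrets` module, never `random`), requires every character class to be present, and reports the entropy in bits so you can compare a 12-character password against a 20-character one. The character-class policy, the symbol set and the short passphrase word list are assumptions made for the demonstration.

```python
import math
import secrets
import string

# Character classes a generated password must draw from (assumed policy,
# not a rule stated in the article).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from
    `alphabet_size` possibilities. 80+ bits is a sensible floor for anything
    that protects business data; a 20-character password over this alphabet
    gives roughly 128 bits."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True when the password contains a lower, an upper, a digit and a symbol."""
    return (
        any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Generate a password with the OS CSPRNG. Candidates missing a character
    class are discarded and redrawn (rejection sampling), so every accepted
    password is still a uniform draw from the set of policy-compliant ones."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


# Constructed demo word list. A real passphrase generator needs a list of
# several thousand words (e.g. a published diceware list) to reach useful entropy.
DEMO_WORDS = ["anchor", "beacon", "copper", "dahlia", "ember", "fjord", "granite", "harbour"]


def generate_passphrase(words: list[str], count: int = 5, separator: str = "-") -> str:
    """Diceware-style passphrase: easier to type into a router admin page than a
    random string, and strong when the word list is large."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    phrase = generate_passphrase(DEMO_WORDS, 5)
    print(phrase, f"{entropy_bits(5, len(DEMO_WORDS)):.1f} bits (demo list only)")
```

Run it and note the second line: five words from an eight-word list is only 15 bits, which is why the word list matters far more than the number of words. For routers and other devices where a long random string is awkward to type, a passphrase from a large list is the better choice.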

  • Implement Two-Step Authentication: Try to use an email service such as Gmail Business that has two-step authentication, where you link a mobile phone to an account and use that device to generate a code, entered after the password, as another layer of security. Even if someone gets hold of one of your employees’ passwords while they are doing business in Hong Kong, they can’t get into the account without the Authenticator application linked to that particular phone.

  • Mobile Phone Security: Try to have all your employees’ phones preconfigured with encryption, a decent password and an anti-virus.

  • Virtual Private Network: Try to have a VPN app installed and running at all times to protect your data while browsing on unsecured Wi-Fi on a mobile phone or computer.

  • Encrypt Whole Disks: Protect movable assets such as laptops by using Veracrypt to encrypt the disk before you even get to the Windows login; you could even use BitLocker, which is already built into Windows.

  • Training: Your employees need training in threat awareness and online security.

  • Look For Software and Hardware Keyloggers or Recorders: Sometimes rogue employees may attach hardware devices to log keystrokes, or install software to do the same. If they can do this, they have access to your passwords and activity.

  • Phishing: Train your staff in phishing awareness, and even try to bait your staff to see if they fall for spoofed emails or similar.

  • Restrict ‘Bring Your Own Devices’: This policy is risky, as you have no way of knowing the integrity and security of your employees’ devices. Give staff their own preconfigured devices.

  • Updates: Keep your software up to date and patched. Nothing is more useless than an anti-virus that is 4 years out of date!

  • Guest Networks: Your company’s Wi-Fi and network may be secure, but plenty of juicy information can be sniffed using a man-in-the-middle attack on the free, unsecured Wi-Fi network in the canteen on level 0. Again, use a decent VPN.

  • Restrict Software: Allowing employees to download software that hasn’t been vetted by anti-virus software or the IT department is a recipe for disaster.

  • Maintain Logs and Store Them: Back up your server and other logs, encrypt them, and keep them somewhere safe for possible future analysis.

Thank you for reading. No single technique or guide will totally secure your business.

Please like and share this article.

Regards,

Alistair Ewing