Times have changed. Today, information is a currency unto itself. And using stolen access to small office networks can often be just as valuable as the data that might be stored there.
Unlike larger corporate networks, many small businesses don’t have the budget to afford full-time IT person to keep a network secure. Many IT security concerns get overlooked. Mix all the above and it becomes easy to see why small offices with 20 employees or less are among the top soft targets that are ripe for hackers and cybercriminals.
Physical security is just as important as network security. Even the best computer security becomes useless if a bad actor gets physical access to the machine. Most small offices are reasonably secure with decent locks and an alarm system. The problem is that the keys and codes never change, regardless of employee turnover.
- If possible, use an alarm code that is at least 6-digits long.
- Change your alarm security codes every 12 to 24 months. Most small offices never change their alarm codes until they get ripped off – without any sign of forced entry.
- Rekey your office locks every three to five years, sooner if you have high employee turnover.
- Any mission-critical computers with sensitive data (e.g. – customer information, inventory, production files, financials, websites, etc) should be kept in a closet or office space with a lockable door. This includes network equipment such as cable/DSL modems, routers and firewalls. All it takes is five minutes and an ounce of moxie to remove a piece of equipment that can shut an office down indefinitely – sometimes permanently.
Enforce stronger passwords. Without a well-defined IT policy, most small offices allow staff to choose passwords that are easy to remember – and hackers can crack them in minutes. Staff should choose passwords that fit the following criteria:
- at least 12 characters long,
- uses upper and lowercase with one or more numbers and special characters,
- does not use proper names or words from the dictionary,
- unique (as in not used for anything else), and
- stored only in a Password Manager app (e.g. – KeePass, 1Password, LastPass, etc).
Never write down passwords on Post-It notes; for hackers this is like putting your house key under a fake rock on your front porch. A good rule of thumb to follow: any password that is written down or in print should be considered as good as hacked.
Set up a guest WiFi network. Most wireless routers have an optional guest wireless network feature. This should always be enabled for the following reasons:
- The guest WiFi provides visitors access to the Internet without giving them access to other computers on your main network.
- Any infected laptops or devices on the guest network cannot infect computers on your main network.
- Under optimal conditions, anyone with your wireless password can sit up to 1000 feet outside your office and use a laptop or smart device to access your network. Visitors with guest access cannot come back to snoop around on your main network.
Some guest WiFi access can be set to automatically turn off after business hours. Make sure the guest SSID name and password are different than your main wireless network.
Let staff check their personal business on their own devices. BYOD (Bring Your Own Device) policies allow employees to connect their smartphones, tablets and laptops to the office guest WiFi network. By letting them handle personal affairs on their own devices this greatly reduces the chances of accidentally infecting company computers. The BYOD policy provides a clearly-defined set of rules, standards and penalties for this privilege. These rules should be easy straight forward and easy to follow.
Subscribe to an endpoint security protection provider. A basic antivirus is not enough. Seek out an endpoint solution that can handle PC, Mac, and smart devices. Along with scanning files and emails, this should also scan any USB flash drives or SD cards that get inserted into any office computer.
Subscribe to a third-party spam filtering service. Although most Internet Service Providers have some form of spam filtering in place, they can’t keep up with the tsunami of junk email. By subscribing to a third-party spam filter, incoming email gets checked through their service first then forwarded to your company inboxes. This greatly reduces the amount of phishing emails that employees may get fooled into clicking on.
Accessing the business network from outside the office should always be done over a VPN connection. Short for Virtual Private Network, a VPN creates a secure Internet tunnel from your computer or device to the office network. This prevents hackers from stealing passwords from employees connecting in over public WiFi networks.
Check your backups by testing them regularly. Data breaches, disasters and virus outbreaks on the office network should be treated like catching the common cold – sooner or later it will happen to you. Solid backups are your only true protection against potentially losing everything.
Don’t use vector-based company logos in PDFs available on your website. Vector-based logos are made of paths, allowing them to be scaled to any size without a loss of quality. Raster-based logos are made up of dots and quickly lose image quality if the size is manipulated. A savvy adversary can lift a vector company logo out of a PDF and use it to forge exact copies of your print letterhead, company emails and even company ID badges – anything with your logo on it. By using raster logos (high compression JPEGs, PNGs, etc) this makes forging your company materials more difficult.
Finally, Treat all your data as valuable. To a seasoned hacker on the hunt, data comes in two types: data to exploit and data to steal (and sell). Even the most innocent information can be parlayed into playing a role in cracking into your network. Take nothing for granted… and shred everything once it has outlived its usefulness.