Giant data breaches at giant corporations make headlines just about every month. But small businesses have become the favorite target of hackers. Fight back: Defend your small business’s IT network by following our annual 11-point IT security checklist.
Maybe you saw the news a couple of months ago about Hennepin County’s email system being hacked and thought, “That’s a huge organization — my business is too small for hackers to bother with.” Trust me, hackers welcome that kind of thinking.
According to Verizon’s 2018 Data Breach Investigations Report, 58% of the organizations victimized by data breaches in 2017 were small businesses. And it’s easy to see why: Most small businesses don’t have the security resources and/or expertise of large organizations, so they’re more vulnerable.
Here’s more from the Verizon report that is significant for small business owners:

Over the years of working with our clients, TechGen has put together the following IT security checklist. Some of this you may find overly techy. Whether you have in-house IT staff or an outside IT security specialist help you, the following issues should be addressed at least once per year.
Protect Your Small Business With These IT Security Best Practices
1. Scan network firewall and update security subscriptions
Basically, a firewall is a set of rules that dictate which types of traffic will be allowed into and out of your network.
- Check the rules for elements such as Remote Desktop Protocol (RDP) traffic to certain servers or internal computers, and non-secure traffic to internal web servers or phone systems.
- Update your security subscriptions regularly to help inspect traffic going in/out and block the bad stuff.
2. Review user accounts and security groups
Hackers gain access to networks through inactive accounts, often finding them by searching LinkedIn or other social networks to find people who have recently left organizations.
- Check all of your user accounts and disable any that are no longer active.
- Review your “security groups” -- groups of users who have the same permissions and access to network resources -- and make any necessary changes.
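An added example, not part of the original checklist, of the account review described above: it lists enabled accounts that have not logged on recently and notes any sensitive groups they still belong to. The function name, the input columns, the 90-day cutoff and the sample accounts are assumptions made for illustration.

```powershell
# Added example. Get-StaleAccount and the input columns are hypothetical names.
function Get-StaleAccount {
    param(
        [Parameter(Mandatory)][object[]]$Accounts,
        [int]$InactiveDays = 90,   # assumed cutoff; the checklist gives no number
        [string[]]$SensitiveGroups = @('Domain Admins', 'Remote Desktop Users'),
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$InactiveDays)
    foreach ($a in $Accounts) {
        if (-not $a.Enabled) { continue }            # already disabled
        $never = $null -eq $a.LastLogonDate
        if (-not $never -and $a.LastLogonDate -ge $cutoff) { continue }
        [pscustomobject]@{
            Name      = $a.SamAccountName
            LastLogon = if ($never) { 'never' } else { $a.LastLogonDate.ToString('yyyy-MM-dd') }
            # Stale accounts that still sit in powerful groups go first in the review.
            Sensitive = @($a.Groups | Where-Object { $SensitiveGroups -contains $_ }) -join ', '
        }
    }
}

# Constructed sample export (not real accounts).
$now = [datetime]'2019-01-15'
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $true;  LastLogonDate = [datetime]'2019-01-10'; Groups = @('Staff') }
    [pscustomobject]@{ SamAccountName = 'bjones'; Enabled = $true;  LastLogonDate = [datetime]'2018-06-02'; Groups = @('Staff', 'Domain Admins') }
    [pscustomobject]@{ SamAccountName = 'temp01'; Enabled = $true;  LastLogonDate = $null;                  Groups = @('Remote Desktop Users') }
    [pscustomobject]@{ SamAccountName = 'clee';   Enabled = $false; LastLogonDate = [datetime]'2017-03-20'; Groups = @('Staff') }
)

# Reports bjones (stale, still a Domain Admin) and temp01 (never logged on).
Get-StaleAccount -Accounts $accounts -Now $now | Format-Table -AutoSize
```

On a domain with the ActiveDirectory module installed, `Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly` produces a comparable list directly from Active Directory.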
3. Run domain name system (DNS) lookup
The DNS is something like the Web’s phone book, storing information about IP addresses and domain names.
- Run a DNS lookup and make sure you have an SPF record. This record guards against spam and phishing emails that use “spoofing,” which misleads the email recipient about where the email came from.
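An added example, not part of the original checklist, of what to look for once the lookup returns: it checks a domain's TXT records for exactly one SPF record, a safe "all" term, and the 10-lookup limit. The function name, the example domains and the sample records are constructed for illustration.

```powershell
# Added example. Test-SpfRecord is a hypothetical helper name.
function Test-SpfRecord {
    param([string[]]$TxtRecords = @())

    # Only TXT records beginning with "v=spf1" are SPF records.
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) { return 'FAIL: no SPF record published' }
    if ($spf.Count -gt 1) { return 'FAIL: multiple SPF records (receivers treat this as an error)' }

    $findings = @()
    $terms = @($spf[0].Trim() -split '\s+' | Select-Object -Skip 1)

    # include/a/mx/ptr/exists and redirect each cost a DNS lookup; SPF allows 10.
    # This counts this record's own terms only; included records add their own.
    $lookups = @($terms | Where-Object {
        $_ -match '^[-+~?]?(include:|exists:|(a|mx|ptr)([:/]|$))|^redirect='
    }).Count
    if ($lookups -gt 10) { $findings += "FAIL: $lookups DNS-lookup terms (limit is 10)" }

    # The "all" term sets the verdict for senders the record does not list.
    $all = $terms | Where-Object { $_ -match '^[-+~?]?all$' } | Select-Object -Last 1
    if ($all) {
        switch -Regex ($all) {
            '^\+?all$' { $findings += 'FAIL: +all authorizes every sender' }
            '^\?all$'  { $findings += 'WARN: ?all is neutral, spoofed mail is not flagged' }
            '^~all$'   { $findings += 'OK: ~all soft-fails unlisted senders' }
            '^-all$'   { $findings += 'OK: -all fails unlisted senders' }
        }
    } elseif (-not ($terms -match '^redirect=')) {
        $findings += 'WARN: no "all" term, unlisted senders get a neutral result'
    }
    return $findings
}

# Constructed TXT record sets for three hypothetical domains.
$samples = [ordered]@{
    'good.example' = @('v=spf1 include:_spf.mailhost.example -all', 'site-verification=abc123')
    'open.example' = @('v=spf1 mx +all')
    'none.example' = @('site-verification=xyz789')
}
foreach ($name in $samples.Keys) {
    '{0}: {1}' -f $name, ((Test-SpfRecord $samples[$name]) -join '; ')
}

# Live lookup on Windows (long TXT records arrive as several strings to be joined):
# Test-SpfRecord (Resolve-DnsName -Name example.com -Type TXT |
#     Where-Object Type -eq 'TXT' | ForEach-Object { -join $_.Strings })
```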
4. Activate group policy lockout
A “brute-force” login is an attack in which a hacker tries repeated combinations for user IDs and passwords to get onto your network. Certain tools help attackers use multiple ID/password combinations in quick succession.
- Activate the setting that locks out accounts after a certain number of attempts within a certain time period.
5. Enable two-factor authentication (2FA) wherever possible
2FA adds a second layer of security to passwords, to make it more difficult for attackers to gain access to a network or a device. For example, in addition to entering a password on a laptop, a user is required to enter a code that’s texted to the user’s cellphone, or provided by an app.
- Make sure you’re protecting your email account with 2FA -- Office 365 and Gmail support this.
- Audit your online accounts and turn on 2FA for any that support it. (Twofactorauth.org will show you those that do.)
6. Review/replace vulnerable legacy software and hardware
Older software and hardware are more vulnerable to security breaches than newer stuff. A typical setup is an old desktop PC running Windows XP and an old version of Adobe that you keep solely to run a printer.
- Review older software and hardware components if they’re connected to your network, and download security patches and other updates if they haven’t loaded automatically.
- Replace anything that’s no longer supported by the manufacturer.
7. Activate Windows 10 BitLocker
Encrypting your users’ PC hard drives protects their contents if stolen or lost. It also helps fully erase data from hardware that you’re getting rid of.
- Turn on Windows 10 BitLocker (a free feature of Windows 10 Pro), which requires an admin account.
- Make sure your BitLocker Recovery Keys are backed up!
8. Check your data backup
This may be the most critical security measure, because if everything else fails, you’ll be able to scrub your network and devices and re-install your data. Be able to answer “yes” to these questions:
- Is your backup an automatic process?
- Have you performed a restore recently?
- Is the backup data encrypted?
- Does your backup copy data off site every day?
- Is it automatic or is there an automatic off site copy? Is it working? And is the backup itself encrypted?
9. Install business-grade endpoint security software
Every desktop, laptop, and mobile device your employees use to connect to your network is an “endpoint” -- and a potential security risk.
- If you haven’t already, install a business-grade endpoint security product -- not just an antivirus program -- to protect all of your systems.
- In addition to endpoint security software installed on your network, each remote device must have corresponding software installed and updated regularly.
10. Conduct security awareness training and testing
Keeping your business’s network and data secure is as much about people as it is about controls, settings and processes.
- Schedule regular security training for managers and employees. It’s smart to train new hires, but too often that’s the last security training they receive (until it’s too late).
- Test the training. For example, consider a training/testing program such as KnowBe4’s simulated phishing program.
11. Establish and enforce password policy
Password habits die hard, so weak passwords remain a primary security risk. Hackers know all of the tricks for creating easily memorized passwords, like using a row or column of keys on a keyboard. And they have software that finds these passwords in no time.
- Review your network users’ passwords, and if they’re weak or short, reset them.
- Use your operating system’s password enforcement settings to prevent users from creating weak passwords.
- Require passwords to be reset periodically -- but not too often. (Annually is generally fine.) Users who must come up with a new password every couple of months, for example, might try to keep passwords mostly the same by changing one or two characters. Or they might store their passwords somewhere off of your network, probably on a less secure device or in a private email account.
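An added example, not part of the original checklist, that audits the settings behind items 4 and 11 together: the lockout threshold, minimum password length, complexity enforcement and reset interval of a domain policy. The function name, the default thresholds and the sample policy object are assumptions made for illustration.

```powershell
# Added example. Test-AccountPolicy is a hypothetical helper; its default
# thresholds are assumptions, not values from the checklist.
function Test-AccountPolicy {
    param(
        [Parameter(Mandatory)]$Policy,
        [int]$MinLength = 12,        # assumed minimum password length
        [int]$MinRotationDays = 90   # assumed floor for "not too often"
    )
    $out = @()
    # Item 4: LockoutThreshold 0 means accounts are never locked out.
    if ($Policy.LockoutThreshold -eq 0) {
        $out += 'FAIL: account lockout is off (LockoutThreshold = 0)'
    } else {
        $out += 'OK: lockout after {0} bad logons in {1:N0} min' -f
            $Policy.LockoutThreshold, $Policy.LockoutObservationWindow.TotalMinutes
    }
    # Item 11: length, complexity and reset interval.
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $out += "FAIL: minimum length $($Policy.MinPasswordLength) is below $MinLength"
    }
    if (-not $Policy.ComplexityEnabled) {
        $out += 'FAIL: complexity rules are not enforced'
    }
    $age = $Policy.MaxPasswordAge.TotalDays
    if ($age -eq 0) {
        $out += 'WARN: passwords never expire (MaxPasswordAge = 0)'
    } elseif ($age -lt $MinRotationDays) {
        $out += "WARN: reset every $age days invites one-character changes"
    } else {
        $out += "OK: passwords reset every $age days"
    }
    return $out
}

# Constructed sample with the property names Get-ADDefaultDomainPasswordPolicy returns.
$sample = [pscustomobject]@{
    LockoutThreshold         = 0
    LockoutObservationWindow = [timespan]::FromMinutes(30)
    MinPasswordLength        = 7
    ComplexityEnabled        = $true
    MaxPasswordAge           = [timespan]::FromDays(42)
}
Test-AccountPolicy -Policy $sample   # two FAIL lines and one WARN line

# On a domain-joined admin workstation with the ActiveDirectory module:
# Test-AccountPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```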

How to Use This IT Security Checklist: Next Steps
Tech people. We do love checklists, don’t we? But in this case, I’m not expecting you to go through this list and check off each item as you knock down each item, badda bing badda boom. Here’s what you can do with this information:
If you know what you’re doing, get these actions on a calendar now.
If you or an internal IT staffer has the ability and administrative access to take care of these items, or some of them, put a due date on your calendar now for each item you plan to address.
Hire an outside firm to handle what you can’t
If you don’t have the knowledge or resources to address any of this, consider getting a professional IT security audit. You can use the checklist as a guide to see if the auditors address each of these areas. Or if you have an IT support firm already in place, hand off this IT security checklist and let ‘em at it.
Stay vigilant
Perhaps the most important to-do for the checklist is to update it regularly. Computer technology and fraud threats change rapidly — your IT security program needs to evolve with them.
Your small business doesn’t have to be a pushover for cyber criminals. They’re just like many other kinds of thieves: If you put some basic protections in place, they’ll move on to easier targets.