Every small business faces unique difficulties in securing its data. This guide will help you determine your threat model and take the steps necessary to protect your company.
The Internet allows businesses of
any size to work and reach markets around the world. Unfortunately, this
potential for increased productivity and profitability is tempered by the
security risks that the Internet presents. The fact is that cybersecurity must
be a part of any business plan going forward.
This is meant to be a quick guide to help small
businesses begin to secure their data, although some of these steps may require
the assistance of a team of trained IT professionals.
Cybersecurity and data privacy are important for everyone
Data leaks have become more and more common, and not just tech companies have been affected. Plenty of more traditional companies, such as Mariott, have suffered massive leaks. Not only do these leaks erode consumer confidence, but they are beginning to incur financial penalties and regulations under the GDPR. While certain exceptions are made for small businesses in the GDPR, putting good cybersecurity and data protection practices in place will reduce your exposure.
As profit-seeking entities and organizations with a responsibility to society, small businesses must work to protect the data their customers have entrusted them with.
Learn more: GDPR checklist
Understanding your threat model
A threat model is a method of evaluating security and privacy risks in
order to mitigate them strategically. You can use it to determine your
business’s own cybersecurity priorities. Start by answering the following
- What kind of data do you process in your business?
- How is that data handled and protected?
- Who has access to that data and under what circumstances?
Answering these three questions will help you know exactly what data you have, where you keep them, and who has access rights to them. Drawing a diagram to visualize these relationships can be very helpful as well. For instance, perhaps you have data securely stored on a local, encrypted server, but then you realize that as the data travels over your business’s network that it is not encrypted, or that too many people have unnecessary access. Creating a threat model will help you identify where the data are vulnerable to hacks and leaks.
Now that you know the data you need
to safeguard and where the potential weak points are, you can start to put
processes in place to protect it.
Protect your network from cyber attacks
Your network is where your
business’s data lives. It must be secured if you are going to protect your
customers’ data, even if it requires technical assistance from professionals. To
get started, you must identify all the devices and connections on your network,
set boundaries between your company’s systems and outside systems, and create
controls that ensure that any unauthorized access to your network can be
stopped or contained.
Another vital part of protecting your network is maintaining the software of connected devices. You can help prevent attackers from installing malware on your company’s devices by keeping your apps and operating systems up to date. Software updates often include security patches for recently discovered vulnerabilities. You should also use anti-virus software.
Passwords and authentication
Passwords are the first line of
defense on your all your company accounts. Make sure that everyone in your
company uses strong, unique passwords to secure their accounts and devices. A
password manager can help your employees generate and store passwords so that they
don’t have to write them down.
The second line of defense is two-factor authentication (2FA). This is a way to secure accounts with a second piece
of information, usually something you have with you on your person, like a code
created on an authenticator app or fob.
Tell your employees to avoid using public computers to access their company accounts because keyloggers can record and steal the login information and compromise their account. If your employees absolutely must use a public computer, tell them to be sure they log out of their account afterwards.
Many services (such as ProtonMail
and ProtonVPN) allow you to see when and from what IP address an account has
been accessed and log out of other sessions
Create a mobile device action plan
Mobile devices present significant
security challenges as they can hold confidential information or access your
corporate network and also be easily stolen or lost. Your cybersecurity plan should
anticipate these eventualities. So it’s essential to have your employees use
strong passwords to protect their devices and make sure they encrypt their data.
There are apps that allow you to wipe, locate, and potentially identify
the thief if a device is stolen. Also be sure to set up a procedure for
reporting lost or stolen equipment.
Practice email security
Email has become the primary way of handling a business’s
communications, from internal management to customer support. It is also one of
the easiest ways for hackers to get into your company’s database. It is crucial
you train your employees to be alert for phishing attacks,
in which the attacker tries to trick you into clicking on a link, downloading
an attachment, or giving up sensitive information (such as entering your
username and password into a spoofed webpage).
Use encryption as much as possible
Encryption is the process of converting readable information into an unreadable string of characters. Without encryption, anyone monitoring the Internet could see all the data being transmitted, from credit cards to chat messages. The vast majority of online services use some form of encryption to protect the data traveling to and from their servers. You should encrypt any data that your company considers sensitive.
However, only a few tech companies encrypt your information in such a way that even the company cannot decrypt it. This kind of encryption is called end-to-end encryption (E2EE). Often, there is an E2EE alternative to less private services. For example, ProtonMail is a private alternative to Gmail — and is HIPAA compliant. Instead of Google Drive, which can access your files, your company could use Tresorit. For notes, Standard Notes is one E2EE option. These services prevent anyone but the owner (and in ProtonMail’s case, the receiver of the email) from decrypting the file and accessing the data.
For instant messaging, there are a number of options —
Train your employees and manage access
None of these steps will have any effect unless the
employees of your company correctly implement them. Establishing clear, useful
guidelines that also detail penalties for violating the company policy is
crucial for any cybersecurity plan. All employees should be well versed in
standard phishing attacks, strong password best practices, encrypted services,
and whom they should contact if they encounter a problem.
To minimize risk, no one employee should have access
to all your company’s data systems. They should only have access to the
specific data they need to perform their jobs, and administrative privileges,
like installing new software, should only be given to trusted, key personnel.
Developing these systems and training your staff on them will be time-intensive, but your employees are your first and last line of defense against data leaks. Now that the GDPR has been implemented, businesses have had to be more forthcoming about data breaches, and the reports have shown human error to be the cause of more data leaks than malicious attacks.
We hope this guide helps you to establish a cybersecurity plan for your business. For businesses interested in a more thorough resource, the Federal Communications Commission has issued a Cyber Security Planning Guide which will cover much of the same ground in greater detail.
At ProtonMail, we believe that security and privacy are everyone’s responsibility. By following these guidelines and by using security-focused services, you can significantly improve your cybersecurity.
The ProtonMail Team
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.
*** This is a Security Bloggers Network syndicated blog from ProtonMail Blog authored by ProtonMail Blog. Read the original post at: https://protonmail.com/blog/cybersecurity-small-business/