Q&A

Cyber Security for the Small Business

A. You’ve got plenty to worry about! You don’t have to be big, just available. The principal goal of most cyber-attacks is to plant malicious software (malware) on any available computer. The most common “vector” for this infection is “Social Engineering” (more on this later). Once the malware is in place, the attackers can:

  • Add your computers to a network of “bots.” Your computer is now under their control and can be exploited, or even rented or sold to other hackers, to perform further attacks or act as an illegal server.
  • Use “key logging” software to capture information like your banking user name and password, email account passwords, or Point of Sale information from credit card swipes.
  • Perform random “cyber vandalism.”
  • Hold your system hostage by encrypting all of your data.

A. Plenty. Add up the potential losses from:

  • Hardware and software replacement costs
  • IT Expert labor
  • Cyber Liability (PCI, HIPAA compliance)
  • Lost business
  • Lost Credibility

A. Not by a long shot. Today’s hackers use “zero day” attacks to take advantage of security holes before Microsoft, Apple, Android and antivirus publishers can catch up and send out security updates.

A. No, look out for:

  • “Vishing” (Voice Phishing) attempts. This social engineering scam preys on our willingness to plug personal information into a touch tone phone.
  • Wireless Hijacking
  • Mobile phone loss
  • Laptop and Tablet theft

A. Stop using the Internet! Or if that’s not practical, stay vigilant and follow these best practices of IT Security Awareness:

Security Awareness: Best Practices

Systems Best Practices

  • Use a good, business-class internet firewall (Cisco, SonicWall).
  • Install properly licensed business-class (not home or free) anti-virus on all devices and keep it up to date. If you have multiple devices, consider a web-managed antivirus (like Avast!).
  • Apply all security patches ASAP for Microsoft and others (Adobe, Java, Apple, Mozilla, and Google Chrome).
  • If you have Windows XP or Windows Vista machines, retire them immediately. There are no new security updates for these operating systems.
  • If you use wireless, use strong passcodes and change them periodically. If you provide wireless to customers or guests, set up a “guest” wireless network separate from your business machines.
  • Protect your mobile devices with anti-virus, a locking screen saver and mobile device protection services.
  • Backup, Backup, Backup! Make frequent backup copies of important information and programs. Rotate backups off-site or to the “cloud.”
  • Don’t forget physical security. Lockup and protect your valuable IT equipment.

General Best Practices

  • Practice strong password security: eight or more characters using a mix of upper and lower case letters, numbers and special characters. Don’t reuse passwords between social and financial accounts. Consider “pass phrases” as a way to remember them.
  • Protect your credentials! Avoid sticky notes hidden under the keyboard. Don’t use password vaults with simple password access.
  • Don’t mix business with pleasure. Use business machines for business and avoid social sites and personal email.
  • Use separate administrator and user accounts. Login with administrator credentials to install new software, but user credentials for daily use.
  • Avoid “found” memory sticks. Hackers load memory sticks with malware and leave them around for you to find.
  • Train and retrain yourself and your employees on what to watch for.
  • Write it down. Formalize your business security policies and make sure everyone knows them.

E-mail Best Practices

  • Do not open attachments unless you are 100% certain of: 1) the sender, 2) the purpose of the attachment. When in doubt, pick up the phone and call.
  • Never click embedded links in messages without hovering your mouse over them first.
  • Look for “fake” domains. Note that www.microsoft.com and www.support.microsoft.software.com are two different domains (and only the first is an actual Microsoft site).
  • Always check the e-mail ‘From’ field, but don’t rely on it alone to validate the sender. The ‘From’ address may be spoofed.
  • Do not “unsubscribe” – it is easier to delete the e-mail than to deal with the security risks.
  • Do not respond to spam in any way. Use the Delete button.
  • Do not open any e-mail attachments that end with: .exe, .scr, .bat, .com, or other executable files you do not recognize.
  • Always check for so-called ‘double-extended’ scam attachments. A text file named ‘safe.txt’ is safe, but a file called ‘safe.txt.exe’ is not.
  • Alert co-workers and friends of suspicious emails.
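The “fake domain” and “double-extended” attachment rules above can be turned into a simple triage check. The following is an added example, not code from the original page; the sample links and attachment names are constructed, the list of executable extensions beyond those named on the page is an assumption, and the domain check deliberately ignores two-part suffixes such as co.uk.

```python
"""Added example: apply the page's e-mail rules (look-alike domains,
executable and double-extension attachments) to a constructed message."""
from urllib.parse import urlparse

# Extensions named on the page plus a few common ones (assumption).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "com", "cmd", "pif", "vbs", "js", "msi"}


def registrable_domain(host: str) -> str:
    """Last two labels of a host name: 'www.support.microsoft.software.com'
    -> 'software.com'.  Assumption: no public-suffix list, so 'co.uk'
    style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_matches_expected(url: str, expected_domain: str) -> bool:
    """True only when the link's registrable domain equals the expected one.
    A host that merely *contains* 'microsoft' is rejected."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) == registrable_domain(expected_domain)


def attachment_risk(filename: str) -> str:
    """Classify an attachment name as 'ok', 'executable' or 'double-extension'."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTENSIONS:
        return "ok"
    # 'safe.txt.exe': a harmless-looking inner extension hides the real one.
    return "double-extension" if len(parts) >= 3 else "executable"


def triage_message(links, attachments, expected_domain):
    """Return a list of findings for a message claiming to come from expected_domain."""
    findings = []
    for url in links:
        if not link_matches_expected(url, expected_domain):
            findings.append(f"link to unexpected domain: {url}")
    for name in attachments:
        risk = attachment_risk(name)
        if risk != "ok":
            findings.append(f"{risk} attachment: {name}")
    return findings


# Constructed sample message that claims to be Microsoft support.
SAMPLE_LINKS = ["https://www.microsoft.com/account",
                "http://www.support.microsoft.software.com/login"]
SAMPLE_ATTACHMENTS = ["invoice.pdf", "safe.txt.exe", "setup.scr"]

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_LINKS, SAMPLE_ATTACHMENTS, "microsoft.com"):
        print(finding)
```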

You don’t want to see this!

Can you spot the clues in these Social Engineering emails? What can you do to verify?