Are you ready for this year’s National Cybersecurity Awareness Month in October? The 2019 theme is “Own it. Secure It. Protect It. #BeCyberSmart.” While digital scams are frequently in the news, many small and medium-sized companies have not caught up with sufficient investment in cybersecurity. Here in Colorado, our Department of Transportation suffered a large ransomware attack in February 2018.
PB&T cares about the security of our customers and the community. We created this cybersecurity guide to help your Colorado business review and improve cybersecurity best practices among your employees.
Best Cybersecurity Practices for Businesses
As a small or medium-sized business with local ownership in Colorado, you may feel somewhat immune to the risks of hacking, ransomware, and data theft. After all, why would a sophisticated hacker make the effort to break into your systems when there are many bigger companies to target?
Unfortunately, small businesses are often easy targets because they haven’t invested as much in network security. According to The Ponemon Institute’s 2018 report “State of Cybersecurity in Small & Medium Size Businesses,” the share of SMBs (small and medium-sized businesses) reporting a cyber attack rose 6 percent among respondents, from 61 percent in 2017 to 67 percent in 2018. Reported data breaches also rose 4 percent among respondents from 2017 to 2018. Companies that experienced a cyber attack or data breach spent an average of $1.43 million to repair the damage.
Here are the most important takeaways to put into practice at your SMB:
- Employees and contractors need training and education to avoid putting the company at risk of a data breach or ransomware attack. Whether through mandatory online courses or an in-person workshop, the people who work for you should be your biggest cybersecurity assets.
- Beef up security on company mobile devices. Laptops, tablets, and smartphones are especially vulnerable to cyber attacks when used off-site. Invest in the latest security protections for business-issued mobile devices. Employee training is also helpful in this regard, as well as the creation of a policy for using mobile devices (including not accessing business applications on personal mobile devices).
- Hiring in-house cybersecurity and IT experts is never a bad investment. Many SMBs may not have the budget for a complete IT team. Start, then, with at least one in-house employee. You could also outsource your network security needs to a third-party company.
- Use single sign-on (SSO) and a strong password policy to protect and simplify access to company data. For example, the conventional wisdom on passwords is shifting from a policy of changing them frequently to creating a strong password from the beginning and not changing it unless there is a reason to believe it has been compromised.
- The features that make for a strong password include length (aim for at least 12 characters) and a variety of character types (upper- and lower-case letters, numbers, and symbols). You want to avoid dictionary words while still ending up with something you can remember. A common trick is to think of a sentence and then build your password from the first letter of each word. For example, “I got my first car, a Ford Mustang, at age 16” becomes IgmfcaFMaa16. If you want to get even fancier, you could replace the ‘I’ with a ‘1’ and add a symbol like ‘$’ or ‘#’ at the end.
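The rules above (at least 12 characters, several character types, no dictionary words) are easy to turn into a checker that an IT team can run against new passwords. This is an added example, not part of PB&T's guide; the tiny word list is a constructed stand-in for a real dictionary or breached-password list, and a sentence-to-password helper reproduces the “first letter of each word” trick.

```python
import re

# Constructed mini word list (assumption: a real deployment would load a full
# dictionary or a breached-password list instead of these five words).
COMMON_WORDS = {"password", "mustang", "welcome", "colorado", "summer"}

# The four character classes the guide asks for: lower, upper, digit, symbol.
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def passphrase_from_sentence(sentence):
    """Build a password from the first letter of each word, keeping numbers whole."""
    parts = []
    for token in re.findall(r"[A-Za-z]+|\d+", sentence):
        parts.append(token if token.isdigit() else token[0])
    return "".join(parts)


def check_password(pw, min_len=12, min_classes=3):
    """Return a list of policy failures; an empty list means the password passes.

    min_classes defaults to 3 so a letters-plus-digits password like the guide's
    IgmfcaFMaa16 passes; set it to 4 to also require a symbol.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(pattern, pw)) for pattern in CHAR_CLASSES)
    if classes < min_classes:
        problems.append(f"uses {classes} character type(s), need at least {min_classes}")
    lowered = pw.lower()
    hits = sorted(word for word in COMMON_WORDS if word in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    candidate = passphrase_from_sentence("I got my first car, a Ford Mustang, at age 16")
    for pw in (candidate, "1gmfcaFMaa16#", "Mustang2019", "password123456"):
        print(pw, "->", check_password(pw) or "OK")
```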
What is Cyber Security and What Does it Protect Against?
Now that we’ve covered the best general practices for improving cybersecurity at your small-to-medium-sized business, let’s take a step back to understand exactly what cybersecurity is and how it will protect your important data and trade secrets.
To put it simply, effective cybersecurity is really about cyber “hygiene.” Your best protection against malware and computer viruses is to keep your security software, web browsers, and operating systems up to date. Don’t ignore update notices, and protect all of your devices, including mobile ones, with anti-virus software.
Think of the steps you take to protect your physical workplace from intruders. Do you keep your office door locked, for example? Apply the same precautions to your digital assets and data, which nowadays are often more valuable than any piece of furniture or equipment a thief could steal.
Identifying Potential Scams
Finally, think of cybersecurity as a constantly evolving concept, just like the Internet itself. Follow blogs like “Tech@FTC” to stay apprised of the latest scams and attacks as well as the best protection methods.
Mobile & Online Security Tips for Businesses
- Take advantage of two-factor authentication. Wherever possible, control access to the device itself plus the data stored on it by using a password plus another form of verification, such as a text message code.
- Conduct regular audits of your mobile fleet. This consists of tracking the number of devices your business owns, categorizing their use, and making sure software updates are performed on time. You could also create a survey for employees to fill out about their use of company mobile devices. For example, a person who travels a lot may frequently use public Wi-Fi, which is especially susceptible to eavesdropping and attack, so that employee might need extra layers of security on their laptop. Mobile Device Management (MDM) software can help you manage and protect your mobile fleet.
- Limit the usage of company-owned mobile devices to work-only applications. Employees might like to use one phone for both business and personal needs, but downloading non-business apps onto a business mobile device poses cybersecurity risks.
Creating Internal Security Standards and Practices
Along with mandatory training, the most important thing you can do to get your employees on board with cybersecurity best practices is to create a risk-mitigation plan for the company. Here’s what that could consist of, with links to examples of each:
- An Acceptable Use Policy that outlines rules and best practices for using the company’s IT resources such as the internal network and the Internet.
- An Access Control Policy establishes standards for employees’ access to the company’s data and information systems. It can also provide guidelines for password complexity, workstation security, and the procedure for removing access when someone leaves the company.
- A Remote Access Policy to dictate how employees connect to the company network from off-site locations.
- An email/communication policy oversees employee use of email, chat technologies, and even blogs and social media.
Recognizing Trustworthy Download Sources Online
“Phishing” attacks consist of email and social media messages that masquerade as legitimate communication from an individual or a business you may be familiar with, such as your bank or cable company. They often include malicious links or requests for your account and login information.
As cybercriminals become more sophisticated in their scams, every employee must be vigilant in recognizing and avoiding phishing attacks. HR and Finance department employees are particularly vulnerable to phishing attacks because they control sensitive information such as employee W-2s, company bank accounts, and more.
Reporting Scams & Fraud
If you find yourself the victim of digital fraud, you should contact your local police department as well as Colorado’s Office of the Attorney General. The Attorney General’s web page on Digital Fraud has educational resources and contact information. You can also sign up for fraud alerts.
If the cyber-attack compromised financial information, you’ll also want to contact your bank and any other financial institutions you have accounts with right away. At PB&T Bank, we are committed to protecting our customers from potential risk and fraud. If a breach occurs, we’ll work with you to resolve the problem as quickly and easily as possible. Take a look at our Internet Banking Awareness and Education page for additional resources. You can also contact us with any questions.