Small business owner, you’re not paranoid—everyone really does seem to be out to get you, judging by recent cybercrime reports.
According to the U.S. Secret Service and Verizon’s forensic analysis unit, in 2009 27 percent of corporate-data breaches involved companies with 100 employees or fewer. In 2010, their analysis put that figure at 63 percent. The most recent data, for 2012, found that a whopping 85 percent of all data breaches targeted small companies, with some 96 percent of those hacks deemed to be “not highly difficult.” Small businesses’ computers are so enticing to criminals that they’re now a go-to crime target. In fact, law-enforcement experts recently told the Wall Street Journal that the number of U.S. bank robberies has decreased as thieves have moved on to easier prospects, like hacking into small companies’ financial networks.
In part, this growing number of breaches at small businesses is a result of criminals discovering that many have very weak security due to limited budgets and small or no technical staff. The cost of all of this cybercrime has been hard to measure—many victims are unaware that they’ve been breached. Security software maker Symantec pegged it at $388 billion worldwide in 2011, though those figures have faced scrutiny.
What can you do to start making your enterprise a harder target? Here are some of the easier steps that experts say you can implement to make your office’s technology a tougher nut to crack.
1. Watch your point of sale systems. In the Verizon report, food, beverage, and hospitality businesses sustained more than half of all the reported attacks in 2012. The reason: Hackers around the world have been finding IP addresses that stem from remote credit-card readers and determined that many have easy-to-crack passwords. With numerous staffers needing such codes to process payments, passwords are often written right on the machines—so that even passing customers can see them. Once cracked, POS terminals have been used to steal customers’ credit card information and resell it on the black market. (The Verizon team was so alarmed, they made a clip-and-save note that customers can hand to waitstaff with their cards—Page 62 of the PDF.) Be sure to reset the password after installation on all of your Internet-facing devices, change them frequently, and never use them to browse the Web.
2. Be smart about WiFi. At the office, stop broadcasting your WiFi network ID and protect it with a strong password. This will make the network more difficult for bad guys to spot and can even help keep them out if they find it. Companies that have guests can invest in affordable dual-network routers and create a separate guest network. If you’re on the road and have to use public WiFi, like at Starbucks, McDonald’s, or a public library where it’s impossible to control the network, consider using a VPN to secure the connection between your computer and the office.
3. Erase your photocopy machine’s memory. Now this is scary. If you lease a photocopier, multipurpose fax/scan/copy combo, or just bought your own, it turns out that these machines have quite a memory—since the early 2000s, everything printed gets stored on the hard drive of photocopy machines. (Watch this CBS News investigation.) If you’re leasing and switch one out for an upgrade, you should know that many of these multi-function peripherals (as they’re known) are often resold overseas, containing a log of every document you ever printed, faxed, or copied. Even if it is scrapped, you can still pull out the hard drive and download all information within, which could include Social Security numbers, medical information, employee records, and who knows what else. Consider (again!) strong passwords for users, securing network access to the machines, and keeping the hard drive from copiers you’re trashing.
4. Shred everything.
5. Install security software on everything and update regularly. It’s not just PCs and laptops that you need to worry about: Tablet computers and smartphones also need protection. (Forget the myth that Macs are safe from being compromised.) Deploy antivirus software on all of your devices and ensure that everything, servers included, is configured to automatically check for updates daily and keep definitions current. And sign up for the FBI’s email alerts about new online scams to stay informed.
6. Know who you’re dealing with. Got a service person working inside your business or near your technology? Be sure to make a copy of their credentials, get their photo, and don’t hesitate to verify their identity with their company. Establish a sign-in process for visitors who need access to secure areas (e.g. computer equipment rooms), keep a trusted escort with them, and, sad to say, watch out for impersonators of authority figures. Never allow customers to use your computers, laptops, tablets, or cellphones.
7. Argh, those passwords. Change them once a month, don’t repeat them, and individualize them for each machine. Strong passwords have upper and lowercase letters, numbers and punctuation marks, and don’t use common names, dictionary words, your children’s or pet’s names—or anything easily discovered in a Facebook profile. Think about two-step authentication, which turns a text message to your phone into a verification-code token.
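As an added example (not from the article), the following Python checks a proposed password against the rules in item 7: mixed case, digits, punctuation, no dictionary words or names that could be found on a social-media profile, and no reuse of a password already set on another machine. The word list and the personal names are constructed samples; the fixed site salt in `fingerprint` is an assumption made so that reuse can be detected.

```python
import hashlib
import re
import string

# Constructed samples; a real deployment would load a full word list and the
# names actually found on the business's public profiles.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}
PERSONAL_TOKENS = {"rover", "emma", "liam", "acme"}  # pet, children, company


def policy_violations(password, personal=PERSONAL_TOKENS, words=COMMON_WORDS,
                      min_length=12):
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation mark")
    # Strip digits and punctuation so "Rover2014!" is still caught as a pet name.
    letters = re.sub(r"[^a-z]", "", password.lower())
    problems += [f"contains personal token '{t}'" for t in sorted(personal) if t in letters]
    problems += [f"contains dictionary word '{w}'" for w in sorted(words) if w in letters]
    return problems


def fingerprint(password, site_salt=b"constructed-site-salt"):
    """Deterministic PBKDF2 fingerprint so the same password always maps to the same
    value. The fixed salt is deliberate (reuse cannot be spotted otherwise), so the
    fingerprint store must be protected as carefully as the passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), site_salt, 100_000).hex()


def reused_on(password, history):
    """Return the machines whose recorded fingerprints include this password.
    history maps machine name -> set of fingerprints previously set on it."""
    fp = fingerprint(password)
    return sorted(machine for machine, fps in history.items() if fp in fps)


if __name__ == "__main__":
    history = {"pos-terminal-1": {fingerprint("Emma&Rover2012")},
               "office-wifi": {fingerprint("Tr4ffic-Cone!Jumps")}}
    for pw in ["Emma&Rover2012", "Tr4ffic-Cone!Jumps", "Gr33n*Kettle^Rows"]:
        print(pw, policy_violations(pw), reused_on(pw, history))
```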