What are some of the most common mistakes small business owners make regarding cyber security?

The landscape of information security is no longer a teenage hacker sitting in a dark basement. Nation states and organized crime hire highly trained, competent hackers to look for unprotected machines and infrastructure worldwide. Information is valuable. A complete set of personal information sells for $75 to $500 per individual. Hundreds of thousands of these transactions occur every year, equating to big business for cybercriminals. Even if your organization is not a target for data theft, hackers will hijack technology resources such as processors, storage, RAM, and bandwidth, to perpetuate attacks against other targets, dragging your IT resources to a crawl. Small business is not immune, and an effective defense involves a layered approach. Common mistakes include:

• Believing a firewall and anti-virus are enough.
• Neglecting updates on equipment and software. Patching mitigates a tremendous amount of risk and should include all end-user operating systems, server operating systems, manufacturer firmware for all networking equipment and monetary transaction equipment.
• Password management. Do not leave default passwords in place. Do not use the same password for everything. Change passwords at least twice per year. Create strong passwords with at least eight characters upper and lower case, numbers, and special symbols. Do not use dictionary words. A tip for creating and remembering strong passwords is to use the first letter of words in favorite sayings, quotes, song lyrics, verses and add numbers or symbols.
• Connecting IoT devices to the same network as computers and mobile devices. Smart devices (also known as IoT or Internet of things) devices are experiencing a huge growth. These devices are always connected to the internet and often have very little security. A hacked IoT device can easily become a jumping point for the hacker to access the rest of your network. Do not put IoT devices on the same network as your computers and other systems that contain critical business information.
• Lack of awareness. Annual information security training for small business owners and employees can help mitigate the risks associated with social engineering attacks. An example of a social engineering attack is someone who calls and poses as a manufacturer representative or system user asking for passwords.
• Having the same people do IT and security. An information security professional outside the organization is more likely to provide objective, unbiased recommendations. One of the worst mistakes an organization can make is to add security to an information technology professional’s to-do list. An instant conflict of interest arises.
• Neglecting to hire someone to perform an annual penetration test. An annual penetration test by a Certified Ethical Hacker (CEH) or Certified Information Systems Security Professional (CISSP) details vulnerabilities. Annual tests can help a business save money in the long run by allowing a business to leverage the information to prioritize purchases and action items for security.

How do I keep viruses and hackers out?

Keep software and equipment updated, implement security awareness training for all employees, and have strong password policies. Hire a qualified information security professional to objectively assess the network, develop a security plan, and conduct annual penetration tests.

How to protect yourself against ransomware attacks?

In a ransomware attack hackers gain access to your computers, encrypt critical business data (in reality they encrypt all the data they find on infected computer, hoping some of this data is critical to your business) and demand a payment for decrypting your data. Follow these guidelines to help protect yourself.

• Use a backup service that continually backs up your files when they are changed, yet keeps track of the previous versions of all files.
• Pay attention to how long it would take to recover your data from a backup if you needed to. It is not enough to have a backup. You need to be able to get your data back quickly enough to resume your business operation.
• Maintain a high level of cyber security. Update software and firmware, use a strong password management policy, educate your staff, perform annual penetration testing.

What are Denial of Service attacks, and how can small business owners protect against these type of attacks?

A distributed denial of service otherwise known as DDoS is a malware attack directed at online services which aim is to overwhelm it with traffic from multiple sources and make it unavailable. These attacks are increasing in their number and size.

In September 2016 OVH, a French hosting provider, was attacked by hacked IoT devices using malicious code called Mirai. It was the first 1 Tbps attack in history. The problem lied in IoT data security which most companies push aside when creating their devices. Who could ever think that a smart thermostat could be used to attack websites or even huge hosting companies.

If you are responsible for cybersecurity in your company, you should know how botnets such as Mirai work. Here are few tips on how to straighten your network against DDoS attacks:

• Your should have extra hardware to switch to in case of attack.
• Install an automatic DDoS reduction system that will split all traffic and filter all requests from bots and compromised devices.
• Keep the most important data on premises. Storing everything in the Cloud could lead to losing the access to your data during DDoS attacks. Imagine loosing access to your data for days. For this reason many businessmen prefer to sync Android with Outlook business account using Cloudless syncing software like AkrutoSync.

What should small business owners know about being HIPAA compliant?

There are technical and nontechnical requirements for HIPAA. Read them carefully and hire a qualified information security professional for the technical part. Consider HIPAA a minimum requirement imposed by the federal government. By considering security an ongoing process, professionals automatically address compliance and account for changes within the regulatory framework.

What type of cyber security policies business owners implement for their staff?

A business loses a critical layer of defense when skimping on policy. At a minimum, policy should include:

• Annual security awareness training. Every employee is the first line of defense against social engineering attacks. Attackers will find the easiest way in and it may not be through the network.
• A process to remove credentials for former employees. Disgruntled former employees are a threat to the organization.
• Strong passwords.
• Mandatory patching of all equipment and software.
• Annual penetration testing which includes social engineering.

Secure handling of documents, especially anything with passwords or encryptions.