We often talk with small business owners who know they aren’t spending enough time and effort on Cybersecurity, but it’s simply not a top business priority. We get it. Before your business is in high growth mode, you are focused on sales and delivery, and you are far off from hiring an IT expert to manage your digital footprint.
At the same time, most of these leaders know they need to do something that goes beyond the basics like anti-malware and firewalls. Where does one start to get a good footing and assure themselves they have done more than 80% of other companies their size? Trust us, you do want to get in the top 20% because the bad guys are going for the easier target.
Here are the top 5 projects you can kick off in short order that are your biggest bang for your buck.
1. Password Managers and Multi-factor Authentication
By far the biggest gap we see is the lack of a password manager. We all know your employees, management, vendors, and customers are reusing the same passwords across accounts. This is the biggest risk in information security by far.
Let’s be clear, good security policies are not in direct conflict with office productivity. In fact, a good security practice should actually improve your efficiency. In this case, using a password manager can save you a huge amount of time (and direct costs) by simply reducing typing passwords and the inevitable issue of forgetting your passwords and going through the pain of resetting.
Using a good multi-user password manager also means that you can share accounts with vendors and customers and turn off access immediately when the relationship has ended. Two of the best are LastPass and 1Password.
One last thing on this topic, you will be forced by major technology and finance providers to use multi-factor authentication soon, so you might as well turn it on when you have free time. You don’t want to be forced when you try to login to your bank to perform a time-critical transaction.
2. Web Site Security
If you still have the web developer down the street hosting your web page in his basement or GoDaddy is hosting because that’s where you registered your domain, it’s time to move.
Old web servers or WordPress versions that are rarely updated WILL be hacked if it’s not already owned. There is nothing more embarrassing than finding out you were compromised and your site was defaced after that coffee with your new prospect. Of course, the worst-case scenario is customer data was leaked and you don’t even know. This one attack could bite you, not tomorrow, but months or years from now. Your online reputation is critical.
Migrating to a provider that forces security updates or manages them in the backend is an absolute must. Most can get away with Wix or Squarespace, or if you need more customization, leverage a top tier WordPress provider like WPEngine. If you are using WordPress, implementing Wordfence and/or Cloudflare is also a good idea to block the tons of hackers looking for easy prey.
3. Security Awareness Training
Accidentally or not, employees represent the single most important point of failure in terms of actual security breaches. Similar to updating hardware or operating systems, you need to consistently update employees with the latest security risks and train them on how to recognize and avoid them.
There are a ton of free tools out there to easily perform this training. One of the bigger ones is KnowBe4. You can send out lessons via email for phishing, password management, social media attacks, and many others. Then you can roll up the results, know who your weak links are, and ensure they spend more time practicing good security hygiene.
4. Cloud-Based Email and Identity Management
If your email provider is Rackspace or an on-premises Exchange server, you have a huge gap in your environment. There are really only two viable options for your business today: Microsoft Office 365 or Google’s G Suite.
Let’s not forget, availability of business-critical applications is a key part of Cybersecurity. Running a complex email platform is not trivial and it should not be trusted to those that consider it a side business.
Identity management (standard company user accounts) is also an important part of your security posture, and these providers bring it to the table. You need to be able to easily and quickly turn off accounts when needed, and these two email providers can also be your Single Sign-on solution. G Suite has a leg up here since most cloud apps allow seamless account creation with your Google business account.
5. Customer Privacy Compliance
Where is your customer data? A spreadsheet on your employee’s laptop, your marketing tool, Quickbooks, and/or Dropbox? Probably all four and more. We know you want to be a good steward of this PII (personally identifiable information) because it’s simply good business, but you may also have legal obligations to worry about. If not now, they’re around the corner. GDPR requires technology and operational changes to protect data if you have customers in Europe. Starting on January 1st, 2020, if you have customers in California you have many of the same requirements under the California Consumer Privacy Act (CCPA). Multiple states are also introducing similar legislation along the same lines. It’s best to chat with an expert soon to see what changes you need to make to how you secure and share customer data.