Small and Medium Business Security Guide

80% of cyber attacks are caused by weak or easy-to-guess passwords

43% of cyber attacks target small and medium businesses

59% of companies shut down every month due to IT security issues

Your business must remain your business

Every day we take action to protect ourselves and our business: every year we make sure we have health insurance, home insurance, car insurance, and insurance for our business.

Just as we take those steps every day, we should also protect the information stored on the company's servers, laptops, and phones, which is exposed to the online environment.
We've created this guide to provide you with basic information about securing your digital information and best practices to protect your business and your employees from cyber attacks so that your business remains yours.

Privacy

Keep your friends close, and your digital information just as close
Take the protection of your business seriously - don't divulge passwords, and don't keep information about your business or customers on devices that are not company-owned.
By the nature of their position and their decision-making power over the company and its employees, managers hold more privileged access than other employees.

Avoid installing applications on computers that give standard users the same privileges as administrators. Additionally, for each application that has access to confidential information, the username and password should be different. If you use Microsoft accounts to sign in to more than one device, we suggest enabling a second authentication factor on a mobile phone, or a secondary password known only to your employees.

Digital information stored on servers, computers, or mobile devices is just as important as physical information on paper. Be very careful about which employees have access to these resources and, especially, what rights they have over them. Restricting access reduces the risk of that information being deleted, infected or disclosed to third parties.
Take responsibility for informing employees and business partners about the confidentiality of information and the restrictions on including it in contracts, email correspondence or any other digital communication. Empower your employees by training them on the security and privacy of digital information within the company.

Passwords

Sunscreen protects us from the sun, passwords protect our digital information
We know very well that protecting ourselves from the sun is essential. You should apply the same rule when it comes to protecting digital information online.
If you own a business, it's important to educate your employees about securing the information inside computers, tablets, and mobile devices. Using a separate, complex password for each device is the equivalent of using sunscreen.

Simply put, passwords should be a complex string that is difficult to guess and of considerable length, preferably over 15 characters.
Passwords help us protect our digital information and prevent access to documents by third parties such as hackers or organizations that seek to sell this information to your competitors. Passwords should be used together with a second authentication factor, such as a code on a mobile phone, to ensure that information is accessed by us and not by hackers impersonating us.
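As an added illustration that is not part of this guide, the following Go program checks a candidate password against the rule above: more than 15 characters and a complex mix of characters. The list of known weak passwords, the requirement for at least three character classes, and the rule against containing the user's or the company's name are assumptions made for the example, not requirements stated in the guide.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// knownWeak is a constructed stand-in for a breached-password list; a real
// check would load a large list of leaked passwords instead.
var knownWeak = map[string]bool{
	"password": true,
	"123456":   true,
	"qwerty":   true,
	"welcome1": true,
	"letmein":  true,
}

// PolicyResult lists every reason a candidate password fails the policy.
type PolicyResult struct {
	OK      bool
	Reasons []string
}

// CheckPassword applies the guide's rule (over 15 characters, complex) plus
// three assumed rules: at least three character classes, not a known weak
// password, and not containing the account holder's or company's name.
func CheckPassword(pw, username, company string) PolicyResult {
	const minLen = 16 // "over 15 characters"
	var reasons []string

	if n := len([]rune(pw)); n < minLen {
		reasons = append(reasons, fmt.Sprintf("too short: %d characters, need at least %d", n, minLen))
	}

	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	classes := 0
	for _, present := range []bool{lower, upper, digit, symbol} {
		if present {
			classes++
		}
	}
	if classes < 3 {
		reasons = append(reasons, "needs at least three of: lowercase, uppercase, digits, symbols")
	}

	lp := strings.ToLower(pw)
	if knownWeak[lp] {
		reasons = append(reasons, "appears in the known-weak password list")
	}
	for _, word := range []string{username, company} {
		if word != "" && strings.Contains(lp, strings.ToLower(word)) {
			reasons = append(reasons, fmt.Sprintf("contains %q", word))
		}
	}

	return PolicyResult{OK: len(reasons) == 0, Reasons: reasons}
}

func main() {
	// Constructed candidates: one too short, one containing the company name,
	// one that satisfies every rule.
	for _, pw := range []string{"Summer2024!", "Acme!Corp!2024!!!", "correct-horse-battery-staple-9"} {
		r := CheckPassword(pw, "jdoe", "Acme")
		fmt.Printf("%-32q ok=%-5v %v\n", pw, r.OK, r.Reasons)
	}
}
```

Length is measured in runes so that non-ASCII characters count once each; the check deliberately reports every failing rule rather than stopping at the first, so a user can fix all of them at once.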

Since passwords can be stolen by hackers quite easily, make sure that inside the company you have solid antivirus and firewall solutions that can identify malware, spyware or ransomware.

Awareness

Be vigilant at every step

Just as you keep up with the daily news, so should your employees keep up with the ways to protect the information and identity of your business partners.

Being smart in the digital world means being aware of the risks you and your employees, co-workers, business partners, family and friends face.
Being aware of the dangers of the digital world also means talking to your company's IT team. At the end of this article you will find some questions that you can ask the team or company responsible for your infrastructure.
Awareness also means being vigilant about the messages received and here we refer to:

  • phishing emails or text messages asking you to enter your username and password on sites that look legitimate but are just faithful clones of the original sites, the ultimate goal being to extract sensitive information about the online accounts you own
  • emails and spam messages that offer you fake promotions or ask you for various financial statements related to your company and that appear to come from the finance and accounting department or from the company's CEO.

We suggest that you always be vigilant about emails you receive, and about phone calls offering promotions or discounts for services you did not request. Always check by phone with the right person whether a request for financial information really came from them and is not an attempt at fraud.
If you later realize that you have provided a username, password, or financial information, contact your organization's IT department immediately, change your password on all devices, and alert your bank if you have used or disclosed company credit card information.

Another tip: when browsing the internet, make sure that there is a padlock next to the loaded web address. If you click on that padlock, you will see that the web address you accessed is secured and verified by an internationally recognized entity.

Also, when opening web pages from links in your email, make sure that the web address does not contain additional characters, and preferably avoid this method altogether: open sites by manually typing the page name.
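The two link checks above (the padlock, and a web address without additional characters) can be automated. The following Go program is an added example, not code from this guide: it parses a link the way a careful user should read it, requiring https, refusing addresses that hide the real host behind an "@", and accepting only the trusted domain or its genuine subdomains, while reporting anything that merely contains or resembles a trusted name as a lookalike. The trusted list, the test addresses (reserved example and documentation names only) and the edit-distance threshold of two characters are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// LinkVerdict is the result of checking a link before it is opened.
type LinkVerdict struct {
	Safe   bool
	Reason string
}

func smallest(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// editDistance is the Levenshtein distance, used to spot domains that differ
// from a trusted one by only a character or two (e.g. a digit for a letter).
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = smallest(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// CheckLink verifies a link against a list of trusted domains (assumed to be
// maintained by the company) before it is opened.
func CheckLink(raw string, trusted []string) LinkVerdict {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return LinkVerdict{false, "cannot parse the address"}
	}
	if u.User != nil {
		// "name@host" puts the real host after the '@'; the part before it is ignored by the browser.
		return LinkVerdict{false, "address contains '@': the real host is " + u.Hostname()}
	}
	if u.Scheme != "https" {
		return LinkVerdict{false, "not https: no padlock"}
	}
	host := strings.ToLower(u.Hostname())
	for _, d := range trusted {
		d = strings.ToLower(d)
		if host == d || strings.HasSuffix(host, "."+d) {
			return LinkVerdict{true, "host is " + d + " or a subdomain of it"}
		}
	}
	// Not trusted: explain which trick the address resembles, if any.
	labels := strings.Split(host, ".")
	registered := host
	if len(labels) > 2 {
		registered = strings.Join(labels[len(labels)-2:], ".")
	}
	for _, d := range trusted {
		d = strings.ToLower(d)
		if strings.Contains(host, d) {
			return LinkVerdict{false, "lookalike: " + d + " is embedded in another domain (" + host + ")"}
		}
		if editDistance(registered, d) <= 2 {
			return LinkVerdict{false, "lookalike: " + registered + " differs from " + d + " by a few characters"}
		}
	}
	return LinkVerdict{false, "host " + host + " is not in the trusted list"}
}

func main() {
	trusted := []string{"example.com"} // constructed trusted list
	for _, link := range []string{
		"https://www.example.com/login",
		"http://www.example.com/login",
		"https://www.example.com.login-verify.test/",
		"https://examp1e.com/",
		"https://example.com@198.51.100.7/",
	} {
		v := CheckLink(link, trusted)
		fmt.Printf("%-45s safe=%-5v %s\n", link, v.Safe, v.Reason)
	}
}
```

The suffix check uses "."+domain rather than a bare substring match so that a trusted name appearing in the middle of a longer host is treated as a lookalike rather than as a subdomain.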

Securing the data network and equipment

Always secure your devices when walking away from them
Just as you make sure your home or office is protected from outside pests, so should your company's systems be. Invest in antivirus and firewall solutions that are updated every day, and make sure that your company's operating systems receive regular security patches.

Did you know that today's mobile devices and tablets have access to sensitive information within your organization? Make sure that these devices are protected by a PIN, and if they are company-owned, make sure that they are protected by antivirus and VPN solutions whenever they access the Internet through Wi-Fi at airports, cafes, etc.

Educate your staff about devices attached to company laptops, especially USB sticks, which may carry viruses or malware that can encrypt the information on those laptops.
Educate employees not to lend the company's laptops or other devices to family members, because family members can easily infect these devices through the nature of their activities.

It is preferable to use specialized companies to secure your data network and to set up automatic procedures for server backups, password security, databases, etc.

Backup

Make sure all critical systems have a backup

As I said at the beginning of this article, we insure our car, house, and high-value goods every year, but how many of you protect the digital information stored on the company's servers?
When we refer to backing up our business, we mean backing up financial documents such as invoices or balance sheets, e-mail, documents stored on the data server, the database, or even the whole company website.

With these backups you can avoid the damage caused by unpleasant situations such as cyber attacks, failed server storage disks, data deleted by mistake or by a malicious employee, etc.

One last piece of advice regarding the systems that hold these backups: keep copies both on offline physical media and in the cloud, secured with an encryption cipher of at least 256 bits.
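The following Go program is an added example, not part of this guide, of what "secured by an encryption cipher of at least 256 bits" looks like in practice. Backups are sealed with AES-256-GCM from Go's standard library, so a copy corrupted or altered in storage is rejected on restore instead of being restored as garbage, and the fingerprint of the offline copy can be compared with the cloud copy without decrypting either. The sample backup content is constructed; where the key is stored is an assumption left to the reader.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewBackupKey generates a random 256-bit key. Keep it in a password manager
// or key management service, separately from both backup copies: a copy and
// its key stored together protect nothing.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = 256 bits, which selects AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (256 bits)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals the backup with AES-256-GCM. The output is
// nonce || ciphertext || authentication tag, so any change to the stored
// copy is detected on restore.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup reverses EncryptBackup and fails if the key is wrong or the
// blob was modified by even one bit.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("backup blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Fingerprint is the SHA-256 of a stored copy. Comparing the fingerprint of
// the offline copy with that of the cloud copy confirms they are identical
// without decrypting either one.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample standing in for a real backup archive.
	original := []byte("invoice-0001.pdf,balance-sheet-2024.xlsx,customers.db")
	blob, err := EncryptBackup(key, original)
	if err != nil {
		panic(err)
	}
	offlineCopy := append([]byte(nil), blob...) // written to offline media
	cloudCopy := append([]byte(nil), blob...)   // uploaded to the cloud
	fmt.Println("copies match:", Fingerprint(offlineCopy) == Fingerprint(cloudCopy))

	// Restore test: the only real proof that a backup is usable.
	restored, err := DecryptBackup(key, cloudCopy)
	fmt.Printf("restore ok: %v, data intact: %v\n", err == nil, string(restored) == string(original))

	// A copy damaged in storage is refused instead of restoring garbage.
	cloudCopy[len(cloudCopy)-1] ^= 0x01
	_, err = DecryptBackup(key, cloudCopy)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

GCM is chosen over a bare block mode because it authenticates the ciphertext: a backup that decrypts without error is known to be exactly what was written. A fresh random nonce per backup is required; reusing a nonce with the same key breaks the scheme.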

The most common cyber attacks

Adware

Software installed on a computer that displays advertisements or other messages promoting the purchase of goods or services.

Spyware

Software installed on your computer that extracts private information without the user's consent.

Virus

Malware programmed to infect computers and spread itself. Viruses can cause malfunctions in computer programs.

Scam

Procedures by which users are tricked into providing private information to third parties via email or phone calls.

Malicious Software (Malware)

A general term for applications that aim to encrypt data, infect the computer with viruses, or install trojans or spyware.

Worm

Viruses that replicate without user intervention and remain resident in active memory.

Ransomware

Software that encrypts all the information on your computer's hard drive and then displays a message directing you to pay to have it decrypted.

Phishing (email/website)

Emails aimed at installing malware, performing banking operations, or extracting private information that will later be used to access the company's internal resources.

Trojan Horse

Hidden code inside the source code of programs or files that seem legitimate, which installs malware when they are run.

Cryptolocker

A particular ransomware that, once installed on your computer, encrypts and blocks access to all files stored on your hard drive. A message is then displayed demanding payment for the code that can decrypt those files. Note that paying does not guarantee that the decryption code will be provided.

Keylogger

A program installed on your computer that records and then sends to an e-mail address a log file with all the messages, passwords, and characters you typed on your keyboard.

SPAM

Unsolicited emails. Most SPAM emails include ads, messages that describe easy ways to get rich, or that you've won a particular prize or item. As a general rule, if that message sounds too good to be true, then that message is false.

Scareware

Malware that displays messages claiming your computer is infected and demanding money to remove the supposed viruses.

Man In The Middle

An attacker who inserts themselves into the communication between two or more parties in order to alter or redirect data traffic to themselves and steal private information.

Drive-by Download

A process by which a computer becomes infected by simply accessing a site that is already infected with malware.

Zombie or Bot

An infected computer, called a zombie or bot, that is remotely controlled without your consent or used in DoS or DDoS attacks.

Watering Hole

Malware placed on legitimate sites that tries to compromise the computers of the people who visit those sites.

Catfish

People who create fake profiles and try to lure others into romantic relationships, the ultimate goal being to steal money or other financial assets.

We hope the information in this article has been helpful to you. If you have questions or projects, or would like a detailed discussion about how to protect yourself from outside cyber attacks, you can reach us using the contact form.
