The Internet allows businesses of any size to work and reach markets around the world. Unfortunately, this potential for increased productivity and profitability is tempered by the security risks that the Internet presents. The fact is that cybersecurity must be a part of any business plan going forward. This is meant to be a quick guide to help small businesses begin to secure their data, although some of these steps may require the assistance of a team of trained IT professionals.
Cybersecurity and data privacy are important for everyone
Data leaks have become more and more common, and not just tech companies have been affected. Plenty of more traditional companies, such as Mariott, have suffered massive leaks. Not only do these leaks erode consumer confidence, but they are beginning to incur financial penalties and regulations under the GDPR. While certain exceptions are made for small businesses in the GDPR, putting good cybersecurity and data protection practices in place will reduce your exposure.
As profit-seeking entities and organizations with a responsibility to society, small businesses must work to protect the data their customers have entrusted them with.
Learn more: GDPR checklist
Understanding your threat model
A threat model is a method of evaluating security and privacy risks in order to mitigate them strategically. Different kinds of organizations will have different kinds of threats and vulnerabilities. You can use it to determine your business’s own cybersecurity priorities. Start by answering the following questions:
- What kind of data do you process in your business?
- How is that data handled and protected?
- Who has access to that data and under what circumstances?
Answering these three questions will help you know exactly what data you have, where you keep them, and who has access rights to them. Drawing a diagram to visualize these relationships can be very helpful as well. For instance, perhaps you have data securely stored on a local, encrypted server, but then you realize that as the data travels over your business’s network that it is not encrypted, or that too many people have unnecessary access. Creating a threat model will help you identify where the data are vulnerable to hacks and leaks.
Now that you know the data you need to safeguard and where the potential weak points are, you can start to put processes in place to protect it.
Protect your network from cyber attacks
Your network is where your business’s data lives. It must be secured if you are going to protect your customers’ data, even if it requires technical assistance from professionals. To get started, you must identify all the devices and connections on your network, set boundaries between your company’s systems and outside systems, and create controls that ensure that any unauthorized access to your network can be stopped or contained.
Another vital part of protecting your network is maintaining the software of connected devices. You can help prevent attackers from installing malware on your company’s devices by keeping your apps and operating systems up to date. Software updates often include security patches for recently discovered vulnerabilities. You should also use anti-virus software.
Passwords and authentication
Passwords are the first line of defense on your all your company accounts. Make sure that everyone in your company uses strong, unique passwords to secure their accounts and devices. A password manager can help your employees generate and store passwords so that they don’t have to write them down.
The second line of defense is two-factor authentication (2FA). This is a way to secure accounts with a second piece of information, usually something you have with you on your person, like a code created on an authenticator app or fob.
Tell your employees to avoid using public computers to access their company accounts because keyloggers can record and steal the login information and compromise their account. If your employees absolutely must use a public computer, tell them to be sure they log out of their account afterwards.
Many services (such as ProtonMail and ProtonVPN) allow you to see when and from what IP address an account has been accessed and log out of other sessions remotely.
Create a mobile device action plan
Mobile devices present significant security challenges as they can hold confidential information or access your corporate network and also be easily stolen or lost. Your cybersecurity plan should anticipate these eventualities. So it’s essential to have your employees use strong passwords to protect their devices and make sure they encrypt their data. There are apps that allow you to wipe, locate, and potentially identify the thief if a device is stolen. Also be sure to set up a procedure for reporting lost or stolen equipment.
Practice email security
Email has become the primary way of handling a business’s communications, from internal management to customer support. It is also one of the easiest ways for hackers to get into your company’s database. It is crucial you train your employees to be alert for phishing attacks, in which the attacker tries to trick you into clicking on a link, downloading an attachment, or giving up sensitive information (such as entering your username and password into a spoofed webpage).
Use encryption as much as possible
Encryption is the process of converting readable information into an unreadable string of characters. Without encryption, anyone monitoring the Internet could see all the data being transmitted, from credit cards to chat messages. The vast majority of online services use some form of encryption to protect the data traveling to and from their servers. You should encrypt any data that your company considers sensitive.
However, only a few tech companies encrypt your information in such a way that even the company cannot decrypt it. This kind of encryption is called end-to-end encryption (E2EE). Often, there is an E2EE alternative to less private services. For example, ProtonMail is a private alternative to Gmail — and is HIPAA compliant. Instead of Google Drive, which can access your files, your company could use Tresorit. For notes, Standard Notes is one E2EE option. These services prevent anyone but the owner (and in ProtonMail’s case, the receiver of the email) from decrypting the file and accessing the data.
For instant messaging, there are a number of options —
Train your employees and manage access
None of these steps will have any effect unless the employees of your company correctly implement them. Establishing clear, useful guidelines that also detail penalties for violating the company policy is crucial for any cybersecurity plan. All employees should be well versed in standard phishing attacks, strong password best practices, encrypted services, and whom they should contact if they encounter a problem.
To minimize risk, no one employee should have access to all your company’s data systems. They should only have access to the specific data they need to perform their jobs, and administrative privileges, like installing new software, should only be given to trusted, key personnel.
Developing these systems and training your staff on them will be time-intensive, but your employees are your first and last line of defense against data leaks. Now that the GDPR has been implemented, businesses have had to be more forthcoming about data breaches, and the reports have shown human error to be the cause of more data leaks than malicious attacks.
We hope this guide helps you to establish a cybersecurity plan for your business. For businesses interested in a more thorough resource, the Federal Communications Commission has issued a Cyber Security Planning Guide which will cover much of the same ground in greater detail.
At ProtonMail, we believe that security and privacy are everyone’s responsibility. By following these guidelines and by using security-focused services, you can significantly improve your cybersecurity.
The ProtonMail Team
You can get a free secure email account from ProtonMail.
We also provide a free VPN service to protect your privacy.