November 8th, 2018
BIG cyber security best practices for small and medium-sized businesses.
Three truths and a lie, SMB (small to medium-sized business) edition: We’re modern, we’re fun, we’re not Cambridge Analytica and we don’t need IT support. We’re going to cut to the chase and just give you the answer—the lie is that SMBs don’t need IT support. However, we do understand why a lot of SMBs have that mindset. Traditional IT is expensive and, frankly, the traditional IT managed service provider isn’t that effective when it comes to being proactive about cyber security—but these are not an SMB’s only options when it comes to sustainable IT support. A lot of the time, you can keep your business and data secure by implementing some cyber security best practices. The rest of the time, you can rely on Electric.
Cyber security is a very large umbrella—we’re, like, pretty sure it’s the umbrella Rihanna was referring to in that one song, you know, that song. Some elements of cyber security involve expensive software and/or hardware updates, while others can take weeks to implement. So, whether you’re working on implementing intensive cyber security standards or you are just looking for some quick implementations you can make, check out our list of cyber security best practices—before you even ask, this is an exact list we have sent to our paying customers and now we’re giving it to you at the once-in-a-lifetime price of ~free~.
Do:
Keep your operating system up to date: Aside from releasing new features, OS updates often include security updates and/or security patches.
Keep applications up to date: As with OS updates, application and subscription updates typically include security fixes.
Use Anti-Virus & malware protection: Just be sure not to download them from an internet ad.
Don’t:
Plug in unverified USB drives: In the same vein as downloading sketchy malware protection, plugging a random USB drive into your device could result in a virus, or worse, a security breach.
Install software without IT approval: A good rule of thumb is to get IT approval before downloading a new application or piece of software, because they may already have it (which will make your life easier) or they may advise you against it.
Do:
Use Anti-Virus & malware protection recommended by your IT provider: The key part of this ‘Do’ is ‘recommended by your IT provider.’
Don’t:
Click on suspicious email links: Phishing could have your device swimming with the fishes (dad joke). But seriously, phishing emails can prompt you to reveal sensitive information about yourself or your company under the guise of a real organization—just don’t be that person. In addition to phishing, suspicious links can also include viruses that will not only ruin your day, but sacrifice your company security.
Download applications from the internet: You’ve probably seen a similar warning from your computer any time you’ve downloaded an application from the internet and tried to open it. This warning message pops up regardless of the application; it even happens when you download Google Chrome for the first time. That being said, it is up to you or your IT team to do some due diligence when downloading an application from the internet.
Do:
Use complex passwords including numbers & symbols: There is some merit behind the default WiFi password your ISP gives you—even if it does take you five minutes to type it in. Note: we recommend changing your default password as well.
Use a password manager (e.g. 1Password): Tools like 1Password and LastPass are excellent when it comes to password management; they also have enterprise options that your company should definitely consider if there is a lot of user crossover.
Use dual authentication when accessing email accounts or banking apps on your phone: Two-Factor and Multi-Factor Authentication are trending in the world of cyber security right now, and for good reason. This extra layer of security at the login stage gives your company a firm grip when it comes to managing user access.
Don’t:
Use extremely simple passwords (i.e. 0000—looking @ you, Kanye): For reasons that should be obvious, avoid using extremely simple passwords—your childhood address + your favorite color is more secure than that.
Use the same password for multiple accounts: Okay, so we’re all probably guilty of this one. It can be annoying to have to memorize a dozen passwords, but this is why your keychain and password managers exist!
Write down passwords (i.e. post-it notes): Should you keep an updated list of your various login credentials? Yes. Should you keep them on a post-it note underneath your keyboard? Definitely not. Alternative locations to keep your passwords are a password manager (clearly the buzzword in this post, #NotSponsored) or a private/password-protected folder on your device. “But what if I forget the password to that?” Use biometric authentication (i.e. Touch ID or Face ID); however, we can’t help you if you’ve accidentally cut your finger off...or your face, for that matter.
Speak passwords out loud when typing: Or send them in a Slack message, or email them, or text them, etc.
Do:
Set a screensaver to turn on after [blank] min inactivity: If you know you won’t remember to lock your screen every time you step away from it, go into the settings on your device and set a screensaver to turn on after a certain period of time passes.
Lock your screen whenever stepping away: If you’re a little more conscientious, make sure to lock your screen when you know you’ll be stepping away for an extended period of time.
Don’t:
Assume people with direct line of sight to your monitor are not looking: And no, we’re not talking about your boss watching you finalize your fantasy lineup.
Do:
Encrypt your computer hard drive, i.e. PC (BitLocker) and Apple (FileVault): If you don’t know the best way to do so, connect with your IT team.
Password protect documents with sensitive info: Using the cloud to manage your documents (i.e. Google Drive or Dropbox) and other sensitive materials makes it simple to manage user permissions. If your company doesn’t use the cloud, a password-protected folder containing your documents will do the trick, but this isn’t the best method when it comes to giving and taking away access from users.
Don’t:
Let neighbors use WiFi: The only time we’ll tell you not to be neighborly, unless your neighbors also let their dog relieve itself in your yard. You never know if they have a Mr. & Mrs. Smith situation happening behind closed doors.
Do:
Use a mobile hotspot for connecting computers: Using a mobile hotspot may drive up your phone bill (you can always expense it) but it’s a lot more secure than the free WiFi on the MTA.
Use VPN services which encrypt traffic: Using a private network will work to secure your data but using a VPN service to encrypt traffic is an extra layer of security that could potentially make all the difference in the case of a data breach.
Don’t:
Use public WiFi (i.e. Starbucks): We understand how tempting it can be to connect to Starbucks’ Free Google WiFi, but if you’re working on company information that could be considered sensitive, use a VPN or a mobile hotspot.
Do:
Set specific permissions for access required by coworkers: If sharing your device with a coworker is unavoidable, make sure to set specific permissions—are they allowed to make edits? Leave comments? Download documents? Determine these permissions before giving a coworker access to your device.
Don’t:
Give coworkers access to your computer: Trust no one. Sometimes smart people do dumb things. Sometimes it’s by accident, sometimes it’s not.
Give coworkers full access to data if they aren’t on the same team: One example of this would be to share access to one document within a Team Drive folder rather than grant access to the entire folder.
Do:
Back up your data: An absolute no-brainer. If your devices are lost, stolen, or damaged, backing up your data can save you from a lot of stress and a lot of additional work.
Use continuous backups: Continuous, automatic backups can be life-savers because, honestly, who’s remembering to perform a manual backup?
Use dual backups (i.e. locally and cloud-based): If your business existed before the advent of the cloud, or you choose to back up your data locally for other reasons, we highly recommend backing up your data both locally and to the cloud—if you have to choose one, choose the cloud.
Protect data against any unauthorized or illegal access by internal or external parties: This is a broad statement, but a lot of it comes down to common sense—and following every other best practice on this list.
Don’t:
Not have a backup: Why restore to factory settings if you don’t have to?
Only have a local backup: While we recommend backing up your data both locally and to the cloud, if you’re going to choose just one, don’t choose a local backup.
Not have a continuous backup (manual): Absolutely no one will remember to manually back up their devices/data. Well, some people will, but you probably won’t be one of them.
Have inaccurate data or data that is not kept up-to-date: This may consume some time, but letting inaccurate, outdated data pile up will only make your job harder.
Store data for more than a specified amount of time: According to the European Commission, best practices regarding data are to store data for the shortest time possible—this period should take into account the reasons why your company/organization needs to process the data, as well as any legal obligations to keep the data for a fixed period of time.
Transfer data to organizations, states or countries that do not have adequate data protection policies: Do your due diligence when you’re transferring your data to an organization outside of your own.
Distribute data to any party other than the ones agreed upon by the data’s owner: It’s not hard to not do this, just saying.
Do:
Use a complex passcode or biometric authorization: Make sure to enable biometric authorization on your devices when possible, e.g. Apple’s Face ID or Touch ID. No passcode will ever be as complex as your face.
Enable phone or tablet tracking features so you can quickly locate your device if it is lost (i.e. Find My iPhone): There was once a time when technology did not allow for this. Now it does. For free.
Enable device to erase if too many incorrect passcode attempts are made: This may sound extreme, but if you’re harboring some sensitive information on your device, it may be an option to consider. Just make sure you regularly back up your device.
Don’t:
Leave devices unattended: You know when you’re in a Starbucks and you ask a stranger to watch your laptop while you use the restroom? We’ve all done it, but don’t do that.
Leave devices unsecured: We will never understand people who don’t have a passcode on their device. It’s like you’re asking for your iPhone to be stolen.
Use simple pass-codes i.e. 0000, 1225 (@ Kanye, again): Not to beat a dead horse, but try to avoid using simple pass-codes that follow a pattern, a national holiday or the last four of your SSN.
Give away old mobile devices without doing a full wipe: Considering selling your old iPhone that was once connected to your business email on eBay? Make sure to wipe it first—you could also be saving yourself from embarrassment without even realizing it.
Access sensitive data on your mobile device using an unsecured wireless network: While opening an email and/or email attachments while using public WiFi can happen to anyone without even thinking about it, being cognizant about things like this and working to avoid them can benefit your company’s security in the long run.
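To turn the password rules above and the passcode rules here into something a help desk can actually run at enrollment time, here is a small Python check added for this page (not Electric’s tooling): it flags the passcodes the post calls out (0000, 1225-style dates, sequences, the last four of an SSN) and applies the numbers-and-symbols password rule. The 6-digit and 12-character minimums, the sample PIN list and the personal_digits parameter are assumptions, not from the post.

```python
from datetime import date

# Constructed sample list (assumption: load a vetted, much larger one in practice)
COMMON_PINS = {"0000", "1234", "1111", "2580", "1212", "7777", "1004", "2000"}

def is_sequential(pin: str) -> bool:        # 1234, 4321, 9012 (steps mod 10)
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}

def is_calendar_date(four: str) -> bool:    # 1225 (Christmas), 0704, birthdays
    for mm, dd in ((four[:2], four[2:]), (four[2:], four[:2])):
        try:
            date(2000, int(mm), int(dd))    # leap year, so 0229 counts too
            return True
        except ValueError:
            continue
    return False

def passcode_problems(pin: str, personal_digits=()) -> list:
    """Reasons a device passcode is guessable; [] means it passes.
    personal_digits: e.g. last four of an SSN, supplied by the caller (assumed)."""
    if not pin.isdigit():
        return ["passcode must contain digits only"]
    problems = []
    if len(pin) < 6:                        # assumed minimum, not from the post
        problems.append("use at least 6 digits")
    if len(set(pin)) == 1:                  # 0000, 7777
        problems.append("all digits identical")
    if is_sequential(pin):
        problems.append("digits form a sequence")
    windows = {pin[i:i + 4] for i in range(len(pin) - 3)}
    if windows & COMMON_PINS:
        problems.append("contains a commonly used PIN")
    if any(is_calendar_date(w) for w in windows):
        problems.append("looks like a calendar date")
    if any(p and p in pin for p in personal_digits):
        problems.append("contains personal digits (e.g. last four of SSN)")
    return problems

def password_problems(password: str) -> list:   # [] means it passes
    problems = []
    if len(password) < 12:                  # assumed minimum, not from the post
        problems.append("shorter than 12 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    return problems
```

Wire the two functions into whatever enrollment or onboarding form collects the credential, and show the returned reasons to the user instead of a bare "rejected".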
What do Electric and most items on this list have in common? They’re no-brainers. When it comes to securing your company’s data and devices, Electric takes care of everything from monitoring the Firewall, FileVault, Gatekeeper, SSH, and any antivirus installed on employee computers to recommending and implementing security policies across email, Slack, and company cloud drives—such as two-factor authentication (2FA & MFA), file sharing policies, monitoring permissioning changes, etc.