11 tips to keep cyberthreats at bay
Small business owners may think they’re safe from malware attacks, but they’d be wrong. According to recent Keeper Security and Ponemon Institute research on cyberthreats, 67% of small- and medium-sized businesses experienced a cyberattack in 2018. Many of these are businesses with less than $1 million a year in revenue.
Attacks range from phishing and social engineering scams, which target email and can include rogue links and attachments, to viruses to full blown ransomware threats in which hackers steal data and demand payment for a decryption key to restore the data. In fact, on Oct. 14, Pitney Bowes, which provides ecommerce, shipping, data and mailing services, was hit by a ransomware attack that encrypted information on some systems and disrupted customer access. And CNN recently reported that this year alone there have been 140 attacks targeting public state and local governments and health care providers.
“Ransomware is the scourge of everybody’s existence,” says Joe Stoddard, principal of Mountain Consulting Group, a 25-year SMA-certified systems implementer focusing on operational best-practices for the building industry. Stoddard offers the following suggestions for keeping your business safer:
Start with email
It can’t be said enough: Use strong passwords. Eight characters (and longer is better), a mix of upper and lowercase letters, numbers, and special characters. Don’t use words or phrases that can be hacked – Password123 is an obvious one. Says Stoddard, “Every character you add to a password’s length grows the amount of time required to crack it exponentially.”
One of the best things you can do is set up two-step verification for all password changes and other sensitive data. Account updates always have to be verified a second way — typically a code sent to your mobile phone.
“Don’t open email from strangers” is incomplete advice says Stoddard. The next attack will probably come from a look-alike email address that you or your staff think you recognize. For example, with the right typeface, beerbrewery.com and beerbrevvery.com might just trick your eye. “Hackers know how to get your attention.”
When it comes to links, Stoddard says to roll over them with your mouse before you click. “That way you can see if what you think is intuit.com isn’t really intuit.co.ru — from a Russian hacker.”
The main thing is to stay skeptical, Stoddard says. “If something doesn’t look or smell right, it’s probably a scam. Hackers are trying to get you 24-7-365 and use every devious tactic imaginable. Some percentage of people will get sucked in.” And remember that “no reputable site will ever contact you with an unsolicited email, text, or voicemail asking you to enter sensitive information directly on a webpage or into an email.”
Keep up with maintenance
One of the best ways to keep cyberthreats away is to work in the cloud. But you’ve still got to keep up with maintenance on your local computers. Stoddard routinely finds clients have some stray software that’s still “floating around on their Windows™ PC that’s not being backed up.” QuickBooks™ desktop (the on-premise versions), CAD systems, and other database software may not yet be in the cloud.”
Those are still susceptible to threats. (QuickBooks Online software is cloud-based, but is a different product.) And, he says, “Even if you think your computers are not “networked,” they are still connected to each other through your router (WiFi or wired), and as such can still spread malware from machine to machine. If you leave a hole in your setup, chances are something will crawl through it and bite you.”
Back up files daily, offsite, to a secure location. “If you have real offsite backups, a malware attack will be a nuisance but not a catastrophe,” Stoddard says. While an external hard drive or thumb drive is convenient for a quick fix, it’s not good enough. “You don’t want your backups to burn down with your building or be stolen with your laptop.”
Back up databases
Windows™ can’t copy in-use files, and databases are always in-use. Microsoft Exchange/Outlook, a CRM like ACT! or Goldmine, and QuickBooks ‘company’ files require special handling. “There are subscription services such as Carbonite and Iron Mountain that specialize in background database backups,” says Stoddard.
Try Dropbox, a cloud-based system that creates a mirrored copy in the cloud of what you’ve produced on your desktop computer. The files can be shared easily with others if you want. “But don’t try to use a free account for your business. Purchase Dropbox Pro or another of the company’s for-pay plans,” Stoddard says. “See which paid plan meets your needs in terms of features, storage space, and length of time files are available.”
Keep your computers up-to-date. If you’re using Windows™, update all older versions of the operating system to Windows 10. Past versions are no longer supported by Microsoft — and FYI, support for Windows 7 is slated to end January 14, 2020 — meaning that although it will keep running on your computer, there will no longer be security updates available for it. “It’s almost impossible to completely turn Windows 10 updates off,” Stoddard says. “And, on balance that’s a very good thing.”
Subscribe to a comprehensive online anti-malware service and turn on the automatic updates. Stoddard currently uses Malwarebytes.com ($40/yr/user), which catches all types of malware, including ransomware. “It’s transparent – does an excellent job but doesn’t get in your way.” AVG, ZoneAlarm, and Bitdefender are other popular options he’s used.
For more small business cyber security information and resources visit the Small Business Administration’s cybersecurity overview; the Federal Trade Commission’s Cybersecurity for Small Business and the U.S. Department of Homeland Security’s Assessments: Cyber Resilience Review. Use Snopes.com to find out if something you’ve received is a scam.