How to transition from consumer to small-business computer security
How is the average small business like a cybersecurity home consumer? They’re similar not only in the kinds of threats they face, but also in the resources and tools they need to defend themselves.
When my co-founder, Nipul Patel, and I started Townsquared in the summer of 2013 to better connect local small businesses to one another, our bank, Wells Fargo, insisted that we use a hardware dongle called an RSA key to prove our identities every time we wanted to wire cash to our contractors.
The unique six-digit code the key generated—the second step in a security technique called two-factor authentication—verified that I was exactly who I said I was. I must confess that before we went down the startup road and opened our first corporate accounts, I never would have considered using the key.
Now two-factor authentication is available for most major Internet services, including those provided by Google, Facebook, Apple, Microsoft, and Amazon, and security experts strongly encourage consumers, small businesses, and major multinational businesses to use it as a primary defense against account hacking and hijacking.
Account hacks aren’t cheap. A veritable army of unseen adversaries targets small companies and costs them hundreds of millions of dollars, according to the FBI.
Most small businesses—especially true mom-and-pops, with very few employees—are really just superusers of consumer cybersecurity tools. They generally don’t have enough resources to support security-focused employees or consultants. Yet they face very real dangers. In fact, 60 percent of small businesses that suffer a security incident are out of business in roughly six months, according to the National Cyber Security Alliance.
Just like someone choosing antivirus software or a home router, they have to make smart decisions about the tools that they use. They need to ask the right security questions of vendors that offer them services.
Last month in San Francisco, Townsquared sponsored a panel of security experts that included Allison Miller of Google; Debra J. Farber of the privacy firm Orinoco; and Jessy Irwin of Mercury Public Affairs. The discussion ranged from cybersecurity best practices to recommendations on how to teach those techniques to companies with only a handful of employees.
Here are five of their most thought-provoking computer security ideas for consumers making the transition into the small-business world:
- Create multiple user accounts: Many small-business owners, implicitly trusting their employees, give them the same usernames and passwords for business-critical machines. But having different log-ins enables them to easily track, manage, or cut off individual access, the latter of which becomes particularly handy when an employee leaves the company.
- Use different devices for home and work use: Small-business owners often use the laptops and smartphones they rely on at work for personal use at home. Our panelists had a simple message for those folks: Consider the risk to your company if your child uses the device to download an app that looks like Pokemon Go but is actually malware in disguise.
- Provide employee training and resources: Some of the most impactful data breaches (such as the Democratic National Committee hack) started with phishing emails. While these emails are increasingly tough to detect, there are often telltale signs that the senders of such messages aren’t genuine. The National Cyber Security Alliance has some tips for sussing phishers out, and the National Institute of Standards and Technology recently published guidelines that small businesses will certainly find helpful. The bottom line: Never trust links!
- Protect your accounts and passwords: Log-in protection today stretches well beyond RSA SecurID tokens. You can program your online services to send text or push notifications to your smartphone every time someone tries to sign in to your small business’s Facebook page or Twitter account.
You can update your password often and use password managers to keep track of the changes across devices. Such programs can also generate random passcodes for each account and then securely store them. Password reuse and credential-stuffing attacks exploit the bad habit of using the same passwords across many accounts, regardless of complexity.
- Update, update, update: The security teams responsible for your device operating systems are constantly finding and fixing new security vulnerabilities. It’s important that you update your computers, phones, and the apps and software that run on them in a timely manner. As they patch vulnerabilities, they often send out updates that manifest themselves in pop-ups on your laptop, or alerts that ping your smartphone. For instance, recently Apple updated its mobile operating system in a way that stops attackers from hacking some iPhone, iPad, and iPod Touch Wi-Fi chips.
There’s no way to avoid device security issues. But small businesses that, like Wells Fargo did years ago, take proactive steps to secure them will be able to reduce their risks, much as consumers do.