FCC Issues Cyber Security Recommendations for Small Business

Image: Protect Your Business From the Bad Guys

Great to see. The FCC has released a series of ten cybersecurity tips for small businesses. These days, businesses of all sizes are able to compete even against much larger businesses. They can do this because there are a variety of resources and business models available to them that were often only available to, or practical for, much larger companies. You can lease infrastructure, tools and systems that you once would have had to be much bigger to even think about.  You can get software and other automation that has the same functionality as a big business. You can outsource functions giving your business much more reach.  The opportunities are almost endless.

With great opportunity also comes risk. It doesn’t have to be huge risk, but it’s risk nonetheless. At any given time your business, no matter what kind it is, could be handling reams of confidential customer data: credit card numbers, personal information, potentially harmful information. Things that wouldn’t be good for you or your customers if they got out or fell into the wrong hands. Large companies spend millions on security, encryption and many other tools to help them protect customer data and their own infrastructures and, as we have seen from Target, Sony, Home Depot and many others, there is no shortage of corporate hacks. Even with their vast resources and expertise, they have difficulty protecting these data. Your business might not be quite the target that they are, but…

It turns out that large businesses aren’t the only ones. In fact, small businesses are common targets and are less likely to take the necessary precautions. They often don’t have the expertise or resources to protect themselves. Yet, in the case of a breach, a small business could find itself on the bad end of a lawsuit, need to pay for monitoring for exposed customer information or even have to cover credit card losses.

As small business owners, we need to protect ourselves and our customers. Enter the FCC with a set of recommendations to help you protect your business from hackers and other bad guys. Let’s go through those recommendations now and what you can do to protect your business. Maybe we will even throw a few others in there for good measure.

1. Train your employees in security procedures – Many breaches are facilitated by poor adherence to simple security practices. Just by educating our employees, and ourselves, we can help keep those mistakes to a minimum. These practices need to be enforced and employees need to know how important these are. Here are a few of the basic practices that you can adopt and train your employees on to keep safe:

  • Keep passwords secure – It seems like we have passwords for everything these days. With different requirements, reset timelines and any number of other barriers we have to pick all sorts of passwords. It can become impossible to remember them. Your employees should be discouraged from writing passwords down, especially in open spaces (how many office cleaners, contractors and clients go through your office?). Passwords should not be common words. One technique is to use a passphrase and replace common letters with symbols. An easy-to-remember phrase can become difficult to hack or guess. Here are some techniques for secure passwords. There are applications out there that will store your passwords (for example, Avast includes one in its upgraded packages that lets you store all your passwords behind one master password). It’s a double-edged sword: it’s good not to write them down, but not so good to have them all exposed at once. Rather than give you the generic answer of making up ridiculous 32-character passwords that are unique for every site, changed every 30 days and completely random…which would be very secure since even you couldn’t get into your accounts, I’ll recommend you do what’s necessary to make it practical, difficult to hack but manageable.
  • Use Encrypted Connections – When entering a password or other private information into a website, make sure the URL (the address at the top of the browser) starts with https rather than http and that the browser shows the padlock indicating the connection is secure. Otherwise, your data is going over in clear text and someone can listen in.
  • Protect Customer Information – Establish policies for protecting customer or client information. It should be locked up when not in use, with access limited to only those who need it to do their jobs. Don’t save data you don’t need and make sure not to write down credit card numbers and other key financial information.
  • Follow Your Mobile Action Plan – We’ll go into more detail below, but any employee who accesses company information on a mobile device, including emails and texts, needs to follow your mobile action plan whether using a company device or their own. This includes phones, tablets and laptops or any other device that they can carry out of the office.

2. Protect information, computers and networks from cyber attacks – Keep your operating system up to date with security patches. Make sure to do the same with the web browsers and any firewall or anti-virus software that you use. Run regular antivirus scans. Also make sure the software that you use scans for malware (bad stuff that brings up ads, tracks you, etc.). Set up your company computers so that the antivirus runs automatically and prevent employees from disabling it. By the way, be careful about mandating the antivirus scan at a particular time, especially if you have a sales force. I worked with one company that forced a scan every Wednesday at 1pm EST regardless of what the computer was doing. More than once they would be demonstrating software to us and the computer would come to a screeching halt as the mandatory anti-virus scan took off on its merry way.

3. Provide firewall security for your Internet connection – Firewalls are software that protect your network from illicit traffic in or out of your computer or network. Think of it as a software padlock on your computer network. This can be software that’s on your computer itself or on the part where your network talks to the Internet or both. It’s designed to identify and block suspicious network traffic. These days, many anti-virus software applications come with firewall software. I’ve personally used ZoneAlarm. They have free and paid versions, depending on what features you need. If you travel, I’d recommend both a hardware driven firewall on your network in your office or home office that all your computers can sit behind as well as one on your laptop so that it is protected out of the office. Hotel, airport and other public networks are open and the bad guys can sniff out your private information or find their way into your computer (I was once able to sift through someone’s hard drive without any hacking whatsoever – I found it completely by accident). The firewall software on your computer helps keep you better protected. Windows now comes with a firewall as well, which is generally pretty good, though I find it tougher to navigate when I want to make a change. I’ve found ZoneAlarm very easy to navigate, though it’s sometimes too easy to allow an intrusion that you didn’t want. Overall, it’s good though. Firewall software can create a hassle when trying to connect to wireless printers, scanners and other devices that you legitimately want to connect to. You can either hire an expert or work your way through to fixing it. Often the internet can help you.

4. Create a mobile device action plan – In addition to them ruining family meal times, many of us couldn’t run our businesses without our mobile devices. They are how we stay in touch, write emails, review documents and sometimes even give presentations. They’re incredibly convenient. We can now take our businesses with us wherever we go. Our employees are constantly contactable and clients can reach us anywhere at any time…come to think of it, maybe they’re not that great… Of course, that convenience isn’t just ours. This also means that thieves can share in your convenience. Sometimes, it’s not even thieves, we do it to ourselves, as US Healthworks and others have found when laptops were left behind inadvertently. How many times have you been at the airport and heard the page for Mr. or Ms. Jones to come back and reclaim their laptop? I wonder what data was on it that would have exposed their company. It’s all too easy to leave a phone, tablet or laptop behind. Here is some general guidance that your mobile policy should follow:

  • Apply Liberally – This policy should apply to any device with company data (including email and text) that can be easily carried out of the office. This includes, but, as my attorney would have me say, is not limited to, phones, tablets, laptops, phablets, watches or any other mobile device that can be lost, stolen or left behind outside of the office.
  • Follow the basics – Every device should be protected by a password or passcode. If you can turn on your device and access the information without a password or PIN, then it’s not secure.  Enforce having a password or PIN (depending on the device).
  • Encrypt the Data – Did you know that if your hard drive or other storage isn’t encrypted, thieves can usually pull out the storage device and read your files even without your password? This isn’t so easy on phones and tablets, but it can be done. Encryption scrambles the contents so that without the right key, whatever is read off the storage is useless (kind of like my handwritten notes, I’m the only one who can read them – sometimes.)
  • Be Able to Remotely Wipe – Most email platforms these days will allow an Administrator to remotely wipe a device that has been lost or stolen.  This means that, literally, with the push of a button, the device is wiped of data. When you implement an email system, make sure that it has this capability. Then, make sure every employee who has company email on their phone understands that you can and will wipe their device if it is lost or stolen. It’s good practice to have them sign something to make it traceable and crystal clear. Require them to report a lost or stolen device as well. If they do lose one, then you should remotely wipe their device, which will usually wipe their entire device of both company and personal data. It actually protects them too, but many people feel a bit like Big Brother is watching. This is one of the best protections for you, your business, your customers and even your employee. Do it as soon as you learn of the device missing by the way. This only works if the device is on the internet. Often, without extra software, this will not work on laptops by the way. A laptop is a fully functional mobile computer.

Image: An Administrator Can Wipe a Device of Sensitive Data

  • Limit Access – Only employees who need to have mobile access should have it. Don’t allow someone who doesn’t need it to carry around company information. If nothing else, let them have their time off.

5. Make backup copies of important business data and information – This is a great recommendation for business continuity.  Losing the wrong data could wipe out your business. As with so many of these recommendations, there’s more behind it. Here are a few things to know:

  • No Backup Scheme is Perfect – You will likely lose some data. It’s often the most current (and therefore most painful). Just know that going in and do everything you can to keep that risk to a minimum.
  • Backup Offsite – On-site backup is fine too, but if your office burns down or the thieves take off with your backups too, this just isn’t helpful. There are a number of affordable, reliable off-site solutions out there. Some of the ones that I have used include Dropbox, Carbonite and Backblaze. Make sure that they store your data using encryption (you’ll see that a lot related to security.) This is where many will object to Dropbox, which isn’t truly a file backup system. It’s designed to allow file sharing. I count it because it makes copies of your files offsite. They are technically encrypted but there’s a catch. Encryption works by scrambling data in a set way that requires a “key” (like with a lock) to descramble the data. In order to share data across multiple devices and users like Dropbox, that key needs to be on every device and with every user using that data. So, it’s encrypted but more easily exposed.
  • Keep Versions to Avoid Backing up Bad Data – Make sure that any software you use allows you to get files that have been deleted from the set along with older versions of files. Sometimes, if a hard drive is going bad, it may corrupt the data. The system doesn’t know that and can back up the corrupted data. When you go back to use the backup, it’s not usable. Make sure you can get at older versions and deleted files for a period of time. This is a common feature and helps give you a bit of insurance for lost data in your backup.
  • Back it all Up – If you use multiple devices or have office-wide storage (often on a device called a NAS or Network Attached Storage) where files are stored on a centralized computer or hard drive, make sure you are backing those up too. Some software will do that and some will not. Make sure it’s all backed up. Of course, they’ll charge you more for a plan that backs up NAS, external drives, etc.
  • Test Your Backups – It is way too easy to back stuff up and forget about it, until you need something and realize that you never actually turned it on, it failed three years ago or what have you. Once a quarter, pick a newer file and an older file, try to restore them and make sure they are there and work as you expect. If you back up multiple devices or computers, try a couple from each computer. You want to test this before you need it. It’s worth the time.
  • Automate It – Whatever you do, don’t try to save money by creating some scheme where you copy files periodically or something like that. You’ll get busy and forget and the last backup will be from three years ago.

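The “Keep Versions” and “Test Your Backups” points above, worked through in code. This is an added example, not part of the FCC list or the original post; the file names, the version-numbering scheme and the sample ledger are constructed for illustration.

```python
"""Versioned backups with a restore test (added illustration; constructed data)."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex digest of a file, streamed so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_file(src: Path, backup_dir: Path, version: int) -> Path:
    """Copy src into backup_dir as a new numbered version and record its hash.

    Earlier versions are never overwritten: that is what lets you recover a good
    copy after a failing drive has silently corrupted the current file.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / f"{src.name}.v{version:04d}"
    shutil.copy2(src, dest)
    Path(str(dest) + ".sha256").write_text(sha256_of(dest))
    return dest


def list_versions(src_name: str, backup_dir: Path) -> list[Path]:
    """All stored versions of one file, oldest first (hash sidecars excluded)."""
    return sorted(p for p in backup_dir.glob(f"{src_name}.v*")
                  if p.suffix != ".sha256")


def restore_test(version: Path, restore_dir: Path) -> bool:
    """The quarterly check: restore one version and confirm it matches the hash
    recorded when it was backed up. False means the copy is missing or rotted."""
    sidecar = Path(str(version) + ".sha256")
    if not version.exists() or not sidecar.exists():
        return False
    restore_dir.mkdir(parents=True, exist_ok=True)
    restored = restore_dir / version.name
    shutil.copy2(version, restored)
    return sha256_of(restored) == sidecar.read_text().strip()


def simulate_quarter() -> dict:
    """Constructed walkthrough: back up a ledger, let a bad disk corrupt the
    source, back it up again, then run the restore test on every version."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src, backups, restore = work / "ledger.csv", work / "backups", work / "restore"
        src.write_text("date,amount\n2015-01-05,120.00\n")
        backup_file(src, backups, 1)
        # A failing sector garbles the file; the backup job cannot tell and copies it anyway.
        src.write_bytes(b"\x00\xff" * 20)
        backup_file(src, backups, 2)
        versions = list_versions(src.name, backups)
        # The hash check passes for both: each copy faithfully matches what was backed up.
        hash_ok = {v.name: restore_test(v, restore) for v in versions}
        # So also check that the restored file is usable; the newest good one is what you keep.
        usable = [v.name for v in versions
                  if (restore / v.name).read_bytes().startswith(b"date,amount")]
        return {"versions": len(versions), "hash_ok": hash_ok,
                "usable": usable[-1] if usable else None}


if __name__ == "__main__":
    print(simulate_quarter())
```

The point the walkthrough makes: a hash check only proves the backup matches what was copied, so without retained older versions the corrupted ledger would be the only copy you have.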
6. Control physical access to your computers and create user accounts for each employee – Lock up your offices when not in use, have the computers lock themselves after a period of time and password protect all of them. Each user should have their own account and password to anything that they need access to. I’ll add a couple more to this. Don’t give someone access to something that they don’t need to access. If you do have centralized file storage, like we talked about above, then limit access to those who need it. This not only protects the files but reduces the chance of accidental deletion or changes. One last one that I’ll add, and many hate this. Limit Administrator privileges. These are the privileges that allow a user to install things on their computer. Every user’s access should be limited to what is necessary to reach their files and applications, which is usually far less than administrator access. If they may someday need to install software, then create a separate administrator account with a different password. This includes you! This keeps viruses, malware and other applications from installing stuff on your computer (they borrow the user’s privileges). My clients have paid me more money than they should have to uninstall browser search bars, random applications and other stuff that they accidentally installed on their computer. This stuff is often collecting data about the users. Yet the client insisted that the users needed Administrator privileges. It’s more of a hassle but much more secure. Think about how often you need to install something. It’s not all that often and you can take the time to log in as another user to do it.

7. Secure your Wi-Fi networks – I can’t tell you how many times I have been traveling and been able to tap into a company’s wi-fi network to check my email. Just got right on. It’s not a big leap from there to get into their network. That also means the network isn’t encrypted (there’s that word again) and a talented hacker can “sniff” the network traffic to siphon off data, passwords and other harmful information. Here’s some specific advice:

  • Encrypt It – Your wi-fi network, if you even have to have one, should be password protected and encrypted (see a pattern yet?). As a small business, I’d recommend at least WPA2 encryption (it’s an option on smaller routers.) There are better encryption schemes out there, but you very well may not be investing in the equipment to use those encryption schemes.
  • Change the Name – Every wireless network has a name called an SSID (Service Set Identifier if you care). Don’t make the name something obvious like “Smith and Jones Attorneys Come Steal our Data”. Make it something that’s not so easy to pick up. In fact, it’s often possible to hide the SSID so that it doesn’t show up on a list of networks. This makes connecting the first time a bit more difficult but if you’re willing to learn how to do that, it’s a small bit of extra security. Please note, this is not a security feature by itself. You can find these networks if you know how. It does help keep random people or devices from connecting.
  • Caution for the Guest Network – Many routers come with a guest network option. This is a great convenience for customers and clients. Make sure that it’s completely segregated from your internal network and that it can only reach the Internet. Password protect this too, even if you post the password in your office. This keeps your neighbors from using up your bandwidth. You may even want to change the password periodically. It will get out.
  • Test It – Using a device that has never used your internal wireless network (or that you have made “forget” the network), try to log in and connect to anything and see what happens. If it’s set up correctly, it should ask for a password that you wouldn’t have if you didn’t run the company. Maybe even have a friend try to break in for you.

8. Employ best practices on payment cards – If you accept credit cards, then you need to be very careful about how you protect that information. There is a whole industry dedicated to being Payment Card Industry (PCI) compliant. These are the rules set down by the credit card companies to reduce breaches. If you don’t follow them, you can lose your ability to process credit cards and can even be on the hook for any losses. There are lots of resources and expertise out there and it’s worth seeking some out if you handle a lot of credit cards or have unique needs, or just want to be diligent. Here’s a good overview for small business compliance with PCI. In the meantime, here are a few high-level recommendations:

  • Follow the Rules – Know the rules and follow them. It’s as simple as that. There are a number of free and paid resources out there. If you handle credit cards, it’s worth getting the expertise to help.
  • Isolate Processing – Limit the places where you process cards. Try to dedicate a computer or get a dedicated terminal for processing cards. Don’t surf the internet and process cards on the same computer.
  • Use a Secure Connection – Never, ever, ever send a credit card number over an unencrypted connection. For websites, this means that the URL (the www address) starts with https and you should see a lock or other indication of a secure connection in your browser. For example, here’s what Chrome looks like (yes, even Google uses a secure connection): Image: Google Chrome security indication. Internet Explorer should show something like this: Image: Internet Explorer security indication.
  • Shift the Blame – I use this heading jokingly, but leave some of the compliance to the experts. You can hire companies like Stripe or Braintree to process cards. You or your customer will still need to enter the number into a secure site, but they’ll handle storage of the card and processing. It’s worth the cost. This then lowers your liability because you then fall to a lower level of PCI compliance. Definitely shop around, the level of service and costs vary wildly. Many of these are negotiable depending on your amount of business and any other relationships you may have with the institution (many banks will process as well).

9. Limit employee access to data and information, limit authority to install software – I actually already covered a lot of this up above but it’s worth reiterating. Don’t give someone access or privileges that they don’t need to do their job. Also, limit everyone’s (including yours) ability to install software. If they need to, give them a separate administrator account to do so that they only use for that purpose.

10. Passwords and authentication – I’m always torn here. I know what the official guidance is and I struggle to tell folks that it’s all realistic. In short, you need to pick sufficiently long and complex passwords to make them tough to guess, protect them from prying eyes and change them regularly, ideally every three months. That’s all well and good. The challenge comes in that we all have so many passwords these days that they become very difficult to keep track of. I’m practical enough to know that sometimes it can’t be avoided. Below are some practical recommendations. Do your best to stick with what I said above, sufficiently complex, change them occasionally and protect them.

  • Avoid Common Passwords, even as part of your password – According to Gizmodo, here are some of the most common passwords that we see: 123456, password, qwerty (the top right-hand row of the keyboard), football, etc. In general, try to avoid words at all. Consider a phrase, or the letters from a phrase in odd combinations and with special characters. For example: iHcp@55wptKsu! for “I hate complicated password policies that keep showing up!” Phrases are more complex and once you have them down, they are easier to remember.
  • Don’t Use Date of Birth, Social Security Numbers, etc – Don’t use numbers that someone can guess from you. You’d be amazed at what they can dig up.
  • Don’t Share Your Password – Don’t share it with anyone, and everyone in the office needs to have their own account with their own password.
  • Consider Multi-Factor Authentication for Key Systems – These are becoming more common. This is a scheme where you use more than just a password to sign into your account. Common versions use an automated phone call or text message with a unique code that you enter or a fob (a small device) with a constantly changing number that you input. They are designed so that if your password is lost or stolen, then your account is still secure.

Image: Gmail Can Have Two-Factor Authentication

It’s great to see more attention being paid to small businesses and their security. Small businesses are increasingly becoming exposed to hacks and other intrusions. We have a responsibility to our clients, customers and employees to keep all our data secure. This is a great list with a lot of great advice. I’d like to add a few other things to it. I think they’ll help make things even more secure and provide you with some good structure for your business.

A Few Extra Recommendations

11. Know Your PII – PII is Personally Identifiable Information. It’s information that someone can use to impersonate another person or to find out more about them. Common elements are dates of birth and social security numbers, but even things like addresses can be a risk in the wrong hands. Know what PII your firm handles, educate your employees about PII and make sure that you have measures in place to protect it.

12. Be Careful What You Install – Ever install something and suddenly you have a browser toolbar or something else that you didn’t expect? Get that off of there! If you didn’t want it, then get rid of it. You have no idea what it may be tracking or what other mischief it may be up to. Be very careful.  Here’s a great article on some things to avoid or do.

Image: An Example of a Legit Package that Installs Stuff You Don’t Want

13. Hold Your Vendors Accountable – If you hire anyone to work with your data or your clients’ data, hold them to the same standards that you use. Make it part of any contract. They are just as responsible as you are and, maybe more importantly, since they are working on your behalf, they may cause you to have some liability risk for their actions as well.

14. Document Your Policies – Write it all down. This will help you to make sure that you and your team (including vendors) understand your procedures and that you can stay consistent and improve them over time. Provide everyone with copies of the procedures and hold employees accountable for following them.

15. Stay Educated – Keep yourself up to date on what’s going on in the tech industry and security. It seems like once a week a new story is coming out about how we might be at risk. Just like you do with your chosen area of expertise, stay up to date. If you aren’t inclined technically, enlist the help of someone who does understand Internet security and who can help you out. You want to understand what is being done in your business at all times.

Stay Safe Out There

Security is everyone’s responsibility. There is no perfect system, but with some diligence and well-considered policies and procedures, we can hope to improve our chances of being protected.
