Have you ever been in a position where you felt cheated by a trusted colleague or lost money due to a small business mistake? We kick ourselves because we should have “known better” or “trusted our gut”. Today, we live in a hyper-connected world, in which the “interwebs” has brought unimaginable conveniences. Unfortunately, there is a price for luxury, and we as small business owners and freelancers must be aware of the risks we face every day. Cyber attacks and data breaches don't just happen to the big guys like Target and the U.S. Government. They can happen to you, too.
That’s why I’ve developed this blog series called Talk Cyber to Me: Conversations with Experts. Inform yourself, protect yourself, and don’t let yourself become a Cyber victim. Follow us on LinkedIn to educate yourself on these threats so you won’t be kicking yourself later.
In this inaugural segment, we were fortunate enough to have a conversation with Darren Guccione, CEO and co-founder of Keeper Security, Inc.
Here at Find Me Cyber, we like to keep things as simple and straightforward as possible. I had questions, Darren had answers. Here is what he said. Five questions in (about) five minutes.
Many small business owners and freelancers do not know where to start when it comes to cyber security. What are your general thoughts on the problem?
Hackers and cyber thieves are increasingly turning their attention to small businesses because they have fewer resources to spend on IT security and little idea of how to stop an attack. They also are attractive targets because they serve as vendors for larger companies and can be leveraged to infiltrate them. This is called “island hopping” or “leapfrogging,” and was exactly how Target was breached via a third-party HVAC vendor.
There’s so much noise overall in the security market that it makes it difficult for small businesses and freelancers to know what’s a real threat and what isn’t, and where to make the right investments. Often, the most fundamental security basics get lost in all the noise, resulting in an expensive data breach that could have been avoided.
Great points, Darren - it does seem like there is a lot of noise out there, which can be overwhelming to small business owners and freelancers. What are some (relatively) simple ideas on how they can stay safe?
In my view, the security basics that small businesses and freelancers should implement include the following:
- Security Awareness Training: Businesses forget the importance of security education and awareness training for their employees. Training should focus on employee cybersecurity hygiene and best-practice behavior, such as not clicking on phishing scams or using public Wi-Fi.
- Strong Password Use and Two-Factor Authentication: 3 out of 4 data breaches are due to weak passwords or poor password management (e.g. recycled passwords), and no matter how much businesses tell employees to avoid using Password123 or Password1, it still happens. The average person can only retain a few passwords, so they default to using easy ones that are memorable yet easily guessable by cybercriminals. Businesses need to implement mandatory password resets either monthly or every 90 days and employ the use of password managers. In addition, wherever possible, two-factor authentication should be used (If you are wondering what this means - see the next question below).
- Encrypting Data: We constantly hear of data breaches where Personally Identifiable Information (PII) was not encrypted - OPM is the poster child. At this point, all companies should be encrypting data, especially those that must comply with federal regulations and payment card standards. Sensitive employee and customer data must be encrypted at all times.
- Patching Computer Software & Updating Mobile Apps: One of the easiest ways to get malware, viruses, spyware and other threats onto your laptop or mobile device is by ignoring software patches and software updates. Businesses must ensure employees are patching their machines every time a new patch is released, and must enforce security policies. Mobile operating systems and apps must also be updated, especially on work devices that contain sensitive data.
You mentioned “Two Factor Authentication” (or multi-factor authentication) – can you expand upon what that means?
Multi-factor authentication is a process where two or more independent credentials (e.g. something you know, such as a password, and something you are, such as a fingerprint) are necessary to verify a user’s identity. The use of two-factor authentication (2FA) is definitely a growing movement as companies begin to grasp the severity of data breaches. Adding a process like 2FA to control access over the network layer will become the norm in a few years’ time. Another process we see going mainstream is the integration of security directly into the hardware and software layers of devices. If devices come pre-loaded with security applications, users will develop better security hygiene from the start rather than having to learn a behavior.
It seems like we store everything in cyberspace (Google Drive, Dropbox, etc…). What should freelancers and business owners think about when doing this?
Cloud-based services are a cost-effective and efficient way for small businesses and freelancers to collaborate and store business content. Freelancers and business owners would benefit tremendously by adopting a service that is cloud-based, because this allows for an easy way to manage day-to-day tasks, assists in growing your business faster and increases profit.
The standards for a secure cloud service vary depending on its use, but there are three key requirements. First, a cloud service should have client-side encryption of data, which both protects files on the local hard drive as well as in the cloud. Second, a secure cloud service should offer multi-factor authentication (remember, we defined this earlier) to add an extra layer of access control for all users. Finally, a secure cloud provider should either provide data loss prevention tools to protect the stored data or allow an organization to extend its DLP protocols to the cloud. In both cases, the organization is alerted immediately the moment a user attempts to send sensitive files to an outside source.
In your view, what is the biggest risk to small business owners in 2016?
The biggest risk to small business owners in 2016 is uninformed and sometimes careless employees. Unless given proper training, employees are, more often than not, oblivious to the risks they pose when creating and using passwords. Most individuals use simple passwords that are easy to hack, making small businesses more susceptible to data breaches. In addition, employees who aren’t educated about phishing and malware can mistake a fraudulent email for a real one and do significant damage to a company’s server. The best thing for small businesses to do would be to train their employees on cyber-security best practices before a small mistake turns into an expensive fix.
(A quick note from Find Me Cyber - if you are a freelancer, you may be thinking… “hey, I don't have any employees, so I am not at risk.” That is wrong! You still use passwords, may store/maintain sensitive data, and use the interwebs.)
Many thanks to Darren for his excellent insights! Stay tuned for our next “Conversation with an Expert!”
Are you a small business owner that has thoughts or stories to share on cyber risk? We would love to hear from you. Please follow us on LinkedIn to stay informed!
About Keeper Security: Keeper Security is transforming the way businesses and individuals protect their passwords and sensitive digital assets to significantly reduce cyber theft. As the leading password manager and digital vault, Keeper helps millions of people and thousands of businesses substantially mitigate the risk of a data breach. Keeper is SOC 2 Certified and utilizes best-in-class encryption to safeguard its customers. Keeper protects industry-leading companies including Chase, Sony, Siemens, Chipotle, Philips and The University of Alabama at Birmingham. Keeper partners with global OEMs and mobile operators to preload Keeper on smartphones and tablets. Learn more at https://keepersecurity.com.
About Find Me Cyber: I am a small business owner who recognizes the importance of being aware of cyber risk. The goal of Find Me Cyber is to do just that – educate and remind business owners and self-employed professionals of these risks and offer ideas for protection. Reach out at info at findmecyber dot com