Five simple, inexpensive ways small businesses can improve cybersecurity

Companies of all sizes have been victims of cyberattacks and hacks. Small and mid-sized businesses are increasingly targeted and cybersecurity isn’t just an IT problem, it’s a risk management issue. And buying more hardware or software won’t solve the problem. When smaller companies start thinking about how to address cyber- or data security, they frequently get overwhelmed at how complicated and expensive the solution seems to be. They often just throw up their hands and end up doing nothing at all.

Ideally, a company should take the time and invest in resources to assess its risk, develop response plans and train employees. This does take time and money. However, there are some relatively easy steps that companies can take to improve their security – steps that are not expensive. 

Here are five things any company can do to make it harder for hackers to get into your data:

1. Strong password practices

According to SplashData,  a provider of password management software, the three most common passwords for the last several years are:  123456, password and 12345.

Poor password practices make it that much easier for hackers to get into a company’s network or email. Every company should require its employees to change passwords regularly, and use strong passwords. Passwords that use a combination of numbers, symbols, upper and lower case letters (such as 3@k89%FrE!9#dp), or a phrase (Weloverockyroadicecream!) are much more difficult to break than commonly used passwords.

Also, companies should remind employees not to give out their login credentials to anyone else, even if asked, or to leave that information in plain site on their desk or computer. There are more sophisticated solutions to password protection, such as multi-factor authentication, but these steps will go a long way toward protecting your systems.

2. Control access to data

Not everyone in your company needs access to all of the systems and data that you have. Do sales people need access to personnel files, or do operations people need access to accounts receivable information? Probably not.  In addition to knowing what data you have, limit access to those employees who need access. That makes it harder for a disgruntled employee to steal data they should not be able to see, or for someone with sloppy cyber habits to allow someone unauthorized to gain access.

3. Update and patch third-party software

When you receive notice of an update or “patch” to a software application you use, don’t ignore it.  Make sure you install it promptly; these updates and patches often contain defenses to malware and other potential intrusions that the software provider has come across since the last update. 

4. Use virtual private networks (VPNs) for remote access

If any of your employees work remotely, or link to a public Wi-Fi network (think Starbucks), they should have a VPN, or virtual private network installed on their laptop, tablet or smartphone. A VPN provides a secure path through the web and protects your activities from anyone trying to get in. Ten to 15 years ago, VPN programs were hard to use, but there are a number of relatively inexpensive VPN applications that you can download to your laptop, tablet and smartphone. The one I use costs only $99 per year for two devices.

5. Train your employees regularly

More than 75 percent of hacks come through some action by an employee, usually as the result of phishing, the practice of sending an email from an apparently legitimate source, usually another company. The email tries to unearth information from the recipient, such as login information or credit card numbers. Sometimes the email may have an attachment, and when the employee clicks, malicious software (malware) enters the company’s network and does bad things. Employees should delete such emails without opening the attachment.

Another type of phishing email appears to come from someone with the employee’s company, even someone such as the CEO or HR director, asking for employees’ W-2 forms, or from the CFO asking the employee to wire a sum of money to some bank account.  You should train your employees to question these emails and even call the supposed sender to confirm. It is also important that the senior people in your company are supportive of this, and know that employees have been trained to do question such emails. Train your people to become good “cyber-citizens” and support a culture of data security!

Companies can take much more comprehensive approaches to data security, including assessing risk, creating and implementing cybersecurity and incident response plans, and training employees. The steps just outlined, however, are an easy and inexpensive way to start down the path of protecting your data and lowering the risk of an attack.