By Earl Gregorich, Co-Chair America’s SBDC Cybersecurity Task Force
Cybersecurity is a term we hear a lot these days. It brings a wide range of reactions, from fear to eye-rolls to curiosity. For small business owners and those who work in entrepreneurial circles, cybersecurity just seems expensive and too complex to tackle. But what if we removed “cyber” from the word for a moment and just thought of it as security? Security is a lot more approachable and while it still has a cost associated with it, there is a better understanding of why “security” costs are justified. So, let’s take a walk through a small business and consider how we might see a few things differently if we focused more on security and less on cyber when protecting the digital assets within the company.
The next time a visitor arrives at your small business, take note of the process and path they take to arrive at your doorstep. Was there someone to greet the visitor or unlock the door for their entry? Did the visitor have to identify themselves or sign in? Were they escorted to your office or just allowed to find their own way? Were they left in a conference room by themselves? Was there a computer in the room with them or maybe a network access point? Could they get on your wireless network?
Visitors should always be greeted and made to sign in after identifying themselves. Depending on their purpose or who they are visiting, you may want to check their credentials. Anyone who is not an employee should be escorted and accompanied at all times, especially if a computer or network access is available to them. And offices and conference rooms should never have wireless access credentials openly displayed for visitors to see. Pretty standard stuff, right? Yet most small businesses overlook at least one of the security processes above. Also, note how none of these steps require technology or specialized skills, yet they all improve security, cybersecurity that is.
During breaks or lunchtime, take a walk around the office. Are there workstations, laptops, and other devices left with active files or work sessions on the screen? Do you see thumb drives, tablets, or cell phones left unattended? What type of paper documents are openly displayed on desks that might contain customer, company, or employee information?
Devices should be set to automatically lock after a period of inactivity. Storage media and portable technology should be locked up when not in use. Finally, paper is data and it should be safeguarded just like digital data. Again, none of these preventative measures require an IT specialist, just a culture that promotes good security practices.
Walk the Line
When was the last time you had to put your hands on the technology that keeps all those computers and devices running? If your systems are running well, it has probably been a while. We are talking about all those wires that crisscross through the ceiling and plug into those boxes with all the “blinky” lights on them. In the biz, we call them network cables, routers, and switches, but this post is all about keeping cyber out of the picture. Follow those wires to the boxes with the lights. Take note of where they are. Can employees and visitors access this equipment? Would you know if something was out of order or a thumb drive was plugged in that shouldn’t be?
The technology that keeps everything running in your business should be secured in a locked area. Only individuals who NEED access should have keys to that area. The equipment should be set up in an orderly fashion so it is easy to identify if something is missing or has been added. You might even consider taking a picture of the front and back of your devices so you can compare what they looked like the last time you checked on them to now.
None of the actions outlined in this post have cost the business owner anything. They have all been procedural and they all can be done by anyone. No technical degree is required. However, your last step should be to look out at your employees and ask yourself how prepared they are to identify and react to a possible threat. Have you done all you can to train them on the most likely threats? Do they know what to do if they click on a link in a phishing email? Have you established policies and guidelines to create a culture of diligent, security-minded workers?
People are the weakest link in any security scenario, especially cybersecurity. If you want to improve your chances of avoiding a hack, you have to give your staff the tools to fight. Creating a culture that incorporates the practices above is a good start. Combining these non-technical practices with common, low-cost protections like multi-factor authentication, solid passphrase management, and a good backup system will put you in a great position to mitigate most of the cyber threats facing small businesses. Training may cost you a bit of time and money but it is a good investment.
While most of this post provides no-cost, low-skill suggestions to keep your business secure, you will eventually need to incorporate more technical assistance. The network of Small Business Development Centers across the United States and its territories is prepared to assist you in your fight against cybercrime. Let us help you do a walk-through of your business and recommend technical resources when appropriate. Contact your local SBDC office and use the online resources at AmericasSBDC.org to get started today!