Small businesses, especially law and accounting firms that deal with sensitive data and financial transactions, need to be concerned about cybersecurity. Cyber attacks are becoming more sophisticated and more widespread every day. Fortunately, there are some very important, and often inexpensive, things every organization can do to protect itself.
- MDM Solutions. If you have a BYOD (bring your own device) environment or allow access to sensitive data from portable devices, like smartphones, tablets, or laptops, make sure you have a mobile device management (MDM) solution in place. MDM software can manage, monitor, and secure a mobile device. More importantly, it has the capability to wipe a device remotely if it is lost or stolen.
- At-Rest Data Encryption. Encrypting the data on hard drives matters because, if a PC, laptop, or portable hard drive is stolen, the data on it cannot be read without the key. The physical item is essentially rendered useless to the thief.
- Single Sign-On. Single sign-on allows users to use a single login and password to access all their business systems, easing the burden of password management. For companies, this translates to a single “gateway” for each user and also makes off-boarding employees a much simpler process. Single sign-on is often part of a two-factor authentication (2FA) deployment.
- Two-Factor Authentication. You are likely already familiar with 2FA for access to things like online banking, which requires a PIN code or another additional form of authentication besides a password. This can and should be extended to your email, line-of-business applications, cloud services, and remote access systems. If a password is leaked, the second factor still prevents access to your firm’s sensitive data.
- Backups. Backups of your servers, applications, and even desktops and laptops need to be comprehensive and tested regularly. If you can’t remember the last time you tested your data restore and business continuity plans, then it’s time.
- Email Security. Email security must encompass more than the built-in spam filtering from your provider. Since mail is the fastest way into a company’s network and phishing is rampant, it is vital to have strong malware and content filters for both inbound and outbound email. To further combat phishing, a company should employ sandboxing, where incoming attachments are held in a protected environment until it can be determined that they contain no malicious code.
- Web Filtering. Many newer threats enter company networks through internet activity and can be prevented by web filtering technologies. These can filter at the firewall level, though special settings or licenses may be required, or with software from companies such as Webroot and OpenDNS.
- Malware Protection. Most malware has to execute on a computer in predictable ways, which is what malware protection software looks for. There is inexpensive, yet highly effective, malware protection software on the market, such as CryptoPrevent. It’s worth the small investment.
- VPNs. Virtual private networks can be a funnel for malware. By design, a VPN extends the corporate network to the remote machine, so malware on an infected home computer, for example, can spread to the corporate network. If your organization uses a VPN, it should be properly locked down to allow only necessary traffic to pass through.
- Education and Training. The weakest link in any IT environment is the person sitting at the computer. As the data that technology holds has become more valuable, hackers have become more creative. Employees need regular training so they know what to look out for. Testing should occur several times a year to ensure that employees are alert and to determine what additional training or re-education is needed.
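The backups item above says a backup is only as good as its last tested restore. As an added example, not code from the original article, the script below performs the smallest meaningful restore test: it archives a directory, restores it somewhere else, and compares the SHA-256 hash of every file against the original, so a restore that silently dropped or corrupted a file is reported as a failure. The sample files, directory names and the `run_restore_test` helper are constructed for the demonstration; in practice you would point `make_backup` and `verify_restore` at your real data and a scratch restore location.

```python
"""Added example (not from the original article): back up a directory to a
tar archive, restore it elsewhere, and verify every file by SHA-256 hash.
The sample files and paths are constructed inline so it runs offline."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hashes[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def make_backup(source: Path, archive: Path) -> None:
    """Write the source tree into a gzip-compressed tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing any member that would land
    outside it (a path-traversal safety check before trusting archive names)."""
    target.mkdir(parents=True, exist_ok=True)
    target_resolved = str(target.resolve())
    with tarfile.open(archive, "r:gz") as tar:
        members = []
        for member in tar.getmembers():
            dest = str((target / member.name).resolve())
            if os.path.commonpath([dest, target_resolved]) != target_resolved:
                raise ValueError(f"refusing to extract outside target: {member.name}")
            members.append(member)
        tar.extractall(target, members=members)


def verify_restore(source: Path, restored: Path) -> bool:
    """The restore passes only if the file set and every hash match exactly."""
    return file_hashes(source) == file_hashes(restored)


def run_restore_test(tamper: bool = False) -> bool:
    """End-to-end restore test on a constructed data set.
    With tamper=True one restored file is altered to show a detected failure."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "firm-data"
        (source / "clients").mkdir(parents=True)
        # Constructed sample content standing in for real firm documents.
        (source / "clients" / "ledger.csv").write_text("client,balance\nacme,1200\n")
        (source / "engagement-letter.txt").write_text("constructed sample document\n")

        archive = tmp / "backup.tar.gz"
        make_backup(source, archive)

        restore_root = tmp / "restore-test"
        restore_backup(archive, restore_root)
        restored = restore_root / source.name
        if tamper:
            (restored / "clients" / "ledger.csv").write_text("client,balance\nacme,0\n")
        return verify_restore(source, restored)


if __name__ == "__main__":
    print("clean restore verified :", run_restore_test())
    print("tampered restore caught:", not run_restore_test(tamper=True))
```

Scheduling a job like this against a recent backup and a scratch directory, and alerting when `verify_restore` returns false, turns "we have backups" into evidence that they can actually be restored.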
While this is not an exhaustive list, it will give your firm a solid foundation for protecting your business from a cyber attack. And remember that the time and cost of implementing any (or all) of these tactics are still far lower than the cost of a data breach to your business.