Cyber security is the new buzz phrase we all hear about. There are federal agencies involved in this area. There are military people involved in this very area both in offense and defense. Anyone who is paying attention to the news has heard the phrase. What does that have to do with the average small business owner who provides goods or services? The answer is a lot.
First, let me confess, I am no expert in this field. I did consult some experts to gather the information I needed for my own practice and found some interesting tidbits. There are laws governing this area for businesses.
If You Handle Financial Information, There’s a Law for That
First, any business that deals with financial information is required by law to have a written IT Security Plan and a Data Breach Response Plan. Now before you click off thinking, “I’m not an accountant so this doesn’t affect me,” wait just a minute. Do you do payroll? Do you keep employee information on your computer? Do you use e-mail marketing? If so, read on. Even if you are simply connected to the Internet, read on.
The Internal Revenue Service has issued written guidance in Publication 4557. It is aimed at firms that prepare returns or represent clients, but the guidance it contains is useful for all businesses. Reviewing these items can help you keep yourself safe from malware (malicious software that damages or takes over your system) and ransomware (malicious software that encrypts your data and holds it for ransom), the two biggest threats in the cyber world.
Interestingly, most attacks on computer systems start with a phishing e-mail. You see an e-mail with a link and click on it, or your employee gets a link and clicks on it. It may look legitimate, but it probably isn’t. When an e-mail comes in with a link, look closely at the return address. Is the e-mail from the vendor’s domain name, or is it from a Gmail or Hotmail account? Does it look like something that would come from that company? One trick of the bad guys is to use a header that looks right while one or two characters are off, or the return address has another country’s suffix. Hint: if it says it is from the IRS, it is a fraud. The IRS doesn’t send unsolicited e-mails.
If it does appear to be from your bank or a trusted vendor, don’t click the link. Rather, open the browser and type in the web address or pull it from your saved links, such as www.bookstaxesatl.com, log in, and then see whether the requested activity is actually needed. The link embedded in the e-mail may take you to a site designed to capture your information.
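The sender checks described above (vendor domain versus a free-mail account, a header that looks right but is a character or two off, a foreign country suffix, and the rule that any "IRS" e-mail is a fraud) can be turned into a small triage script. The code below is an added example written for this article, not something from the author or from IRS Publication 4557; the trusted-domain list, the free-mail list, the sample headers and the "two edits" threshold are all constructed assumptions you would replace with your own.

```python
# Sender-address triage based on the checks in the article above.
# Added example: TRUSTED_DOMAINS, FREEMAIL, SAMPLE_HEADERS and the
# two-edit threshold are constructed for illustration, not from the page.
import re
from email.utils import parseaddr

# Domains your business actually expects mail from (constructed list).
TRUSTED_DOMAINS = {"bookstaxesatl.com", "examplebank.com"}

# Free-mail providers: a vendor writing from one of these is a red flag.
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_part(domain):
    """First label of a domain: 'bookstaxesatl' for bookstaxesatl.com or bookstaxesatl.ru."""
    return domain.split(".")[0]


def check_sender(from_header):
    """Return a list of warnings for a From: header; an empty list means it passed."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    display_l = display.lower()
    warnings = []

    # Article hint: the IRS does not send unsolicited e-mail, so any IRS claim is fraud.
    if re.search(r"\birs\b", display_l) or name_part(domain) == "irs":
        warnings.append("claims to be the IRS: treat as fraud")

    # Mail from a domain you actually trust needs no further address checks.
    if domain in TRUSTED_DOMAINS:
        return warnings

    if domain in FREEMAIL:
        warnings.append(f"free-mail provider {domain}, not a vendor domain")

    for trusted in TRUSTED_DOMAINS:
        # Same name with a different suffix, e.g. another country's code.
        if name_part(domain) == name_part(trusted):
            warnings.append(f"{domain} uses the name of {trusted} with a different suffix")
        # One or two characters off from a trusted domain.
        elif 0 < edit_distance(domain, trusted) <= 2:
            warnings.append(f"{domain} is a near-miss of {trusted}")
        # Display name looks right while the address points elsewhere.
        if name_part(trusted) in display_l.replace(" ", ""):
            warnings.append(f"display name mentions {trusted} but address is {domain}")

    if not warnings:
        warnings.append(f"unknown sender domain {domain}")
    return warnings


# Constructed sample From: headers for a stand-alone run.
SAMPLE_HEADERS = [
    "Books Taxes ATL <info@bookstaxesatl.com>",
    "Books Taxes ATL <info@bookstaxesatl.ru>",
    "Books Taxes ATL <info@gmail.com>",
    "<alerts@examp1ebank.com>",
    "IRS Refunds <refund@irs-gov-notice.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = check_sender(header) or ["passed"]
        print(f"{header}\n  -> " + "\n  -> ".join(result))
```

The script only looks at the From: header, which an attacker controls, so a clean result is not proof that a message is genuine; it is a quick way to surface the warning signs the article lists so that staff stop and type the vendor's address into the browser instead of clicking the link.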
Given that employees are often the weak link in the cyber security plan, in addition to training, restrict access to the various areas of the network and its software. A maintenance tech in the back doesn’t need to be able to pay bills or set up users. The front counter clerk has no need to access payroll in most cases. Keep employees’ access limited to the minimum they need to do their job and nothing else.
Other excellent protection methods include using unique, long and strong passwords. According to the experts I consulted, 14 to 48 characters including special characters, mixed case, and numbers all make hacking more difficult. Back up your data daily using encryption technology and take the back-up off-site. Use good malware and ransomware scanners. There are several out there, and the cost is cheap insurance. Make sure to keep them updated.
Keep your computers behind locked doors if possible when not in use. Have all computers password protected, and lock them if stepping away even for a minute. You wouldn’t leave the cash drawer open while you went in the back; the computer is more valuable. Along those same lines, be sure your wireless networks are secure. If you don’t know how, hire a consultant who does.
Cyber Insurance. Is There Such A Thing?
Buy cyber insurance to protect your business if there is a breach. Among other protections, the insurance company will pay for a year of credit monitoring if there is a data breach. You don’t want to be on the hook for that cost. If you have any doubts about the security of your system, hire an IT firm that specializes in cyber security issues. Not all IT firms have this expertise. Many firms will supply the hardware and help set up your network, but they may or may not be currently competent in cyber security. Ask lots of questions.
Working with competent security personnel, planning, and training all who have access will go a long way toward keeping the bad guys out and allowing you to conduct business.