10 Questions to Ask When Creating a Cybersecurity Plan for Your Business
Cybercriminals are increasingly preying on small businesses, which often lack the expertise and resources to adequately protect themselves. Last year, companies with one to 250 employees were the victims of more than 30 percent of all cyber attacks, according to Symantec's 2013 Internet Security Threat Report. That's a threefold increase since 2011.
"With larger companies increasing their protections, small businesses are now the low hanging fruit for cybercriminals," says Julius Genachowski, chairman of the Federal Communications Commission.
But your company doesn't have to be vulnerable if you simply take some basic protective measures. Here are 10 key questions to ask when securing your company from cybercriminals:
1. Should I install antivirus software?
Installing antivirus software and keeping it updated is a must for business owners, says Brian Underdahl, author of Cybersecurity for Dummies (Wiley, 2011). Antivirus software detects and removes malware, including adware and spyware, and filters out potentially dangerous downloads and emails.
Underdahl says he uses CheckPoint Software Technologies Ltd.'s ZoneAlarm Extreme Security 2013, a comprehensive antivirus software security package. It costs $54.95 for one year and $84.95 for two years. Other popular, effective antivirus options include Bitdefender Small Business Security ($150 for one year) and Webroot SecureAnywhere Antivirus 2013 ($39.99 for one year).
2. How should I handle suspicious emails from known and unknown senders?
Never open or reply to an email that seems suspicious, Underdahl says, even if it appears to be from someone you know. And after opening emails, don't click on suspicious links and attachments, he says. If you do, you could fall victim to email-borne financial and identity theft threats, including "phishing scams." Phishing emails, which appear to be from trustworthy sources, such as a bank or an online merchant you have done business with, attempt to acquire private data, including bank account and credit card numbers.
Also, recommend to your employees that they set their email client preferences to show the full address of the sender, not just the display name in the From section of their inbox, says Brett McDowell, senior manager of customer security initiatives at PayPal and a board member at the National Cyber Security Alliance.

Advise employees to use unique passwords for all business-related accounts online and across your company's information systems. Their passwords should include combinations of upper and lowercase letters, numbers and symbols and should be changed every 60 days or so. Also, never use the same password for different logins and never leave your password written down near your computer, Underdahl says.
McDowell recommends multi-factor authentication to verify an individual's identity, especially for financial transactions. For example, PayPal offers two extra forms of authentication to secure users' financial transactions: the PayPal Security Key, which generates random temporary security codes to verify users when they login, as well as a system that sends security codes via text message to users' mobile phones.
4. Whom should I allow access to my company's critical data?
Administrative login credentials should be given only to key company personnel, such as the CEO, CIO and trusted IT staff. Develop a clear plan that designates which individuals have access to which types of sensitive information, McDowell says.
5. Should I use a firewall to protect my company's internet connection?
Always use a firewall to protect your company's inbound and outbound network traffic. A firewall can help prevent hackers from tapping into your network and can block access to certain websites. It can also be configured to bar employees from sending proprietary data and specific types of emails outside of your network.
6. How often should I back up essential company information?
Back up your business's vital information automatically and on a regular basis, using a combination of cloud and off-site backup, Underdahl suggests.
Carbonite, an online data backup service for Windows and Mac users, offers encrypted backup storage services for small businesses for $229 to $599 per year. SugarSync is a similar cloud storage provider, with business packages starting at about $550 per year.
7. Should I use data encryption?
Encryption is essential to keeping such data as credit card, bank account and Social Security numbers as safe as possible. Encryption algorithms change information in your computer files into unreadable ciphertext, or "unreadable gobbledygook," as McDowell calls it.
"Whether a cybercriminal or a criminal employee walks away with some of your data, encryption would keep you protected because [he or she] wouldn't have the special keys to un-encrypt the data and make sense of it," he says. "Only you would."
If you're using Windows 8 Pro or Windows 8 Enterprise, all your local files and folders are already encrypted via BitLocker Drive Encryption. If you're using Mac OS X Mountain Lion or Mac OS X Lion, FileVault 2 automatically encrypts all your data.
8. How should I communicate company cybersecurity policies to employees?
Create a written security policy that details what employees can and cannot do on the internet while using company devices. Also, provide clear instructions as to how staff (and contract workers, if applicable) should handle vital company and customer data. Repeat your cybersecurity policies often via email and in-person meetings.
9. How can I secure my Wi-Fi network?
Instead of using an older, less secure Wired Equivalent Privacy (WEP) network, Underdahl suggests using Wi-Fi Protected Access version 2 (WPA2), which is widely considered the most current and secure encryption available.
To hide your Wi-Fi network, change the name of your wireless access point or router, also known as the Service Set Identifier (SSID). If you don't, hackers could easily breach your network using the default SSID provided by the router's manufacturer.
For added protection, you can require users to enter a 25- to 64-character alphanumeric Pre-Shared Key (PSK) passphrase.
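As an added example (not code from the article or its quoted experts), the script below enforces the passphrase length range above and derives the WPA2 pairwise master key the way the 802.11 standard does, from the passphrase with the SSID as the salt. That derivation is why both points matter: the same passphrase on a manufacturer's default SSID yields the same key on every such router, while a unique SSID and a long passphrase make the key specific and expensive to guess. The check caps the passphrase at 63 characters because the standard treats a 64-character value as the raw hexadecimal key; the "IEEE"/"password" pair is the standard's published test vector.

```python
import hashlib
import secrets
import string
from typing import List

# Length bounds: the article recommends 25 to 64 characters; the 802.11
# standard allows 8 to 63 printable ASCII characters for a passphrase, and
# reads exactly 64 characters as the raw hex key, so we use 25 to 63 here.
MIN_PASSPHRASE = 25
MAX_PASSPHRASE = 63


def check_psk_passphrase(passphrase: str) -> List[str]:
    """Return a list of policy problems; an empty list means acceptable."""
    problems = []
    if not MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE:
        problems.append(f"length {len(passphrase)} is outside "
                        f"{MIN_PASSPHRASE}-{MAX_PASSPHRASE} characters")
    # WPA2 passphrases are limited to printable ASCII (0x20 to 0x7E).
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    classes = (any(c.islower() for c in passphrase),
               any(c.isupper() for c in passphrase),
               any(c.isdigit() for c in passphrase),
               any(c in string.punctuation for c in passphrase))
    if sum(classes) < 3:
        problems.append("use at least three of: lowercase, uppercase, "
                        "digits, symbols")
    return problems


def generate_psk_passphrase(length: int = 32) -> str:
    """Generate a random passphrase from the OS CSPRNG that passes the check."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk_passphrase(candidate):
            return candidate


def derive_pmk(ssid: str, passphrase: str) -> str:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32).hex()


if __name__ == "__main__":
    # Same passphrase, different SSID: the derived key is completely different.
    for ssid in ("IEEE", "linksys"):
        print(ssid, derive_pmk(ssid, "password"))
    print("policy problems for 'password':", check_psk_passphrase("password"))
    print("generated:", generate_psk_passphrase())
```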
10. How can I secure company mobile devices?
Mandate that employees create passwords for their devices. Stolen or lost company-owned mobile equipment should be reported immediately to your tech support person or IT staff so that service can be shut off.
Consider installing an app like McAfee WaveSecure ($19.99 with a one-year subscription, available for iPhone, Android, BlackBerry and Windows Mobile) that enables you to remotely track the device's SIM card, back up data and remotely lock the device before hackers can get their hands on sensitive company information. For iOS, consider Lookout Inc.'s free app, Lookout Free Backup, Security, Find My Device.