Written by Patrick Taylor
July 31, 2018
In the modern world, we must think not only about physical safety but digital safety as well. And while we certainly are more open about personal details on the internet than ever before, there are still things we should keep to ourselves, especially if you run any sort of business. With all the recent data breaches that have occurred, not only have those companies taken massive blows to their reputation, but legislative measures are starting to be taken.
In the first half of 2018, the state of Delaware has put a policy for business data breaches in place, and many other states are sure to follow.
To maintain your reputation and avoid punitive measures, it is absolutely paramount to take preventative steps that reduce the chance of a data breach occurring, and to have a policy for reacting to a breach so that the damage is minimized.
Many cybersecurity firms offer expert consulting and software, but for a small business, paying for such a service can be a significant financial burden. Below, I give a step-by-step guide to cybersecurity on a smaller, more manageable scale.
STEP 1: IDENTIFICATION
To protect your data, the first step is to determine what sensitive information you store, both about your clients and about your employees. But what qualifies as sensitive? Well, here’s the list that Delaware specified in its recent law, which it calls ‘personal information’.
Personal information constitutes a first initial and last name, or first name and last name paired with any of the following pieces of information:
✓Social Security number
✓Driver’s license number
✓Financial account number
✓Username or email address in combination with a password or security question
✓Health insurance information
✓Biometric data used to access information
✓An individual taxpayer identification number
✓Marriage certificate or marriage certificate number
✓Full date of birth or birth certificate
✓Information or data collected through the use or operation of an automated license plate recognition system
This list provides a good starting place. It’s probably wise to also count credit card information, business plans, proprietary schemas, and other similar things as sensitive. If you wouldn’t be comfortable with another company getting their hands on it, it’s probably sensitive info.
So now that we know what we’re looking for, make a list of which of these things you store, and in what manner.
If you are going to protect all personal and sensitive data, you first need to know where all of it is.
Endpoints and Vulnerabilities
Okay, now with a list of all the different sensitive information, we need to determine where the vulnerabilities are. Professionals in the field might call these ‘endpoints’. Make a list of all the computers that are used to access and work with this personal information. Make sure to take into account phones and tablets as well. If someone uses it to deal with sensitive data, it’s a potential security risk. Make sure to take note of the operating system each device is running, as you’ll need that to determine your software security solution. Also make note of any network devices you use to access data, such as your router, as this is another place of vulnerability.
After making a list of devices, follow up by listing the names of all the employees who use each device. We’ll get into why later, but just know it’s important for now.
Alright, now that we have a list of all the hardware we use to access sensitive data, let’s look at the software.
Make a list of the software you use to access company data. Perhaps you currently store it all locally on the machine, or maybe it’s in a customer relationship management database, or maybe it’s hosted in cloud storage.
Also list the tools you use on your computer to manipulate that information, whether that be Excel or Outlook or Adobe Acrobat. Also list out any current protections you have for each piece of software, such as whether a service requires a password, or whether you use two-factor authentication, etc. (Note: I hope I don’t have to say this, but don’t write down the passwords! That would be dangerous.)
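The identification step above boils down to two questions: which of your data stores hold ‘personal information’ under the Delaware definition (a name paired with at least one listed element), and where do copies of that data sit that nobody declared? The following script is an added example, not tooling from the article; it applies the definition to a small, constructed inventory of data stores and then scans text for Social Security and payment-card number patterns (with a Luhn check to drop invoice numbers that merely look like cards). The field names in PI_ELEMENTS and the sample records are my own assumptions about how you might label your inventory.

```python
"""Data-inventory helper for the identification step (added example).
(1) Classify declared data stores with the Delaware 'personal information'
    rule: a first name/initial plus last name, combined with a listed element.
(2) Scan free text for SSN and payment-card patterns to find undeclared
    copies.  Every sample value below is constructed, not real data."""
import re
from dataclasses import dataclass, field

# Listed elements from the article, keyed by assumed inventory field names.
PI_ELEMENTS = {
    "ssn", "drivers_license", "financial_account", "login_with_password",
    "health_insurance", "biometric", "itin", "marriage_certificate",
    "date_of_birth", "license_plate_reads",
}
# The author's additions: sensitive even without a name attached.
EXTRA_SENSITIVE = {"credit_card", "business_plan", "proprietary_schema"}


@dataclass
class DataStore:
    name: str                      # e.g. "CRM", "Laptop-03 local disk"
    fields: set                    # inventory field names held by this store
    users: list = field(default_factory=list)   # employees who can access it
    mfa: bool = False              # does access require a second factor?


def has_name(fields):
    """Name component of the definition: full name, or last name with a
    first name or first initial."""
    return "full_name" in fields or (
        "last_name" in fields and bool(fields & {"first_name", "first_initial"})
    )


def classify(store):
    """Return 'personal information', 'sensitive' or 'other'."""
    if has_name(store.fields) and store.fields & PI_ELEMENTS:
        return "personal information"
    if store.fields & (PI_ELEMENTS | EXTRA_SENSITIVE):
        return "sensitive"
    return "other"


def review_inventory(stores):
    """List (store, classification, needs_attention) for stores that hold
    sensitive data; attention is needed when there is no second factor."""
    findings = []
    for s in stores:
        kind = classify(s)
        if kind != "other":
            findings.append((s.name, kind, not s.mfa))
    return findings


# --- content scan: find copies of data the inventory did not declare ------
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return the SSN-like and Luhn-valid card-like strings found in text."""
    cards = [m for m in CARD_RE.findall(text)
             if luhn_ok(re.sub(r"[ -]", "", m))]
    return {"ssn": SSN_RE.findall(text), "card": cards}


# Constructed sample inventory and sample file contents.
SAMPLE_STORES = [
    DataStore("CRM", {"first_name", "last_name", "email", "financial_account"},
              users=["alice", "bob"], mfa=True),
    DataStore("Marketing list", {"first_name", "last_name", "email"}),
    DataStore("Billing export on Laptop-03", {"credit_card"}, users=["bob"]),
]
SAMPLE_TEXT = """Constructed sample -- not real data.
Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111, phone 302-555-0100
Invoice 1234 5678 9012 3456 (fails Luhn, so not a card); bad SSN 000-12-3456
"""

if __name__ == "__main__":
    for name, kind, attention in review_inventory(SAMPLE_STORES):
        print(f"{name}: {kind}" + ("  <- no second factor" if attention else ""))
    print(scan_text(SAMPLE_TEXT))
```

Run it against your own inventory by replacing SAMPLE_STORES; the content scan is deliberately narrow (two patterns) so that it errs on the side of few false positives, which matters when an employee rather than a specialist is reading the output.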
With all the information above gathered, we can move to step 2.
STEP 2: PROTECTION
A large component of cybersecurity is taking preventative measures. It is far cheaper to protect against a data breach than to recover from one.
Viruses & Antivirus
Viruses can prove a real threat to cybersecurity.
One easy way to prevent viruses, especially if a computer is being used by a less-than-tech-savvy individual, is to install an ad blocker on their browsers.
I recommend uBlock Origin. I also recommend installing Privacy Badger and HTTPS Everywhere. Note that these latter two have a chance of breaking websites, but they can be disabled on a site-by-site basis. You’ll need to train your employees to disable them when some (reputable) site isn’t working.
It’s also important to have antivirus on all the office computers.
For Windows machines, the built-in Windows Defender should be enough for a small business, especially if you train your employees to avoid threats.
Consolidation & Cloud Storage
The next step I recommend is to consolidate your data. If you store data locally, on Google Drive, and in Dropbox, it may be time to decide on one location to keep it all, as it’ll both help business workflow, and will make protecting data ten times easier. If you’re storing data locally, I greatly recommend switching to a cloud platform, especially if your business doesn’t have to deal with extremely large files. At the very least, storing sensitive data in the cloud is a good idea. Cloud storage is probably the easiest and most secure way to back things up.
If you’re working in a relatively traditional office, you are probably using Microsoft Office 365 already. Its built-in OneDrive and SharePoint features are great tools for cloud storage, especially with the desktop clients, where you can delete the local copies of files. Here’s an article talking about how they are different, and when to use one over the other. If you are using an Active Directory type solution, you can even automate the process of clearing these files.
The command I use (it runs attrib recursively over every profile under C:\Users, clearing the pinned attribute and setting the unpinned one so that OneDrive keeps those files online-only) is:
cd C:\Users & attrib -p +u /s
Another major vulnerability is your passwords. If you’re a company that has to log in to a lot of sites to work (which we determined in our identification step above), secure passwords are a necessity.
You need to have a strong password policy in your office, and make sure no one writes passwords down in an insecure location.
The easiest way to remedy this is to get a password vault. I recommend LastPass Teams for small businesses, as it’s low cost and allows easy sharing of passwords between teammates. You’ll need to train your employees on the importance of strong passwords, and instruct them on how to make a strong, memorable master password.
Another key component is having individual logins for each user on all machines.
Not only will this create less headache for the people working on the computer, it also makes it more secure, as it’s easier to delete a user account than to pick through the machine to find out what is whose, and it’s easier to trace back a virus. We did a roundup of all the users on each computer, so you already have a list of what accounts to make. However, there are some tools we can use to make the process easier.
Active Directory is the big name in the industry, but it has two big drawbacks, namely that it only works with Windows Pro machines, and only with machines that are in the office.
However, there are other solutions; my office uses JumpCloud, as it has Mac and Linux support, as well as remote device support.
It’s also free and fully featured for 10 or fewer users, so it’s perfect for small business. With it, you can decide which accounts to give to which computers, as well as what level of access that the user has. You also get command line access and some user policy control, which are very nice.
Now, while JumpCloud is great for rolling out accounts, it can be a pain in the neck to go around to each computer and set up the ‘standard suite’ of software, whatever that may be for your company. (For me, it’s installing the mandatory browser extensions and setting up the Office suite.)
To make your life easier, I recommend installing a remote access tool, so you can administer any PC straight from yours. I strongly recommend the remote desktop software AeroAdmin, as it’s built for remote IT work and has a full set of features for remote computer control, which is exactly what you would be using it for. In addition, AeroAdmin can be used as free employee monitoring software, which gives added value to this application.
Now, with all of the above in place, you should be pretty set to deal with any threats internally. In the next article, we’ll cover transmitting information externally, detecting a breach, how to respond, and how to recover. Make sure to stay tuned!