Editor’s note: This online security advice is applicable to everyone in the company. Share information with employees so they can help keep your business safe from cyber security threats.
If my pocket computer can’t show me my bank balance in the time it takes to get from the sidewalk to the barista counter, I’m out. You’re the same, right? We expect the services and data that power our finances, our travel itineraries, our tailored news and sports scores, our businesses, our lives, to be available immediately and from everywhere. And the cost of this convenience is risk; the more services you use, the more data you store, the harder it is to keep your data safe — let alone understand your exposure or know whether you’ve been compromised.
The benefits of everything the internet affords us still outweigh the risks by far. So why am I writing about cyber security, possibly contributing to what the National Institute of Standards and Technology (NIST) calls “security fatigue” — a security overload that can cause computer users to feel helpless and act recklessly? Two reasons:
- To minimize the number of small businesses dismissing cyber security risk.
- To help grow the number of small businesses investing and prioritizing cyber security efforts.
I’ll keep it simple and let you hear it directly from some of the good guys. Then you can get back to running your business and living your life.
Tip: Security specialist Troy Hunt has built an amazing tool to search your email for accounts that might have been compromised from a major breach. I recommend ';--have i been pwned?.
Online security advice from Jeremiah Grossman of SentinelOne
“Having a good backup process is simply indispensable and has personally saved me more than once.” —Jeremiah Grossman, SentinelOne
Jeremiah Grossman is a professional hacker and founder of WhiteHat Security. He currently serves as the chief of security strategy at SentinelOne. His top cyber security tips for small business owners include:
“Multi-Factor Authentication (MFA or 2FA). Most social networks, web-based email systems, and financial institutions offer customers an MFA option, which effectively means that when you log in, they’ll text you a special code you must enter into your browser to authenticate. To hack you, the bad guys would need your username, password, AND access to your text messages. Setting this up adds A LOT of extra protection when inevitably passwords are lost, which happens all the time these days.
Back up your files. Eventually, no matter what precautions we take, everyone gets hacked. And when this occurs, we want to limit the damage and be able to recover as quickly and cheaply as possible. Having a good backup process is simply indispensable and has personally saved me more than once.
On corporate email systems, often your email address doubles as your username — which makes it a bit easier on the bad guys when they try to hack your account. Upfront, they have half of the key already. What I do is pick a username that looks more like another password than something you might typically find. I then set up an email address alias where people send me messages, and never share the real username. That way, when they try to guess the password on my account using my 'email address,' it can’t possibly work, because it’s not really my username.”
Read more from Jeremiah on his blog.
Online security advice from Jeffrey Goldberg of 1Password
“It is a mistake to think that there aren’t reasonable and practical things that ordinary people can do to improve their security online. If you think about security as ‘all or nothing,’ you will be overwhelmed and pick ‘nothing.’” —Jeffrey Goldberg, 1Password
He says everyone can take steps to reduce cyber security risks.
According to Jeffrey, “Any improvement in these three things will reduce your risks:
- Try to be better at keeping your system and software up to date.
- Look more toward trusted app stores for where you get your software from.
- Reduce password reuse. That is, try to avoid using the same password on multiple sites. A good password manager can help you move in the right direction.
Those aren’t absolute ‘all or nothing’ things. They are things that you can improve upon at your own pace, and any improvement will pay off in better security.”
The folks at 1Password run a great blog. I think you’ll appreciate their latest piece on password reuse in the wake of the recent Yahoo! breach.
Online security advice from Logan Kipp of SiteLock
“When considering services and applications for your small business, keep your Jetsons dreams in check …” —Logan Kipp, SiteLock
Logan Kipp, cyber security analyst turned product evangelist for SiteLock, promotes a healthy balance of security and usability for small businesses:
“The cloud is well-known for accessibility and ease of use, but that needs to be balanced with the reality of the state of web security today. When considering services and applications for your small business, keep your Jetsons dreams in check with what I call a ‘Faraday Filter,’ and consider the security you may be compromising just to make things a little easier for yourself.”
And for those that develop services and applications for small businesses and the rest of us, balance the rush to get your product out the door by ensuring that your security isn’t compromised. As Logan says:
”I know you’re really excited for your ideas to materialize and your service to come to market, but a shortcut made in production today could compromise your customers’ livelihood tomorrow; test not only for functionality and usability, but also for exploitability; static and dynamic application security testing should both be employed.”
Cyber security tips from GoDaddy’s Todd Redfoot
“Back up your data regularly, preferably to cloud-based, trusted services that support encryption.” —Todd Redfoot, GoDaddy
As GoDaddy’s Chief Information Security Officer, Todd Redfoot is responsible for keeping our enterprise, our customers’, and our customers’ customers’ data safe. He’s seen just about everything and to him, it’s not about whether your data has been compromised, it’s whether or not you know about it and what you’re doing to minimize your risk.
“Imagine years of accounting records for your small business unexpectedly unavailable and receiving a message that you must pay to regain access to what belongs to you. That’s how it works when you’re hit with ransomware; hackers encrypt your files, making it inaccessible unless you pay the bad guys to have it decrypted. This attack vector is popular right now because it’s inexpensive and easy to distribute, and is very lucrative because companies have no choice but to pay to get their data back.”
“Back up your data regularly, preferably to cloud-based, trusted services that support encryption. As a general rule, you should be backing up your computer on a regular basis anyway. Those affected by ransomware with recent data backups may simply restore data from backups and avoid paying the ransom, rendering the attack harmless.”
Todd is a regular contributor to the GoDaddy blog.
Act on this advice to protect your business
Security failures cost.
If you read Nicole Perlroth’s NY Times piece on how “defending against hackers may have taken a back seat at Yahoo,” you know about the potential investigation and rumors that the breach may cost Yahoo! $1B in their pending sale to Verizon. And Yahoo! wasn’t the first big business hit hard by a breach; TalkTalk was just hit with a £400,000 fine for their 2015 breach of customer data. There are many, many more examples.
Your small business is not a web behemoth like Yahoo!, and you don’t have hundreds of millions of users whose data may be exploited. But when you manage your business in the cloud and trust others to manage it for you, you expose yourself and your business to financial and reputational risk — just like multi-billion dollar companies.
Use this online security advice and industry best practices to help keep your data safe (or at least easier to recover). Doing so will help you avoid at least a very bad weekend and at most a catastrophic neck punch to your business and livelihood.