As such, one of the most important things that a small business owner can do is to educate his or her employees. Cybersecurity education consists of essentially three necessary components:
- Awareness of threats: You must ensure that every employee working for the business understands that he or she, and the business as a whole, are targets. People who believe that criminals want to breach their computers, phones, and databases act differently than people who have not internalized this reality. While formal, regular training is ideal, even a single, short conversation conducted when workers start, and refreshed with periodic reminders, can deliver significant value in this regard.
- Basic information-security training: All employees should understand certain basics of information security. They should, for example, know to avoid cyber-risky behavior, such as opening attachments and clicking on links found in unexpected email messages, downloading music or videos from questionable sources, inappropriately using public Wi-Fi for sensitive tasks, or buying products from unknown stores with too-good-to-be-true prices and no publicly known physical address.
Numerous related training materials (often free) are available online. That said, never rely on training in itself to serve as the sole line of defense against any substantial human risk. Many people do stupid things even after receiving clear training to the contrary. Furthermore, training does nothing to address rogue employees who intentionally sabotage information security.
- Practice: Information security training should not be theoretical. Employees should be given the opportunity to practice what they have learned — for example, by identifying and deleting/reporting a test phishing email.
Incentivize employees to comply with cybersecurity efforts
Just as you should hold employees accountable for their actions if things go amiss, you should also reward employees for performing their jobs in a cyber-secure fashion and acting with proper cyber hygiene. Positive reinforcement can go a long way and is almost always better received than negative reinforcement.Furthermore, many organizations have successfully implemented reporting systems that allow employees to anonymously notify the relevant powers within the business of suspicious insider activities that may indicate a threat to your cybersecurity initiatives, as well as potential bugs in systems, that could lead to vulnerabilities. Such programs are common among larger businesses, but can be of benefit to many small companies as well.
Remember to revoke access for former employees
There are countless stories of employees making mistakes that open the organizational door to hackers and of disgruntled employees stealing data and/or sabotaging systems. The damage from such cybersecurity incidents can be catastrophic to a small business. Protect yourself and your business from these types of risks by setting up your information infrastructure to contain the damage if something does go amiss.How can you do this? Give workers access to all the computer systems and data that they need in order to do their jobs with maximum performance, but do not give them access to anything else of a sensitive nature.
Programmers shouldn’t be able to access a business’s payroll system, for example, and a comptroller doesn’t need access to the version control system housing the source code of a company’s proprietary software.Limiting access can make a world of difference in terms of the scope of a data leak if an employee goes rogue. Many businesses have learned this lesson the hard way. Don’t become one of them.
Give everyone their own credentials
Every employee accessing each and every system in use by the organization should have their own login credentials to that system. Do not share credentials!Implementing such a scheme improves the ability to audit people’s activities (which may be necessary if a data breach or other cybersecurity event happens) and also encourages people to better protect their passwords. because they know that if the account is misused, management will address the matter to them personally rather than to a team.
The knowledge that a person is going to be held accountable for their behavior vis-à-vis maintaining or compromising security can work wonders in a proactive sense.
Likewise, every person should have their own multifactor authentication capabilities — whether that be a physical token, a code generated on their smartphone, and so on.Restrict administrators
System administrators typically have superuser privileges — meaning that they may be able to access, read, delete, and modify other people’s data. It is essential, therefore, that if you — the business owner — are not the only superuser, that you implement controls to monitor what an administrator does.For example, you can log administrator actions on a separate machine that the administrator does not have access to.
Allowing access from only a specific machine in a specific location — which is sometimes not possible due to business needs — is another approach common in cybersecurity, as it allows a camera to be aimed toward that machine to record everything that the administrator does.
Limit access to corporate accounts
Your business itself may have several of its own accounts. For example, it may have social media accounts — a Facebook page, Instagram account, and a Twitter account — customer support email accounts, phone accounts, and other utility accounts.Grant access only to the people who absolutely need access to those accounts. Ideally, every one of the folks to whom you do give access should have auditable access — that is, it should be easy to determine who did what with the account.
Basic control and audibility are simple to achieve when it comes to Facebook pages, for example, as you can own the Facebook page for the business, while providing other people the ability to write to the page.In some other environments, however, granular controls aren’t available and you will need to decide between the cybersecurity implications of providing multiple people logins to a social media account or having them submit content to a single person (perhaps, even you) who makes the relevant posts.
The challenge of providing every authorized user of corporate social media accounts with their own account to achieve both control and audibility is exacerbated by the fact that all sensitive accounts should be protected with multifactor authentication.
Some systems offer multifactor authentication capabilities that account for the fact that multiple independent users may need to be given auditable access to a single account. In some cases, however, systems that offer multifactor authentication capabilities do not blend well with multi-person environments.They may, for example, allow for only one cellphone number to which one-time passwords are sent via SMS. In such scenarios, you will need to decide whether to
- Use the multifactor authentication, but with a workaround — for example, by using a VOIP number to receive the texts and configuring the VOIP number to forward the messages on to multiple parties via email (as is offered at no cost, for example, by Google Voice).
- Use the multifactor authentication with no workaround — and configure the authorized users’ devices not to need multifactor authentication for the activities that they perform.
- Not use the multifactor authentication, but instead rely solely on strong passwords (not recommended).
- Find another workaround by modifying your processes, procedures, or technologies used to access such systems.
- Utilize third-party products that overlay systems (often the best option when available).
The last option is often the best option. Various content management systems, for example, allow themselves to be configured for multiple users, each with their own independent strong authentication capabilities, and all such users have auditable access to a single social media account.
While larger enterprises almost always follow some variant of the last approach — both for management and security reasons — many small businesses tend to take the easy way out and simply not use strong authentication in such cases. The cost of implementing proper cybersecurity, both in terms of dollars and time, is usually quite low, so exploring third-party products should definitely be done before deciding to take another approach to this cybersecurity challenge.The value of having proper security with auditability will become immediately clear if you ever have a disgruntled employee who had access to the company’s social media accounts or if a happy and satisfied employee with such access is hacked.
Enforce social media policies
Devising, implementing, and enforcing social media policies is important because inappropriate social media posts made by your employees (or yourself) can inflict all sorts of damage. They can leak sensitive information, violate compliance rules, and assist criminals to social engineer and attack your organization, expose your business to boycotts and/or lawsuits, and so on.You want to make clear to all employees what is and is not acceptable use of social media. As part of the process of crafting the policies, consider consulting an attorney to make sure that you do not violate anyone’s freedom of speech. You may also want to implement technology to ensure social media does not transform from a marketing platform into a cybersecurity nightmare.
Monitor employees to succeed with cybersecurity
Regardless of whether or not they plan to actually monitor employees’ usage of technology, companies should inform users that they have a right to do so. If an employee were to go rogue and steal data, for example, you do not want to have the admissibility of evidence challenged on the grounds that you had no right to monitor the employee.Furthermore, telling employees that they may be monitored reduces the likelihood of employees doing things that violate cybersecurity policy because they know that they may be monitored while doing such things.
Here is an example of text that you can provide to employees as part of an employee handbook or the like when they begin work:
Company, at its sole discretion, and without any further notice to employee, reserves the right to monitor, examine, review, record, collect, store, copy, transmit to others, and control any and all email and other electronic communications, files, and any and all other content, network activity including Internet use, transmitted by or through its technology systems or stored in its technology systems or systems, whether onsite or offsite. Such systems shall include systems that it owns and operates and systems that it leases, licenses, or to which it otherwise has any usage rights.
Furthermore, whether sent to an internal party, external party, or both, any and all e-mail, text and/or other instant messages, voicemail, and/or any and all other electronic communications are considered to be Company’s business records, and may be subject to discovery in the event of litigation and/or to disclosure based on warrants served upon company or requests from regulators and other parties.