There's more to cybersecurity than virus protection and anti-spyware. From securing mobile devices to guarding against hacking, here are some common vulnerabilities small businesses need to watch out for.
The media reports frequently about increasingly sophisticated security breaches that lead to exposure of proprietary information or pass codes, yet industry surveys show that small businesses continue to neglect the need to batten down the hatches.
It's not just about being vulnerable to viruses or exposing one's own confidential information. If your business stores customer's sensitive information, such as their credit card or Social Security numbers, a breach could result in loss of customers' private data, which can lead to consequences.
When online shoe retailer Zappos experienced a breach in January, confidential customer information such as passwords and email addresses were exposed. Many of its customers were supportive as the retailer did damage control, but a couple filed a class-action law suit, which can devastate small businesses.
Guard against breaches
Care and caution need to be taken to guard against everyday processes as well as unique situations, stresses Cameron Camp, a security researcher with ESET, an IT security company.
"A flower shop won’t have the sophistication in their network to counter an attack from Russia that siphons their money. You have to secure financial data, or banks won't be forgiving of losses. So you have to lock down end points and keep hackers from capturing financial data," Camp said.
Locking down involves having a firewall in place and on at all times, including non-business hours. More restrictive is better than less, Camp said.
Researchers like Camp track hundred of new threats that come out every week, so a key step in beefing up security is making sure you get all the latest updates for programs installed on your computer.
Many of us buy protection programs, plug it in and think we're done with it, but Camp cautioned against complacency.
Others opt for a hosted solution where the burden of responsibility shifts to a third-party provider. But instead of having a smattering of protective measures, it's better to have small, highly capable 'sensors' sprinkled through out the network, he said.
Secure smartphones, tablets
Entrepreneurs and businesses that pay attention to securing their networks with firewalls and other measures often overlook mobile devices.
From smartphones to tablet computers, thumb drives and memory sticks, the average person juggles a variety of devices, in addition to the requisite laptop and computers at work and home.
People check work email using different devices, logging in from home, coffee shops and Wi-Fi hot spots -- all of which increases the importance of securing those devices.
"You have to protect the same data in different angles, with mobile you have five ways in which this data can be accessed, while it's at rest and when it's mobile," Camp explained. "Many users on a survey we did said they don’t have even the most basic locks. So if someone gained physical access to it, then it’s a problem. They can also get digital access if you are in a Wi-Fi hotspot."
With iPads, iPhones and Android devices becoming more common, the number of apps available have exploded. But where you go to download an app can make the difference between security and vulnerability.
Camp cautioned against going to third-party sources for apps, because although they may look the same and function the same, it may be wrapped in malware.
"It can jailbreak the device in the case of Android, logging slides and taps and capturing sensitive information you may be entering on your tablet," Camp said. "We've been seeing more attacks on Apple platforms, but they take a stricter approach to the apps that are in their app store. Java itself has some vulnerability, so with Mac operating systems, the operating system is not the issue, it’s the apps on top of it."
Android device owners need to be extra careful, he said, because Google has tried to increase the number of apps available and so there are fewer barriers to entry for app creators.
"It's easier for an app to get into the Google ecosystem and since it's not so tightly controlled, it's easier to get malware through," Camp said. "Google does patch holes but it depends on how long it takes device companies to update their systems with those patches."
To guard against this, small businesses need to set up virtual sand bags in addition to firewalls, so that if a device is accessed, hackers will log onto what looks like the business network, but they will only breach general areas.
When the devices are activated the first time, enabling a remote wipe will ensure that if it does get lost, you can wipe out all data remotely and restore it to factory defaults. And if GPS tracking is enabled, you may be able to track down whether you left your phone in the rental car, as opposed to the plane, and get it back sooner.
Camp raised an important point in securing mobile devices, saying employees should not exist in a culture of fear and should know that they will not be penalized, so that if the worst happens, they confess sooner rather than later and employers can do damage control early in the game.
Inadequate cyber training
Having firm Web-browsing policies in place is important, as is training employees about cybersecurity. But information overload can lead to anathema.
However, security platforms and the training need not be bulky, Camp stressed.
Circle back to key training points several times a year, since employees can't absorb it all in one shot. He suggests raising awareness by warning employees and setting up traps or a phishing email, and watching what happens.
"Trick them and laugh about it at the year-end party. The best learning moments you can have is right after you've fallen for something like that," he said.
The problem is that although protection programs have become sophisticated, malware has kept pace and suspicious emails often arrive in your inbox looking very authentic.
An email warning you that your LinkedIn account will be discontinued may prompt you to click on it and before you know it, you will be taken to a site in Russia.
And despite all the software precautions, breaches can happen for the simplest of reasons, as Camp pointed out, such as if some one is at a coffee shop and logged into their network on the laptop and walks up to the counter to pick up their order and leaves their device exposed for a few minutes.
This is where proper training steps in and can make the difference between caution and carelessness. ESET, headquartered in Bratislavia, has its U.S. base in San Diego, and offers free training for businesses, which can learn more at securingourecity.org.
As a final cautionary note, Camp noted that small businesses make the mistake of thinking "Oh, I'm too small to be hacked," but in his line of work, he often observes that no one is impervious.
"We saw some malware attacking architect firms in Peru -- they captured industrial design documents designed in AutoCad and sent them overseas," Camp said. "This would give someone else access to your core secret sauce, which would otherwise take them months or years to develop."