I don’t know about you, but as a business owner that offers a service to clients in which they instill their trust in us, there is nothing that worries me more than the idea of getting hacked. Enough so that it keeps me up most nights, but it’s likely amplified being it’s a security company.
I know what they say – it’s inevitable and you must be prepared to account for it. While I realize it’s reality, I can’t help but think there are things that we should all be doing as business owners to help minimize the potential of such a hack.
While I often speak to website security, today I want to spend some time talking about things that we can each be doing to improve the security posture for our businesses.
Tips to Improve The Security of Your Business
We put a great deal of sweat equity into building our businesses. We owe it to our customers, employees, and ourselves to ensure we’re setting ourselves up for success. Security must be part of that conversation these days. Below are the top 5 tips I believe we can easily start employing, and hopefully you’ll find the context helpful.
1. Email
I hear horror stories of compromises where, once the forensics are complete, it all comes down to email being the weakest link. When you think about it, email is the most critical system we depend on, sometimes unknowingly.
We leverage it in many instances as our multi-factor authentication mechanism. We transfer information to and from employees, colleagues, partners, and potential customers. Yet, it’s often the last thing we think about securing.
For all new businesses I often recommend leveraging an email provider like Google Apps. If there is one thing Google does well, it’s email. This isn’t a debate on which email provider to use. I realize it’s much like discussing religion, but the takeaway is the use of a trusted third party that doesn’t require running your own email servers. Once configured, it’s imperative you enable Two-Factor / Multi-Factor Authentication on your account. When configuring your email on devices (i.e., mobile, desktop, notebooks) be sure to use app-specific passwords, and not your main password.
Be wary of Phishing Lures. As implied in the name, it’s an attack method used by attackers to trick you into clicking or downloading files to steal information. Often your login credentials to things like email, but can extend to things like your banking information and other treasured data.
2. Social Media
Similar to email, social media is one of the things we all have to deal with and a variety of security controls available to help you improve your security posture.
The threats of Phishing exist in social media platforms as well. One bad click and the attacker can take over your account. It’s good to take time to familiarize yourself with the various platforms and their security options:
This is obviously not a comprehensive list, so research the tools of your trade.
Be mindful of the tools you employ to manage the various mediums. As our companies become highly connected, and we strive to stay in touch, we like to leverage every medium possible. To do this, we leverage tools like Buffer, HubSpot, and so many others. In doing so, we have to authenticate and provide access, then share some of that access with others on our teams. This can be a nerve wracking exercise for security-minded people, but it’s inevitably something that has to happen as you grow. Be prepared to account for this growth.
Do so with caution, and ensure you pay attention to authorization features within each system. How granular are the roles and how can you control them?
Always operate on the side of caution: reduce access until the work becomes impossible (to my internal team: sorry about this), then increase it as necessary. I think you’ll find it similar to how we eat with our eyes. Our teams hunger for access, not because they require it, but because they desire it. Focus on what they require to get their jobs done, not on what they would like to have.
3. Privacy / Encryption
Privacy is, and always has been, a big thing. A lot has been brought to light by the ongoing surveillance government entities have been employing to keep tabs on us, things we all had assumed but could never prove, and by the ways organizations track our online actions and habits and use that data to sell and improve their marketing campaigns. More important, however, are the various hacks that have occurred over the past 24 months.
We’ve seen giants like LinkedIn, Target, Home Depot, Sony, and so many others suffer massive compromises, leaking an overwhelming amount of information into the nether regions of the web. Some like to joke that it’s safe to assume everyone’s information has been leaked and we’re all liable to get hacked at some point or get our identities stolen. Cynical, I know, but there is a lot of truth in that statement.
With that in mind, we need to be thinking a lot more about Encryption. In layman’s terms, encryption is an effective way of encoding your information so only those that are authorized to view it may do so. One way we should be looking to employ it is through the use of technologies like Pretty Good Privacy (PGP), which if you’re using a Mac, you can find in the GPGTools Suite, and for Windows, in the GPG4Win toolset.
I recommend using it for the storage of static files that you don’t use often, and also for sensitive emails. I used to recommend folks use tools like TrueCrypt to create encrypted containers in which you can store information you don’t access regularly, but it’s now a discontinued utility – meaning it’s no longer being actively supported. I know one alternative for Windows users is BitLocker, and your Mac offers FileVault. I’m still looking for a suitable replacement to TrueCrypt, something I can use to spin up quick containers, and I don’t have to worry about doing entire partitions.
4. Functional Isolation
This is something I often speak to when talking about website security, but the same applies to our businesses in general. Take some time to think of all the services you might use; things like your payment system, payroll, administrative systems, social media, accounting, finances, billing, ticketing, collaboration tools, the list goes on.
Today, in order to operate, we have grown dependent on the various Software as a Service (SaaS) businesses designed to streamline what used to be very difficult, allowing us to grow faster than ever anticipated. It only gets better with the introduction of new technologies.
As great as that all sounds, it becomes a nightmare when trying to manage and account for all the bits of information being slingshot across the web.
We have to learn to break things apart and remove dependencies, specifically around access and control. No one individual should have access to every system; it’s bad business to start with, and it also becomes your weakest link.
Build redundancy where possible.
As tempting as it might be, with the various integration options available in today’s systems, it’s okay if things don’t get integrated and function as isolated systems. Especially when you think about systems like Payroll or Human Resources. Those should be disconnected from all other systems, and access control is of the utmost importance.
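The three rules in this section (no one person with access to everything, redundancy where possible, and Payroll/HR disconnected from everything else) can be checked mechanically against an inventory of who administers which SaaS system. The following is an added example, not from the original post: the access map, the user names and the system names are all constructed for illustration, and the `ISOLATED` set encodes the post's Payroll/HR rule.

```python
"""Added example: audit a constructed user-to-system access map for the
functional-isolation problems described above. All names are invented."""
from collections import defaultdict

# Constructed sample inventory: which users can administer which systems.
ACCESS = {
    "alice": {"payroll", "hr", "billing", "crm", "social_media", "ticketing"},
    "bob":   {"billing", "crm", "ticketing"},
    "carol": {"social_media", "crm"},
    "dave":  {"payroll"},
}

# Systems the post says should stay disconnected from all others.
ISOLATED = {"payroll", "hr"}


def all_systems(access):
    """The full set of systems named anywhere in the inventory."""
    return set().union(*access.values())


def users_with_everything(access):
    """Individuals who can reach every system: the single weakest link."""
    every = all_systems(access)
    return sorted(u for u, s in access.items() if s >= every)


def isolation_violations(access, isolated=ISOLATED):
    """Users whose access spans an isolated system and a non-isolated one,
    i.e. a person through whom Payroll/HR is connected to everything else."""
    hits = []
    for user, systems in sorted(access.items()):
        sensitive = systems & isolated
        other = systems - isolated
        if sensitive and other:
            hits.append((user, sorted(sensitive), sorted(other)))
    return hits


def single_admin_systems(access):
    """Systems with exactly one administrator: no redundancy if that person
    leaves, loses a device, or is the one who gets phished."""
    admins = defaultdict(set)
    for user, systems in access.items():
        for system in systems:
            admins[system].add(user)
    return sorted(s for s, users in admins.items() if len(users) == 1)


def audit(access, isolated=ISOLATED):
    """Run all three checks and return the findings as one dictionary."""
    return {
        "users_with_everything": users_with_everything(access),
        "isolation_violations": isolation_violations(access, isolated),
        "single_admin_systems": single_admin_systems(access),
    }


if __name__ == "__main__":
    for finding, detail in audit(ACCESS).items():
        print(f"{finding}: {detail}")
```

On the sample data the audit flags alice as holding every system, flags her as the bridge between Payroll/HR and the rest, and reports that HR has a single administrator. Re-running the same checks after each new hire or new tool is a cheap way to notice when growth has quietly undone the isolation you set up.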
5. Awareness / Education
This is the softest tip of the five, but many will argue it’s likely the most important. Educating and training your staff about the various threats is a continuous process, and yet it’s often the one we all fall short on. We either assume they know better, or don’t want to be the bad guy wasting people’s time with canned information we ourselves don’t fully understand.
We have to continue talking about security, and ensure everyone understands what a threat looks like and how it might impact your business. Trust me, every one of your employees has a vested interest in the business not getting hacked. It can lead to loss of revenue, negative impacts to the brand, and in the worst case, force your business into bankruptcy. Don’t be afraid to share that burden with your staff.
The Threat of Hacks Is Real
In an ever-connected world, the threat of a hack is very real. Do not for one minute assume because you don’t have a website, or you don’t sell online, that your business is not at risk.
As my cynical friends say, it’s just a matter of time. There are however best practices and things we can all be doing, such as those described above.
Security and convenience have always been at war with each other. There is no denying this fact. Yes, some of the controls might feel exhausting and unachievable, but I assure you it can work. We have to push the boundaries of our own convenience, turn them into habits, and they’ll quickly become routine.
The weight and impact of the alternative is just too big these days.