The "It can't happen to me" mindset must change about Cyber Security

Small, preventive measures can help protect your business from cyber threats - and enhance its search engine optimization (SEO) and email marketing
Release Date: Thursday, December 19, 2019
Contact: Michael Aumack (316) 269-6275

By Michael Aumack, Public Information Officer, U.S. Small Business Administration – Wichita District Office

The common belief that small businesses in Kansas are too small or 'unknown' to be targeted by cyber criminals needs to end. Every business that depends on a computer system and the internet is a potential target. A 2019 study by Keeper Security, Inc. stated that "2 out of 3 respondents (66%) believe a cyberattack is unlikely (even though 67% of small and medium sized businesses experienced a cyberattack in the last year)."  

Small businesses are targeted because cyber criminals know most don't have the financial resources or know-how to protect their data, intellectual property (IP), transactions or websites from being compromised.

While it may not be feasible for a small business to invest heavily in cyber security, there are a few practical steps business owners can take to reduce risk. Below are a few best practices and resources business owners can discuss with their IT staff or provider. There are no "silver bullets" that provide 100% protection against constantly evolving cyber threats, but businesses can fortify their systems and be better prepared to respond quickly and recover from an incident.

Get Updated: Ensure your operating system, firewall and anti-virus/anti-malware software are updated with the latest software fixes ('patches') issued by their vendors. Assign someone to check for updates and install them as soon as possible.

Backups and Recovery: Frequently back up (copy) your data to a storage device located offsite or to the cloud. Consider encrypting your backup files and keep the encryption key in a safe place at a different location. Protect access to your backup system with a dedicated login that requires multi-factor authentication.

Train employees on cyber best practices: Teach them how to identify phishing emails and to avoid opening attachments that may contain malicious software (malware).

Remove non-essential software applications from your server and devices (e.g. games, streaming services, social media apps). Ensure all software and apps you do keep are supported by their vendors and rated as safe by reputable sources.

Delegation of job duties should be reflected in your IT: Restrict users' 'admin rights' to prevent them from installing software or accessing data they don't need for their job duties. The CEO should have two separate login accounts: (1) an everyday account that provides access only to the data and systems they normally use, and (2) an administrator login with a different password and multi-factor authentication that provides full admin rights to everything in the system, including software changes. This 'super user' login should only be used when necessary.

Use long passphrases (passwords) that expire every 90 days. A longer phrase is more secure than a shorter one with special symbols that may be hard to remember. Consider typing the chorus of a favorite song in all lower-case letters. It may be easier to remember and long enough to baffle a code breaker. Change the passphrase once a quarter, and keep it somewhere only you can access, such as a digital file on your cell phone.

Consider multi-factor authentication (MFA) for a more secure login. MFA is a security enhancement that requires you to present two pieces of evidence (credentials) when logging in to an account. SMS (text) based authentication is the most common method, followed by email, an authenticator app, or a phone call-back.

Use VPN (virtual private network) technology to connect all wireless devices to your server when using WiFi outside your office's secure network. Treat 'free public WiFi' as unsafe.

Activate screen saver lock-out of your computers, laptops and phones after 2-5 minutes of inactivity.

Upgrade your business website with Transport Layer Security (TLS) so that your web address begins with "https://". Websites without the "s" are flagged by some browsers as 'not secure', so having TLS will also help your website's search engine optimization (SEO). TLS is also the current standard for encrypting email in transit: mail servers configured for TLS exchange messages with each other over an encrypted connection.

Protect your reputation by implementing email authentication: SPF, DKIM and DMARC. These make it harder for a scammer to send phishing emails that look like they are coming from your company. Also, without email authentication, your legitimate emails could be routed to a spam folder or rejected by the recipient.
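As an added illustration (not part of the SBA article), the following Python script parses constructed SPF, DKIM and DMARC DNS TXT records for a hypothetical domain and reports whether each is published and whether it actually tells receiving mail servers to act on spoofed messages. The domain, DKIM selector and record values are invented sample data, and no DNS queries are made.

```python
import re
# Constructed sample TXT records for a hypothetical domain (not real DNS data).
DOMAIN = "example-biz.test"
SAMPLE_RECORDS = {
    DOMAIN: "v=spf1 include:_spf.mailprovider.test ip4:203.0.113.10 -all",
    f"mail._domainkey.{DOMAIN}": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY_BASE64",
    f"_dmarc.{DOMAIN}": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example-biz.test",
}

SPF_POLICY = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}

def parse_tags(record):
    """Turn a 'k=v; k=v' record (DKIM or DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Report whether SPF is published and how it treats senders not listed in it."""
    if not record or not record.lower().startswith("v=spf1"):
        return {"present": False}
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record)
    qualifier = (match.group(1) or "+") if match else None
    policy = SPF_POLICY.get(qualifier, "missing")  # no 'all' term = effectively neutral
    return {"present": True, "unlisted_senders": policy, "strict": qualifier == "-"}

def check_dkim(record):
    """A DKIM key record needs v=DKIM1 and a non-empty public key (empty p= means revoked)."""
    tags = parse_tags(record or "")
    present = tags.get("v", "").upper() == "DKIM1" and bool(tags.get("p"))
    return {"present": present, "key_type": tags.get("k", "rsa")}

def check_dmarc(record):
    """Report the DMARC policy; only quarantine/reject tell receivers to act on failures."""
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return {"present": False}
    return {"present": True, "policy": tags["p"], "pct": int(tags.get("pct", "100")),
            "reports": "rua" in tags, "enforcing": tags["p"] != "none"}

def assess_domain(records, domain, selector="mail"):
    """Combine the three checks for one domain's published records."""
    return {
        "spf": check_spf(records.get(domain)),
        "dkim": check_dkim(records.get(f"{selector}._domainkey.{domain}")),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}")),
    }
```

Running `assess_domain(SAMPLE_RECORDS, DOMAIN)` on the sample data reports a strict SPF record, a valid DKIM key and an enforcing DMARC policy; a domain whose DMARC record says `p=none` is reported as present but not enforcing.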

Consider Cyber Insurance: Cyber insurance can help protect your business against losses resulting from a cyber attack.

Develop and adhere to a cyber security plan and designate a person or team to implement a quick response in the event of a cyber breach.

Report any cyber breach, ransomware attack or email compromise to the FBI Internet Crime Complaint Center at https://www.ic3.gov/default.aspx as quickly as possible.

In Kansas, businesses impacted by cybercrime should contact FBI Cyber Unit Special Agent Tom Ensz at 316-262-0031 or connect via https://www.fbi.gov/investigate/cyber

Take action today to protect your business from cyber threats! Here are some links to helpful resources to get started:

If your business community, association or chamber would be interested in a free workshop on Cyber Security Essentials for Small Business, please contact Michael Aumack at the SBA to set one up today. Call 316-269-6275 or email Michael.Aumack@sba.gov