If you’re a business owner, trying to carve out time to dedicate towards cybersecurity is almost exhausting just to think about. We totally get that. But the real problem can hit if you don’t put any time into it at all: a major network failure, compromised personal information, or being locked out of important documents in a ransomware attack… that can add up to hours, days or even weeks of business lost. This is why we’ve put together this list of the top 5 tips for small and medium business owners to keep in mind to help keep their businesses safe, without having to take too much time away from everything else they have going on.
Security Tip 1: What’s at risk?
Your first step in cybersecurity is an easy one: don’t be complacent! Recognizing what you have that’s at risk will help motivate you to stay on top of cybersecurity and help you prioritize what information is most sensitive. While it’s easy to assume that attackers have more to gain by going after bigger targets who have a lot of “top secret” information to exploit, or huge amounts of money, the reality is that no matter what your business is—it could be a sports bar, a laundromat, a courier service, anything—you’ve got something that an attacker could profit off of. Some of the biggest payoffs for them: personal information of your employees (like financial information from your payroll, or Social Insurance Numbers that can be used in identity theft), customer payment information (including credit card information taken from POS terminals) and files they think you would pay to regain access to if they used ransomware to lock you out of them. And the biggest thing smaller businesses have that appeals to cyber attackers? Vulnerabilities. Because the dominant belief is still “small businesses like mine aren’t going to be on hackers’ radars,” there are, ironically, a lot of security oversights in small businesses’ networks that are on hackers’ radars.
Security Tip 2: Give passwords more than a passing thought
Okay, now that we’re all on the same page that any business can be a target for cyber attacks, can we all agree to never use “password” or “123456” as a password ever again? Great! No need to do the hackers’ work for them, right?
Now that we’ve covered the most common mistake, let’s dive a bit deeper. A good password is:
- easy to remember
- complex so it can’t be guessed
- changed often
- different from all your other password for different accounts
Those last three points definitely seem to be working against the first point, we know. Trying to remember multiple, complex passwords is understandably difficult. Which is why so many people default to using simple passwords, like the names of family members, important dates like birthdays or anniversaries, or other things that, frankly, wouldn’t be too hard for someone to guess if they did a bit of digging.
One easy solution to make your passwords both memorable to you and complex is to migrate to using acronyms that are easy for you to remember but look like random letters and numbers to anyone else. Here’s an example: mdBh5pi16. Looks like nothing, right? Impossible to memorize. Until we tell you that it stands for “my dog Bella had 5 puppies in 2016”. Memorable sentences like this can give you a good password that uses upper case, lower case, numbers, and even symbols if you want. Or if you want to get even more sophisticated, you could invest in a password manager that will generate and manage strong, unique passwords for all devices and accounts on your business’s network. But the most important password tip out there: never, ever share your password with anyone. And if you think there’s even the slightest chance that someone has figured it out or has accessed your accounts, play it safe: change it right away.
Security Tip 3: Be software smart
Is antivirus software your best bet against cyber attacks? Yes. Absolutely. But it’s a conditional “yes”. First off, not all antivirus software is created equal. Make sure you do your research and use find an antivirus program that is trusted and recommended for business use. And once it’s installed, don’t adapt a “set it and forget it” mentality. Threats evolve. They become more sophisticated, and they learn how to get around out-of-date antivirus software. So update often. Make sure your autoupdate is enabled so that you get the latest version as soon as possible. And hey, just like you likely check your door when you leave the house, even though you know you just locked it, it doesn’t hurt to check when the last update was, just to be 100% sure autoupdate is enabled and being completed.
Security Tip 4: Are you down with backups?
Backing up important documents, files and folders is just as much about cybersecurity as it is about protecting yourself in case of a system crash. Specifically, it’s a huge advantage if you’re ever the target of a ransomware attack. Ransomware attackers will try to exploit you by locking you out of your files. Cloud backup will ensure that, if that happens, you can still access copies of your files that you can access without having to pay your attacker exorbitant amounts of money. It’s basically like a hostage movie where the hostage-taker turns around and realizes they’ve just been holding mannequins captive the whole time. This hypothetical ransomware attacker has completely failed their mission. Just make sure you frequently test your backup to make sure the restorations are successful and complete.
Security Tip 5: Don’t take the bait
Phishing schemes aren’t always as obviously spotted as we like to believe. For the most part, we’ve all come to be sceptical of emails from unknown sources that ask us to follow a link or download a file for some sort of suspicious-sounding reason, such as unlikely business propositions to, well, more R-rated propositions we won’t call out here. But like most cyber threats, phishing is getting more sophisticated. Things that should set off some warning bells in your brain include:
- Emails that claim to be coming from an authoritative source, like a bank, the CRA, the president of your company, your IT department, etc.
- An overly urgent tone in the email, and scare tactics that make you believe that a delay in action could have serious consequences.
- Asking you to take action if you “mistakenly” received the email (for instance “if you did not order this, please click here to cancel your order”).
The easiest way to tell if an email source is legit or not is to always check both the actual email address (not just the sender name) that emails like this are coming from, as well as the URL address it links out to (by hovering over the link… never click through to the link provided unless you’ve confirmed the URL is valid). Don’t respond back to the sender, and if you suspect it’s fraudulent, just delete it.
And a bonus tip on the phishing front: be cautious when people call for information about your business, like names of employees, job titles, email addresses, etc. There’s an increasing number of attackers who are getting this kind of information beforehand to make their phishing emails seem particularly legit. You don’t need to make your business’s information super secretive (of course, you’ll still have actual clients or customers looking for information) but just keep your ears perked up for anything unusual, and make sure employees are given a heads up to report any suspicious emails that come in after such a call. Or in general, for that matter. The more your team works together to spot suspicious behaviour, the more likely you are to keep your business safe from phishing attacks.
Here’s the best thing about these 5 tips (other than the increased security your business gets out of them): they don’t require a lot of time to implement. Protecting your business from cyber attacks doesn’t have to be one more time-consuming task that will take you away from all the other roles you fill as a business owner. The moral of the story? You can have your business and protect it too.