Sunday, June 10, 2012

4 Tips to Protect Your Small Business Against Cyberattacks


You may think that cybersecurity is only important for major companies, but think again. Small businesses are particularly vulnerable to cyberattacks: Without the big security budgets of Fortune 500 companies, they’re seen as easy prey by digital information thieves and corporate espionage experts. And if you’re hit by an attack, you should be prepared to face a revenue loss of up to $10,000 (or more) if your website goes down in the process. That’s a lot of money for a small business to lose, and it can happen at any time.

How can a small business protect against cyberattacks and information leaks without breaking the bank? 


Mashable spoke with Rick Doten, former chief scientist for cybersecurity at Lockheed Martin and current vice president of cybersecurity at DMI, a leading cybersecurity solutions provider, for his advice.


1. Smart Passwords


Doten’s first piece of advice for securing a small business may also be the cheapest and simplest move: using better passwords.


“I’ve spent 10 years running ethical hacking groups, and most of the ways we got in [to target networks] was because of weak passwords,” says Doten.


What, exactly, makes up a “better” password? Doten says it should be highly complex, difficult to guess and at least eight characters — so “deJ1s4qFDAS” is much better than “superman.”


“The longer the better,” says Doten. “Mnemonics help, too. Take the first letter of each word in a sentence such as, ‘Don’t forget to feed your dog.’ 15 characters, with mixed upper case, lower case and numerical symbols will be much harder for a would-be hacker to crack.”


2. Mobile Device Education



Explaining the importance of mobile cybersecurity to each and every employee is critical, says Doten. This is especially important if some employees aren’t particularly technology-savvy or if a company allows employees to connect to an internal network via a personal device, such as an iPad.


“Companies today are getting access to adversaries’ [digital] environments by hacking into employees’ devices,” says Doten. “One of the things compounding that is the rapid development of mobile devices and the ‘bring your own device’ concept. Small businesses should manage what devices employees are allowed to use on internal networks, what’s allowed to go on those devices and use encryption appropriately.”


Luckily for small businesses, there are fewer employees to educate and fewer devices to manage than at larger firms, which Doten believes gives them an advantage. Small businesses can bring in cybersecurity experts to host training seminars on mobile security.


“Small businesses can implement [device management] much easier than larger firms,” he explains. “Understand that people make mistakes, but people can do risky things that can cause an impact on the business.”


3. Social Media Education


Doten acknowledges that companies should allow employees to post online about the company in a positive light, but cautions that employees who use social media too carelessly can give away sensitive details about a firm’s internal business.


“Depending on what your business does, you might be tipping your hand to competitors to what you’re doing or who your customers are,” says Doten. “If I see someone tweeting about a conference in Omaha, I can guess what’s happening there. Social media’s great from a competitive counter-intelligence point of view. I can learn a lot [by] following tweets.”


Doten says that employees should be encouraged to tweet, but should be taught how to do so in a way that doesn’t reveal any trade secrets to the public or competing businesses.


“We’ve got a generation of employees sharing a lot,” says Doten. “And that can pose a risk.”


4. Risk Management


Finally, Doten says that small businesses should look at cybersecurity from the perspective of risk management. 


The core of your business, says Doten, will determine how much focus — and budget — you should place on protecting your systems. An e-tailer whose entire business is online and done on the front-end, for example, stands to lose a great deal of business if its servers are knocked offline for a substantial period of time.


“Companies should be asking themselves, ‘What do we have to protect?’ And, ‘What would impact our business the most?’” says Doten.


Doten also points out that cybercriminals often use lesser-protected small businesses as a “digital bridge” to attack larger firms with which they have a relationship. That, says Doten, can make unprepared small firms less attractive business partners in the future, getting in the way of potentially lucrative business deals. That prospect, he adds, should be weighed in calculations about cybersecurity budgets.