
Demystifying Cyber Security for the Small Business


Admit it – if you are like I am (and probably 95% of the population), hearing the question ‘What are you doing to ensure your cyber security?’ simultaneously makes you throw up in your mouth and run off the nearest cliff. On the scale, it’s somewhere between the feeling you get when hearing Christmas music in a Walgreens before Thanksgiving has even occurred and yelling ‘Operator’ into your cell phone after being on hold with T-Mobile for 15 minutes. In other words – on the low end of desirable topics or activities.

Can you imagine explaining our digital world to a 1995 version of yourself? Over the course of the last several years our lives have become increasingly inter-connected via technology, sometimes in obvious ways (think advent of social platforms) and sometimes in much more subtle ways. Seemingly overnight, the technology platforms we came to rely on became much more intelligent, creating a digital persona for each of us and leveraging our preferences to ‘serve’ us better. And although the intention may have been good at the start, the line between ‘serving’ and ‘manipulating’ has increasingly been crossed, highlighting the need to be watchful and vigilant. 

This need to be vigilant has been highlighted by the seemingly incessant drumbeat of large corporations (or political establishments) being hacked. In other words, not only do we need to be careful about where our data lives – we also have to watch out for bad people who are trying to trick us into sharing that data. Just recently I received a note from a hotel chain; on a high level it read something to this effect (note that I’ve taken some liberty with this):

“Dear valued customer – I think you may have stayed in one of our hotels in the last 20 years. Your data (along with a small number of others in the neighborhood of, ahem, 500 million…no biggie), including email addresses, phone number, passport number, favorite NFL team, yada yada yada – has been compromised. The hackers may have gotten your payment information but probably not (and really we have no idea whether they did or not nor do we care to help you). We are so glad you spent money at our establishment (even if you don’t actually remember staying with us). Best wishes for a happy new year and please feel free to stay with us in the future at full cost!”

As a consumer, what do we do with this deluge of information about possible breaches? When you start to peel back layers and really think about our digital imprint as a whole – it can get quite overwhelming.

When you put on your small business owner hat this creates an entirely new layer – not only are you responsible for ensuring that your internal communications and assets are safe, but also those of your customers.

At Joy Accounting, there are a few basics that come to mind that we absolutely rely on. In no particular order, they are:

1) Working with reputable cloud-based technology (like QuickBooks Online) with bank-level security (companies whose entire business models rely on keeping others’ data safe)

2) A good VPN solution (we use VPN Land)

3) LastPass (see the password section below – LastPass is absolutely critical for ensuring our security)

4) Utilizing ShareFile – secure document storage which also allows us to send encrypted emails with sensitive information. This also ensures that no important documents live on our laptops or phones.

5) Reviewing insurance policies to ensure our company has cyber insurance coverage.

6) Being very vigilant about our communication, both with each other and our clients (you will understand how that relates to security as you read through the items below)

Below we have a few tips on some basic strategies that you can implement to create awareness within your team. This is by no means a comprehensive list, but starting with some basics will help you get to a place where your stomach doesn’t turn at the question “What are you doing to ensure your cyber security?”

Creating Awareness Within Your Team

Know what a ‘Whaling Scam’ is and how to handle it

What is it? Someone impersonates an authority figure (the owner, a partner, a senior executive) to get privileged/confidential information or to steal money. One common route: the executive’s email account is compromised (for example, credentials captured while they were on untrusted public WiFi) and the attacker then sends requests from the real mailbox. In that case the sender address is genuine, so the only reliable defense is verifying the request some other way.

How do you avoid or minimize the impact?

Avoid untrusted public WiFi. A password on a coffee-shop network only keeps strangers off it; everyone who has that password is still on the same network as you. It’s better to use your cell phone as a mobile hotspot, and a VPN (item 2 above) protects your traffic on any network you don’t control.

Have a secondary process to validate information with your staff and clients. If you receive an email (especially if it seems like an odd request or if it involves something important like a money transfer), respond by calling or texting the person to verify and talk through the request (versus just responding to the email). Use a phone number you already have on file, not one given in the email itself; whoever wrote a fraudulent email will happily answer the number they put in it.

Do a ‘gut check’ – does the request make sense?

Make sure you have information available on who to notify when there has been a breach – authorities, cyber insurance, banks, etc.

Understand what Ransomware is and how to spot it

What is it? Malicious software, usually delivered as an email attachment or link that someone on your team opened. Once it runs, ransomware encrypts all the data it can reach (including network drives and any backup that is still connected) and demands a ransom for the key.

How do you avoid or minimize the impact?

Keep your operating system and antivirus updated, and keep backups that are stored offline or otherwise disconnected from your network. A backup you have actually tested restoring from is what lets you say no to the ransom.

Be an aware user – do not open attachments or click on links in emails you weren’t expecting.

Get cyber insurance.

Make sure you have information available on who to notify when there has been a breach – authorities, cyber insurance, banks, etc.

Understand what a phishing scam is and what to do

What is it? Fake emails sent in an attempt to steal sensitive information, typically passwords or credit cards. These scams have also been used to fake invoices and steal customer and billing data. (And note that they come from a lot more places than the King of Nigeria these days…)

What policies should be implemented?

Be aware – don’t click on links or attachments you weren’t expecting. It’s always best to go directly to a website and not click on the link in the email.

Phishing Testing – send simulated phishing emails to your employees and see who clicks the links (and who reports them)

Gut check – were you expecting this? Even if you were, a good rule of thumb is to not click on the link. 

Double-check the actual email address the message came from, not just the display name (the name shown is free text and can say anything; the address behind it is what matters). Does the domain look legit, or is it a look-alike: a digit swapped for a letter, or the brand name tucked into an unrelated domain? Google, PayPal, Yahoo, and Apple are among the most commonly impersonated brands. Phishing scams have become good enough that it’s very difficult to tell a real email/website from a scam by appearance alone.
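The checks above can be automated. The following script is an added example written for this page (it is not code from the original post or from any product mentioned here): it parses a constructed sample message and flags a display name that claims a brand whose domain doesn’t match, digit-for-letter look-alike domains, punycode domains, and links whose visible text points somewhere other than their real target. The brand-to-domain allowlist and the homoglyph table are illustrative assumptions, not complete lists.

```python
"""Flag the tell-tale signs of a phishing e-mail: a sender address that does
not match the brand in the display name, a look-alike domain, and links
whose visible text differs from their real target.

Added example. The sample message is constructed; the brand allowlist and
the homoglyph table are illustrative assumptions, not complete lists.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: brand name (as it appears in display names) -> real domains.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com"},
    "google": {"google.com"},
    "yahoo": {"yahoo.com"},
}

# Digit-for-letter swaps commonly used in look-alike domains (paypa1, g00gle).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def registrable(domain: str) -> str:
    """Last two labels of a host name (good enough for .com/.net style domains)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def check_sender(from_header: str) -> list:
    """Compare the brand the display name claims with the address behind it."""
    findings = []
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reg = registrable(domain)
    if any(label.startswith("xn--") for label in domain.split(".")):
        findings.append(f"punycode (internationalised) sender domain: {domain}")
    for brand, real_domains in KNOWN_BRANDS.items():
        if reg in real_domains:
            continue                      # genuinely from that brand's domain
        normalized = reg.translate(HOMOGLYPHS)
        if normalized != reg and normalized in real_domains:
            findings.append(f"look-alike domain {reg} (reads as {normalized})")
        elif brand in display.lower():
            findings.append(f"display name claims {brand!r} but address is {address}")
        elif brand in normalized:
            findings.append(f"brand {brand!r} embedded in unrelated domain {reg}")
    return findings


def check_links(html: str) -> list:
    """A link whose visible text names one site but whose href goes elsewhere."""
    findings = []
    for href, text in LINK_RE.findall(html):
        target = urlparse(href)
        target_host = (target.hostname or "").lower()
        shown = HOST_IN_TEXT_RE.search(text.strip().lower())
        if shown and registrable(shown.group(1)) != registrable(target_host):
            findings.append(f"link text shows {shown.group(1)} but goes to {target_host}")
        if target.scheme == "http":
            findings.append(f"unencrypted http link to {target_host}")
    return findings


def analyze(raw_message: bytes) -> list:
    """Run both checks over a raw RFC 5322 message and return all findings."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = check_sender(str(msg["From"] or ""))
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        findings += check_links(html_part.get_content())
    return findings


# Constructed sample: display name says PayPal, the domain is a digit-swapped
# look-alike, and the link text shows the real site while the href does not.
SAMPLE = b"""From: "PayPal Support" <service@paypa1-secure.com>
To: owner@example.com
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details at
<a href="http://login.paypa1-secure.com/verify">https://www.paypal.com/signin</a>
within 24 hours.</p></body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("SUSPICIOUS:", finding)
```

Running it on the sample reports three findings: the display-name/address mismatch, the link whose text says paypal.com but points at paypa1-secure.com, and the plain-http link. A genuine message from no-reply@apple.com produces none. The script is a screening aid, not a verdict: a compromised real mailbox (the whaling case above) passes every one of these checks, which is why the out-of-band phone call still matters.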

Know how to spot and how to handle privilege misuse

What is it? An employee’s legitimate access to data is abused, either accidentally or maliciously, in a way that exposes private data. For example, an employee leaves a firm and downloads client data before leaving. Or an employee downloads data legitimately to work on a mobile device and the device is stolen. Both situations have legal implications!

What policies should be implemented?

Communicate privilege/confidentiality policies with staff and have employees sign a policy every year.

Take training on data security and the proper use of client data.

Use ShareFile to request sensitive information such as tax returns, W-2’s, bank statements, etc., rather than having it emailed to you.

Use “technical fences” such as BitLocker on Windows laptops (FileVault on Macs) to encrypt hard drive data, so a stolen device doesn’t become a data breach.

Know who to notify when there is a security breach: clients, your state Attorney General (most states’ breach-notification laws require notifying affected individuals and, in many cases, the Attorney General), law enforcement, and your cyber insurer. Look up your own state’s requirements before you need them.

Know good password practices and how to avoid weak passwords

Why is this important? A weak or reused password is often all it takes for an attacker to get into your network or a cloud account, and from there to your clients’ financial information. Beyond the breach itself, the business owner ends up paying for breach notifications and typically a year of credit monitoring for every affected client.

What are some policies to implement?

Use strong, complex passwords. 

Do not use the same passwords for multiple sites. If one site gets compromised, then they all get compromised.

Use longer passwords, 20+ characters.  Passphrases are better and stronger than passwords and easier to remember.

Don’t use easily identified personal information in your password – family names, pet names, street names, birth dates, etc. Avoid simple, sequential, or repetitive numbers and simple, obvious terms.

Don’t share passwords, even to websites like Netflix, especially if you use the same password (or a version of the same password) to multiple sites.

There are tools whose whole job is to break passwords: given a stolen password database, they try billions of guesses per second, starting with leaked passwords, dictionary words and the usual variations (capital first letter, a year or ‘!’ on the end). Don’t make it simple for the hackers.
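To put numbers on the advice above (length over complexity, never reuse a leaked password), here is an added worked example written for this page, not code from the original post: it computes the entropy of a password in bits, the average time an offline cracking tool would need to guess it, and contrasts that with a random multi-word passphrase. The guess rates, the tiny breach list and the short wordlist are constructed assumptions for illustration.

```python
"""Why long passphrases beat short 'complex' passwords, in numbers.

Added example. Computes the entropy (bits) of a password and the average
time an offline cracking tool would need to guess it, and contrasts that
with a random passphrase. Guess rates, the breach list and the wordlist
below are constructed assumptions for illustration.
"""
import math
import secrets

# Assumed guess rates for an attacker who has stolen the password database:
# a fast unsalted hash on a GPU rig versus a slow, purpose-built password hash.
FAST_HASH_GUESSES_PER_SEC = 1e11
SLOW_HASH_GUESSES_PER_SEC = 1e5

DICEWARE_WORDLIST_SIZE = 7776   # the EFF long wordlist has 6^5 entries

# Constructed stand-in for a leaked-password list; real ones hold hundreds of millions.
BREACHED = {"password", "123456", "qwerty", "letmein", "Summer2019!"}

# Constructed mini wordlist for generating passphrases; a real list is far larger.
WORDLIST = ["correct", "horse", "battery", "staple", "ledger", "invoice",
            "maple", "granite", "harbor", "lantern", "velvet", "quartz"]


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force tool must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33                  # printable ASCII punctuation plus space
    return size


def entropy_random_chars(length: int, alphabet_size: int) -> float:
    """Bits of entropy if every character were chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def entropy_passphrase(words: int, wordlist_size: int = DICEWARE_WORDLIST_SIZE) -> float:
    """Bits of entropy for `words` words picked uniformly from the wordlist."""
    return words * math.log2(wordlist_size)


def average_crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """On average the attacker hits the right guess halfway through the space."""
    return 2 ** (bits - 1) / guesses_per_sec


def human_time(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def assess(password: str, breached=BREACHED):
    """Return (verdict, bits). The bits are an upper bound: they assume random
    characters, so a dictionary word scores far higher than it deserves."""
    if password in breached:
        return ("breached", 0.0)    # already in every cracking wordlist
    bits = entropy_random_chars(len(password), charset_size(password))
    if bits < 50:
        return ("weak", bits)
    if bits < 80:
        return ("fair", bits)
    return ("strong", bits)


def generate_passphrase(words: int, wordlist=WORDLIST) -> str:
    """Random passphrase; its entropy is words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for pw in ["Summer2019!", "Tr0ub4dor&3", "P@ssw0rd"]:
        verdict, bits = assess(pw)
        print(f"{pw:28} {verdict:9} {bits:5.1f} bits")
    for label, bits in [("8 random printable chars", entropy_random_chars(8, 94)),
                        ("5 Diceware words", entropy_passphrase(5))]:
        fast = human_time(average_crack_seconds(bits, FAST_HASH_GUESSES_PER_SEC))
        slow = human_time(average_crack_seconds(bits, SLOW_HASH_GUESSES_PER_SEC))
        print(f"{label:28} {bits:5.1f} bits  fast hash: {fast}  slow hash: {slow}")
    print("generated passphrase:", generate_passphrase(5))
```

Eight random printable characters give about 52 bits, which a fast-hash cracking rig finishes in hours; five random Diceware words give about 65 bits, roughly 8,000 times more work, and are easier to remember. The assessment is deliberately generous: a password already in a breach list scores zero no matter how long it is, because it is the first thing the tool tries.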

Change the SSID (name) and password on your WiFi router, and change the router’s default admin password while you’re at it (default admin logins are published online).

Use LastPass and let LastPass create the password for you. Set the vault to lock when the browser closes or after a short idle period; leaving LastPass permanently signed in means anyone who picks up your laptop has every password, which defeats the purpose of using the software.

Use multi-factor authentication such as a password and a text when a service or website allows you to. Two-factor verification should be 1) something you know and 2) something you have. For instance, when using an ATM, use your PIN (something you know) and your card (something you have). When using a website, use your password and a text message with a code to enter. Where a site offers it, an authenticator app or a hardware security key is stronger than a text message (attackers can take over a phone number by convincing the carrier to move it to their SIM), but a text code is still far better than a password alone.

Change passwords regularly – every 60-90 days, especially for banking websites – and immediately when there is any sign of compromise. If you rotate on a schedule, make each new password genuinely new; a predictable tweak of the old one (Spring2019! becoming Summer2019!) is the first thing a cracking tool tries. Current NIST guidance (SP 800-63B) actually advises against forced periodic changes for that reason, so treat the schedule as less important than length, uniqueness and multi-factor authentication.

Change passwords immediately upon staff turnover.

Be alert and aware. If you notice a breach or hear of one in the media, take action quickly. Change your passwords, change your security questions, or contact the owner of the website.

Secure your security. Use strong security questions so a hacker can’t easily reset your password. Don’t use your mother’s maiden name. If you have to, make one up. Just don’t forget what it is!

Don’t allow your credit/debit card or banking information to be stored on websites. If there’s a breach, you’ve now made it easier for the hackers to access that information.