
Page 1: CyberSecurity Tips for Small Business - Provident Bank Tips for Small... · 2019-11-21 · Create a Mobile Device Action Plan. Mobile devices can create significant security and management

CyberSecurity Tips for Small Business

Experience why we’re different.


1. Protect Against Viruses, Spyware, and Other Malicious Code
Make sure each of your business’s computers is equipped with antivirus software and antispyware, and update it regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. Set antivirus software to run a scan after each update.

2. Secure Your Networks
A firewall is a set of related programs that prevents outsiders from accessing data on a private network. Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router. If employees are working from home, ensure that their home system(s) are protected by a firewall as well.

3. Establish Security Practices and Policies to Protect Sensitive Information
Establish rules of behavior, such as requiring strong passwords, and policies on how employees should handle and protect personally identifiable information and other sensitive data. Establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies.

4. Educate Employees About Cyber Threats and Hold Them Accountable
Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Hold employees accountable to the business’s Internet security policies and procedures.

5. Require Employees to Use Strong Passwords and to Change Them Often
Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication, which requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data to see if they offer multifactor authentication for your account.

6. Employ Best Practices on Payment Cards
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs, and do not use the same computer to process payments and surf the Internet.

7. Make Backup Copies of Important Business Data and Information
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.


8. Control Physical Access to Computers and Network Components
Prevent access to or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee, and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

9. Limit Employee Access to Data and Information; Limit Authority to Install Software
Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

10. Create a Mobile Device Action Plan
Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
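As an added example that is not part of the Provident Bank flyer, the following Python access review turns tips 8 and 9 (one account per employee, administrative rights only for approved staff) and the later advice to revoke access when an employee leaves into concrete checks. The staff roster, approved-admin list and account export are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    owner: str        # employee who owns the account; "" marks a shared login
    enabled: bool
    is_admin: bool

# Constructed sample data: a hypothetical HR roster and account export.
CURRENT_STAFF = {"alice", "bob", "carol"}
APPROVED_ADMINS = {"carol"}   # the trusted IT staff of tip 8
ACCOUNTS = [
    Account("alice", "alice", True, False),
    Account("bob", "bob", True, True),         # admin, but not on the approved list
    Account("carol", "carol", True, True),
    Account("dave", "dave", True, False),      # left the company, account still enabled
    Account("frontdesk", "", True, False),     # shared login used by several people
]

def review_accounts(accounts, staff, approved_admins):
    """Return (username, finding) pairs that need action from the account owner."""
    findings = []
    for a in accounts:
        if not a.owner:
            findings.append((a.username, "shared login: create one account per employee"))
        elif a.enabled and a.owner not in staff:
            findings.append((a.username, "owner no longer employed: disable and revoke access"))
        if a.is_admin and a.owner not in approved_admins:
            findings.append((a.username, "administrative privileges not on the approved list"))
    return findings

if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, CURRENT_STAFF, APPROVED_ADMINS):
        print(f"{user}: {finding}")
```

Running the review against the sample data flags the shared login, the departed employee's enabled account and the unapproved administrator; run it on a schedule and after every departure to keep access aligned with the roster.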


Types of Cyberattacks

Typically the end goal of a cyberattack is to steal and exploit sensitive data, whether it’s a person’s credentials or a customer’s credit card information, which is then used to manipulate the individual’s identity online.

Businesses should be aware of the most common types of cyberattacks. Here is a list of potential cyber threats.

APT: Advanced Persistent Threats, or APTs, are long-term targeted attacks in which hackers break into a network in multiple phases to avoid detection. Once an attacker gains access to the target network, they work to remain undetected while establishing their foothold on the system. If a breach is detected and repaired, the attackers have already secured other routes into the system so they can continue to plunder data.

DDoS: An acronym for distributed denial of service, DDoS attacks occur when a server is intentionally overloaded with requests until it shuts down the target’s website or network system.

Inside Attack: This is when someone with administrative privileges, usually from within the organization, purposely misuses his or her credentials to gain access to confidential company information. Former employees, in particular, present a threat if they left the company on bad terms. Your business should have a protocol in place to revoke all access to company data immediately when an employee is terminated.

Malware: This umbrella term is short for “malicious software” and covers any program introduced into the target’s computer with the intent to cause damage or gain unauthorized access. Types of malware include viruses, worms, Trojans, ransomware and spyware. Knowing this is important for choosing what type of cybersecurity software you need.


Password Attacks: There are three main types of password attacks: a brute-force attack, which involves guessing at passwords until the hacker gets in; a dictionary attack, which uses a program to try different combinations of dictionary words; and keylogging, which tracks a user’s keystrokes, including login IDs and passwords.
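As an added example that is not part of the flyer, the following Python detection logic spots the brute-force and dictionary guessing described above in an authentication log: a burst of failures from one source within a short window, and a successful login from that source afterwards, which suggests a password was guessed. The log lines and their format (timestamp, result, user, source address) are constructed for illustration, not any product's real format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source guessing across several accounts
# (dictionary-style), plus one ordinary user mistyping a password once.
SAMPLE_LOG = """\
2019-11-21T09:00:01 FAIL user=alice src=203.0.113.7
2019-11-21T09:00:03 FAIL user=alice src=203.0.113.7
2019-11-21T09:00:05 FAIL user=alice src=203.0.113.7
2019-11-21T09:00:07 FAIL user=bob src=203.0.113.7
2019-11-21T09:00:09 FAIL user=bob src=203.0.113.7
2019-11-21T09:00:11 FAIL user=carol src=203.0.113.7
2019-11-21T09:00:13 OK user=carol src=203.0.113.7
2019-11-21T09:01:00 FAIL user=dave src=198.51.100.4
2019-11-21T09:01:05 OK user=dave src=198.51.100.4
2019-11-21T09:30:00 FAIL user=alice src=203.0.113.7
"""

def parse(line):
    """Split one constructed log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, key, time). 'burst' fires once per source when
    it reaches `threshold` failed logins inside `window`; 'success-after-burst'
    fires when a login succeeds from a source that was already flagged."""
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ts, result, user, src = parse(line)
        if result == "FAIL":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst", src, ts))
        elif result == "OK" and src in flagged:
            alerts.append(("success-after-burst", f"{user}@{src}", ts))
    return alerts

if __name__ == "__main__":
    for kind, key, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind}: {key}")
```

The single failure from 198.51.100.4 never reaches the threshold, so only the guessing source produces alerts; the success-after-burst alert is the one that warrants a password reset and a check of what that account did next.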

Phishing: Perhaps the most commonly deployed form of cyber theft, phishing involves collecting sensitive information like login credentials and credit card information through a legitimate-looking (but ultimately fraudulent) website, often sent to unsuspecting individuals in an email. Spear phishing, an advanced form of this type of attack, requires in-depth knowledge of specific individuals and social engineering to gain their trust and infiltrate the network.

Ransomware: Ransomware is a type of malware that infects your machine and, as the name suggests, demands a ransom. Typically, ransomware either locks you out of your computer and demands money in exchange for access or it threatens to publish private information if you don’t pay a specified amount. Ransomware is one of the fastest-growing types of security breaches.

Zero-day attack: Zero-day attacks can be a developer’s worst nightmare. They exploit unknown flaws in software and systems that attackers discover before the developers and security staff become aware of the issue. These flaws can go unnoticed for months, even years, until they are discovered and repaired.

CyberSecurity Resources for Small Business

The Department of Homeland Security has come up with a Small Business toolkit containing resources to help businesses recognize and address their cybersecurity risks. Below are links to begin evaluating your cybersecurity program:

C³ Voluntary Program SMB Toolkit
This toolkit contains resources specially designed to help small businesses recognize and address their cybersecurity risks. Resources include talking points for CEOs, steps to start evaluating your cybersecurity program, and a list of hands-on resources available to small and medium businesses.

1. Toolkit for Small and Midsize Businesses (SMB) Table of Contents
2. Begin the Conversation: Understanding the Threat Environment
3. Getting Started: Top Resources for SMB
4. Cybersecurity for Startups
5. C³ Voluntary Program Outreach and Messaging Kit
6. SMB Leadership Agenda
7. Hands-On Resource Guide


Stop.Think.Connect. Toolkit
The Stop.Think.Connect.™ campaign has an online Toolkit that includes information specific to SMBs. The Toolkit can be found at http://www.dhs.gov/stopthinkconnect-toolkit or www.stcguide.com.

Small Business Administration (SBA) Training
This 30-minute, self-paced training exercise provides an introduction to securing information in small businesses. For more information, please visit: https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses.

Federal Small Biz Cyber Planner
This tool helps businesses create custom cybersecurity plans. The Small Biz Cyber Planner includes information on cyber insurance, advanced spyware, and how to install protective software. For more information, please visit http://www.fcc.gov/cyberplanner.

Small Business, Big Threat
This online assessment tool, developed by the Michigan Small Business Development Center (SBDC), assists small and medium businesses in evaluating the cyber risks they face. At the conclusion of the 30-minute assessment, participants receive a risk assessment report and can choose from a variety of resources to engage with, including in-depth trainings, webinars, best practices, and industry articles on small business cyber security. Learn more and take the assessment at www.smallbusinessbigthreat.com.

Internet Essentials for Business 2.0
This guide for business owners, managers, and employees focuses on identifying common online risks, best practices for securing networks and information, and what to do when a cyber incident occurs. For more information, please visit: https://www.uschamber.com/internet-security-essentials-business-20.

White Paper: Every Small Business Should Use the NIST Cybersecurity Framework
This white paper from eManagement can help SMBs understand and use the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It provides cybersecurity tips for SMBs aligned to the Framework’s core functions: Identify, Protect, Detect, Respond, and Recover. The white paper can be found here.

Geographically Specific Resources
This collection of cyber resources from various levels of government can help small and midsize businesses recognize and address their cyber risks. Access geographically-specific resources here.

All rates, fees, terms and programs are subject to change without notice except as required by law. ©2018 Provident Bank. All rights reserved. Member FDIC. REV0518