What small to medium-sized businesses need to know about securing their remote workforce
Whether small to medium-sized businesses (SMBs) are better positioned to work from home than their larger brethren is debatable, but one thing that is clear (and was even so pre-COVID) and that is that SMBs bear the brunt of cybersecurity attacks and their after-effects. Compounding the problem is that they simply aren’t as capable of preventing breaches whether due to the high cost of security solutions or a lack of expert IT staff. Now, with the move to home, SMBs are facing a new round of challenges — and risks.
We have seen a trend of what we call seven deadly cybersecurity sins when it comes to cybersecurity pitfalls for SMBs. While SMBs might be uniquely vulnerable, luckily, for each of these sins, there’s the promise of absolution:
- Children on business devices: A scant six months into the COVID crisis and, if we’ve learned anything, it’s that it’s near impossible to work full-time from home while simultaneously keeping children happy and entertained. Rather than risk familial discord, many parents are giving their children access to their work computer or phone to keep them busy. Don’t! Kids visit gaming sites and other social sites that often contain malvertizing or other suspect links. They click shiny objects. And they infect your device.
- Failing to update devices: Keeping computers, phones, and point-of-sale devices up-to-date with the latest software is more important than ever. These updates ensure a device has the strongest security profile possible, whereas devices with old software often fall victim to known (and defensible) attacks.
- Lack of regular back-ups: Regardless of size, companies should have a back-up service configured on every employee’s computer. These services ensure that employees can quickly resume operations if a device is lost, stolen, or disabled. Apple, Google, and DropBox, just to name a few, offer inexpensive cloud storage that’s ideal for personal files and content.
- Carelessly disposing of sensitive data: Don’t throw printed documents into the recycling. Dumpster diving is a great way of obtaining confidential information. As we work from home, criminals know that the keys to the castle often are no farther away than that blue recycling box on the curb.
- Passwordless online meetings: Always use password protected meetings through online conference services. Criminals can scan for toll-free numbers, steal this information, or eavesdrop. Despite a rather hilarious parody of this and other conference call nuisances on YouTube, it’s no laughing matter.
- Weak passwords: Create a password that is not based on a common pattern (such as “123456” or the word “password”), and change the password if you suspect it’s been compromised. The reality is that most people cannot memorize numerous, complex and unintuitive passwords, and criminals are good at guessing passwords or substituting special characters or numerals for letters (“$” for “S” or “1” for “L”). For this reason, the National Institute of Standards and Technology (NIST) released a 2020 update on password:
- Set an 8-character minimum length.
- Change passwords only if there is evidence of compromise.
- Screen new passwords against a list of known compromised passwords.
- Skip password hints and knowledge-based security questions.
- Limit the number of failed authentication attempts
And, whatever you do, don’t use the same password across mailing list subscriptions for shoe sales, iTunes, or Netflix, and your online banking services – create different passwords for lists and subscriptions, payment information-attached services, and payment or financial institutions. Whenever possible, take advantage of two-factor authentication for personal accounts: Apple, Google, and other online services offer a secondary means of verifying log-ins, purchases, and administrative changes to passwords or user access.
If you’re concerned that your password has been compromised, check the free haveibeenpwned website. The site monitors the dark net for stolen account information and even lets users set up automatic alerts if their emails and passwords are compromised.
- Secure your business network: Perhaps the greatest vulnerability to the small business model is the fact that employee and customer data is primarily secured by consumer-grade technology such as routers and modems, and the majority of people don’t know how to configure them. Many routers still have the administrative defaults set to the manufacturer’s setting, something easily revealed with a Google search.
Too many people use the username “admin” and “password” for the admin password. Remember, criminals can connect to and a home router’s admin control panel from the sidewalk, and with default credentials in place, they can connect to a home network, lock users out, or snoop everything you do, including logging into your online banking service.
SMBs and their employees can reduce these risks by following a few basic steps:
- Change the device’s default SSID (Service Set ID) (Hint: It’s the name of your WiFi network.)
- Enable WiFi encryption (WPA2 or WPA2 AES).
- Set a strong WiFi password (see above).
- Change the default admin password.
- Keep the router’s software up-to-date. Regularly log into the admin screen and check for updates.
- Create a guest WiFi account with something other than the name of your primary WiFi (it’s ok to have “yournetworkname-Guest” as the name) and use a different password.
Even with limited resources, by following the steps and suggestions outlined above, SMBs can dramatically reduce the threat of falling prey to one of these seven deadly cybersecurity sins and instead, position themselves to focus on the fundamental principles of doing business.
Vice President and Industry Security Strategist
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.