Small Businesses and Security – Are You Prepared?

In the past it was very unlikely to hear stories about the average American small business being the target of a sophisticated cyber attack, and for obvious reasons: small businesses have fewer financial resources and relatively little brand recognition. Fast-forward to 2016 and you’ll find that these assumptions have been flipped upside down.

The dam has broken for small companies when it comes to security. Smaller companies have become more and more attractive to hackers because their online security is weaker. Like most companies, they now conduct almost all of their business online, and in particular through cloud services where encryption is optional and often left switched off. This is every hacker’s dream: unlimited information behind an easily picked lock on a door without a deadbolt. Even worse, say your clients are Fortune 500 companies. Your hacker just hit the jackpot.

Although the public typically only hears about cyber attacks against high-profile companies, banks, and government websites, small businesses make prime targets for cyber-criminals, competitors, and disgruntled parties.

Unfortunately, due to their lack of security knowledge and resources, small businesses have the least-protected websites, accounts, and network systems, making cyber attacks against them a walk in the park.

So what can small businesses do to further their protection? We asked two rock-stars from ABG Capital’s IT and Development Departments for some answers. We spoke with Chief Information Officer Adam Scott and Director of Development Jerry Eddy to discuss some of the best practices and tools to utilize for optimal security in your small business.

Right now, what is the biggest security threat to a small business such as ABG Capital?

Jerry: The biggest threat to small business is hackers looking for opportunities to obtain confidential information. Hackers will try to exploit any perceived weakness in the network as well as trying to obtain information via social engineering. They use social media sites and even contact employees and try to learn more about the staff and the company. By using that information, they attempt to gain access to confidential information through misrepresentation and trickery. It is important for the business to make its employees aware of this type of hacking, so they are able to defend against it as much as possible.

Beyond anti-malware and anti-virus protection; where should a small business begin when implementing security programs to protect against these threats?

Jerry: They need to examine each step of every procedure that has something to do with a customers’ confidential information such as credit card and social security numbers. By examining each step, they need to make sure that they are doing everything possible to protect the confidential information through both technical and human means.

Are these services/tools affordable?

Jerry: One thing that can be done is to use the controls of ISO/IEC 27002. It is a popular, internationally recognized standard of good practice for information security.

Governance, risk management, and information security management are broad topics with impact throughout the organization. ISO/IEC 27002 is relevant to all types of organizations, including commercial enterprises of all sizes, not-for-profits, charities, and government departments. The security risk and control requirements provide a common framework that any company can adopt, follow, and implement. It also addresses the information security risks relating to employees as well as contractors, consultants, and the external suppliers of information services.

The standard is concerned with information security, meaning the security of all forms of information (e.g. computer data, documentation, knowledge and intellectual property). It provides controls that can be measured and that outline a comprehensive review of the things that every company should evaluate about information security.

Is two-factor authentication for an employee’s computer/emails/etc. a safe bet?

Jerry: It helps by adding authentication to the authorization process of logging in. When you log in, you now need two independent pieces of information, so if I have your username and password, I still need something tangible such as your smartphone or key fob to further authenticate that the person logging in is, in fact, the actual person.

Hypothetically speaking, how would a company best protect itself if a cloud provider we use went up in smoke?

Jerry: With any information that you store on a cloud provider, you will want to see if they offer the ability to back up to a separate site and/or provider. Also try to use cloud providers that have a good reputation, that you have heard of before, or that have been recommended by others to minimize the potential for a loss of cloud provider.

What should a small business do to educate its employees regarding security best practices?

Adam: Make sure to use secure, complex passwords. Learn to protect your information; don’t leave PII (Personally Identifiable Information) lying around. Lock your computer when you leave.

Should companies develop a security policy that is ingrained into company culture?

Jerry: Yes, the company needs to get buy-in from every employee to make sure that every effort is being taken to protect any confidential information that the company possesses. When you engage employees in the creation, development and implementation of security policies you get better security.

Adam: Yes, you want to make your security policies and training as easy to remember as possible. Regular security emails to the staff are a good start. Then move on to videos or Lunch and Learns and encourage employees to attend.

How is ABG Capital’s policy tied to its culture?

Adam: Our C.O.R.E. Values state it:

We Cultivate our employees by encouraging them to learn.

We Overcome the security hurdles that face us to improve data security.

We Respect our staff, and they give us the reliability that they are keeping our systems and data safe.

We Evolve by adapting to changing network threats to protect us against data losses.

Do you have an incident response plan, and do you practice it?

Adam: Yes, we have security meetings on a weekly basis where we discuss existing security issues, plan a path to correct them, and learn about new threats we need to protect against. We developed these plans and test them internally and externally using outside vendors for vulnerability and penetration tests.

Lastly, what security threat scares you the most? Any additional advice for preparation?

Adam: Data loss from a data breach would be #1. Having your systems crash is an easy fix; you repair the hardware, restore the data, and you’re up and running. But how do you get back all of your customers’ data once it’s out on the web for anyone to see? We plan and test on a regular basis to prevent these losses. Intrusion detection systems, dual-factor authentication, and employee training are just the start. You need to train your teams and work with the experts in the field to constantly prepare for the new threat coming down the road. Keeping up with the latest security blogs is a good start, but putting together an information security committee is probably the best first plan of action. Get the best minds together in your company; then you can bring together the skills of the best people to plan and protect your data.

Now ask yourself:

Is your small business ready for the unknown? Applying the insight given to us by Jerry and Adam is a great first step. However, it doesn’t stop there. Be proactive and do your research. Remember that educating your employees about security and compliance starts offline. As author and security and privacy specialist Bruce Schneier put it: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” They want what you’ve got. Don’t give it to them.

Risky Business: When To Take Risks and When To Pass

From a young age, we’re taught that we should avoid risky behavior. The outcome could be less than stellar, or worse than that, adversely affect us for the rest of our lives. One bad risk taken and that’s the end. But are all risks bad? Is there a way to know when the risks we take could lead us to a better situation than our present one in our personal and business lives? After listening to Rebecca Harris, the Director of the Center for Women Entrepreneurship at Chatham University, speak on the topic of risky business, when to take risks and when to pass, we are closer to figuring it out.

ACG Women's New Year's Party Luncheon & Bad Gift Swap

Last Thursday afternoon, our Human Resources Manager, Sharon A. Kolesar, and I, our Communications Specialist, Cherie Steffen, attended the Association for Corporate Growth Women’s New Year’s Party Luncheon & Bad Gift Swap at the Fairmont Hotel in Downtown Pittsburgh. Braving the weather was the first risk-taking of the afternoon, as an ice storm was upon us. We arrived safely though, making our way through the gorgeous hotel to an event room full of dedicated businesswomen from many different professional backgrounds.


The only part of the afternoon that the Association for Corporate Growth planned for us that did not involve any risk taking whatsoever was eating the delicious lunch. From the tortilla soup appetizer to the healthy and colorful buffet, to the almost-too-pretty-to-eat desserts, the Fairmont Hotel prepared an amazing arrangement of food to keep us happily full as we began to listen to our emcee and guest speaker, Ms. Harris.

Possessing quite an exciting and humorous way of communicating with her audience, Ms. Harris began by telling us we have to be more comfortable with taking risks. That was something we needed to hear right away. Somehow coming from a woman who has taken many professional risks and still lived to tell the tales, it was genuine and not just an easy command. She went on to give us the “why” behind it.


Her speech centered around four themes:

♦ How to recognize good risk-taking opportunities (know your field; know the trends)
♦ Knowing when to get in; when to get out
♦ How to calculate your own risk-taking comfort level
♦ How to balance the right amount of risk to maximize your business potential

Ms. Harris also threw in these to-the-point messages that hit home as well:

♦ Red flag risk raisers! These risks are outside your core competency area and you worry about the details later. Bad idea!
♦ Admitting what you don’t know is really important.
♦ We identify ourselves with our successes and our failures.
♦ Take the risks. Your results may be very different from what you expected.

By the time she had finished speaking, I felt like I had nodded so much I could easily be mistaken for a bobble head; she was on point with everything. You know, the types of things you either know in the back of your head but somehow choose to ignore, either due to fear or stubbornness? Those things. Also, there were so many one-liners that left me saying, “She nailed it!” that I had enough witty Facebook statuses and Tweets to last a week.

Bad Gift Swap

After Ms. Harris finished speaking, we continued with the other risk taking themed portion of the afternoon: selecting our gifts from the Bad Gift Swap. Think of it as one of those White Elephant Gift Exchanges.

With this, we also learned not to judge anything by its pretty wrapping–another great motto for business. There were some doozies in there for sure!

The worst gift of all was decided by vote–a faux fur table runner. The gift we brought to throw into the mix, a hideous 1970s-esque yarn picture of a city scape, ended up coming in second place! Not too shabby. And surely if someone recycles that gift and brings it back next year, not too much risk would be involved; she should win hands down. It was awful.


We’ll leave you with our two favorite quotes of the afternoon from Ms. Harris: “Don’t overanalyze. Just cut that out right now.” and “Really, let’s just go for it.” Two amazingly simple and powerful pieces of advice that after her already moving speech, left us ready to get out there and capitalize on our personal and business potential.