By David Gould, Staff Editor
Digital tech makes our lives and businesses more efficient and convenient. Compared to a generation ago, communicating, record-keeping, transactions and marketing all happen easily now. But the computers and mobile devices that deliver these benefits also make us vulnerable. We pay a price for all the ease and convenience: a responsibility to be vigilant about cybersecurity.
As with most threats and vulnerabilities that aren’t one-offs, we do our part for cybersecurity by adopting the right habits. It’s similar to when you started habitually wearing seatbelts or changing the batteries in smoke alarms. When activity like this becomes second nature, it no longer seems like a burden. Here’s what the experts have been saying of late about small businesses like your teaching operation, and what’s required to protect the business and protect customers.
The problems and threats generally fall under four headings:
- Malware, which is short for malicious software, is a catch-all term referring to software that’s purposely designed to cause damage to a computer, server, client, or computer network. It can include various viruses and ransomware.
- Viruses are destructive software programs meant to spread from computer to computer, along with other connected devices. They give cybercriminals potential access to your computer system.
- Ransomware is a threat generally aimed at large-scale business systems—there aren’t many known instances in which small businesses get hit this way. The intention of the hackers is to infect a computer system and cut off access to it until a ransom is paid. Ransomware is usually delivered through phishing emails and exploits what are called “unpatched vulnerabilities” in software.
- Phishing is a common type of cyber attack—the sort of threat you might commonly warn your parent or another inexperienced computer user about. It generally uses email or a malicious website to infect your machine with malware or to otherwise collect your sensitive information. Phishing emails appear to have been sent from a legitimate organization or known individual. Phishing emails with odd misspellings and sloppy use of brand logos are easy to spot, but lately they have gone out in a cleaner form that makes them harder to detect. They will always ask a user to click on a link or open an attachment, usually on the premise that some problem has occurred with the recipient’s account. They contain malicious code which, once it is allowed in, will cause the user’s computer to become infected with malware.
The Small Business Administration (SBA) has been more active than ever lately in offering advice and tools to prevent smaller companies from being hacked. Any Proponent member who is concerned about these issues can avail themselves of SBA prevention steps, including via regular webinars and other online mechanisms to help defend against intrusion. In addition, the Department of Homeland Security’s (DHS) Cyber Resilience Review is a non-technical assessment to evaluate operational resilience and cybersecurity practices. You can either do the assessment yourself, or request a facilitated assessment by DHS cybersecurity professionals.
DHS also offers free cyber hygiene vulnerability scanning for small businesses. This service can help secure your internet-facing systems from weak configuration and known vulnerabilities. Get connected with DHS and you can receive a weekly report to support your efforts. Among its cybersecurity best practices are the following:
- Train your employees: Employees and their lack of knowledge about malicious emails are a leading cause of data breaches for small businesses, because employees are a direct path into your systems. Training employees on basic internet best practices can go a long way in preventing cyber attacks. The current campaign run by DHS includes training that helps with:
  - Spotting a phishing email
  - Using good browsing practices
  - Avoiding suspicious downloads
  - Creating strong passwords
  - Protecting sensitive customer and vendor information
The guidance from DHS includes the following:
- Make sure each of your academy’s computers is equipped with antivirus and anti-spyware software and that these tools are updated regularly. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.
- Safeguard your internet connection by using a firewall and encrypting information. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name (known as the Service Set Identifier, or SSID).
- Use strong passwords. A strong password includes 10 characters or more, at least one uppercase letter, at least one lowercase letter, at least one number and at least one special character.
- Set up multi-factor authentication. This requires additional information, for example a security code sent to your phone, to permit log-in. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.
- Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
- Secure payment processing by working with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.
- Prevent access or use of business computers by any unauthorized individuals. Laptops can be particularly easy targets for theft. They can be stolen or lost, so lock them up when they’re unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to key personnel.
According to the FBI’s Internet Crime Report, the cost of cybercrimes reached $2.7 billion in 2020 alone. Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses. Keep all these destructive intruders in mind as you operate your instruction business, and follow the guidelines provided by experts as conscientiously as possible.