Pre-Holiday Cybersecurity Checklist for SMBs

The holiday shopping season is just around the corner, but businesses aren't the only ones that will be profiting from the uptick in consumer spending - cybercriminals will be making plenty of money too.

For cybercriminals, the busy end-of-year shopping season is a prime opportunity to steal consumer data, hijack small business bank accounts and extort companies using cyber attacks. Why? Because many businesses are stretched thin during the hectic November to January period. That means they have less time to check and maintain their IT security and to look for incidents of fraud and other malicious activity, and they're also more willing to pay off a cybercriminal who threatens their business operations during a crucial profit-making period.

Small businesses are particularly at risk during the holidays because they often have fewer resources available for IT security, as well as less experience dealing with threats. According to the national insurance company Travelers, 62% of all data breach victims are small to mid-size businesses.

For this reason, SMBs need to take extra precautions ahead of time to avoid these risks. 

Here's a simple checklist that every small business owner should complete before the holiday rush:

  • Update Everything - Make sure every computing product you have, whether it's a desktop, laptop, server, mobile device, point-of-sale terminal, WiFi router, etc., is fully updated with the latest software and security patches. This lowers the risk of hackers exploiting known security flaws. In particular, businesses should transition to the new EMV, or "smart chip," point-of-sale devices as soon as possible, since the older swipe-based terminals no longer have fraud coverage from the major credit card companies. Also, if you're still using other end-of-life software or devices, like Windows XP or Windows Server 2003, replace them as soon as possible, as they are high-risk targets.
  • Do a Password Audit - Now's the time to start asking questions like: Do any of your employees have too much access to sensitive networks or data? When was the last time the company reset its passwords? How strong are employees' individual passwords? What would happen if any single password was compromised by a hacker? Segment the company so that no single employee has too much access to key accounts - that way, if they're hacked they won't sink the ship. Make sure every employee has a "password manager" tool (ex: LastPass, Dashlane) loaded on their desktop, laptop, mobile device and point-of-sale terminal. Require passwords to be long and complex (12+ characters, using upper and lower case letters, numbers and special symbols), and changed frequently.
  • Scan the Website - Most small business websites today are riddled with basic security flaws. These flaws could allow a hacker to steal information stored on back-end servers, or to infect customers who visit the web page. Sign up for a web scanning service (ex: McAfee SECURE, Symantec Safe Site) that will check the site every day for vulnerabilities and malware. Go one step further by signing up for a security information and event management, or SIEM, tool (ex: AlienVault, HP ArcSight) - this will monitor the site for active attacks.
  • Isolate Your Online Banking - A special type of malware known as the "banking Trojan" is widespread on the Internet, and it's easy to get infected just by surfing the web and opening emails. Criminals use this malware to take over small business bank accounts and steal tens of thousands to millions of dollars. Banks don't always catch the fraudulent activity, and they may refuse to reimburse the small business for its losses. The best way to avoid this risk is to have a dedicated computer (desktop or laptop) that is used for nothing else except logging into the online bank account. This will greatly reduce your chance of a malware infection. Also, sign up for the extra security features offered by your bank, such as two-factor authentication, email alerts and fraud monitoring.
  • Anticipate Extortion Attacks - Cyber extortion incidents are growing rapidly across the US, and SMBs are a prime target. Two of the most common attacks, especially during the holiday season, are distributed denial-of-service (DDoS) and ransomware. In a DDoS attack, hackers knock the company's website offline by flooding it with bogus web traffic. They then demand a fee (usually $5,000+) to stop the attack. The best way to prevent this is to sign up with a DDoS mitigation service (ex: CloudFlare, Incapsula). In the case of ransomware, the company is infected with a type of malware that locks up all available files (e.g., Word docs, spreadsheets, etc.) using high-grade encryption, rendering them unusable. The hackers then demand a ransom to unlock the data. The best way to mitigate this attack is a simple one - back up data regularly. If back-ups are done every day, or at least once per week, the company can simply wipe the hard drive of the infected machine and restore the data - with only a minimal disruption of business operations.
  • Lockbox Your Data - Every company will eventually be hacked. Therefore, safeguard your most important data - like customer accounts - by encrypting it. That way, even if a hacker breaks in and steals these files, they won't be able to use them. There is a wide range of commercially available encryption products that are user-friendly and inexpensive. They include full-disk and file encryption tools, as well as email and cloud encryption.

By following these six simple, inexpensive tips, any business can significantly reduce the damage potential of a hack. Remember, no business can prevent every cyber attack, so focus instead on common sense measures that will protect data and operations even if the worst comes to pass.