Password: fluffy1234. One of our clients asked us to use this for setting up his email, telling us it was the name of his wife’s cat. “Admin” was another client’s request for a username, and he wanted his password to be 1234. Nope! No way, no how! We vigorously refuse to put unsecure passwords in place. “But they’re hard to remember, I have so many of them,” said one business owner. “I just keep them all the same, it makes it easier to keep it all straight,” said another. And that makes it easier for thieves to make life a living nightmare. And if they aren’t thieves, they are, at the very least, vandals.
Consider this a warning shot across your business bow. There are plenty of people out there gunning for weaknesses in website passwords, email passwords and databases with information of value – names, addresses, phone numbers, email and credit card information. How secure are you and your business?
Threats to your cybersecurity are all too real. If you haven’t been impacted by identity theft, hacked emails and websites or data breaches, consider yourself lucky. To protect yourself – and your business – from cybersecurity threats, you need a plan. Here are nine things you need to address:
1. Policies and training: Set up rules and policies to protect your business. Have systems in place, then train employees and set up consequences for non-compliance.
2. Passwords: Strong passwords need to be set up. Here’s a free source for the creation of a highly encrypted password: http://passwordsgenerator.net/. Some policies to follow include:
- Don’t use the same password across multiple accounts.
- Passwords should be at least 15 to 20 characters long and include numbers, upper and lower case letters, and symbols.
- Don’t use family names, initials, pets, birthdates, addresses, towns or full words in general, phone numbers or mathematical sequences as passwords.
- Do not permit your browser or FTP client programs to save your passwords. Any password saved in this manner can easily be discovered with a single click using some programming script.
- Do not access important, password-protected accounts from public computers or someone else’s computer.
- Change your passwords regularly. Monthly is best, quarterly at the very least.
- Keep passwords straight using phone apps or an online password management system. PC Magazine suggests the following: KeePass (free, download to your computer), www.keepass.com; LastPass (free, cloud-based), www.lastpass.com; RoboForm Desktop 7 (for one PC), or RoboForm Everywhere 7 (multiple PCs) (from $29.95) www.roboform.com. Alternatively, save your passwords as plain text, then encrypt them with AES Crypt or AxCrypt.
- When employees leave the company, change all passwords that person was familiar with.
3. Virus/malware protection: Your computers must have the latest virus and malware protection installed and operating. It must be updated regularly, then have a full scan run after each update.
4. Firewall: A firewall should be set up for your company’s Internet connection. Talk with an IT professional about what that entails.
Firewalls protect your private network data from being breached by outsiders.
5. Mobile device protocol: Mobile devices used by your team can pose significant threats. They may contain confidential information and are frequently used to access company networks. Password protect these devices, and have security apps installed. Encrypt all important data. Devices connecting to public networks at coffee shops, libraries, schools, etc., are particularly vulnerable to attack.
6. Back up data: Nothing is sacred. Back up your data regularly. Email, documents, spreadsheets, databases, accounting files, HR files, etc., are irreplaceable and should be backed up regularly, preferably automatically. Services like Carbonite or Barracuda are great for this purpose. If you make your own backups, put them on two external drives and keep them in a safe deposit box. Alternate these drives with each backup.
7. Wi-Fi: Secure your company Wi-Fi account with a highly encrypted password, which will help block outsiders from getting into your company network. If you offer a public access point for customers to use, make it separate from your business network.
8. Credit card processing: Work closely with whatever service you use to process credit cards and make sure you’re using the most trusted, validated and anti-fraud system possible. Use an isolated computer for these transactions, not one used for going online.
9. Give limited access: Give access to employees only on a need-to-know basis, only for the processes they use. No person other than the owner should have access to all this information. We call this having the “keys to the castle.” Give these keys to a trusted attorney who’s in charge of the owner’s estate should something happen, with strict instructions that these be given out ASAP to a specific person in the event of the owner’s demise.
Not So Hard
Sure, it’s hard to do all this, but it’s much harder to fix a data breach, undo the damage done by hackers and apologize to customers for their personal information being stolen. Set a goal to get this done before the end of the year.
BSB Contributing Editor Mark Claypool has more than 30 years of experience in the fields of workforce development, apprenticeships, marketing and Web presence management with SkillsUSA, the
I-CAR Education Foundation, Mentors at Work, VeriFacts Automotive and the NABC. He is the CEO of Optima Automotive (www.optimaautomotive.com), which provides website design, SEO services and social media management services.