It doesn’t matter how much money your startup is making right now; you cannot afford to ignore digital security.
Many hackers target small businesses specifically because they are easier targets. You cannot allow yourself to be one of them. Here is how to harden your digital security practices until you can hire a full IT team.
Securing Your Hardware
This is essential because many hacks start out from a hacker directly stealing one of your devices. Securing your device is a four-step process:
- Use some physical lock which will secure devices to a desk. There are a wide variety of laptop locks out there.
- Make sure all of your devices use some lock screen. If your devices are physically stolen, there will still be one more layer of security for the hacker to get past.
- Use a tool such as Touchpoint Manager from HP. This features a single dashboard where you can manage the security of all your devices. Its most important feature is that it can remotely wipe stolen devices. This is very handy with smartphones and tablets.
- You need to set similar standards for any ‘bring your own device’ program. It does your startup no good if someone brings in a device from home that has very weak security and gets hacked.
Proper hardware security is always the first step in your digital security policy. Without it, the rest of the work you do could be meaningless.
Taking Regular Backups
You need to create offline backups of your most valuable digital assets. The best thing that you can do is create a backup of your website. The ways that you can do this include:
- Manual: This is when you, or a member of your team, manually download your site onto one of your machines. This is not ideal as you have to remember to do it periodically.
- cPanel: Go into your cPanel control panel. Click on the Backup button. You can then select where the backup will go, and be notified when it is done.
- Cloud: The most reliable cloud backups are Amazon S3 and Dropbox. Many of you are likely using WordPress; it can be backed up to Dropbox automatically for free.
- Rsync: This is an interesting piece of software that will only transfer files that have been changed or updated. This could be a great backup solution as it will save you on bandwidth.
- Managed backup solutions: There are companies which can manage your backup solutions for you. The best examples include Backup Machine, Codeguard, and Dropmysite.
If your website is compromised, you will now have a backup to revert to so that you can reverse the damage.
Ways to restrict access
You need to create a database, or a simple spreadsheet, of everything that people who work for you have access to. This is how you are going to manage insider threats.
Once you have to let someone go, you have a database of everything they have access to, and you will be able to revoke their access before they are fired, or immediately after they hand in their resignation.
Managing their passwords
To make this database even more efficient, use a password management tool that you have ultimate control over. Have everyone that works for you upload their login details through this.
Once they leave or resign, you can instantly change all of their passwords.
If you can, create accounts that you assign to groups of people to manage. For example, have people use HootSuite instead of five or six different social media applications that you will have to reset access for.
To manage the insider threat, you will only have to revoke access to one account rather than five or six. This will help you not forget one account.
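The access database and shared-account idea above can be turned into an offboarding checklist. The script below is an added example, not code from the original article; the inventory rows, the people, and the system names are constructed for illustration. Individual logins are disabled, while shared accounts (the HootSuite case) get a credential rotation plus a list of the remaining holders who need the new password through the password manager.

```python
"""Offboarding checklist built from an access inventory (added example; data is constructed)."""
from collections import defaultdict

# Constructed access inventory: one row per (person, system, account).
# account_type "individual" is the person's own login; "shared" is a group
# account whose credential must be rotated when any holder leaves.
ACCESS_INVENTORY = [
    {"person": "alice", "system": "GitHub", "account": "alice@example.com", "account_type": "individual"},
    {"person": "alice", "system": "HootSuite", "account": "social-team", "account_type": "shared"},
    {"person": "alice", "system": "cPanel", "account": "root", "account_type": "shared"},
    {"person": "bob", "system": "HootSuite", "account": "social-team", "account_type": "shared"},
    {"person": "bob", "system": "Google Workspace", "account": "bob@example.com", "account_type": "individual"},
]


def offboarding_checklist(inventory, person):
    """Return the revocation actions for `person`, in inventory order.

    Raises KeyError if the person has no rows at all, because "not in the
    database" should trigger a manual check rather than silently mean "no access".
    """
    holders = defaultdict(set)  # (system, account) -> everyone who holds it
    for row in inventory:
        holders[(row["system"], row["account"])].add(row["person"])

    actions = []
    for row in inventory:
        if row["person"] != person:
            continue
        key = (row["system"], row["account"])
        if row["account_type"] == "individual":
            actions.append({"system": key[0], "account": key[1], "action": "disable"})
        else:
            # Shared credential: rotate it and tell the remaining holders.
            others = sorted(holders[key] - {person})
            actions.append({"system": key[0], "account": key[1],
                            "action": "rotate_credential", "notify": others})
    if not actions:
        raise KeyError(f"{person} is not in the access inventory; verify manually")
    return actions


def stale_grants(inventory, former_employees):
    """List (person, system, account) rows still present for people who have left.

    Run this periodically: it catches exactly the failure in the incidents
    the article lists, where access outlived employment.
    """
    return [(r["person"], r["system"], r["account"])
            for r in inventory if r["person"] in former_employees]
```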
Finding every way you can to manage the access of employees once they leave the company is critical. There have been many high-profile instances of insider threats after somebody’s been fired, but their access had not been revoked:
- The American College of Education had an IT employee refuse to return access to a Google account.
- The chef at a restaurant used the company’s Twitter feed to post derogatory tweets after he was fired.
- The Marriott had an ex-employee hack their system and lower their hotel prices to a loss of $50,000.
- A member of a security firm departed his company on bad terms and proceeded to hack the phone system. This revenge wound up costing them more than half a million dollars.
Insider threats are a genuine problem at nearly every company and startup. You need to manage them from the beginning.
SSL Certificates for your Website
In the past, only sites with online shopping or login pages bothered to get SSL certificates. This layer of encryption is now being encouraged for all websites through the Always On SSL movement.
Doing this removes the attack vectors available to a hacker seeking to steal information as visitors browse between secure and unsecured pages of your site.
Skilled attackers can capture information during those unprotected moments, when it should have been secured.
If you are using WordPress, then check out how to get SSL enabled on your site.
Preventing Email Spying
Marketers from a wide variety of backgrounds enjoy using email tracking. It helps them better engage with prospective and current clients, and ultimately improve sales. It’s very convenient in that way.
Unfortunately, email tracking is also convenient for hackers. A program like MailControl will allow companies to block spy mail from reaching their inbox. Email spying is a real concern; see this attorney’s experience with it:
It can help against targeted phishing attacks as well. Phishing attacks are when hackers pretend to be someone within your startup who is trustworthy.
This frequently involves email spoofing. They will use an email address that is very similar, or the same, as a trusted person in your organization.
You need to step up standards for how sensitive information is shared in your company. You will usually discourage doing it through email.
Protect your mobile employees
Mobile employees are far more vulnerable once they are off your office network. This is especially true when they connect to public Wi-Fi. There are two reasons for this:
- They can connect to Wi-Fi with no security settings, opening them up to hackers.
- Hackers can set up a fake Wi-Fi hotspot that is designed specifically to steal information. This frequently happens if your employees are known to congregate at a particular bar, restaurant, or shared workspace. This is usually called a watering hole attack.
The way to protect your employees here is to make sure that they have an easy-to-use VPN (Virtual Private Network) on their device.
IPVanish currently has the most diverse and trusted tool available for this. VPNs like this will encrypt their communications, and protect them even if they do connect to a malicious Wi-Fi hotspot.
Perhaps one of the biggest digital security risks today is ransomware. This type of breach uses encryption to prevent you from accessing your information unless you pay a ransom.
The most useful tool for this is CryptoStopper. Installing it protects you with bait files, which get encrypted instead of your actual files and act as an early warning. It even helped stop the WannaCry attack:
Proper employee training courses
All of the fancy technology in the world will not hold up against an employee who doesn’t care, or who is ignorant of a particular security need.
It is up to you, as their employer, to make sure they know everything that is necessary to do their job. That now includes digital security practices.
Here are the major points that you will need to have covered in your employee training course:
- Teach them how malware winds up being downloaded onto machines due to poor decisions on their part. Emphasize that malware does not happen by magic; it happens because people make poor decisions about what they click on and download.
- Make sure to cover social engineering and Trojan attacks. Both types of attacks seek to look as if they are legitimate, but are malicious. Social engineering is centered on trying to appear like an authentic person; Trojan attacks are centered on trying to look like legitimate software.
- Phishing attacks are commonly made through email. The typical phishing attack will have a hacker disguise themselves as an important person in the company. The hacker will then ask them to do something which violates company policy or give up valuable information.
- You also have to be certain to cover their particular role in the company when it comes to digital security. Make sure that cashiers know about POS terminal issues. Make sure that office staff know to use a lock screen. Tailor their digital security needs to their position.
- Cover the importance of complex password needs. Also make sure that they know not to share their password with anyone, not even a fellow employee who has forgotten their password which accesses a shared system.
Your employees are going to be a very important part of your startup’s digital security. Everyone must know that they are important, and they must be given specific instructions according to their role.
Start your digital security plan from the… start!
You don’t want your startup to fail before it even gets anywhere due to neglecting your digital security. Remember the points we covered, and you’ll be well on your way:
- Secure your hardware.
- Create backups to recover from hacks.
- Have systems in place to restrict access.
- Use SSL certificates for your whole site.
- Prevent email spying and spoofing.
- Protect your mobile employees.
- Prevent ransomware.
- Have an employee training course on digital security.
Until you have a full IT team which can go into this even deeper, this is what you must do to protect your startup, your employees, and your customers.