Computer Security for Small Business
If you run a small business, the data on your computer is critical to that business. Losing the data, or the downtime while you recover it, can cost you revenue or even destroy the business. It is important to follow all of the guidelines below. If you don't understand any of them, or don't have someone in your company who does, hire a consultant who can help you implement these essential computer security guidelines.
Using cloud-based software such as QuickBooks Online, Office 365 or G Suite for your business can make things much easier: your data is already backed up and you can reach it from home or while traveling. However, it is very important to implement strong security measures, since your data is now reachable by outside attackers. Important measures include using strong passwords, educating your employees on security best practices and using the security features that are usually built into the app itself (password and device monitoring, login-attempt alerts, etc.).
Back up your data:
The purpose of backups is not only to protect against the loss of your data, but also against damage to it. If you use QuickBooks for your accounting, that data is critical and needs to be backed up frequently. You might also have other software that is extremely critical to your business, such as programs that store contacts, medical or dental software that holds all patient records, or point-of-sale software that tracks your inventory. Loss of a hard drive or a corrupted file could be devastating if you don't have proper backups and a recovery plan. A little work now can save your business from monetary losses and perhaps legal liability.
Cloud backup – You should implement a cloud backup service such as Carbonite, IDrive or CrashPlan. Make sure to enable backup set retention so that at least 2 backup sets are retained; this protects against damaged or mistakenly deleted files. For example, if your QuickBooks data file became corrupted yesterday, a backup set from last night will contain the same corrupted file and be useless. If you have a backup set retained from 7 days ago, however, you will be able to recover a usable copy of your data.
Keep multiple backups – You should keep at least 5 copies of your critical data on an external hard drive or some other external storage device. QuickBooks will automatically date-stamp its backup files, and you can specify how many copies to keep before it deletes the oldest one. This guards against damage to your data that goes unnoticed for a while. For example, if important information was deleted 2 days ago but the deletion was only discovered today, a backup made yesterday would be worthless for recovering that deleted data.
Keep a copy of your data offsite – In addition to your standard onsite backup, you should have at least 2 copies of critical data offsite. You can use an online backup service where your data is stored on a remote secure server. Alternatively, you can store an additional external hard drive or DVD backups at a secure location other than the office where the accounting records are kept. This protects against theft, flood or fire at your business location destroying your computer along with the onsite backups.
Test your backups – Make sure the backups you have can actually be restored in case of a hardware failure. If you didn't back up the data you thought you were saving, or the backup is somehow incomplete, you will have to reconstruct some or all of the data.
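The retention logic behind the "Cloud backup", "Keep multiple backups" and "Test your backups" points can be shown in a few dozen lines. The following Python script is an added example, not the author's code or any backup product's: it makes date-stamped copies of a data file, prunes to the 5 most recent, and checks each retained copy by restoring it and comparing a SHA-256 hash. The file name `company.qbw`, the nightly schedule and the "corrupted on day 6" scenario are all constructed for the demonstration.

```python
"""Added example: date-stamped backup copies with retention plus a restore check.

Constructed for this page; not the author's or any backup vendor's code.
It assumes one data file (like a QuickBooks company file) and a backup folder;
all paths are placeholders inside a temporary directory.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

PREFIX = "backup-"         # name prefix for backup copies (assumption)
STAMP = "%Y%m%d-%H%M%S"    # timestamp embedded in each copy's name


def sha256_of(path: Path) -> str:
    """Hash a file so a restored copy can be compared with what was backed up."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(data_file: Path, backup_dir: Path, when: Optional[datetime] = None) -> Path:
    """Copy data_file into backup_dir under a date-stamped name; return the copy's path."""
    when = when or datetime.now()
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / f"{PREFIX}{when.strftime(STAMP)}{data_file.suffix}"
    shutil.copy2(data_file, dest)
    return dest


def list_backups(backup_dir: Path) -> list:
    """Backups sorted oldest to newest (the fixed-width timestamp sorts lexically)."""
    return sorted(backup_dir.glob(f"{PREFIX}*"))


def prune_backups(backup_dir: Path, keep: int = 5) -> list:
    """Delete the oldest copies so that only `keep` remain; return what was deleted."""
    backups = list_backups(backup_dir)
    doomed = backups[:-keep] if len(backups) > keep else []
    for old in doomed:
        old.unlink()
    return doomed


def verify_restore(backup: Path, restore_dir: Path, expected_sha256: str) -> bool:
    """Restore a copy to a scratch folder and confirm its hash matches the original."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    restored = restore_dir / backup.name
    shutil.copy2(backup, restored)
    return sha256_of(restored) == expected_sha256


def demo() -> dict:
    """Simulate a week of nightly backups where the file is corrupted before night 6.

    Returns how many copies were kept, how many still restore to good data,
    and the name of the newest usable copy.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data = root / "company.qbw"       # constructed data-file name
        backups = root / "backups"
        start = datetime(2024, 1, 1, 23, 0, 0)
        good_hash = ""
        for day in range(7):
            # Nights 0-5 back up good data; on night 6 the file is already corrupted.
            data.write_bytes(b"GOOD " * 100 if day < 6 else b"\x00" * 50)
            if day == 0:
                good_hash = sha256_of(data)
            make_backup(data, backups, start + timedelta(days=day))
            prune_backups(backups, keep=5)
        kept = list_backups(backups)
        # The newest copy is corrupt; the older retained copies still restore cleanly.
        usable = [b for b in kept if verify_restore(b, root / "restore", good_hash)]
        return {
            "kept": len(kept),
            "usable": len(usable),
            "newest_usable": usable[-1].name if usable else None,
        }


if __name__ == "__main__":
    print(demo())
```

With a single retained set the only copy would be the corrupted one; with five the four older copies still restore, which is the whole point of retention. Run the verification step against a real external drive on a schedule, not just once after setup.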
Protect data from outsiders
Wireless security – Wireless networks are vulnerable to outside attack so be sure to follow these guidelines & re-assess the security of your wireless network on a regular basis:
- Use WPA2-Personal (WPA2-PSK) security with AES encryption - make sure your router and all devices connected to your business network support the WPA2 security standard. Older standards such as WEP & WPA are unsafe, so you should replace older equipment that doesn't support WPA2. Don't use mixed-mode settings on routers such as WPA/WPA2 or TKIP/AES - force all devices to connect to the router/access point using only WPA2 with AES encryption.
- Use a strong password for the wireless passphrase
- Set up a separate wireless network for guests & clients - most newer routers allow you to set up both a company network & a guest network. Use a different passphrase for the guest network; it can be less strong (easier for guests to type into their device), but never give out the internal company passphrase to guests or other persons outside the company.
- Change the SSID (network name) from the default setting
- Change the username & password for administrative access to all routers/access points from the default settings.
- Disable remote management on all routers/access points.
- Disable Wi-Fi Protected Setup (WPS) on all routers/access points.
- Consider implementing WPA2-Enterprise (802.1X) in environments where highly sensitive data is being transmitted (such as a doctor's office) - this standard offers the highest level of wireless security possible, but is more complex & costly to set up.
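The wireless checklist above can be turned into a repeatable check rather than a one-time read. The Python function below is an added example, not the author's code or any router vendor's export format: it audits a dictionary of router settings against the checklist (WPA2-only mode, AES-only cipher, passphrase length, separate guest network, non-default SSID and admin login, remote management and WPS off). The settings keys, the factory-default SSID and login lists, the 12-character passphrase minimum, and the two sample configurations are all assumptions constructed for the demonstration; a real router's settings page would need to be mapped onto them.

```python
"""Added example: audit a router's wireless settings against the checklist above.

Constructed for this page; not the author's code and not any router's real
export format. The dictionary keys, default-value lists and the passphrase
minimum are assumptions.
"""

ALLOWED_MODES = {"WPA2", "WPA2-PSK", "WPA2-ENTERPRISE"}  # what the checklist permits
ALLOWED_CIPHERS = {"AES", "CCMP"}                        # CCMP is the formal name of WPA2's AES mode
MIN_PASSPHRASE = 12                                      # assumption: a policy minimum, not a standard
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}   # assumption: common factory names
DEFAULT_ADMIN = {("admin", "admin"), ("admin", "password"), ("admin", "")}  # assumption: factory logins


def _split(value: str) -> set:
    """'WPA/WPA2' -> {'WPA', 'WPA2'}: mixed-mode settings show up as several entries."""
    return {part.strip().upper() for part in value.split("/") if part.strip()}


def audit_wireless(cfg: dict) -> list:
    """Return one finding per checklist item the configuration violates (empty = clean)."""
    findings = []
    modes = _split(cfg.get("security", ""))
    if not modes or not modes <= ALLOWED_MODES:
        findings.append(f"security={cfg.get('security')!r}: allow only WPA2 "
                        "(no WEP, WPA, open, or WPA/WPA2 mixed mode)")
    ciphers = _split(cfg.get("cipher", ""))
    if not ciphers or not ciphers <= ALLOWED_CIPHERS:
        findings.append(f"cipher={cfg.get('cipher')!r}: force AES only (no TKIP or TKIP/AES mixed mode)")
    if len(cfg.get("passphrase", "")) < MIN_PASSPHRASE:
        findings.append(f"passphrase is shorter than {MIN_PASSPHRASE} characters")
    if not cfg.get("guest_network"):
        findings.append("no separate guest network for visitors and clients")
    elif cfg.get("guest_passphrase") == cfg.get("passphrase"):
        findings.append("guest network shares the internal company passphrase")
    if cfg.get("ssid", "").strip().lower() in DEFAULT_SSIDS:
        findings.append(f"ssid={cfg.get('ssid')!r} looks like a factory default")
    if (cfg.get("admin_user", ""), cfg.get("admin_password", "")) in DEFAULT_ADMIN:
        findings.append("router admin login is still a factory default")
    if cfg.get("remote_management"):
        findings.append("remote management is enabled")
    if cfg.get("wps"):
        findings.append("Wi-Fi Protected Setup (WPS) is enabled")
    return findings


WEAK = {  # constructed: a router left close to its factory settings
    "ssid": "NETGEAR",
    "security": "WPA/WPA2",
    "cipher": "TKIP/AES",
    "passphrase": "shop2019",
    "guest_network": False,
    "admin_user": "admin",
    "admin_password": "password",
    "remote_management": True,
    "wps": True,
}

HARDENED = {  # constructed: the same router after applying the checklist
    "ssid": "Front-Office-5G",
    "security": "WPA2-PSK",
    "cipher": "AES",
    "passphrase": "correct horse battery staple 42",
    "guest_network": True,
    "guest_passphrase": "welcome-guest-2024",
    "admin_user": "office-admin",
    "admin_password": "Lk9#pQ2v!zR8mT4w",
    "remote_management": False,
    "wps": False,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {len(audit_wireless(cfg))} finding(s)")
        for line in audit_wireless(cfg):
            print("  -", line)
```

The mixed-mode check is the part worth noting: "WPA/WPA2" and "TKIP/AES" each parse into two entries, and the audit fails them because not every entry is in the allowed set, which is exactly the "don't use mixed-mode settings" rule. Re-run the audit whenever the router is replaced or its firmware is updated, since updates sometimes reset settings.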
Beware public wifi! – Never transmit sensitive information over any public wifi, since you have no control over security in those situations. In other words, it's a bad idea to check your online banking at Starbucks. Remember that anything involving a password (such as an email login) or credit card information should never be transmitted over public wifi.
Use strong passwords – It is a good idea to password-protect all business computers. Set them up to require a password for login as well as an inactivity lock (in case you walk away). Use strong passwords & change them on a regular basis. If you have to write your passwords down, don't leave them near the computer & don't write anything on the paper that indicates they are computer passwords. You should also set passwords on business-critical programs such as QuickBooks and make sure only the people who need access to that data know the password. It is also very important to protect the password for your email, since your email can be used to reset various online passwords & since there is often sensitive data within your emails. Don't underestimate the damage that can be done if your email is compromised.
Don't mix business and personal use – Don't allow your business computer to be used for personal purposes. This lessens the chances of virus/malware/trojan infection as well as the chances of unauthorized persons accessing business data. If you have a home office, don't let family members or guests use the business computer for personal web surfing. Supply them with a different computer intended for that purpose which is not networked to the business computer.
Avoid traveling with a laptop that has business data on it. Most likely all you really need to stay in touch is your email, so why carry all that sensitive data around & take a chance of it falling in the wrong hands if your laptop is stolen? It is probably a good investment to purchase a "personal use only" laptop for travel and surfing in public places.
Follow general security practices
Make sure you are protected by a hardware firewall (router) as well as a software firewall, and keep your computers free of viruses/malware/trojans. This requires more than just installing an antivirus program! Perform regular maintenance on your network no matter how small or large it is. Like it or not, your business depends on that network and the data it handles. Also remember: if a computer is getting slower and taking a long time to boot up, it usually means you have a virus/malware/trojan issue.