Written by Patrick Taylor
August 6, 2018
Welcome back to part two of the guide to cybersecurity! In the previous part (Cybersecurity For Small Businesses, Part I), we covered Identification and Protection of weak points in your system, covering what is valuable information, where it can be hit from, and how to protect it with passwords and cloud storage. This part will be covering a bit more on protection, as well as how to detect a data breach and how to respond.
One thing I forgot to mention in the last article was storing any local data on encrypted drives. By storing your data this way, it means that if a device is physically stolen, the thief has little to no chance of getting to the data that’s inside, especially if you have a tool like JumpCloud that you could use to disconnect any user accounts the second the thief connects the computer to the internet.
Encrypting the drive will mean that the user will need to enter a password after starting up or a reboot (before signing in), but this adds minimal hassle for a great deal of protection, especially when you have files you need to keep locally.
And don’t worry, all the tools you’re used to using (including remote desktop software AeroAdmin, my recommended remote access tool) will still work just fine.
For Macs and Windows 10 Pro machines, you can use the built-in encryption tools, known as FileVault and BitLocker, respectively. However, if you are running Linux or Windows 10 Home (the latter of which I know many small businesses do use), there are plenty of free alternatives to the above. The one I use personally is VeraCrypt, which is relatively straightforward to use. There can be some complications involving motherboard boot options, but most can be worked around.
Now as a small business, it is highly likely that you need to have correspondence with your customers that involves the sensitive data discussed in part one of this guide.
I regret to inform you that most of the ways you are used to communicating with clients (over the phone, texting, or email) aren’t particularly secure.
Email requires that both parties have a secure connection (trust me, your customers aren’t going to want to check), and texting and phone calls have no security at all. Luckily, there are alternatives.
(A note before we go any further: below I talk a lot about methods that share files directly with a client’s email address, even though just above I was saying email isn’t secure. What I meant by that is that an email in transit is insecure, not the email account itself. So, when a file-sharing link is sent to an email address and the recipient needs to prove ownership of that email to access the file (as many services do), you maintain security.)
The first hurdle to tackle is sending information to your clients.
Sending it attached to an email isn’t okay.
What I do (with the Microsoft Suite) is send them a file-sharing link from OneDrive to the file that’s specific to their email address, so only they can access it. You can read more about that here.
However, many people don’t use OneDrive. Luckily, other tools have secure methods as well. If you are using Google Drive, you can use its sharing tool just as easily as OneDrive by sharing directly to their email address, provided that they have a Google account to do so (you can prompt the user to create one when sharing if the email isn’t a Gmail address). If you are using Dropbox and are subscribed to the Professional tier, you can control link sharing in a similar manner to the above, although it is a bit more unwieldy.
If you don’t use any cloud options, you could try out AxCrypt, which you can use to encrypt individual files and then attach those to emails. Note that you will have to provide the person on the other end with the password, which you can’t send securely by email. You’ll have to find another way, which might just be telling them in person. I’ll outline another method below but know that it might just be easier to use a cloud platform.
Now, let’s talk about clients sending data to you. While you aren’t liable for any data breach that occurs due to how a customer decides to send data to you, it still makes sense to set up a way for your clients to send information securely, which can keep all parties happy if they are concerned about the security of their data. The best way to do something like this is to set up a portal where clients can upload files, a technique that has been used in the CPA and college admission worlds for a while now. However, these tools are rather expensive to implement.
What I did instead was use Dropbox to set up what is known as a file request link, where clients can upload any documents with sensitive information. What I do, besides making sure new customers know about it when they sign up, is include a copy of it in my email signature, so they can find it with ease. If Dropbox isn’t your primary storage method, it’s easy to set up a small script that will automatically move each upload from Dropbox to elsewhere, then delete the copy in Dropbox, ensuring you don’t run out of storage. Personally, I use Microsoft Flow, as it has the integrations I need. Other tools that may work for your needs include IFTTT and Zapier.
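As an added example (not code from the original article), here is a small Python script of the kind described above: it sweeps files out of the locally synced Dropbox file-request folder into a folder outside Dropbox, verifies each copy by hash before deleting the Dropbox original, and never overwrites an earlier upload that happens to share a file name. The two folder paths are assumptions.

```python
import hashlib
import shutil
from pathlib import Path

# Assumed paths for this example: the local folder the Dropbox client syncs
# file-request uploads into, and the destination outside Dropbox.
INBOX = Path("Dropbox/File requests/Client documents")
ARCHIVE = Path("ClientFiles/incoming")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def unique_target(dest_dir: Path, name: str) -> Path:
    """Pick a destination name that does not clobber an earlier upload."""
    target = dest_dir / name
    stem, suffix, n = target.stem, target.suffix, 1
    while target.exists():
        target = dest_dir / f"{stem} ({n}){suffix}"
        n += 1
    return target


def sweep(inbox: Path = INBOX, archive: Path = ARCHIVE) -> "list[Path]":
    """Copy each upload out of the Dropbox folder, verify the copy by hash,
    and only then delete the Dropbox original. Returns the archived paths."""
    archive.mkdir(parents=True, exist_ok=True)
    moved = []
    for src in sorted(p for p in inbox.iterdir() if p.is_file()):
        if src.name.startswith("."):      # skip the sync client's own temp/metadata files
            continue
        dst = unique_target(archive, src.name)
        shutil.copy2(src, dst)
        if sha256_of(dst) != sha256_of(src):
            dst.unlink()                  # bad copy: keep the original, retry next run
            continue
        src.unlink()                      # copy verified, so free the Dropbox space
        moved.append(dst)
    return moved


if __name__ == "__main__":
    for p in sweep():
        print("archived", p)
```

Run it on a schedule (Task Scheduler or cron) rather than by hand, and point ARCHIVE at a folder on the encrypted drive discussed earlier.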
Maybe sending files back and forth is a bit too clunky for you at times. Perhaps you just want to have a texting-like chat where you can exchange information securely (such as encrypted file passwords, perhaps?). For this, I recommend Signal if both you and your client have it installed on your phone, as communication through the app is completely encrypted and secure. It’s rather easy to use, as it just connects with your phone number. It also has desktop clients, making it that much more convenient. I know plenty of clients won’t want to install it just for this, so have it in place more so that if a client expresses a need to chat securely, you have a solution you can provide to them. It has phone call support, too.
Alright, that should be about it for protecting data. Now let’s look at detecting when a breach occurred.
Even with the strongest of barriers in place, threats can still get through. That’s why it’s important to be able to detect threats, so you can respond and minimize damage.
The simplest thing to do is to make sure to monitor what your antivirus software catches. By looking at what it quarantines, you can get an idea of where threats are originating from. Not much else to say, besides to check regularly and to keep the software updated. If you find malware that has gotten past your antivirus, disconnect the affected machine from the network as soon as possible.
A stolen device is going to be the most obvious way of detecting a breach. If a device is stolen, the first thing to do is contact the police. Afterwards, disconnect any accounts associated with the machine (for example, sign-ins on JumpCloud or Microsoft accounts), especially if the device is not encrypted. If it is a mobile device, use the find-my-device features to lock the device, or even wipe it if you deem the information serious enough.
In response to an event, you can incorporate lessons from it to help you in the future. Make sure to take note of the date of the incident, what it entailed, how it was discovered, how you fixed it, what data was affected, and what steps you took to rectify the problem.
After you have determined the reach of the breach, you’ll need to inform your customers of what happened to any of their data, and what it means for them. You should also contact legal assistance about what your local ordinances for data breaches are.
And that about covers it! I do strongly recommend writing all your policies into an official policy guide, as it will help your employees know how to act and outline exactly how to respond to events.