Back to Insights

Small Business Cyber Security Best Practices That Won’t Break the Bank

Elizabeth M. Carroll, CPA Audit Technology Specialist and Manager, Audit & Accounting

Technology has a way of making users think they are infallible. In this day and age, if we can download entire movies in minutes, unlock our phones with our thumbprint or face, and wear watches reminiscent of James Bond films, how is it possible that we can still be hacked? However, technology is only as good as the people using it and the wrong click can bring down an entire company.

Everyone has heard a horror story of a company that has been hacked. Computers are frozen in time until a ransom is paid and the company loses days of productivity and can spend months restoring data, catching up on orders, emails, etc. Most of these stories originate with a wrong click, the accidental installation of an application, or the use of a weak password. The commonality in these scenarios is that the businesses – and their employees – were not adequately prepared.

Here are a few do’s and don'ts to consider when evaluating your company's cyber security preparedness. The good news is that none of these items are overwhelming in terms of time or money, but the payoff is immeasurable.

Do's

  1. Train your employees. As stated above, most cyber breaches occur because an employee clicks a link, downloads a malicious file, or leaves their password lying around. Employees need to be trained on what not to do (more below). You can implement cyber security training that requires employees to participate in short webinars, answer quizzes, and respond properly to test links or fake emails. These training programs are a small and typically inexpensive way to help ensure your employees are more aware of various cyber scams, and they ultimately help your company protect itself from possible breaches.
  2. Encrypt all hard drives. Encryption technology protects your company from confidential information being viewed by anyone who does not have the encryption key. If your company has employees working remotely via laptops, how do you know those laptops are safe from loss or theft? Encryption is a simple way to ensure the data stored on those laptops can't be accessed by just anyone. This principle can also be applied to any flash drives or other storage devices utilized by your company.
  3. Develop policies and procedures for cyber security. Developing a cyber security policy means thinking about the "what-ifs." Does your company use antivirus software? If so, how often is it updated, who is looking at the results, and what happens if something is flagged? Is the company backing up its data? If so, how often, to where, and how frequently does someone test those backups? Conduct vulnerability scans of all systems, develop an incident response protocol, and provide training to all staff. Devising a formal policy can prepare your company for the worst case scenario. Because unfortunately, the worst case scenario could happen to anyone.

Don'ts

As mentioned above, most of the don'ts can be addressed through proper training for all employees.

  1. Don't click unknown links. It might seem simple, but how often does someone click without thinking? Because companies can't guarantee all employees will think twice before clicking on a link, there is software available that will prompt someone after the initial "click" to be sure they want to continue. Those couple of seconds could be all your company needs to safeguard itself from a possible breach.
  2. Don't use weak passwords. What constitutes a weak password? Pets' names, kids' birthdays, or the word "password” are easy targets. Best practice is to use a long phrase unique to the employee that can be easily remembered, but is innately more complex due to the length. Require frequent password changes, utilize a password manager, and implement rules that prohibit using the same password for different software applications and sites. Finally, never keep your password on a post-it at your desk.
  3. Don't install unknown software. Even when trained, all employees are not considered information technology experts. Therefore, they should not have the ability to install any software onto company computers. Software advertised as a simple "PDF Converter" could contain ransomware, letting a hacker gain access to the computer's system without anyone realizing. The best option is to limit who has access to install software.
  4. Don't email sensitive information. Too often, people consider email secure and send payroll information, tax returns, or other sensitive information via email. Companies should utilize a secure file transfer service or portal to transfer this type of information. Also, users should never send information to an email address they don't recognize, or upload to a website that is not secure. Learning how to recognize a spoofed email address or an unsecure website are skills employees should learn as part of cyber security training.
  5. Don't leave computers unlocked. This might seem obvious, but employees should always lock their computers when stepping away from their desks. Even in a secure office building, there may be unknown visitors looking for an opportunity. Companies can implement a standard to "auto-lock" an employee's computer after a set amount of time, ensuring even the forgetful employee's computer is protected.

It’s vital to ensure that the proper precautions are being taken to protect your company from a cyber breach. The do’s and don’ts above are just a few easy ways your company can implement preventative measures.

Did you know that October is National Cyber Security Awareness month? There’s no time like the present to evaluate whether your business is prepared. Kreischer Miller’s complimentary Cyber Health Assessment is professionally-facilitated and conducted in a highly confidential manner, helping you lay the foundation for developing an effective cyber security plan for your organization. To receive your complimentary Cyber Health Assessment, click here.

Elizabeth M. Carroll can be reached at Email or 215.441.4600.

Subscribe to Kreischer Miller's email newsletter

You may also like:

Contact the Author

Elizabeth M. Carroll, CPA

Elizabeth M. Carroll, CPA

Audit Technology Specialist and Manager, Audit & Accounting

Employee Benefit Plans Specialist

Contact Us

We invite you to connect with us to discuss your needs and learn more about the Kreischer Miller difference.
Contact Us
You are using an unsupported version of Internet Explorer. To ensure security, performance, and full functionality, please upgrade to an up-to-date browser.