Frightening facts: A recent Symantec study found that 40% of cyber-attacks are against organizations with fewer than 500 employees. And, according to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year.
Of those, some 60% go out of business within six months after an attack.
It’s no wonder, then, that small businesses are continually asking Optimal engineers about the state of cybersecurity for the industry. Below we’ll walk through how exactly malware can impact your company and its data, and provide actionable steps for protecting your small business against it.
How is malware putting your small business at risk?
What exactly is malware, and how can it affect your company’s data? Here are some quick definitions:
- Malware is actually not a specific threat itself, but rather a blanket term that encompasses any software that gets installed on your machine to perform unwanted tasks for a third party’s benefit. Spyware, viruses, and ransomware are all forms of malware.
- Viruses are programs that self-replicate by attaching themselves to other files or programs and then spread when those files are copied or opened; their close relatives, worms, copy themselves to other computers on your network without any user action. That is why both are likened to an infection. Viruses are programmed to damage a computer by deleting files, reformatting a hard drive, or using up memory and processor time.
- Spyware is software that gathers information from your computer, data, and system, and transmits it to interested parties. We’re talking your web history, browser and system information, and IP addresses. Advanced spyware can even monitor your keyboard activity (“keylogging”) and report back things like credit card information, passwords, and addresses.
- Ransomware is software that attackers use to hold individuals' and businesses' data hostage until they pay for its release. CryptoLocker, one of the first widely spread ransomware families, appeared in September 2013 and circulated by way of infected email attachments. Here, your files are encrypted until you pay a certain price, and the only reliable way around shelling out the cash is to restore a backup of your data. Two caveats: paying does not guarantee you receive a working decryption key, and modern ransomware also encrypts any backup it can reach over the network, so at least one copy of your backups must be kept offline or otherwise out of reach of an infected workstation, and restores must be tested before you need them.
The best ways to prevent malware for small business
Here are some of the best ways to protect your company from malware:
- Keep anti-virus and anti-malware up-to-date. Sure, almost all companies have this software in place in one capacity or another. But is it being updated on a continual, consistent basis? Your protection is only as good as your maintenance.
- Keep your operating systems, firewalls, and firmware up-to-date. Are your servers and workstations running operating systems that are still being supported? Is your firewall current? Is everything being automatically updated and patched on a consistent basis? What about your firmware? It is important that these elements stay current to protect against ever-evolving threats.
- Create and enforce password policies. Good, difficult-to-guess passwords are essential to computer security. What makes a strong password? In a nutshell, it (1) is long: at least eight characters, and preferably twelve or more, since a passphrase of several unrelated words is both easier to remember and harder to crack than a short jumble of symbols; (2) is unique to each account, so one breached website does not unlock your email or bank; (3) is not a common or previously breached password such as "Password1!", which satisfies every "letters, numbers, symbols and capitals" rule and is still guessed in seconds because it sits on every attacker's word list; and (4) is changed when you suspect it has been compromised rather than on a calendar schedule, because forced rotation mostly produces predictable variations of the old password. Create a company policy that outlines these rules, hold your staff to it, and turn on multi-factor authentication wherever it is offered so that a stolen password alone is not enough. (Have a fussy CEO? Get them a password manager before you let them off the hook.)
- Create and enforce an equipment use policy. Set boundaries as far as what your staff members are permitted to do on company-owned equipment. To what extent can they use things like laptops and phones for personal purposes? Can they install software of their choosing? Will there be mandatory scans, backups, or encryption? Establish clear rules, and wrap them into your onboarding process.
- Create and enforce an employee separation policy: Is your business doing anything to ensure that access to your network is effectively revoked immediately upon an employee’s departure? When an employee leaves—whether they’re your CEO or your receptionist—this termination policy must be enforced so that disgruntled former employees cannot introduce malware to your system or access confidential data.
- Educate employees: This is the kicker. An essential part of practicing secure computing is educating employees to make smart computing decisions. For example, what would your staff do if someone called and asked for their social security number? Create regular security training sessions for your employees that cover security basics, including:
- Avoid clicking on suspicious links in emails, and confirm unexpected attachments or requests with the sender through another channel
- Avoid going to suspect websites
- Ensure all downloads are automatically scanned by anti-virus
- Use a different strong password for every account, and don't rotate them on a fixed schedule
- Do not run programs whose origin you cannot identify
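As an added example (this is not code from the original article or from Optimal), here is a small Python policy check that encodes the password rules above: length over forced complexity, no login or company name inside the password, rejection of known-bad passwords, and every failing rule reported at once so a user can fix them in one go. The minimum length, the breached-password list and the sample user names are assumptions constructed for the example.

```python
"""Password policy check, added as an illustration for this article.

Example code, not Optimal's or any product's. The policy it enforces is the
one described above: length and uniqueness over forced complexity, reject
known-bad passwords, and report every failing rule at once.
MIN_LENGTH, the breached list and the sample user names are assumptions.
"""
import hashlib
from dataclasses import dataclass, field

MIN_LENGTH = 12   # assumption: the article's eight is a floor; twelve is a safer one
MAX_LENGTH = 128  # allow long passphrases; never silently truncate

# Constructed stand-in for a breached-password list (a real deployment would
# query a full list such as Have I Been Pwned's Pwned Passwords). Stored as
# upper-case SHA-1 hex, the same shape that list uses, so no plaintext lives
# in the policy file. SHA-1 is only a lookup key here, not password storage.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1!", "letmein", "qwerty123", "Welcome2024!")
}


@dataclass
class Verdict:
    """Result of a policy check: ok, plus human-readable reasons when not ok."""
    ok: bool
    reasons: list = field(default_factory=list)


def _looks_like_keyboard_mash(pw: str) -> bool:
    """Flag 'aaaaaaaaaaaa' and 'abcdefghijkl' / '123456789012' style passwords."""
    lower = pw.lower()
    if len(set(lower)) <= 2:          # one or two distinct characters repeated
        return True
    codes = [ord(c) for c in lower]
    for i in range(len(codes) - 3):   # any run of four consecutive code points
        run = codes[i:i + 4]
        if all(run[j + 1] - run[j] == 1 for j in range(3)):
            return True
    return False


def check_password(pw: str, username: str = "", company: str = "") -> Verdict:
    """Apply the policy; every failing rule is reported, not just the first."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Passwords built from the login name or the company name are the first
    # thing an attacker guesses, however many symbols are bolted on.
    for word in (username, company):
        if word and word.lower() in pw.lower():
            reasons.append(f"contains '{word}'")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in _BREACHED_SHA1:
        reasons.append("appears in breached-password list")
    if _looks_like_keyboard_mash(pw):
        reasons.append("repeated or sequential characters")
    return Verdict(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample inputs: a "complex" password that fails, a plain
    # passphrase that passes, and one built from the user's own identity.
    samples = [
        ("Password1!", "jsmith"),
        ("correct horse battery staple", "jsmith"),
        ("jsmith-Optimal-2024", "jsmith"),
    ]
    for pw, user in samples:
        v = check_password(pw, username=user, company="Optimal")
        print(f"{pw!r}: {'OK' if v.ok else 'REJECT: ' + '; '.join(v.reasons)}")
```

Note that "Password1!" satisfies every classic composition rule (upper case, digit, symbol, more than eight characters) and is still rejected, while the four-word passphrase with no digits or symbols passes: that is the length-over-complexity point in practice. In a real deployment the breached-password lookup would go to a full list and the check would run at password-set time, not as a batch audit of stored hashes.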
In today’s world, we all must prepare in order to protect our organizations. Once you establish the basics (investing in robust anti-malware software and keeping it patched), create comprehensive policies and user training programs to complete your company’s anti-malware efforts.
If they’re at all feasible, we also strongly recommend periodic security audits as a way to keep your business secure. After all, the best way to make sure you’ve remediated all existing vulnerabilities is to have an outside resource actively prod your systems for vulnerabilities. Your provider will run scans, they’ll analyze your existing policies, and they’ll set forth prioritized recommendations to reinforce any weaknesses. (For more on this, check out this article on security audits and how much they’ll cost you.)
Above all, we urge you to make cybersecurity a top priority—and to make security awareness part of your company’s culture.
Stay safe out there!