7 steps to protect your business from cybercrime

Today, the modern workplace is crammed with computing devices ranging from desktops to laptops to tablets to smartphones, and employees are expected to use computers in the course of their day, regardless of what line of work they’re in.

The computer’s pivotal role in the workforce also means that hackers are finding cybercrime to be more lucrative than ever. And as cybercriminals employ increasingly sophisticated means of stealing identities and data, there is no option but for small businesses to do more in order to protect themselves.

There’s no doubt that security has evolved substantially since the early days of the PC. Indeed, measures that may have been deemed excessive just a few years ago are now considered to be merely adequate. With this in mind, we outline seven steps to protect your small business below.

A crucial first step towards protecting your data is to ensure that data is always encrypted at rest. Hard drives can be physically removed from a laptop or desktop and cloned in their entirety, by someone temporarily commandeering a laptop that has been left unattended in a hotel room, or an old laptop whose storage drive have not been properly scrubbed of data prior to being sold.

With the right forensic analysis tools, a cloned hard drive can yield a treasure trove of data, including passwords, browser history, downloaded email messages, chat logs and even old documents that may have been previously deleted.

It is therefore critical that full disk encryption technology is enabled so that all data on storage drives are scrambled. Windows users can use Microsoft’s BitLocker, which available free on the Pro version of Windows 8, or the Ultimate and Enterprise editions of Windows 7. Mac users can enable FileVault, which comes as part of the OS X operating system.

The use of full disk encryption ensures that all data written to the storage disk is scrambled by default, and gives businesses with an excellent baseline of protection where their data is concerned. However, organizations that deal with sensitive information may want to up the ante by creating a separate encrypted file volume for their most sensitive files.

This typically necessitates an additional step of having to first mount an encrypted volume prior to being able to use it, though using it with full disk encryption is as close to uncrackable as you can get.

On this front, TrueCrypt was one of the most popular software programs for creating encrypted file volumes before the project was abruptly closed down. Fortunately, the open source project lives on in the form of forks VeraCrypt and CipherShed, both of which are available on Windows, OS X and Linux. VeraCrypt was forked slightly earlier as part of an initiative to blunt the effects of increasingly powerful computers and their abilities to brute force an encrypted volume, while CipherShed was forked from the last version of TrueCrypt, or version 7.1a.

USB flash drives are cheap and highly convenient devices to help users quickly transfer large files between computers. They’re also incredibly insecure, as their small size makes them vulnerable to being misplaced and/or stolen. Not only can careless handling of USB flash drives culminate in data leakage, but a casual analysis with off-the-shelf data recovery software will yield even previously deleted info.

One possible defense is to encrypt the data stored on your USB flash drive using the built-in capabilities of Windows or OS X. The downside is that this approach can be unintuitive to non-expert computer users, and won’t work when trying to transfer files between different platforms, or even between operating system versions that lack the support for it.

Alternatively, the use of a hardware-based encrypted USB flash drive offers a foolproof and convenient way for seamlessly encrypting data as it is being copied onto the drive. Some, like the Aegis Secure Key 3.0 Flash Drive, even eschew software authentication for physical buttons for authentication, offering a higher threshold of protection against spyware and keyloggers.

While cloud storage services are going to great lengths to ensure the integrity and privacy of the data you store with them, they’re nevertheless a magnet for potential snooping by unscrupulous employees, compromise by elite hackers, or even secret court orders (depending on where the data is physically located).

This means that the safest measure is to either ditch public cloud storage services altogether, or to ensure that you upload only encrypted data. For the latter, a number of cloud services such as SpiderOak specialize in helping you ensure that only strongly encrypted data is uploaded into the cloud.

An alternative is to rely on a private cloud hosted on a network-attached storage device such as the Synology RS3614RPxs, or to explore peer-to-peer private synchronization such as BitTorrent Sync, where data is automatically replicated among privately-owned devices.

Not using a password manager results in users relying on mediocre passwords, as well as a significant increase in reusing those weak passwords across multiple websites or online services. This should be of particular concern, given how countless security breaches over the last few years have shown that most organizations simply do not store passwords with inadequate protection against brute force or social engineering.

For heightened security, some password managers also support the use of a physical fob in order to unlock their password database. This offers great convenience, and could limit the damage caused by spyware when authenticating via a onetime password (OTP).

As its name suggests, multifactor authentication relies on an additional source of authenticating information before allowing you to login to a system. The most common secondary sources are probably a PIN code sent via text message, or through an app-generated code that changes with time. Multifactor authentication is available for many services today, including cloud storage services like Dropbox, and popular services like Google Apps.

Another popular multifactor authentication would be by use of a physical dongle that plugs in via an available USB port and emits an OTP code when tapped. When linked to a password manager service such as LastPass, the use of a security fob such as YubiKey can reduce the risks of accessing the password service on an untrusted machine, as well as offering protection from phishing attempts.

Finally, one often-overlooked area that has been successfully exploited by hackers in the past is the password reset mechanism found on almost all Web services. With the wealth of details published on our social networks, and many other salient personal details being a simple Google search away, it makes sense to review our “hint” questions and other information that could be used to reset our most important online accounts.

Unorthodox methods exist, too — such as when a hacker successfully social engineered his way into controlling an entire domain in order to intercept the password reset email address of a targeted account (see “4 Small Business Security Lessons from Real-Life Hacks.”) One way to thwart such an attack may be to register the email address on a prominent domain such as Gmail.com or Outlook.com as the backup email account registered to receive the password reset message.

Following these steps won’t make you invulnerable against hackers, but it should go a long way towards helping you secure your data from some of the most common cyberattacks we know about today.