“There’s nothing important on my computer, so I don’t care too much about Internet security. Why would anyone want to mess with me?”
“My business is too small for the big Internet crooks; why would they bother to hack my computers?”
People express sentiments like these to me all the time, mistakenly thinking they are somehow immune to the ills of the Internet simply because they are too small, or too uninteresting. Only when they have experienced serious trouble do they come to me, wishing someone had shocked them earlier into the “give it to me straight, Doc,” facts about just how dangerous the Internet can be.
In the first case, the “I’m too uninteresting” mindset, reality can be summed up in a few sentences. The blunt truth is, Internet bad guys could care less what’s on your computer. They do not care if there is anything important on your computer. Sure, if they happen across a Social Security or credit card number, they’ll be glad to steal it, but oftentimes that’s not what they are after. They are much more interested in using your computer as a shield to hide behind while they attack other, more lucrative targets, like banks or retail businesses. By adding you to their robot army, your computer does the dirty work while bringing them their ill-gotten loot, and you take the blame when something goes wrong and your computer gets caught for crimes you had no knowledge of.
In the second case, the case of a business owner thinking their business is too small to be noticed by Internet crooks, nothing could be further from the truth. In many cases, Internet gangsters specifically target small businesses first, knowing that small businesses usually cannot afford IT security departments to keep them safe. This, combined with the knowledge that small business owners are often too busy or too uncaring to provide proper safety for their computers makes small businesses easy picking for sophisticated crooks.
There is a reason why more convenience stores are robbed every year than banks: it’s easier to rob a convenience store than a bank. The same principle applies to Internet crime. Larger Internet businesses are often more well-defended, leaving the low-hanging fruit of small business much less challenging. Add to the mix computer-automated tools designed to attack thousands of businesses a day, and suddenly small Internet businesses turn into big business for online crooks.
The same safety and security measures apply to all computer systems, be they large, small, or home-based. In the case of most small businesses, it is the employees that are the first line of defense, as they are often the ones with the most hands-on computer and Internet contact.
Employee education is job number one. Far too many businesses have complete and total dependence on their computers. Literally everything is there, and if the computers die, the business dies, often permanently. Employees must understand this, and treat things accordingly. They must understand the potential impact the business could experience if its Quickbooks database were stolen, or if passwords to important accounts were compromised. Rules and policies for email, web browsing and social networks must be clearly laid out and explained. Employees must understand that the computers and Internet access are business tools, and are not there to provide employee entertainment. Policies for network access should be clearly understood, as well; can anyone put their smart phone, tablet or laptop on the company network for personal use (and potentially access company records), or should access be restricted?
Employees should also be educated regularly in the many different types of cyberattacks, such as how to recognize dangerous emails, the importance of strong passwords, the hazards found on social networks like Facebook, why updates are important, and how file backups are vital to a company’s longevity. Employees who are ignorant of or do not respect these things are not employees you want to trust your business to.
Ongoing education regarding government regulatory rules and standards can also be important. Does your business accept and handle credit card transactions? Does it use POS (Point-Of-Sale) terminals in the form of modern-day cash registers? Then you and your employees are subject to Payment Card Industry (PCI) rules and regulations, including encryption requirements. Does your business deal in customer medical or financial information? If so, you may be subject to federal HIPAA and/or Sarbanes-Oxley rules, regulations and penalties for non-compliance. Educate your employees about the importance of these areas, as well, and get them on board with making your business a success.