Cybersecurity Strategies for Businesses and Nonprofits
March 31, 2017. By Mike DuBose and Blake DuBose
Whether they’re common pickpockets or high-level organized crime syndicates, many criminals have the same goal in mind: using illegal means to obtain others’ money for themselves. Technology-related crimes are no exception, and because businesses typically deal with larger amounts of money than a single person does, they’re an especially attractive target for skilled cybercriminals. As despicable as it may seem, nonprofits are also in danger of online scams!
There are many ways that computer criminals can wreak havoc on a business. For example, they might trick employees into giving them their login information through e-mail “phishing,” then steal client information stored in the system for wide-scale identity theft. Others might use “ransomware” to rapidly encrypt vital files on a business or nonprofit’s network—holding them hostage until they are paid to release them! As the FBI explains, “When the victim organization determines they are no longer able to access their data, the cyber perpetrator demands the payment of a ransom, typically in virtual currency such as Bitcoin, at which time the actor will purportedly provide an avenue to the victim to regain access to their data.” Such scams are constantly evolving, becoming even trickier and more complex as we move into the future.
Organizations of all sizes are potential victims for a wide range of cyber scams. According to John Morelock of Carolina Business Equipment, “Theft from small businesses by itself may have a relatively low value, but when combined with data from a group of businesses, it can greatly increase in value. This will cause an increase in attacks on small businesses, since they continue to be easy targets.” However, with help from Morelock, research by industry experts, and DuBose Web Group’s experiences, we’ve compiled some strategies that organizations of all types and sizes can use to protect themselves:
Contract with knowledgeable, reliable IT professionals. More work tasks are done online or using computers than ever. Although this typically means greater productivity and faster, easier communications, it also makes organizations vulnerable to a wide world of potential cybercriminals. Therefore, every company, no matter how small, needs the help of someone experienced in information technology. Whether they’re members of the organization’s staff or outside consultants, these IT professionals will have awareness of the dangers that cybercriminals pose and can help formulate strong defenses. It’s true: IT solutions are an added cost—but leaders should consider it in relation to the devastation a data breach could inflict upon the budget. With 60% of small businesses that experience major attacks going out of business within six months (according to a report by HP), we consider it money well spent!
Use audits to locate and protect against security weaknesses. Once you have found qualified professionals to help protect your organization’s online security, you can leverage their knowledge to proactively anticipate threats and erect barriers against them. In a recent Forbes column, tech expert Dina Moskowitz recommends beginning with a security audit to “secure your entire IT infrastructure and prevent hackers from accessing your network,” then “encrypting your data, securing your hardware, locking your network.” Morelock echoes her advice, noting that “contracting with a third party to phish and spoof your organization can expose your weaknesses and provide a valuable training tool to help shield your business. Third-party testing can also search for infrastructure gaps.” After looking at your business through a potential hacker’s eyes, your IT staff or consultants will be aware of its most vulnerable points. Then, they can address them in advance to keep cybercriminals out—before the system is compromised.
Make plans to protect the organization. With the guidance of IT advisors and the information gained from security audits, companies should create comprehensive plans for how to deflect cyberattacks before they even start. One key strategy is using the right software, hardware, and cloud storage to fit the organization’s needs. Companies and nonprofits need business-class computers, network equipment (such as routers), servers, cloud storage, and data-sharing options; these generally come with security features that consumer-grade products lack, such as central management, activity logging, and firmware and security updates that arrive on a predictable schedule. Another vital security action is making frequent backups of important files in different places. Keep several dated versions rather than a single mirror that is overwritten on every sync, and keep at least one copy somewhere ordinary workstations cannot write to (offline media, or cloud storage with versioning turned on), because ransomware encrypts every backup it can reach. Done this way, an older intact copy remains available even if the working files and the most recent backup are both compromised. Someone (either within the organization or a consultant) should also be assigned responsibility for patch management, running regular tests and scans, and developing security and risk assessment plans.
Organizations should also have strategies in place for what to do if they are hacked (including how they will lock down sensitive information and notify those impacted) so that they can move quickly if that day ever comes. Share the plan with all staff members so they know their role if the time to implement it ever comes.
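The backup advice above has one failure mode worth seeing in practice: a mirror that is simply re-synced each night copies the ransomware’s damage over the only backup. The script below is an added illustration, not code from the article or from any of the companies it mentions. It builds a small working directory with constructed sample files, takes both a plain mirror and a dated snapshot with a hash manifest, then runs a harmless stand-in for ransomware over the working copy and re-syncs. The snapshot still verifies; the mirror now holds only scrambled files.

```python
"""Versioned snapshots vs. a plain mirror after a ransomware-style overwrite.
Added example, not from the original article. All file names, contents and the
'ransomware' below are constructed for the demonstration."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def mirror(src: Path, dst: Path) -> None:
    """A mirror sync: dst is made identical to src. Whatever damage reaches
    src is faithfully copied over the previous mirror."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def snapshot(src: Path, archive: Path, label: str) -> Path:
    """A versioned backup: each run writes a new labelled directory and leaves
    earlier ones alone. A hash manifest is stored next to it for later checks."""
    dest = archive / label
    shutil.copytree(src, dest)
    lines = [f"{digest}  {name}" for name, digest in manifest(dest).items()]
    (archive / f"{label}.sha256").write_text("\n".join(lines) + "\n")
    return dest


def verify(archive: Path, label: str) -> bool:
    """Recompute the snapshot's hashes and compare them with the stored manifest."""
    stored = {}
    for line in (archive / f"{label}.sha256").read_text().splitlines():
        digest, name = line.split("  ", 1)
        stored[name] = digest
    return stored == manifest(archive / label)


def simulate_ransomware(root: Path) -> None:
    """Constructed stand-in for ransomware: scramble every file with a toy XOR
    and rename it with a '.locked' suffix. Not real malware, just enough to
    show how the damage propagates to anything that syncs from here."""
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        p.rename(p.with_name(p.name + ".locked"))


def run_scenario() -> dict:
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    work, mirror_dir, archive = base / "work", base / "mirror", base / "archive"
    work.mkdir()
    archive.mkdir()
    # Constructed sample data standing in for the organization's files.
    (work / "clients.csv").write_text("id,name\n1,Example Nonprofit\n")
    (work / "ledger.txt").write_text("2017-03-31 donation 250.00\n")

    label = "2017-03-31T00-00-00Z"          # fixed label keeps the run reproducible
    mirror(work, mirror_dir)
    snapshot(work, archive, label)

    simulate_ransomware(work)               # the working copy is hit
    mirror(work, mirror_dir)                # the next mirror sync copies the damage

    result = {
        "snapshot_intact": verify(archive, label),
        "snapshot_has_clients": (archive / label / "clients.csv").exists(),
        "mirror_has_clients": (mirror_dir / "clients.csv").exists(),
        "mirror_files": sorted(p.name for p in mirror_dir.iterdir()),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In a real deployment the archive directory must live somewhere the compromised workstation account cannot write (a pull-based backup host, object storage with versioning or object lock, or media that is disconnected between runs); otherwise the same malware that hit the working copy simply scrambles the snapshots too.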
Make smart technology policies part of the company rules. Every organization should have a detailed employee handbook to guide the behaviors of its staff, including how employees are expected to conduct themselves online when representing the company and how they are to treat company computer systems. For example, staff members should know from reading the handbook that they are not authorized to download any unapproved software to their work computers—a rule that could potentially prevent malware from spreading throughout the system. They should also know that they are expected to keep valuable company information private, and that any messages they send through company systems are property of the company. If you need help constructing employee technology protocols, consult your IT staff or consultants for assistance.
Educate employees about good technology practices. A business or nonprofit is only as secure as its weakest link. For the protection of the entire organization, all employees must be well-versed in the basics of Internet and e-mail safety. It may take some time to teach them smart practices regarding Internet use (especially for employees who are not comfortable with new technologies), but this preventive measure can save countless hours down the road. It’s easy for people who aren’t current on cyber threats to make a mistake that can shut down an entire system. However, as Tami Abdollah noted in a 2016 Associated Press article, “Basic cyber hygiene such as ensuring workers don’t click on questionable links or open suspicious attachments can save headaches.” Have your IT staff member or consultant teach a class on basic rules for Internet safety, or encourage employees to participate in online or in-person trainings so that they have the knowledge they need to avoid making potentially costly errors. Whenever a fresh threat arises, teach staff about it or send out an e-mail alerting them to the new danger.
Limit connectivity. The more points of entry that hackers have, the more likely they are to infiltrate your system. Fortunately for efficiency (but unfortunately for security), many devices that operated separately in the past are now interconnected. As Carolina Business Equipment (CBE) explained in a recent e-newsletter, “Small business owners’ data has become increasingly networked. For example, today’s point-of-sale (POS) systems and printers include software that makes them vulnerable entry points because they are networked, shared, and connected to so many other applications in your business.” Ask your IT consultant to help you locate tools and programs with appropriate protections for your organization’s needs, like printers with built-in business-class security features, and segment the network so that a compromised device, such as a printer or POS terminal, can reach only the systems it actually needs and not the rest of the organization.
A similar idea applies to employees themselves. By giving them access only to the networks needed to perform their jobs, you can protect other parts of the system from being impacted if their computers become infected with viruses or malware. As Abdollah recommends, “System administrators should ensure that employees don’t have unnecessary access to parts of the network that aren’t critical to their work. This helps limit the spread of ransomware if hackers do get into your system.” CBE also recommends isolating the physical components of your system from staff members who don’t need to be around them in the course of their work. Simple things like locking your server room and using security covers for tablets can make a big difference!
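The two paragraphs above amount to one rule: a compromised device or account should be able to reach only what its job requires. The script below is an added illustration, not code from the article or from CBE; the segment names and the allowed flows are a constructed policy for a small office. It computes, for a foothold in one segment, everything an attacker could reach by hopping through segments that are allowed to talk to each other, compares a flat “one big LAN” with the segmented policy, and checks the policy against a list of “X must never reach Y” rules of the kind an IT consultant would write down after an audit.

```python
"""Blast radius of one compromised device on a flat network vs. a segmented one.
Added example, not from the article. The segment names and the allowed flows
are a constructed policy for a small office, not a real network."""
from collections import deque
from typing import Dict, Set

Policy = Dict[str, Set[str]]

# Which segment may open connections to which. Anything not listed is denied
# (default deny between segments). Constructed for the example.
SEGMENTED: Policy = {
    "guest_wifi": {"internet"},
    "pos": {"payment_gateway", "internet"},
    "printers": set(),
    "staff_pcs": {"printers", "file_server", "internet"},
    "file_server": {"backup_vault"},
    "backup_vault": set(),
    "payment_gateway": set(),
    "internet": set(),
}

CROWN_JEWELS = {"file_server", "backup_vault", "payment_gateway"}

# Rules of the form "a foothold in X must never be able to reach Y".
FORBIDDEN: Dict[str, Set[str]] = {
    "guest_wifi": CROWN_JEWELS,
    "printers": CROWN_JEWELS,
    "pos": {"file_server", "backup_vault"},
    "staff_pcs": {"backup_vault"},
}


def flat_network(policy: Policy) -> Policy:
    """Same segments, but every one may reach every other: the single-LAN office."""
    names = set(policy)
    return {name: names - {name} for name in names}


def reachable(policy: Policy, start: str) -> Set[str]:
    """Segments an attacker who controls `start` can get to, assuming each
    segment reached can in turn be used as a stepping stone (breadth-first)."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in policy.get(current, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(policy: Policy, start: str, jewels: Set[str]) -> Set[str]:
    """Which sensitive segments fall if `start` is compromised."""
    return reachable(policy, start) & jewels


def policy_violations(policy: Policy, forbidden: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Every forbidden pair the policy still allows, directly or via hops."""
    found = {}
    for source, targets in forbidden.items():
        hits = reachable(policy, source) & targets
        if hits:
            found[source] = hits
    return found


if __name__ == "__main__":
    for name, pol in (("flat", flat_network(SEGMENTED)), ("segmented", SEGMENTED)):
        print(f"{name:9s} POS compromised -> {sorted(blast_radius(pol, 'pos', CROWN_JEWELS))}")
    print("violations:", policy_violations(SEGMENTED, FORBIDDEN))
```

On the flat network a compromised POS terminal reaches all three sensitive segments; on the segmented one it reaches only the payment gateway it legitimately needs. The check also surfaces a gap in the constructed policy: staff PCs can reach the backup vault in two hops, because the file server is allowed to push to it. That is exactly the path ransomware on a staff PC would take, and the usual fix is to let the vault pull from the file server instead, so nothing on the staff side can initiate a connection to the backups.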
Report attacks. If you are the victim of a cyberattack, report it to the FBI’s Internet Crime Complaint Center at http://www.ic3.gov/. When making a report, the FBI recommends that you include your name, address, telephone number, and e-mail address; the details of what happened to you; documentation of any financial fraud, including account information, transfers and amounts, and the recipient of the money; if known, the scammer’s name, telephone number, e-mail address, and IP address; e-mail headers used in communications with the person; and any other details you think might help the authorities find and capture the person responsible. It’s typically very difficult to locate and prosecute cybercriminals, but at the very least, your report puts the scam on the authorities’ radar and may keep others from falling into the same trap!
When a cybercriminal successfully attacks your business, it can be a huge hassle—but it’s also a learning opportunity. Take the time to dissect the problem and share the mistakes that led to the hack (without judgment) with staff and leaders. By distributing this information throughout the organization, staff can apply the knowledge they have gained to shut down future hacking attempts before they impact the business.
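The report described above asks for the scammer’s IP address and the e-mail headers used in the exchange, and those are the items most organizations struggle to pull out of a message. The script below is an added example, not code from the article or from the FBI; the message it parses is constructed, using reserved example host names and documentation IP ranges. It walks the Received chain from the origin outward, skips the sender’s own private LAN addresses (which are not reportable), returns the first address the mail actually came from on the Internet, and flags the From/Reply-To/Return-Path mismatch that is typical of a wire-transfer scam.

```python
"""Triage of a suspicious e-mail's headers: Received chain, sending IP, and
From/Reply-To/Return-Path mismatches. Added example, not from the article.
The message below is constructed; hosts use reserved example names and
documentation IP ranges."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

SAMPLE_RAW = """\
Return-Path: <payments@accounts-verify.example>
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.victim.example (Postfix) with ESMTPS id 4F3A2B
    for <cfo@victim.example>; Fri, 31 Mar 2017 09:12:03 -0400 (EDT)
Received: from relay.accounts-verify.example (unknown [203.0.113.77])
    by mail.example.org with ESMTP id abc123;
    Fri, 31 Mar 2017 09:12:01 -0400
Received: from WIN-USER-PC (10.0.0.5)
    by relay.accounts-verify.example with SMTP;
    Fri, 31 Mar 2017 09:11:58 -0400
Message-ID: <20170331131158.1234@accounts-verify.example>
From: "Chief Executive" <ceo@victim.example>
Reply-To: <payments@accounts-verify.example>
To: cfo@victim.example
Subject: Urgent wire transfer

Please wire $24,500 to the account below before noon today.
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Addresses that can only be the sender's own LAN or loopback: not reportable.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                     # malformed: treat as not reportable
    return any(addr in net for net in INTERNAL)


def received_hops(raw: str) -> List[Dict[str, object]]:
    """Received chain oldest-first. Each relay prepends its own header, so the
    last Received line in the message is the earliest hop."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = re.sub(r"\s+", " ", str(value))
        m = re.match(r"from (\S+)", text)
        hops.append({"from": m.group(1) if m else None, "ips": IPV4.findall(text)})
    return hops


def originating_ip(raw: str) -> Optional[str]:
    """First non-internal IP walking forward from the origin: the address the
    mail actually came from on the Internet, and the one worth reporting."""
    for hop in received_hops(raw):
        for ip in hop["ips"]:
            if not is_internal(ip):
                return ip
    return None


def header_summary(raw: str) -> Dict[str, object]:
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "return_path": return_path,
        "message_id": str(msg.get("Message-ID", "")).strip(),
        # Display name says the boss, replies go somewhere else: classic scam sign.
        "reply_to_differs": bool(reply_to) and reply_to != from_addr,
        "return_path_differs": bool(return_path) and return_path != from_addr,
        "originating_ip": originating_ip(raw),
        "hops": len(received_hops(raw)),
    }


if __name__ == "__main__":
    for key, value in header_summary(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Two caveats when using this on a real message: only the Received lines added by your own mail server (the topmost ones) are trustworthy, since a sender can forge any headers below them, so the reportable address is the one your server or a relay you trust recorded; and the full raw message, headers intact, should be saved as a file for the report rather than forwarded, because forwarding replaces the headers with your own.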
The bottom line: The Internet is an incredible tool for sharing information and doing business, and it shows no signs of losing popularity. If you use it correctly, it can make your life a lot easier and simpler—but if you don’t follow smart online security practices, you can open up your business, nonprofit, or yourself to theft and fraud. Cybercrime is thriving, and experts forecast that it will only grow in the future. Follow our simple recommendations to foil these attacks and protect yourself, both as a person and a business leader. As Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure!”
About the Authors: Our corporate and personal purpose is to “create opportunities to improve lives” by sharing our knowledge, research, experiences, successes, and mistakes. You can e-mail us at [email protected].
Mike DuBose received his graduate degree from the University of South Carolina and is the author of The Art of Building a Great Business. He has been in business since 1981 and is the owner of Research Associates, The Evaluation Group, Columbia Conference Center, and DuBose Fitness Center. Visit his nonprofit website www.mikedubose.com for a free copy of his book and additional business, travel, and personal articles, as well as health articles written with Dr. Surb Guram, MD.
Blake DuBose graduated from Newberry College’s Schools of Business and Psychology and is president of DuBose Web Group (www.duboseweb.com).
Katie Beck serves as Director of Communications for the DuBose family of companies. She graduated from the USC School of Journalism and Honors College.
© Copyright 2017 by Mike DuBose—All Rights Reserved. You have permission and we encourage you to forward the full article to friends or colleagues and/or distribute it as part of personal or professional use, providing that the authors are credited. However, no part of this article may be altered or published in any other manner without the written consent of the authors. If you would like written approval to post this information on an appropriate website or to publish this information, please contact Katie Beck at [email protected] and briefly explain how the article will be used; we will respond promptly. Thank you for honoring our hard work!