Most hacking isn’t sophisticated. In many ways it’s not even hacking. A marketing company may use shady but legal techniques to find out your annual budget, or a competitor may go after your customer list. Even as a small or medium-sized business (SMB), without an IT security department, there are small things you can do that make a big difference in protecting your digital data.
In our work with SMBs we’ve heard lots of stories about compromised digital data – we’ve tried to distill a few decent ideas below:
1. Search Your Site for Sensitive Files
Google and other search engines allow users to search for specific types of files on specific websites. So, for example, someone could run a Google search query that in effect says “show me every Excel spreadsheet (or PDF) on www.yourwebsite.com.” See for yourself here.
You’d be surprised how much data is hiding in plain sight on a website, often placed there inadvertently by a careless webmaster or an employee who wouldn’t know better. Unless otherwise specified, Google’s robots will index this data and anyone can find it. You should search your own website for any Excel (.xls, .xlsx), PDF (.pdf) and Word files, and maybe PowerPoint files as well, to make sure you don’t have sensitive data hiding in plain sight.
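As an added example (not part of the original article), the same check can be run from the server side instead of through a search engine: this Python script lists every Excel, PDF, Word and PowerPoint file under a site's document root, with the URL it would be served at. It assumes a static document root whose paths map directly to URLs; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from urllib.parse import quote

# File types the article says to look for: Excel, PDF, Word, PowerPoint.
DOC_EXTENSIONS = {
    ".xls": "Excel", ".xlsx": "Excel",
    ".pdf": "PDF",
    ".doc": "Word", ".docx": "Word",
    ".ppt": "PowerPoint", ".pptx": "PowerPoint",
}


def find_public_documents(web_root, base_url):
    """Walk web_root and return {type: [public URL, ...]} for document files.

    Assumption: files under web_root are served at the same relative path
    under base_url (true for a plain static document root).
    """
    found = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()  # match .XLSX as well as .xlsx
            if ext not in DOC_EXTENSIONS:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), web_root)
            url = base_url.rstrip("/") + "/" + quote(rel.replace(os.sep, "/"))
            found[DOC_EXTENSIONS[ext]].append(url)
    return {kind: sorted(urls) for kind, urls in found.items()}


def build_sample_site(root):
    """Create a small constructed document root for the demo."""
    for rel in ("index.html", "downloads/brochure.pdf",
                "old/Budget-2014.XLSX", "uploads/tmp/customers.xls",
                "img/logo.png"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        report = find_public_documents(root, "https://www.yourwebsite.com")
        for kind, urls in sorted(report.items()):
            print(f"{kind}:")
            for url in urls:
                print("  " + url)
```

Point `find_public_documents` at your real document root and review each URL it reports: anything that should not be public belongs off the web server, not just hidden from search results.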
2. Check Your Sharing Settings
As there are more and more files being stored in the cloud, we have to be doubly careful about our sharing settings. Many companies are using Google Drive and Dropbox to manage proprietary data. Oftentimes you’re using these systems to share that data. Occasionally, this can go wrong, and something that should be shared with one person is accidentally shared with many, or even made public on the web.
We recommend tagging or labeling sensitive data with an inconspicuous tag like “A-Check” and regularly checking the sharing settings on those files to make sure they are private.
3. Google Your Email Address
We also recommend googling your own or your company’s email address to make sure internal data isn’t floating around on the web, or that you’re being included in unsympathetic databases. To do this, try surrounding your email address with quotation marks, like “firstname.lastname@example.org”, so Google looks for that exact match. You should also do a search that looks like this: “*@yourwebsite.com”, where the * is a wildcard character telling Google to look for anything in front of the @ sign.
If you find something that concerns you, see what you can do about it.
4. Calendar a New Password Day
Your biggest security hole is probably you or your employees being careless with passwords. Big companies force their employees to change passwords regularly. Even though you may not have that level of security in your company, you can nevertheless set a policy that this is a requirement. Then, you can easily create a quarterly calendar event that reminds employees that it is password change day, and send an email to everyone to that effect. We know – there is NOTHING more annoying than having to change your password. But there’s also nothing that will so quickly contribute to your security.
5. Insist on Passwords for Phones/Laptops
As per the above, make sure you insist on basic protection for phones and laptops. This should be true even if clients are using their private devices. They’re accessing sensitive company information – you should make sure that if a device is lost, it can’t be easily accessed. This is an easy thing to do, and it gives you a big boost in security.
You also need to prepare for a lost phone – make sure you have a way to remotely shut off access to important data hubs like your company email. Many platforms allow for disconnecting devices.
Something many people miss is the risk in sending a phone away for repair, especially if the screen breaks. In that case it may be difficult for the average owner to remove data from the phone or perform a reset. Make sure you think through and talk to your providers about how to handle remote security on the phone.
6. Cancel Old Employee Accounts
We’ve seen cases where SMBs leave old employee cloud accounts (Google Apps, Dropbox) open for a few months (or even longer) after that employee has left. That’s not smart – it creates more access points to your systems and data. Do your best to close accounts quickly, or at the very least change passwords immediately.
There you go! The above tips aren’t groundbreaking, but they’ll help your SMB improve its digital security and may save you some embarrassment or potential business damage. By implementing these, you can sit back and let your digital operation focus on its real goal: converting more site visitors into happy customers.