Cybersecurity 101 for Business

Watch the video below or scroll down to read the recap

This class is provided in partnership with the WV Small Business Development Center

The Bluefield WV Economic Development Authority (BEDA) hosts workshops to meet the needs of our local and regional business owners. This class taught by Andrew Baker with BrainWave Consulting LLC, will challenge your thinking in regards to your business's cyber liabilities and offer tips on how to make your online presence more secure.

We often think about cybersecurity for ourselves personally whether it's passwords, clicking bait links, or junk e-mails, but your business can be just as vulnerable... if not more. This workshop is going to be "light" with steps that you can implement today. We will NOT cover Artificial Intelligence (AI), Threat Intelligence, Regulatory Compliance, Intrusion Detection & Prevention, Zero Trust Access, or other deep topics.

Andrew first explains, "There is NO such thing as a FREE lunch". He shows us a triangle diagram with the words "cheap", "secure", and "fast" in each corner. He mentions many people will try to sell you a security and/or technology solution that covers all three of those -- and that is extremely rare. Most of the time you are only able to select 2 of those options.

Next, Andrew shares some basic cybersecurity facts:

1. If you are on the internet in any way, you're open to cybersecurity attacks. It doesn't matter if your business is a bank or financial in nature. These attacks can reach you for "good" or for "evil". Although your business may not be financial, it probably has ties to a business that does. They don't know what kind of business you have until they've hacked into it.

2. Cybersecurity isn't just about tools, it's about people, processes, and tools.

3. Cybersecurity is about how you live and behave -- not just what you buy.

4. Your goal at the end of the day is to minimize risk. You can't say, "I'm perfectly secure", it is about how you minimize the threats you receive.

5. You shouldn't spend $1 million to fix a $10,000 problem.

6. Education & Awareness for yourself AND your employees is essential to good security.

7. Poor security always costs you more than you think. If you lose something that is worth $10,000, not only do you have a $10,000 loss you could also lose reputation, data, or another asset. This may cost a business doing business with you.

8. Complexity is the enemy of good security.

9. How you spend is more important than how much you spend.

Cybersecurity is part of risk management. You need to look at your business and say, "I have these business risks, I have these technology risks, and this is what I am going to do to minimize their effect on me." There is always a chance someone will steal from your store, someone will break into your website, you might open a bad link on an email. Every business, regardless of size, has risk management they have to deal with.

It's also about people. Careful staff will make up for bad technology or processes. Careless staff will create security problems even if you have the best processes and technology. As a business owner, you probably wear many hats -- treat them differently. When you wear each hat, behave differently with each hat. You may do finances, sales, and IT but you need to act accordingly and behave differently in each role and not use the same account for all of those roles.

Trust, but verify. Don't take things for granted. If you see something out of place, verify its legitmacy.

Whatever steps you take for protection should be practical. Whatever steps you take, aim for practical and document your steps so someone else can follow your instructions. Be sure that when you purchase and/or install some type of tool or software, make sure it's fitting the objective in your mind. Don't change your whole process just for this tool or software. The most important tools you can pay attention to are:

1. User Account Management & Multi-factor Authentication

2. AntiVirus/AntiMalware/Endpoint Security Solutions

3. Monitoring Systems

This applies to desktop just as much as mobile.

Security awareness training:

• Recommend implementing this in the workplace for all employees

• KnowBe4 -- a portal with free training, tips, quizzes, and resources

Tips for security:

• Don't share accounts or passwords across systems

• Don't share credentials (username/passwords) across sites with different levels of sensitive information

• It makes sense if you use the same username/password with all of your bank accounts, it's not the best or recommended.

• Do NOT use the same username/password for your social media or e-commerce as your bank accounts

• Don't share your accounts or passwords across people. Although this is hard because usually, a site can't allow multiple accounts. For example, the same login information for ordering supplies for your business. If you have to, use multi-factor authentication. Remember to change the login details if someone leaves the organization.

• Do use a Password Credential Manager such as LastPass or Dashlane. This way you can have tons of different (and safe) passwords for your different accounts. Be sure to use a strong password for your password credential manager.

• Don't use personal data (birthday, locations, family members, etc.) as part of your passwords

• Don't answer those silly social media questions that are asking for details about where you live, who you are, what year you were born. For instance "Comment below with the GIF that comes up for the year you were born" or "how old were you when JFK was assassinated?" these details are being harvested.

• When you're setting up security questions and answers, "What is your mother's maiden name?" or "What was your first car?" use fake answers and store them in your password credential manager.

• Use Multi-Factor Authentication: usually, this consists of the site you're logging into requiring a code to be sent to another device.

• Do use a dedicated computer (preferably a stationary desktop) for just your finances (banking, payroll, accounting, etc.), and do not access any other sites other than the role of finances.

• If you can't dedicate a single computer to doing finances, dedicate a single browser for doing finances. If you use Google Chrome for social media and email, use Mozilla Firefox or Internet Explorer for finances.

• Do ensure you have good physical security -- if your business is in a shared space, be sure to lock your network equipment up. Keep your laptop and desktop screens are locked when you're away from your desk.

• Don't rely on your Internet Service Provider's tools for cybersecurity -- it's better than having nothing but can be improved with different tools. Spend a little bit more on a real firewall like Fortinet or a pfSense device.

• Protect your website using CloudFare to protect it from Denial of Service attacks. You can use CloudFare to host your DNS services.

• Do consider Cybersecurity Insurance

Andrew's Recommended Cybersecurity Resouces:

• Free General Resources

• https://www.nist.gov/itl/smallbusinesscyber

• https://www.fcc.gov/general/cybersecurity-small-business

• Free Cybersecurity Policy Templates

• https://www.sans.org/information-security-policy/

• https://www.sans.org/information-security-policy/

• E-Commerce Solutions

• https://www.websitebuilderexpert.com/ecommerce-website-builders/comparisons/shopify-alternatives-competitors/

• https://www.pcmag.com/news/how-to-secure-your-e-commerce-website-6-basic-steps

• Email Security

• https://www.gartner.com/reviews/market/email-security

• https://www.gartner.com/reviews/market/email-security

• https://www.mimecast.com/products/email-security-with-targeted-threat-protection/

• https://www.proofpoint.com/us/products/email-security-and-protection/email-protection

Let's Get in Touch!

Andrew Baker, CxO | BrainWave Consulting

abaker@brainwavecc.com | www.brainwavecc.com

Jim Spencer, Executive Director | Bluefield WV Economic Development Authority

jspencer@bluewv.org | (304) 902-2332 x 1