6 Information Security Tips for Your Small Business

At Supporting Strategies, we're committed to staying on the front lines in the fight against hackers. We encourage small businesses to do likewise, and there's no shortage of advice available on the web when it comes to installing the latest antivirus software.

But it's a mistake to assume that simply installing antivirus software ensures your small business' information security system is impregnable. No software can safeguard against the greatest threat: human error. You and your employees must remain ever vigilant. Here are six tips to help.

1. Be Sure Every Computer Is Secured
This applies on two levels. First, all computers — desktops, laptops, tablets — must be physically secure with a lock or some other device. On that note, employees should never leave a laptop or tablet unattended in a car, hotel room, airport lounge or anywhere else, no matter for how short a time period.

2. Never Share Your Password
I know of a financial institution that had dual controls for all financial transactions as a security measure, meaning a manager had to approve them. Well, this one manager gave his password to a clerk (a longtime employee) so that the clerk could approve transactions while the manager was offsite. It turned out the clerk was having financial problems. Once or twice a month, he'd transfer fairly small amounts of money to his son's bank account from one of the bank's largest clients. This went on for a couple of years before an auditor finally uncovered it. All because a manager shared his password.

3. Never Leave Your Password Next to Your Computer
If you haven't done this yourself, you've seen someone else do it. They jot their password on a sticky note and then leave it on their desk, or even stick it right on their computer monitor. That's like a homeowner who locks the front door and then leaves the key under the welcome mat.

4. Beware Trojan Horse Emails and Phishing Expeditions
"Phishing expeditions" — that is, emails that appear to come from reputable companies or trusted clients — have been around for a while. But hackers will usually give themselves away, if you and your employees learn what to look for. First and foremost, never download attachments or open links from unfamiliar sources. Remember that no bank or credit card company would ever send an email soliciting passwords, account numbers or other sensitive information.

And you and your employees shouldn't be lulled into a false sense of security just because you use a spam filter. Hackers can still get through, and their fakes are getting more and more authentic. Recently hackers spoofed DocuSign in an effort to get recipients to open an attached document infected with malware. A closer look revealed the email didn't resemble standard DocuSign emails and had an incorrect URL. In general, most email exchanges with vendors follow a pattern. So if you receive an unexpected email that doesn't feel right, don't click on it — and certainly don't open any attachments. Then go to the vendor with your suspicions.

5. Check Your Vendors' Security
You know that saying about a chain being only as strong as its weakest link? That applies here.

Let's say you hire a vendor to develop a website for your small business. You provide them access to all of your applications so they can develop a site with the functionality your business requires. In the process, you inadvertently compromise your clients' data. Guess who your clients are going to hold responsible in a case like this? And they should. On a related note …

6. Make Sure All of Your Software Is Up to Date 
It goes without saying that you need to update your antivirus protection periodically to stay one step ahead of the hackers. But it's just as important to upgrade all of your systems when necessary. Even a small vulnerability anywhere in your IT system can lead to a disastrous breach.

For a cautionary tale, just look at the Equifax case, in which 143 million Americans had their data exposed. It appears that Equifax, a credit-reporting agency, simply took too long to respond to a known software vulnerability. According to a statement from The Apache Foundation, "The Equifax data compromise was due to their failure to install the security updates provided in a timely manner."

By the way, if you're a small-business owner, make sure your employees never accept software upgrades without your permission.