Given that a cyberattack could shut down your entire business, preventing one should be a top priority. With a background in IT and cybersecurity, Rob Hord, IT manager at Island Home Center and Lumber in Vashon, Washington, takes a proactive approach to mitigating the online threats his business faces every day. But you don’t need extensive IT training to take simple precautions that could prevent a big disaster.
Restrict Account Privileges
Only give employees, from the owner on down, the access they absolutely need to do their work. Day-to-day work should happen in a standard (non-administrator) account; installing software on a company computer should require either approval or switching to a separate administrator account that is used for nothing else.
“Users can run basic point-of-sale applications and browse the web, but they cannot make changes to the system or install applications,” Hord says. “This protects our staff from accidentally installing malware. The key is restricting the business owner and IT team to also using regular accounts in their daily routines. It’s unfortunately very common that many business owners insist on having full administrator privileges on the network and as a result, the owner is often the culprit who clicked on something they should not have.”
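A quick way to check whether that policy actually holds on a given Windows machine is to list who is in the local Administrators group and flag anyone who is not on a short approved list. The script below is an added example for this article, not something from Island Home Center and Lumber; the approved-account names in it are hypothetical placeholders.

```powershell
# Added example (not from the article): audit who holds local administrator
# rights on this Windows machine and flag anyone outside an approved list.
# Assumption: the approved list below is hypothetical; replace it with the
# one or two break-glass admin accounts your business actually uses.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "$env:COMPUTERNAME\it-admin"        # hypothetical dedicated admin account
)

# Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    [pscustomobject]@{
        Name     = $m.Name             # e.g. SHOP-POS1\owner
        Source   = $m.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount, AzureAD
        Approved = ($ApprovedAdmins -contains $m.Name)
    }
}

# Show the full picture, then call out the accounts that should not be there.
$report | Format-Table -AutoSize
$unapproved = $report | Where-Object { -not $_.Approved }

if ($unapproved) {
    Write-Warning "Unapproved members of local Administrators:"
    $unapproved | ForEach-Object { Write-Warning "  $($_.Name) ($($_.Source))" }
    # To demote an account, run from an elevated prompt and uncomment:
    # $unapproved | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
} else {
    Write-Host "Only approved accounts hold local administrator rights."
}
```

Run it on each register and office PC. The usual finding, matching Hord's observation, is the owner's everyday login sitting in the Administrators group; demote it and give the owner a separate admin account for the rare times one is needed.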
Train Your Staff
Require all staff to take training that helps them recognize and respond to common threats, such as phishing and the mishandling of personally identifiable information (PII). Hord uses a third-party service provider to put his employees through training on PII and dark web threats.
“We use these training services so our staff knows what to look for and can smell something fishy when they see it,” Hord says.
Use a Password Manager
Staff at Island Home Center and Lumber are not allowed to save passwords in the browser: anyone who gains access to the machine, including malware, can read passwords stored there. Instead, Hord uses a password manager, which lets each employee keep a unique, strong password for every application without having to memorize them.
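A rule like "don't save passwords in the browser" is easier to keep if the browser simply refuses. Chrome and Edge both honor a machine-wide PasswordManagerEnabled policy; the script below, an added example rather than anything from the article, sets it to off on a standalone Windows PC. It assumes the machines are not domain-joined (on a domain you would push the same policy through Group Policy instead).

```powershell
# Added example (not from the article): turn off the built-in password saving
# in Chrome and Edge via their machine-wide policy keys, so the "no browser
# passwords" rule does not depend on staff remembering it.
# Run from an elevated prompt. Assumption: standalone (non-domain) machines,
# so the policy is written per machine here rather than through Group Policy.
$policies = @{
    'HKLM:\SOFTWARE\Policies\Google\Chrome'  = 'PasswordManagerEnabled'
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge' = 'PasswordManagerEnabled'
}

foreach ($key in $policies.Keys) {
    $name = $policies[$key]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 0 = the browser's own password saving and autofill are disabled
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
}

# Verify: each key should now report 0. After the browser restarts,
# chrome://policy and edge://policy show PasswordManagerEnabled as false.
foreach ($key in $policies.Keys) {
    $name  = $policies[$key]
    $value = (Get-ItemProperty -Path $key -Name $name).$name
    "{0}\{1} = {2}" -f $key, $name, $value
}
```

Firefox uses a different mechanism (a policies.json file with "PasswordManagerEnabled": false) and is not covered by this script. Deploy the password manager's own extension before turning the browser feature off, so staff are not left typing passwords by hand.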
Share Threat Information
Talk with vendors and other small businesses in your area about the scams and phishing attempts you've received. Knowing what scams are making the rounds, and then passing that information along, helps every member of your staff stay alert.
“We often see that management stays apprised of potential threats, but they do not share the info with all the cashiers,” Hord says. “We use email and weekly meetings to disseminate the latest information.”
Review Your Cyber Insurance
Check with your insurance provider to make sure your coverage includes cyber insurance appropriate for your business size. Hord advises not to simply search for cyber insurance on the internet, but to work with someone you know. If you already use a major insurer, it more than likely offers a cyber option.
“The largest insurance companies have access to the best tools. Don’t assume an online specialty insurer will be the best option,” Hord says. “You also get what you pay for. There are coverages that are bare minimum and there are white-glove options. Consider how you would like to be treated during an event to determine the coverage you want.”
Use a Backup System
Back up all data and documents, including point-of-sale (POS) data, to the cloud or to a separate server, so that a copy survives if a machine is compromised or infected. Hord uses a cloud-based daily backup system with version history. Staff have access to Office 365 so they can back up documents to the cloud. Test a restore periodically; a backup you have never restored from is an assumption, not a safeguard.
“Migrating to the cloud offloads the hardware risk from our local business and significantly reduces our responsibility to the threat surface area. Version history is critical because if our backups also get infected, which can happen if a backup happens before we catch the infection, then we can retrieve a prior ‘clean’ backup,” Hord says. “I’ve seen other businesses separate the customer database and the company’s main system. Under this model, if one system is compromised, the other system stays clean.”
Keep Machines Updated
Don’t skip updates to software and operating systems; they close the vulnerabilities that malware exploits. Hord says every machine at his business is set to install Windows updates automatically every week. He also recommends subscribing to an antivirus service and installing it on every machine.
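Automatic updates can silently stop working (a failed install, a machine left powered off, a paused update), so it is worth checking that they are actually landing. The script below is an added example, not from the article: it reports the most recent installed Windows update on a machine and warns when it is older than a hypothetical 14-day threshold (one missed weekly cycle), then reads the Microsoft Defender status as a stand-in for whichever antivirus is installed.

```powershell
# Added example (not from the article): confirm that the weekly automatic
# updates described above are really arriving, and that antivirus
# definitions are current. Assumption: a 14-day threshold (hypothetical)
# gives a weekly schedule one missed cycle before it counts as stale.
$MaxAgeDays = 14

# Get-HotFix reads the installed-update records that Windows exposes
# through WMI (Win32_QuickFixEngineering). Some entries have no date.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if (-not $latest) {
    Write-Warning "No dated update records found on $env:COMPUTERNAME."
} else {
    $age = (Get-Date) - $latest.InstalledOn
    "{0}: last update {1} installed {2:yyyy-MM-dd} ({3} days ago)" -f $env:COMPUTERNAME, $latest.HotFixID, $latest.InstalledOn, [int]$age.TotalDays
    if ($age.TotalDays -gt $MaxAgeDays) {
        Write-Warning "Updates look stale; open Windows Update on this machine and check for errors or a paused schedule."
    }
}

# Get-MpComputerStatus is part of the Defender module on Windows 10 and later.
# If a third-party antivirus is in use it may return nothing; check that
# product's own console instead.
$av = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($av) {
    "Defender real-time protection: {0}; signatures updated {1:yyyy-MM-dd}" -f $av.RealTimeProtectionEnabled, $av.AntivirusSignatureLastUpdated
} else {
    Write-Warning "Defender status unavailable; verify the installed antivirus separately."
}
```

Get-HotFix is a quick check, not a full patch inventory: it lists update records with KB numbers but does not evaluate which updates are still missing. For that, use the Windows Update history on the machine itself or your antivirus vendor's management console.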
Maintain a Safety Stock
Even if your own business avoids a direct hit from a cyberattack, you could still suffer if your wholesaler or another vendor gets hacked, since that can interrupt deliveries to you. Hord stays on the defensive by maintaining a 30-day supply of inventory.
“We take a defensive posture through proactive inventory management,” he says. “We rely on this safety stock level to get us through interruptions in the supply chain.”