Many small businesses allow their employees to use personal mobile devices for work. In addition, they host public wireless networks for customers to peruse email and the internet via mobile devices and wearable technologies like smartwatches. Both can be a benefit to employees and customers, but “bring your own device” (BYOD) and public Wi-Fi access come with a price.
Hardly a month goes by when you don’t hear stories of cyberattacks that may result in the theft of sensitive customer credit card data and proprietary financial records. While it may not make the papers, it happens to small businesses all too frequently. When policies are not well documented or understood by employees and patrons, that risk increases. According to the Center for Identity at The University of Texas at Austin, 85 percent of small businesses do not have a written plan in place for keeping their businesses cybersecure.
“Many small businesses have fairly large problems when it comes to BYOD practices and Wi-Fi connectivity,” says Sean McCleskey, the Center for Identity’s Director of Education. “They tend not to appreciate the risks they’re inviting.”
Rein in remote access
Prior to joining the Center for Identity in 2015, McCleskey was a Special Agent with the U.S. Secret Service for 17 years, focused primarily on identity-theft crimes. His biggest piece of advice for owners and managers of small businesses: Determine the company’s most sensitive information and who is allowed to access this data outside the office. “We did an audit of a law firm once and found out that the receptionist had off-site access to proprietary data like bank account information,” he says. “We nipped that in the bud.”
Once data access practices are developed and written down, provide this acceptable-use policy to employees for their signatures. The document should contain clear disciplinary actions for non-compliance. “If it doesn’t have teeth in it, employees will be less willing to abide by the rules,” McCleskey says.
Good rule of thumb
Requiring strong passwords that are changed on a routine basis, along with multi-factor authentication, in which the user is granted access to data only after presenting several pieces of evidence, is strongly advised. For employees who have access to extremely important and sensitive data, companies may want to issue laptops that are encrypted and can’t be accessed by a thumb drive. “I can’t tell you how many times a company loses proprietary information because an outsider sticks a thumb drive into a laptop when the person isn’t watching,” McCleskey says.
Safeguard that hotspot
With regard to a small business that hosts a Wi-Fi hotspot, McCleskey warns that these wireless networks can be infiltrated. According to a 2016 study of more than 31 million Wi-Fi hotspots across the world by Kaspersky Lab, more than one-quarter are not secured, with no encryption or password protection required. “A cyberattacker can take control of company computers, capture the passwords, and infect systems with malware to breach sensitive files,” McCleskey says.
For this reason, it is wise to keep public hotspots separate from the Wi-Fi used by employees. Business providers, such as Spectrum Business, provide a separate modem for public hotspots at no additional charge. Internet service providers may also be able to help reduce other small business Wi-Fi risks. “For those with more significant assets at risk, third-party security consultants can be retained to do the same,” McCleskey says.