Simple Cyber Security for Small Business

Easy steps any business can take to harden their network against cyberattacks.

Quinton Owens
19 min read · Sep 28, 2023

After repairing computers, laptops and all kinds of tech hardware for several years, I had many repair customers reach out to me for general IT needs. After all, they were small operations like mom and pop shops with 15 employees, or a medium-sized outfit with 2 locations and 50 employees. They didn’t have an IT staff to configure the new wireless printer, show them how to get their new Bluetooth keyboard to work, or figure out why the network keeps dropping devices. And so, being me, and being helpful, I gradually found myself studying the field of general IT support, and working inside of many small businesses, not just on the hardware, but doing things for them on their network. It was an eye-opening experience in many ways, and I had to learn on the fly, which is what I do best. These days, I am much more focused on the subject of Cyber Security and I can’t help but think about some of the poor security practices I’ve seen in so many small businesses over the years. Believe me when I tell you it’s bad, and if you own a small business and you aren’t focused on network security, you’re at a huge risk. Not to worry though, there are some simple things I’d like to share that ANY business can do to help ensure they aren’t on the wrong end of a malicious hacker’s terminal.

Is Your Small Business REALLY at Risk?

First, let’s discuss why, no matter how small or obscure you think your business is, you should be concerned about your network security. I say that because I’ve heard it…many, many times. For some reason, small business owners don’t think they’re an interesting or lucrative target for cyber criminals. However, there’s a saying in the IT world that “obscurity is not security”, meaning that being a small business rather than a Fortune 500 company doesn’t protect you. It’s true, large corporations are the target of malware, viruses and malicious hackers every day. However, they have entire security teams set up in a SOC, or Security Operations Center, monitoring their network 24/7/365. They also perform regular audits, and hire security firms to perform penetration tests, where a good guy, known as a white-hat hacker, actively tries to hack their network, and then shares the information with the company to harden their defenses. Your business, on the other hand, doesn’t have any of those things…and the hackers know it. To a seasoned hacker, the Fortune 500 may be the brass ring, but small, unsecured businesses are ripe, low-hanging fruit.

You don’t have to be the direct target of a malicious hacker to download malware that will encrypt all of your network files, or to be pinged by bots looking for open gateways that report back to a hacker so he can poke around your network. In fact, being a small business, with no IT infrastructure, and without a security tech like myself looking after you, makes you incredibly vulnerable to attack. If you take card payments, keep your books, manage inventory, send invoices, keep customer data, employee birthdays and SSNs, or even access your bank accounts online at your business, you have something hackers want. In fact, you may be surprised that being small and obscure may be the exact things that make you a target. A Forbes article recently found:

When it comes to avoiding cyberattacks, bigger is apparently better. At least that’s according to a new report that shows small businesses are three times more likely to be targeted by cybercriminals than larger companies.

What to do About it

Now that we have the WHY sorted out, and I have your attention, let’s take a look at the HOW. I’m not just here to tell you about the problems, I’m here to give you solutions. So, what can you do to harden your business against cyber threats? Let’s talk about it.

Private vs Public Network

One of the first steps you should take is to determine the type of network you have at your business. At the end of this section I will show you an easy way to determine what type of network you have. For now, let’s discuss the two types.

To understand the differences between a public and private network, I’ll need to detour for a second and give you some background on Network Address Translation, or NAT for short. Essentially, NAT does two things: first, any router or server using NAT will hide the IP addresses of all of the devices behind it on the network from the wider internet, and second, it assigns these devices a Private IP Address like 192.168.0.100. This eliminates the need for every device in the entire world to have its own globally unique IP address, and there are billions of devices. NAT provides both a measure of security and relief from IP address congestion.

Since almost all consumer routers use NAT to create private networks, odds are, if you are at home or in a small business in the US, most of your devices have an IP address in the 192.168.X.X range. Your router, or default gateway, shields your network to a degree by not allowing the wider internet to see the IP of, or initiate connections with, any devices on your network. Instead, your devices communicate with your router, which calls out to your internet provider’s gateway, which then initiates a connection with Google.com, and the packets are sent back down the line to establish a connection with your device. Additionally, your ISP may use Carrier-Grade NAT (Double NAT), meaning that the servers at your Internet provider are also shielding the public IP of your gateway and obscuring its address, thus making it hard for anyone to discover the actual address of your router and initiate a connection to it from the outside. This is the safest situation for your business. Not only are your devices hard to reach, but your actual gateway is concealed behind your internet provider. While being hacked behind Double NAT isn’t impossible, it does make it much more difficult for hackers to ascertain your gateway IP and initiate a connection to it. You are, however, just as susceptible to downloading malware that will allow a hacker to call out from your network back to their PC. So keep that in mind.

If your business has a public gateway IP address, your router, and thus your network, can be reached from anywhere in the world. I’m assuming if you have this type of network, there’s a need for it, and you’ve asked your Internet provider to grant you a Public IP. Maybe there’s a file server at work you are accessing from home, or a time clock you’re logging into to do payroll over the weekend. Whatever the case may be, if your ISP has issued you a Static Public IP Address, and you can reach devices on your business network remotely by IP Address alone, you are highly vulnerable to attack. If you have a need for this, there are steps you can take to secure your business, but exposing your IP and opening ports for these services without any security architecture is reckless. For most simple office tasks there are options such as Remote VPN, Tailscale, and Remote Desktop that will let you access your network behind NAT in a more secure way, or that at least employ two-factor login, without leaving your gateway exposed. While most Internet providers require you to ask for a public IP, some internet providers may issue business customers a public IP by default. I’ve seen it happen. If your ISP originally issued you a public IP and there’s no specific need, I would implore you to contact them and have your network moved behind Carrier NAT. If for some reason you absolutely need public access to your gateway, I highly suggest you bring in an IT consultant who can help you install network devices to help prevent intrusion.

While there are some more technical ways to determine your network type, there are some non-technical ways as well. First, you can always just call up your Internet provider and ask. Also, you can easily ascertain whether or not you have a public or private gateway IP by going to a site like https://whatismyipaddress.com from a device on your business’ network. You’ll see your public IPv4 address. To test it, you can turn off WiFi on your phone, and type that address into the web browser using your cellular wireless signal. If the address is unreachable, it is because the public address you are seeing is the server at your ISP. Your actual gateway IP is concealed. However, if you are greeted with your router’s login screen, you have a public network and your business’ gateway is available for all the world to access. Another clue is in the location map: if you live in rural Georgia for instance, and the map displays your IP location originating from Atlanta, 100 miles away, that’s the address of your ISP. However, if the map clearly shows your business location, your network is most likely public, and not only could an attacker connect to your gateway, but they could Google the location of your business, find photos, employee names, search Facebook accounts for potential login credentials like children’s names or birthdays, and a whole host of other public information about your business when gathering intel to hack you.
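The same check, written down as a small script so it can be repeated on every site you look after. This is an added example and not part of the original article; it takes the two addresses the article tells you to collect (the WAN address on your router’s own status page, and the address whatismyipaddress.com shows you) and the sample values in it are constructed from the RFC 5737 documentation ranges.

```python
"""Classify a business gateway as private (behind the ISP's carrier-grade NAT) or public.

Added example, not from the original article. IPv4 only. The two inputs are the
addresses the article tells you to collect: the WAN address shown on your router's
own status page, and the address a site like whatismyipaddress.com reports for you.
All sample addresses below are constructed (RFC 5737 documentation ranges).
"""
import ipaddress

# RFC 1918 ranges: what NAT hands out to devices behind your own router.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared range: what an ISP hands to your router when you sit behind
# carrier-grade NAT (the article's "Double NAT").
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# Addresses that are never reachable from the Internet at all.
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in
                   ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def classify_address(addr: str) -> str:
    """Return 'private', 'cgnat', or 'public' for one IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE_NETS + UNROUTABLE_NETS):
        return "private"
    if ip in CGNAT_NET:
        return "cgnat"
    return "public"


def gateway_exposure(router_wan_ip: str, observed_public_ip: str) -> str:
    """Decide whether the business gateway itself is reachable from the Internet.

    router_wan_ip      - the WAN address printed on the router's status page
    observed_public_ip - the address the outside world sees for your traffic
    The returned string starts with 'private', 'public', or 'unclear'.
    """
    wan_kind = classify_address(router_wan_ip)
    if wan_kind != "public":
        # The router's own WAN side carries a NAT address, so the observed
        # public address belongs to the ISP's equipment, not to your gateway.
        return "private: gateway sits behind carrier NAT and is not directly reachable"
    if router_wan_ip == observed_public_ip:
        # The router holds the very address the Internet sees: anyone can try
        # to connect to it, so its admin page and any forwarded ports need
        # strong credentials and a good reason to exist.
        return "public: gateway holds the Internet-facing address and can be reached directly"
    # A routable WAN address that still differs from what the Internet sees
    # means something upstream is translating; confirm the setup with the ISP.
    return "unclear: routable WAN address differs from observed address, confirm with your ISP"


if __name__ == "__main__":
    # Constructed sample pairs; 203.0.113.x and 198.51.100.x are documentation ranges.
    for wan, seen in (("100.72.1.9", "203.0.113.5"),      # typical carrier-NAT customer
                      ("203.0.113.5", "203.0.113.5"),     # static public IP from the ISP
                      ("192.168.1.2", "203.0.113.5")):    # router behind another router
        print(f"WAN {wan:>14}  seen as {seen:>12} -> {gateway_exposure(wan, seen)}")
```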

In summary, if you need to access your network from home or another site you can do so without having a public gateway IP address, and unless you are hosting a website or enterprise-level services from your business, I highly recommend keeping your network address private.

Passwords

I know, you’ve heard this one a million times, but there’s a reason security professionals stress strong passwords. Remember this motto: “simple passwords are simple to crack”. In order to impress upon you the need for strong passwords on your devices and accounts, let me back up and tell you what it looks like from the hacker’s point of view. You see, when a hacker wants to access one of your devices like your router, computer workstations, or even log in to your WiFi network, he can use a plethora of easily downloaded tools to “crack” or break your passwords. These tools essentially use gigantic lists of common passwords. For example: “Password”, “Password123”, “Password1234”, “P@ssword”, and so on. In fact, when major data breaches occur at large companies with thousands of employees and new passwords are exposed, they usually get added to the ever-growing lists. Hackers simply load these lists of passwords into the tool and it will go to work on your device…beating it up, spraying millions of passwords at it, until it hits the correct one. It’s called a “brute-force attack”. For this reason, you must use strong passwords on all of your devices and online accounts. Strong passwords generally include:

  • 8 Characters (good)
  • 10 Characters (better)
  • 12 Characters (best)
  • A mix of upper and lower-case letters
  • Numbers
  • Special characters
  • NO names or words from the dictionary
  • Do not reuse passwords across multiple devices and accounts
  • Change Passwords at least a few times a year

The point here is to be so random with your passwords that they’d never be on a list, and if one password on a device or account is compromised, it doesn’t compromise others. You can use a password manager, or create your own, but it is infinitely more difficult for a hacker to crack a password like “#3H4rw$P95@A” than one like “Strawberry94”. While I certainly realize the inconvenience of implementing such things, they should be done. You’re going to see a theme here, where, as you increase security measures, convenience decreases. There’s no way around that reality. However, keep in mind that a mere inconvenience for you can often be a brick wall for a hacker.
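To make the list above concrete, here is a checker that applies those rules, including the two that matter most against the wordlists described (no dictionary words, and nothing already in a leaked list). It is an added example, not code from the article; SAMPLE_BREACHED and SAMPLE_DICTIONARY are tiny constructed stand-ins for the gigantic lists cracking tools actually load.

```python
"""Score a password against the rules in the list above.

Added example, not from the original article. SAMPLE_BREACHED and SAMPLE_DICTIONARY
are tiny constructed stand-ins for the gigantic leaked-password and word lists that
cracking tools load; a real check would use a full list or a service that holds one.
"""
import math
import string

# Constructed sample of the kind of entries that fill real cracking wordlists.
SAMPLE_BREACHED = {"password", "password123", "password1234", "p@ssword",
                   "strawberry94", "qwerty", "welcome1", "admin"}
# Constructed sample dictionary; only words of 4+ letters are matched.
SAMPLE_DICTIONARY = {"password", "strawberry", "summer", "welcome",
                     "admin", "company", "office"}
# Undo the substitutions cracking tools try routinely ("P@ssw0rd" -> "password").
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "!": "i", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    return pw.lower().translate(LEET_MAP)


def contains_dictionary_word(pw: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    norm = normalize(pw)
    return any(len(word) >= 4 and word in norm for word in dictionary)


def is_breached(pw: str, breached=SAMPLE_BREACHED) -> bool:
    # Leaked lists hold the literal string, so compare both raw and normalized.
    return pw.lower() in breached or normalize(pw) in breached


def keyspace_bits(pw: str) -> float:
    """Rough size of the space a brute-force attack must search, in bits.

    Only character classes actually present count, which is why mixing classes
    and adding length both matter. Dictionary words shrink the real search far
    below this number, so they are checked separately.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return round(len(pw) * math.log2(size), 1) if size else 0.0


def evaluate(pw: str) -> dict:
    """Apply the article's rules and return the findings as a dictionary."""
    n = len(pw)
    length_rating = ("best" if n >= 12 else "better" if n >= 10
                     else "good" if n >= 8 else "too short")
    problems = []
    if n < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("no mix of upper- and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if is_breached(pw):
        problems.append("appears in a breached-password list")
    return {"length_rating": length_rating, "keyspace_bits": keyspace_bits(pw),
            "problems": problems, "acceptable": not problems}


if __name__ == "__main__":
    for candidate in ("Strawberry94", "P@ssword", "Welcome2024!", "#3H4rw$P95@A"):
        print(candidate, evaluate(candidate))
```

Note that “Welcome2024!” satisfies every character-class rule yet still fails, which is exactly why the dictionary and breached-list checks are on the list.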

Change Default Credentials

Let’s say you buy a new router for the office. You unbox it, plug in the Ethernet cable and it gets the signal from your ISP and boom, you’re up and running. Everything works, so you move on. Simple enough…or is it? Have you actually logged into the router’s interface to change the credentials? How long has it been that way? Did you just leave the WiFi access password set to default? You may be surprised to know, that if you haven’t changed anything, I could probably find the login credentials and default password for your gateway interface on Google. I’ve done it before. You see, many manufacturers of network hardware like wireless access points, routers and gateways, even IP cameras, ship these products preset with default credentials like “Admin” for the username, and “Password”, for the (you guessed it) password. If you’ve never taken a look at this on your network, you should. Check any devices you have to ensure that there’s a unique username and a strong password set. Here’s an article that will go into detail about how to find your router’s IP address and access it through the web browser to configure it. That process will essentially work for many of your network devices that have an interface accessible by web browser.

Close Unnecessary Open Ports

While you’re logged into your router changing those default credentials, make sure you check your open ports. Ports are essentially lanes of communication along the Internet highway through your devices. By default, many of those lanes are closed and only a few remain open. Port 443 is used for secure web browsing (HTTPS), but if your router has ports like 20, 21 and 23 open and you have no idea what FTP or Telnet is, you should probably close those ports: they are used to communicate and send files over the internet and can be easily exploited against your network if you have no reason for them to be open. Odds are they are already closed; unless you’ve specifically opened these ports for a reason, or your nephew opened ports to host a Roblox server, you’ve probably got only the default (necessary) ports open on your network. Still, this is something to be aware of and take a look at if you are so inclined. Here’s an online tool you can use to check open ports, along with a deeper dive on how to fix any issues.

Network Segmentation and Internal Security

I’ve already discussed above why you should be on guard against attacks originating from outside of your business, and generally, those threats are what most people think of when they think of being hacked. However, as a business you can’t simply focus on external threats; you have to be aware of, and mitigate, internal threats as well. An example of an internal threat could be a disgruntled employee in shipping accessing accounting files to steal credit card numbers or banking information, or guests being able to access sensitive files on your network from the waiting area. Should every employee or visitor on your network have access to the shared folders for accounting? If you’re a coffee shop, should your guests be able to see the shared folders on your business laptop in the back room? Probably not. This solution gets a little technical, but as a responsible business owner, you must consider your potential risk and take steps to secure access to sensitive areas of your network. If you have no other choice but to operate on a single network in your office, you must at least make sure your network settings and shared-folder policies on your Windows devices are configured correctly. I’d suggest creating groups and policies that assume zero trust, as you would on a public network, and make sure that only individuals who need access to shared files are grouped together, and that these groups cannot access files from other groups. For instance, all warehouse users are in a group together and can access each other’s shared folders for inventory and shipping, but they wouldn’t be able to see Becky and Stacy’s files in accounting, and vice versa. This will help prevent unauthorized employees from encountering information they have no need to know. Likewise, this will prevent guest users sipping coffee in the waiting room from browsing through employee records in a shared folder on the network. You’ll have to do this on each machine as administrator, unless you have a domain server, but if you’ve only got 6 machines used by a dozen employees, it’s worth the trouble and may save you a headache long-term. Here’s an article that will get you started.

A more advanced option, in addition to setting security, group and sharing policies, is proper network segmentation. Did you know a skilled hacker could access critical files on your network and download them from the guest area, using only a cell phone? Ideally, you’d want all of the machines in the office on a separate network from the ones in the garage, or your guests on a separate guest network, apart from the business network. This is another way to keep the network segmented and users compartmentalized into different areas to prevent unauthorized access to sensitive information. Some routers will allow you to segment your network by grouping devices within a certain IP range together on their own network. Other hardware will let you create VLANs, or Virtual Local Area Networks, where you can place your guests on a separate network away from your critical business devices. Implementing these changes may be beyond the know-how of many average business owners, but if you feel your business is vulnerable to these types of insider threats, an independent IT consultant could easily install and configure these network devices for you.

Update Everything

Outdated software presents a big risk to any company or PC user. Reputable software companies like Apple and Microsoft release patches for vulnerabilities as fast as possible. Using an outdated version of macOS or Windows is especially risky, as both companies discontinue updates after several years, and any vulnerabilities or bugs discovered in those operating systems can leave the door wide open for a malicious attacker. For this reason, it is essential to make sure that you are using Windows 10 or 11 on your PCs, with an automatic update policy. Never allow your employees to disable or delay automatic updates, change firewall rules unnecessarily, or disable Windows Defender. If Windows or Mac updates are interrupting work, you can schedule regular updates to take place overnight or during the weekend. If you use Chrome, Brave, or Firefox browsers, make sure employees update these as soon as they are prompted. The same goes for QuickBooks, Adobe products, SAP, or any other specialty software your business uses. I cannot stress to you enough how crucial staying up to date is. Also, as mentioned, running Windows 7 or 8 at this point is simply asking for trouble. If you use older machines to operate legacy equipment in your business and those machines are connected to your network, they are critically vulnerable to attack. You must do anything you can to either use these machines offline, or upgrade them to Windows 10 or 11. There are hundreds of unpatched exploits available online for older operating systems that anyone can look up and use against those machines.


Employee Training and Communication

Does your business have a network security policy or best practices for employees? Have you ever had a discussion, meeting or training with them around the topic of Cyber security? If you’re not at least discussing and enforcing some rules with your employees, they could be exposing your business to risk. Businesses should, at the very least, discuss proper network practices with their employees. One good topic to start with is passwords, as discussed above. You should encourage and enable your employees to create strong passwords and credentials. You can print this guide, and cut out the password section for them!

Another area to engage employees in is what I call network hygiene. You wouldn’t want someone with the flu to knowingly come to the office and infect the entire workplace, would you? Of course not! Then why would you let Jennifer bring a USB stick from home that could be infected with any type of malware or virus and plug it into her workstation? You shouldn’t. Employees should be warned against bringing USB drives, hard drives, memory cards or any other device from home to use on your business network. They could potentially infect your entire business. After all, you don’t know if Jennifer clicks on those shady emails at home or not. How could you? And if her device at home is infected, she could easily transport it with her and infect your network.

Speaking of weird emails, that’s another conversation you should have. Email phishing is one of the most common ways malicious actors gain credentials or infect a user with malware. These emails often look legitimate, and cyber criminals are becoming more and more sophisticated in writing better emails, often using AI like ChatGPT and Google Bard to aid them in crafting the messages. Here’s a great article that can help your employees recognize the hallmarks of an email phishing attack. One simple way to avoid falling victim to an email phishing campaign is to NEVER click the links or attachments in an email from an unknown address. Even if the email looks like it is legitimate, never click the link. What looks like your bank or payment vendor sending you a link to log in will take you to a fake website where attackers hope you try to log in so they can capture your actual login credentials. If you receive an email from Chase Bank, Visa, Facebook, PayPal, etc…, go directly to the company website and log in. A reputable company will never send you an unsolicited login link by email.

Phishing doesn’t only happen by email; in fact, it often happens by phone. This type of phishing is often referred to as vishing (think voice + phishing). Both scammers and malicious hackers may use vishing to entice employees to give out sensitive information over the phone. While it may sound like vishing attempts would be easy to spot, these scammers are experienced and can be very good at what they do. When it comes to taking unsolicited calls, employees should never:

  • Give out financial information like credit card numbers or banking details
  • Discuss which employees are working or when
  • Give out full names of employees that generally have zero contact with customers
  • Assist anyone with “tech support”
  • Supply more information to a caller than is minimally required for good customer service

Criminals of all types will perform reconnaissance before they pull a job and try to gather any intel they can to make their operation successful. Employees should never make payments during received calls, or volunteer any information that isn’t essential to meeting a customer’s needs. Perhaps an all-too-common scenario or anecdote could help hammer the point of phone security home.

Let’s say, on Friday afternoon, a person claiming to represent a vendor calls your office and the call gets answered by an intern. The caller makes polite conversation and asks if management will be in the office over the weekend to sign for new equipment they will be dropping off. The intern politely informs the caller that no one really works over the weekend except for Chris Blackburn, a new employee in sales, and that the security guard always works too, but he hurt his back playing golf the weekend before and he will be off for two weeks.

Can you see all of the things that went wrong here? At this point, a hacker or scammer would know that, the office is essentially empty, and they would have a name: Chris Blackburn. They could potentially find his LinkedIn, Instagram or Facebook accounts, which could aid them in figuring out Chris’ passwords or usernames. If he has posted photos of himself wearing his company badge, they could blow up the image and attempt to print a fake. Anyone looking to physically break in would know that the security guard is on leave. Let’s continue:

When the weekend rolls around, the scammers call the office again, and the new hire Chris answers the phone, except this time, the scammers are pretending to be the company’s IT Security vendor and they’ve been “monitoring the network” and have discovered a security issue. Using high-pressure, they stress the need for immediate action. So Chris, being new and helpful, assists these individuals in logging into his PC via Microsoft Team Viewer where they pretend to fix a virus, but in reality they are installing malware to give them a backdoor into the network.

While this is a contrived scenario, I can assure you that it happens every day to countless businesses and individuals. When it comes to phone security and Vishing attacks, employees must be aware of the potential risks and how to avoid them.

Lock Screens

Having employees lock their screens when they are away from their workstations or devices is a standard best-practice for information security. In fact, hospitals and government agencies take this policy very seriously. Employees should always lock their screens anytime they will be out of sight of their device and when locked, a password should be required to unlock it. This prevents unauthorized access and is a small, but important part of proper security.

Device Management

This is very simple. Don’t leave laptops, tablets, devices or expensive tech assets lying around in areas where they could “sprout legs and walk away”, meaning someone could steal them. I have personally witnessed unattended, unlocked laptops lying on a desk or in a conference room adjacent to a hallway near exit doors. If you have a business with customer traffic, lock your office doors and don’t invite someone to pick up your unattended iPad Pro from your office desk on their way out of the side door. This is not just about the loss of expensive assets: any sensitive files on stolen devices could potentially be recovered if the thief manages to unlock or break your login credentials.

Shut it Down at Night

My last tip is to shut it down…literally. If no one is at your office overnight or on weekends, what reason do you have to keep your devices on or your gateway powered on? Of course, it may be inconvenient to power your router on every morning, I get it, but you can make your coffee while the network comes back up. At a minimum, any workstations not being used should be turned off overnight. Hackers can’t hack what isn’t on. Furthermore, this prevents people from driving up to your business and accessing your WiFi network at night, which is a common way that hackers can perform attacks. They call it “wardriving”, where they drive around town looking for a WiFi signal. Once they find it, they try to break onto your network and use your internet to perform hacking attacks against other targets. This makes it extremely hard for them to be tracked down. So, if you aren’t using it, cut it off.

Conclusion

Security doesn’t have to be hard. Sure, it may be inconvenient at times, but it is absolutely necessary. In fact, I’m sure that you lock your doors at night, or maybe even have an alarm system to protect from burglary or fire. The concept of securing our homes and businesses from theft or vandalism is second nature to us all. Shouldn’t protecting our digital homes and businesses be just as high a priority? Hopefully, after reading this article you not only have a new respect for your network security but feel empowered to implement changes to protect yourself from being a victim. At least, that’s my hope.

Thanks for reading.


Quinton Owens

Husband. Father. Techie. Lover and writer, of all things cyber security and hacking related. Let's dive down the digital rabbit-hole together.