This article was featured in the 2017 September issue of Santa Barbara Lawyer Magazine

One of the benefits of having a Managed Service Provider (MSP) handle your IT is that you don’t have to worry about your IT. An MSP handles your tech issues, growth, and most importantly security. We organize our response teams into reactive and proactive issues, and consider security to be a constant proactive concern. Not everyone needs an MSP though. We provide a great Enterprise level service for those who need us, but not everyone’s business is ready or even right for what we offer. In a recent talk, our CTO David Ashamalla made the point that an individual or business owner should never spend more to keep their data safe than their data is worth. Basically a small business without a lot of overhead shouldn’t be investing heavily in an IT security solution that isn’t necessary. But what should you be investing in to make sure that your business tech is safe and secure?

Without an MSP watching your back your biggest security investment will be in time, education, and process. As a business owner you will need to spend time vetting emails, attachments, and sources. You will need to educate your staff about what to watch out for, and you will have to develop clear processes for avoiding security breaches. At minimum develop a company-wide standard for password creation, and processes for email verification.

The places that you are most vulnerable include: email, attachments, and passwords. Fake emails are getting more sophisticated. Here are some things to check for:

  • Who is sending you this email?
    • Does it make sense for this person to be emailing you?
  • Does the From Name match the From Email Address?
    • Sometimes the from name will look familiar, but the from address will be suspect.
  • Is the email coming from who it says it’s from?
    • A popular spoof is a notification that says it’s from UPS or FedEx that is not actually from UPS or FedEx.
    • If an email asks you to login to an account don’t log in through the email, instead go directly to the website, and do not click any links in the suspicious email.
  • Ask similar questions of attachments
    • Does it make sense to receive this particular attachment from this particular coworker?
    • Should the busy partner be sending you an attachment of TPS reports?
    • Take a second to email the person who emailed you and ask if they meant to send you that attachment.
  • Check the domain
    • Sometimes a domain will look legitimate with just one small thing about it that is not right.
    • You might receive something that looks like “accounts@firstdata.coma” First Data is a real company but note that it says: .coma and not .com
  • Institute a company password policy
    • Use longer passwords with actual words that are easier to remember than passwords with a lot of special characters. These random phrase passwords are very hard to guess, and difficult to hack. Ex. Flying_squirrel_goggles
    • Try replacing some letters in that phrase with their numeric equivalents or capital letters: Flying_Squ1rr3l_G0ggl3s
    • Update company passwords on a regular basis.
    • Use different passwords for different services. It can be tempting to use the same password for every service, but that can leave you vulnerable. If one service is compromised then it’s very easy to hack into the rest of your accounts.
    • Try using a password service to manage passwords if you have a lot to keep track of.
  • Have good backups. If your system is compromised you want to get back to work as soon as possible, and you want to minimize your losses. Don’t negotiate with hackers, and don’t pay the ransom. This might result in some lost work, but these losses do not have to be catastrophic.
    • Carbonite software is a fantastic cloud-based back up software that works, and is very affordable.
    • WD Passport and MyCloud Nas drives are good hardware options for back ups.

Everything seems more vulnerable these days because it is, but with vigilance and attention you can keep your business safe. Back up your data, igmplement a password policy, and train your staff to spot fake emails. This type of attention will ensure that your business stays, robust, resilient, and recoverable.