Incident response for freelancers and small business owners
When we hear about a big data breach, it’s typically a big company struggling with the legal and PR implications. “What is this insurer doing to protect patients’ private health information? How will this big retailer settle with angry customers whose ATM PINs have been stolen?”
But data breach or loss can happen to anyone, and information security is for everyone. Even (especially) those of us who work off our kitchen tables or out of the back of our pickup trucks. In fact, 61 percent of data breaches last year affected businesses with 1,000 or fewer employees, according to a study reported in Inc.
Don’t Be That Gal (or Guy)
Many of us who aren’t computer experts, and don’t have the money to retain an IT employee, still rely on information technology in our work. We’re exposed to a gamut of IT pitfalls. For instance, a massage therapist may store clients’ intake notes with information about their physical conditions on her laptop.
What happens when the laptop gets stolen? An artist may keep records of purchases of his paintings. What happens if someone accesses the database and finds a bank account or credit card number? We all need to learn how to prevent problems, and how to respond when they happen.
Ask the Expert
Donnie Parton is an IT consultant and owner of The PC Doctor. He’s consulted in several fields, most dealing with healthcare, government and nonprofits. He works with small businesses, including dentists and CPAs. He’s exactly the person to advise a freelancer or contractor, whether they design furniture or run an after-school nonprofit. He’s just 30 years old, but he’s been working in information technology half his life.
“What do small businesses need to look out for in terms of information security?” I ask him. “How can we protect ourselves, and how do we deal with a breach when it does happen?”
Phishing, Ransomware and Other Common Problems
Plain, old-fashioned phishing is one of the biggest problems Parton sees for small businesses. In phishing, the sender relies on human behavior (opening an email, clicking a link, entering information) to give him or her the desired access. Phishing is the electronic equivalent of making a phone call and pretending to have a prize package to deliver—just as soon as the recipient gives you his or her credit card number to pay for shipping.
How do you avoid phishing? Don’t click suspicious links in email or private messages. But, what’s suspicious? One way to tell is to hover over the link. Does the hover text match where the link purports to lead? Or, does the link lead to a request for personal or financial data? Always a no-no.
Check out the sender, too. Do you know them? (This isn’t a magic bullet; some phishing emails propagate from one email list to another, so one might come disguised as a message from a friend.) If you don’t know them, don’t click.
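The hover check described above can be automated once a suspicious message is saved as HTML. The script below is an added example, not code from the article or from Parton: it lists every link whose visible text is itself a URL pointing at a different site than the real target, or whose real target is a bare IP address rather than a hostname. The sample message is constructed; example.com, example.net and 203.0.113.45 are reserved documentation addresses, not real sites, and the two-label "registered domain" shortcut is a demo simplification.

```python
"""Flag links in an HTML email whose visible text does not match the real
target (the mismatch you would otherwise spot by hovering over the link).

Added example, not code from the original article.  SAMPLE_EMAIL is a
constructed message; example.com, example.net and 203.0.113.45 are
reserved documentation addresses, not real sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that is itself a URL or hostname, e.g. "www.example.com/login"
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL; tolerates bare text such as 'www.example.com/x'."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a hostname (a demo shortcut; production code
    would consult the public suffix list to handle e.g. co.uk)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_address(host):
    return bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))


def suspicious_links(html):
    """Return findings for links whose displayed URL points at a different
    site than the real href, or whose real target is a bare IP address."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not re.match(r"https?://", href, re.I):
            continue  # skip mailto:, tel:, anchors and other non-web links
        target = host_of(href)
        reasons = []
        if is_ip_address(target):
            reasons.append("target is a bare IP address")
        if URL_LIKE.fullmatch(text):
            shown = host_of(text)
            if registered_domain(shown) != registered_domain(target):
                reasons.append(f"text shows {shown} but link goes to {target}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample: two disguised links, one honest link, one mailto:
SAMPLE_EMAIL = """
<p>Dear customer, your account needs verification.</p>
<p>Visit <a href="http://203.0.113.45/login">https://secure.example.com</a> now.</p>
<p>Or use <a href="https://example.net/verify">www.example.com/account</a>.</p>
<p>Questions? <a href="https://example.com/help">Contact support</a>.</p>
<p><a href="mailto:help@example.com">help@example.com</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(f"{finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run against the sample, the first two links are reported (the first for both reasons, the second because the text shows example.com while the link goes to example.net) and the honest support link passes. Links whose text is a plain phrase such as "Click here" are not checked this way; for those, the hover check remains a manual step.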
A broad sense of skepticism helps too, according to Wired magazine. “You should generally be reluctant to download attachments and click links, no matter how innocuous they seem,” their experts write. That’s especially true if your machine for private computing is one and the same as your work machine.
You can also proactively protect yourself against the event that you do get phished. If your documents are encrypted or password-protected on your computer, it will be harder for spyware to find possible targets. Or if you accidentally download file-destroying malware, a great backup system will save your bacon.
This is especially true in the case of ransomware, a kind of malware or malicious code that blocks access to some of the computer or network’s contents, often by encrypting them. While it’s great to have your own encryption, finding your files encrypted by a third party who holds the key is no fun at all. The attacker often delivers his or her malware by a phishing attack and then follows up with extortion: pay me (preferably in an anonymous currency like bitcoin) or you can’t have your data back, ever.
A 2017 study found almost a quarter of small businesses experiencing a ransomware attack had to stop operations immediately; some were down for as much as 25 hours. An average attack cost a company with less than 1,000 employees $100,000 in downtime. Scaled down to a solo operation, the numbers look a lot smaller, but when you have only a handful of clients, missing a deadline for even one or two while you reconstruct their projects can be debilitating if they take their business elsewhere in the future.
Segregating your data so an attack can only reach a limited set of files helps reduce the impact of ransomware. So does a robust backup system with daily backups kept on storage that’s separated from your network: the most a ransomware attack can then destroy is the work done since the last backup, at most 24 hours’ worth.
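The "work since the last backup" point becomes concrete with a versioned backup and a restore. The script below is an added example, not code from the article or from Parton, and uses only the Python standard library: each snapshot is copied to its own dated folder with a SHA-256 manifest, old snapshots are pruned, and the restore skips any snapshot whose files no longer match their manifest. Whether the backup location is really separated from your network (a drive you unplug, or storage the workstation cannot write to outside the backup window) is an operational choice that code cannot enforce; the demo therefore points at a temporary directory and uses constructed client files.

```python
"""Versioned backups with an integrity manifest, and a restore that skips
tampered snapshots.

Added example, not code from the original article.  Standard library only.
Whether the backup root is really separated from the network (a drive you
unplug, or storage the workstation cannot write to outside the backup
window) is an operational choice this code cannot enforce; the demo uses
a temporary directory and constructed client files.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

KEEP_SNAPSHOTS = 7  # retain one week of daily snapshots


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(source, backup_root, stamp=None):
    """Copy `source` to backup_root/<stamp>/data, write a SHA-256 manifest of
    every file, and prune the oldest snapshots beyond KEEP_SNAPSHOTS."""
    source, backup_root = Path(source), Path(backup_root)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = backup_root / stamp
    data = snap / "data"
    shutil.copytree(source, data)
    manifest = {p.relative_to(data).as_posix(): sha256_of(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (snap / "manifest.json").write_text(json.dumps(manifest, indent=1))
    snaps = sorted(p for p in backup_root.iterdir() if p.is_dir())
    for old in snaps[:-KEEP_SNAPSHOTS]:
        shutil.rmtree(old)
    return snap


def verify_snapshot(snap):
    """Return the files whose content differs from the manifest (empty list
    means the snapshot is intact)."""
    snap = Path(snap)
    manifest = json.loads((snap / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (snap / "data" / rel).is_file()
            or sha256_of(snap / "data" / rel) != digest]


def restore_latest(backup_root, dest):
    """Restore the newest snapshot that still verifies; return its path."""
    snaps = sorted((p for p in Path(backup_root).iterdir() if p.is_dir()),
                   reverse=True)
    for snap in snaps:
        if not verify_snapshot(snap):
            shutil.copytree(snap / "data", dest, dirs_exist_ok=True)
            return snap
    raise RuntimeError("no intact snapshot available")


def demo():
    """Constructed scenario: two nightly snapshots, an attacker who reaches
    the newer one, then ransomware on the live folder."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "clients"
        live.mkdir()
        (live / "intake_notes.txt").write_text("Client A: lower-back pain, 6 sessions\n")
        (live / "invoice_0042.txt").write_text("Invoice 42: $120 paid\n")
        backup_root = Path(tmp) / "offline_drive"
        backup_root.mkdir()
        first = take_snapshot(live, backup_root, stamp="20240101T020000Z")
        second = take_snapshot(live, backup_root, stamp="20240102T020000Z")

        # Backup storage that stayed reachable gets hit too: one file in the
        # newer snapshot is overwritten. The manifest makes this detectable.
        (second / "data" / "invoice_0042.txt").write_bytes(b"<encrypted by attacker>")
        # Simulated ransomware on the live folder, plus work done after the
        # last backup, which is the only thing that cannot be recovered.
        for f in live.iterdir():
            f.write_bytes(os.urandom(64))
        (live / "new_note.txt").write_text("written after the backup\n")

        restored = Path(tmp) / "restored"
        used = restore_latest(backup_root, restored)
        return {
            "tampered_files": verify_snapshot(second),
            "used_snapshot": used.name,
            "recovered_notes": (restored / "intake_notes.txt").read_text(),
            "new_note_recovered": (restored / "new_note.txt").exists(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the demo the restore falls back to the older, intact snapshot, the intake notes come back byte for byte, and the only casualty is the note written after the last backup. The manifest is a detection aid, not a protection: if the backup target stays mounted and writable, ransomware can encrypt the snapshots as readily as the live files, which is why the article's advice to keep that storage separated from the network matters more than any script.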
Be Proactive
You can’t always avoid attacks, but if you plan ahead, you can limit the harm they can do.
“There’s quite a lot you can do to mitigate [data breach] mattering,” Parton says. “Don’t store information on mobile devices. Encrypt data. One easy example: I have a small office with one server and four laptops employees use. All confidential data resides on the server; none of it is ever saved to the laptops. If one of the laptops were stolen, there would be nothing to worry about from a data standpoint. Plus, if an employee did make a mistake and saved a file to their machine, the drive is encrypted.”
Parton recommends services such as BitLocker to encrypt your hard drive.
“The flip side is that it makes data recovery a lot more difficult, so you need to make sure you stay on top of your backups,” he adds. “Most people find Carbonite to be pretty easy to set up and use, and, at $60 per year, not too expensive.”
In addition to encryption, Parton says, “Password protect every computer in your network. Don’t let employees share passwords, and don’t let your password hints be too revealing.
“Password protect your Wi-Fi, and do not give your password out to people. It’s a good idea to use a router with a ‘guest Wi-Fi’ option. Use that for everything that doesn’t need access to your data, including your own phone, in most cases.”
Lock your computer when you leave it, Parton adds. That’s Windows Key + L on a PC, or Control + Shift + Power on a Mac. When you get back from your smoke break or dash to the laundry room and enter your password, everything will be just where you left it.
“And if you need to use remote software, nearly anything out there allows two-factor authentication,” he adds. “In most cases, this is going to attach your login to a cell phone, sending you a secondary password via SMS. This, like most security devices, can be a bit of a hassle…but it’s well worth it.”
Dealing with Money
If you take credit card payments from your customers, you’re bound by PCI compliance rules, even if you’re using a phone or tablet app. The rules may seem cumbersome, but they exist to protect you, too. Using established payment-processing software should generally protect you here.
When you implement your card-reader software, “answer the PCI compliance questionnaires honestly,” Parton says. “Don’t just put in the answer you know is ‘right,’ like not letting uncontrolled devices like customers’ phones or laptops in the same network as the credit-card processing machines or tablets. Negligence is the biggest enemy here. If you see you aren’t following one of the rules, change how your network is set up, and if you’re not capable of doing that, call a professional.”
The Heat of the Moment
Even with due diligence, data can be lost or stolen. If you lose control of your business data, especially anything that could harm your clients (personal information, payment data, etc.), immediately take steps to mitigate the situation.
“If you think there’s a data breach, definitely contact a professional,” Parton says. “There are too many variables for someone who isn’t skilled and up-to-date in the field. Each case can be vastly different, depending on where the breach comes from and what the environment is like.
“Think of it a little like an injury; there’s plenty you can do to keep yourself from being hurt, but when you break your back, it’s probably best to leave it to a doctor.”
The professional security expert will look at server and firewall logs to discover the origin of the problem so you can stop it, now (if it’s ongoing) or in the future. In the meantime, it’s best to assume a perpetrator has everything that the stolen machine or compromised computer had access to—for instance, if your laptop can access your server, and you lose your laptop, assume someone can now get into the data housed on your server.
“In the event a machine gets physically stolen, it can help to have something like Prey Anti Theft that allows you to remotely wipe a machine,” Parton says. “There’s more advanced software out there, but Prey has a pretty nice balance of features to price.”
In addition to remotely wiping your device, take steps to protect your reputation. If there’s a problem, a word in advance to your clients will make a world of difference. If spammy messages are coming from your email account, let everyone on your mailing list know as soon as you can that these aren’t from you. If a client’s project notes have been lost, let them know as soon as possible what’s happened and how you’re handling it.
Being transparent and upfront, especially regarding any of your clients’ information, will help you maintain trust.