Small businesses are huge targets for hackers today, and they unfortunately hit their mark far too often. The good news is that even hackers who have wormed their way in still need time to figure out what to do next. If you can react faster than they can, you can save yourself a lot of hassle. Here are eight steps you can take to limit the potential damage.
1. Change ALL Passwords
This is an easy step that you can take at any hour of the day. Ideally, you should be changing all of your passwords, regardless of whether it’s a business or a personal account. If you don’t have access to all of the information, contact those who do and make the change a priority. If you want a handy way to keep track of the passwords, try a manager like 1Password. You can store anything from passwords to sensitive information in a virtual vault that’s guarded by a master password.
2. Set Up 2 Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
3. Audit Your Admin Accounts
4. Shut Down Account Access from Outside the US
5. Block Any Emails from Outside the US
Hackers have become increasingly sophisticated with email communications, using everything from executive names to project information to craft subject lines and attachments that are nearly indistinguishable from the real thing.
If your company’s already been phished, hackers will have that much more information to work with. If your company only does business within the US, blocking foreign emails can go a long way toward keeping you and your employees away from further scams. Please note that there are ways to spoof location though, meaning some foreign criminals may still be able to send emails.
6. Set Up Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) Records
SPF and DKIM records are both designed to authenticate email: they let a receiving mail server check that a message claiming to come from a domain was actually authorized by that domain. There are some differences between the two security tactics, but the main purpose is to confirm the validity of the sender and, in DKIM's case, that the message content was not altered in transit. These records are not perfect, but they can reduce your odds of falling further into the scam. This is especially recommended if there's no way to restrict access from foreign countries.
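As an added example (not code from the original article), here is a minimal SPF evaluator in Python that shows how a receiving mail server uses a domain's published record to decide whether a sending IP is authorized. The domains, addresses and records are constructed placeholders, and the lookup function stands in for a real DNS TXT query.

```python
import ipaddress

# Constructed DNS data standing in for real TXT lookups; the domains and
# addresses are illustrative placeholders, not real records.
FAKE_TXT = {
    "example-smallbiz.test": "v=spf1 ip4:203.0.113.0/24 include:mail-provider.test -all",
    "mail-provider.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain from the constructed table (None if absent)."""
    rec = FAKE_TXT.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate a sender IP against a domain's SPF policy.

    Supports the ip4, ip6, include and all mechanisms, which cover most
    small-business records. Returns pass/fail/softfail/neutral/none/permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS lookups; treat runaway includes as a permanent error
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            # ip_network handles the version mismatch (v4 address vs v6 net) as "not contained"
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the referenced domain's own policy says pass;
            # a missing or broken referenced record is a permanent error per RFC 7208
            sub = check_spf(value, sender_ip, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # a, mx, exists, ptr are not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present
```

A "fail" result is what lets a receiver reject or quarantine a forged message that uses your domain in its From address.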
7. Contact Customers
No business owner wants to tell a customer that their information has been compromised, but you risk even more damage to your reputation if you keep quiet. It's important to start a dialogue with customers here. Be open about what happened, and give them actionable tips on what they can do to protect themselves. For example, ask them to delete any messages that appear to come from the company through your Facebook account. This can keep customers from sending financial or personal information to the wrong people.
8. Check Your Server
If you have an on-site email server, you should be doing a security audit on the network. You can use an intrusion detection system to monitor for any malicious activity or violations. You can also perform full audits on any software you use for different workstations. Now is a good time to clear out any old files and update access settings for each program. Small businesses don’t always adjust their settings after people leave the company, and this kind of neglect can leave big openings for sophisticated hackers.
Steps to Prevent Future Phishing
You can’t eliminate your odds of being phished, but you can reduce them significantly. Here are a few steps you can take to get it done:
1. Domain Name System (DNS) Protection
The domain name system is often compared to a traditional phone book: it lets people type in memorable domain names (e.g., Google.com) instead of a numerical address. DNS protection is a way to stop hackers in their tracks by preventing your users from reaching their pages in the first place.
If the threat of a DDoS or malware attack is detected at the DNS level, the odds of it affecting your business are slim to none. This type of security takes place in the cloud and produces a nearly instantaneous response. Requests to domains used by those who might phish you are rerouted to a block page, so there is practically no exchange of information between your network and theirs.
2. SPAM Filter
No one is immune from clicking on the wrong link or email. It's just a fact of life that humans are not always going to have their guards up 24/7. A SPAM filter won't be able to detect all phishing techniques, especially considering they're rejiggered every year specifically to get around these filters, but it can provide a much-needed extra layer. When it comes to both physical and virtual security, you're usually better off with more barriers than fewer.
3. Cybersecurity Awareness Training
Your employees don’t need to be told that cybercrime is a threat. Training is more about calling attention to hacker tactics and providing actionable tips that employees can implement on a regular basis.
4. Rethink Your Communication Protocol
For major accounting or business management decisions, you might not want to use email as the only channel of communication. Hackers know that a lot of sensitive data passes back and forth, and they’ll use this to their advantage. So if you’re making adjustments to your payment destination, you might want to insist on both written and verbal confirmation of any changes.