Cyber crime isn’t just a concern for large businesses like Yahoo or TalkTalk. Small businesses are also victims, despite popular misconceptions. In this blog post, we spoke to Phil Picton of Droplet Media about cyber security for small businesses and what he does to keep his company secure.
Hi Phil, please can you give us a brief introduction to both yourself and your business?
Hi. I’m a freelance web developer based in Ivybridge. I work for small businesses in Devon, producing websites for them and helping with other digital marketing stuff like Google AdWords or social media. I created the Droplet Media brand as I got busier so I could involve other freelancers to help me as and when I needed.
As a small business owner, how important is cyber security to you and why?
This is the subject on everybody’s lips now, after the attack on unpatched Windows computers around the world, including those of our NHS. For my business, cyber security is very important. I can’t think of many modern businesses which would not need to take their security seriously. If I lost my files or logins for the many websites and services I use, it could be devastating for my business, my reputation and my clients. Like everybody, I rely on email, online banking, websites, the software on my computers and mobile phone and so on.
In a nutshell, what is Droplet Media’s approach to cyber security?
My approach is to implement as many security measures as I can, even when these measures are a bit of a nuisance, like long and unique passwords or two-factor authentication. Despite this, I am aware that a skilled and determined attacker would still be able to find an exploit for my web servers or computers. All anyone can do is make it as difficult as possible (and therefore not worth the effort), and limit the damage if the worst happened. The first thing to do is to analyse your business and identify what threats it might face – where it is vulnerable. Then look at what measures you need to take to defend against attacks, and mitigate any possible damage. Write a plan of how you are going to implement these measures, stick to it and keep reviewing your plan. Here are some resources to help.
Are all businesses vulnerable to cyber attacks?
Absolutely. The larger your business, the greater the threats are, but we must all take security very seriously. Recently the American spy agency, the NSA, was hacked by a group known as ‘Shadow Brokers’. They stole a list of exploits (known as ‘zero days’, they are vulnerabilities that software firms like Microsoft were not aware of) that the NSA was using to attack computers. These exploits are now being used by criminal hackers to attack computers, and led to the massive attack which hit our NHS amongst others. It’s safe to assume that this kind of thing will continue and that we may all be caught in the crossfire.
How often do you review or change your approach to cyber security?
In my business, I need to keep up with new developments all the time as the internet is a fast-moving place. Whilst my approach in the office doesn’t change that much (so far it’s still a good idea to use whole disk encryption and keep backups, for example), I do need to be aware of new threats and vulnerabilities in the technologies that I use. The websites that I look after experience dozens of attempts to hack them every day. I conduct a review of my data protection policy every year and keep security in mind every day.
What resources do you read, follow or make use of to keep up to date on cyber security issues?
A great website for tutorials and information about computer security and privacy is at The Electronic Frontier Foundation. The most effective way for me to keep up to date with current developments though is via Twitter. I follow InfoSec experts such as @micahflee, @SwiftOnSecurity, @mikko and @kevinmitnick amongst others. There are also several security newsletters you can subscribe to.
Is there any snippet of advice you’d strongly recommend to other small business owners?
Keep regular, secure and encrypted backups of all your vital files, emails, passwords, software and anything else you store on a computer. Store that backup in a different location. Always keep your software and hardware up to date. Install updates straight away when they are released. Use strong passwords for everything, and don’t use the same one twice. Use a password safe like KeePassX to store them. Don’t open email attachments that you aren’t expecting, even from people you know, without checking that they sent them. The same goes for clicking on links in emails. Encrypt your hard drives (use BitLocker for Windows, FileVault for Mac, in Linux you choose to encrypt during installation).