A clean inbox every day? See the easiest, safest way »


Bored or intimidated by the idea of beefing up your cybersecurity? We get it. Online security is not the most exciting or accessible concept in the world. But if you do anything important online, then it’s one of the most critical things for you and your organization.

Why you should choose to care about online security

Reports show that 70 to 90 percent of cyber attacks are against individuals and small and medium businesses (SMBs).

For every small and medium business (SMB) that has not been the target of a cyber attack, one has been. Yes, 50 percent of SMBs have experienced cyber attacks.

And it makes sense. While breaching a major company might reap major rewards for the attacker, its security tends to be far more sophisticated. That’s not so much the case with smaller businesses. In fact, Endurance International Group’s 2015 Small Business & CyberSecurity survey shows that 83 percent of small business owners manage their cybersecurity efforts themselves rather than have in-house or outsourced IT for the job.

When attacks are successful, and a data breach occurs, the typical cost to repair the damage is more than $36,000. Worse still, as many as 60 percent of small businesses crumble within the six months that follow.

But take note—there is a huge difference between being the target of a cyber attack and being successfully breached. What keeps someone in the former group and out of the latter often comes down to simple oversights.

Steps to prevent a cyber attack (or its success)

“Cybersecurity lapses have common trends and problems that can be traced back to laziness, lack of knowledge, and awareness of how common pitfalls can be leveraged against an individual or organization,” explains Morey Haber, VP of Technology at BeyondTrust.

For instance, the National Cyber Security Alliance reports that over 75 percent of employees leave their computers unsecured.

For the safety of yourself, your coworkers, and your customers and clients, read through the following cybersecurity tips. Then, commit to practicing them and help others by passing the advice to your organization.

Stop mixing work and play

Don’t mix work and play. Just don’t. Separate profiles, accounts, storage mediums for work and personal life. Just keep things compartmentalized. Don’t make it easy by being lazy. -Robert Nicholson of Concept Shifts

Delete old login emails

If you never delete the (probably hundreds of) login detail emails from your email account, you have created a gold mine for hackers. All they have to do is get into your email and then they have access to every service or website you’ve used. -Emmanuel Schalit, CEO of Dashlane


Think before you click

Think before you click. Today’s scams look very convincing, coming in the form of voicemails, eFaxes, invoices, social media, ADP theme or from the IRS. -Anurag Sharma, Principal of WithumSmith+Brown’s Cyber & Information Security Services

Be pickier about where you download and install software from

Try to use things like Microsoft Store or the Mac App Store for your desktops and iTunes and Google Play for your mobile devices. Again, this isn’t an absolute. You can more gradually move toward better practices, and each step you take will make you more secure. –Jeffrey Goldberg, Chief Defender Against the Dark Arts at AgileBits, the makers of 1Password

Don’t ignore security updates

We have all seen the nagware to update Adobe and Java, and we click ignore or remind me next month. The same is absolutely true for operating systems and MS Office Updates. [Overcoming] the laziness to apply the patches and reboot is the best method, above anything else, to ensure you are not exploited by a common vulnerability. Although it takes time to apply them, the few minutes it takes is well worth securing your system. -Morey Haber, BeyondTrust

Often just switching to automatic updates where that is available will make the task easier for you and keep you safe… And this isn’t an all or nothing thing. The more things you keep up to date the better, but you will start reducing your risks with each thing you keep up to date. I would recommend starting with your operating system, but look for little improvements where you can. -Jeffrey Goldberg, AgileBits / 1Password

Beware of free USB drives

Don’t ever fall for the free USB device drive—a very popular tradeshow giveaway these days—which when plugged in can easily deliver malware or a virus onto your computer. -Anurag Sharma, WithumSmith+Brown

Raise employee awareness about device theft

Often, IT has no insight into the types of data stored on their devices—devices that are left in taxis, hotel rooms, and stolen at airports. In fact, according to Gartner, one laptop is stolen every 53 seconds in US airports. And hotel safes are as secure as hiding the laptop under your mattress!

Encourage employees to be vigilant about physical device security but have a plan B because mistakes and unfortunate incidents are inevitable. Choose security solutions with geotechnology so you can monitor devices, set geofences, and receive alerts to activities that could mean a device was compromised, lost, or stolen. -Chris Covell, Chief Information Officer at Absolute

Prevent shoulder surfing

Screen guards should be employed to limit the potential for ‘shoulder surfing,’ in which an attacker stands near an employee and notes everything they are displaying on their screen. Better yet, do not allow employees to store sensitive business information on their devices in the first place, if at all possible—this will also protect secret data should the device ever be lost or stolen. -Lee Munson, Security Researcher for Comparitech

Ditch the dated machines

If you are still running Windows XP or Windows Server 2003 within your home or business, all security professionals know they are end-of-life and no longer receiving any maintenance including security patches. So, if the best method to secure your system is applying security patches, and you are still running older systems, then they are wide open for attack with minimal mitigation strategies available to thwart an attack. You, or your business, should consider replacing these systems as soon as possible to ensure they can be maintained properly. Many times this is a combination of laziness and money, but being breached and cleaning up the mess could be much more costly than replacing the systems in the first place. -Morey Haber, BeyondTrust

Limit unnecessary admin privileges

Are you providing everyone in your company unfettered access to all data so when your least technically savvy employee gets hacked, all that data is exposed? -Greg Kelley, CTO of Vestige Digital Investigations

Employees should be able to access only those systems and data that they absolutely need to perform their jobs. So that all activity can be traced to a particular user, each employee should have a unique access ID and should be authenticated using a strong password or passphrase, biometrics, or a token device or smart card. Strong cryptography should be used to render all passwords unreadable during storage and transmission. Physical access to systems and consumer data should also be restricted to prevent employees and building visitors from accessing or removing devices, data, systems, or hardcopies. -Mike Baker, Founder of Mosaic451

Limit remote access

Many businesses leave their firewalls open to outside entry by allowing access for managers working remotely or vendors who routinely perform maintenance on systems…Always change default firewall settings to allow only essential access, and limit remote access to secure methods such as VPN. – Kevin Watson, CEO of Netsurion

Password protect and encrypt sensitive info

This is especially important with regard to data stored on portable devices such as laptops and USB sticks, which can potentially be stolen or lost. There are many encryption applications that achieve this; however, when choosing, there are several aspects to consider:

1. How easy is the application to use? Could the CEO, who doesn’t have any IT skills, use it? If the application is hard to set up and use, it’s not a good solution for a small business.

2. Does the application interrupt the user’s workflow? Is there a wait time every time the user wants to access the encrypted file? If so, employees will do their utmost to avoid using the application.

3. Does the application automatically lock the data when the user stops working on the protected files? If not, this could be a security issue, as users are bound to forget to manually lock their documents.

4. What is the cost? Clearly, small businesses cannot afford an enterprise solution.

-Sandra Styskin, Co-founder & Developer at Safeplicity

Implement a password policy and multi-factor authentication

It’s tempting to use your dog’s name for every password, but it makes you very vulnerable to cyber criminals. Not only do you need to change your passwords often, you should use different passwords for every site, service or app you use. -Emmanuel Schalit, Dashlane

All companies, specifically SMBs, should implement a password policy for all employees and use multi-factor authentication. The password policy should at a minimum require employees to change the passwords every 90 days and they should always use multi-factor authentication to verify identity. The verification of identities when accessing work files and information is critical. I suggest implementing a solution similar to Okta or PingIdentity. -Ray McKenzie, Founder and Principal at Red Beach Advisors

Two-Factor Authentication (2FA), where users are required to put in a second form of information in addition to a password, like a PIN or security question, allows for only the intended user to access accounts. From password protected documents and accessing the network to staff’s personal and company accounts on company desktops, adding 2FA to accounts requiring passwords strengthens security. While sites like Gmail already implement this, many password managers also offer this as an additional feature to sites that don’t. -Kevin Shahbazi, CEO of LogMeOnce

Use a password manager

One of the impossible things that people like me tell the world is that everyone needs to have a unique password for each site. If I use the same password on a dozen different sites and services, then it takes only one of those to be broken into for the attacker to have my password for all of them.

Asking people to remember a different password for each site and service is absurd. Nobody will do that. (Ok, I once met someone with an eidetic memory who actually did do that for more than 70 sites.)  This is what password managers are for. They remember your passwords for you so that you don’t have to. Once you start using a password manager — and doing so will already make things easier for you — you can slowly start chipping away at password reuse. Sure it will be a while before you get to truly having a unique password for each site and service (I still don’t), but each time you change one password on some site to a new and unique one you are making a real improvement in your own security. -Jeffrey Goldberg, AgileBits / 1Password

(Hey, SaneBoxers. If you’re interested in trying a password manager, our friends at 1Password are offering you a 6-month free trial of Password Families here.)

Learn where you fall in the food chain of cyber security attacks

Banks and the financial sector are the number one targets, hospitals and the healthcare industry are number 2, universities number 3, and so on. There is a lot of online data and statistics on this topic. By understanding where your industry falls on the spectrum, you can understand generally what level of hacker you will be dealing with and the types of cyber attacks that they are capable of. -Regan Marock, CEO of SPC Cybersecurity

Make upkeep the #1 priority

Have you ever heard the phrase, “Upkeep is cheaper than replacement”? This adage applies closely to cybersecurity. One of the most important things SMBs can do to keep their systems safe is continually update them, perform routine maintenance, and ensure they’re clean. By regularly performing software updates on company devices and continually patching any discovered vulnerabilities, many basic cyber threats can be stopped or lessened significantly. -Stephen Coty, Chief Security Evangelist at Alert Logic

Don’t just take IT’s word for it

Business management must not take “we have it handled” as an appropriate answer from IT. I had a client come to me once that was told by his IT that their vital data was backed up daily. When the server containing that data crashed, the client said “let’s restore the data” only to find out that the backups were stored on the same machine! That story is replayed over and over today because organizations do not go through the process of executing a test plan to recover from disaster or hacking. A plan for recovery from hacking (especially ransomware) must be thought out, planned, and tested. -Greg Kelley, CTO of Vestige Digital Investigations
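
The failure in this story (backups kept on the machine they were meant to protect, and never restored until the day they were needed) is something a short script can test for. The following is an added example, not part of the original article or of the advice quoted above; the directory layout, file names and the copy-based restore step are assumptions standing in for a real backup tool.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """SHA-256 of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def on_same_device(source, backup):
    """True if both paths sit on one filesystem, so one failure loses both."""
    return os.stat(source).st_dev == os.stat(backup).st_dev

def restore_test(source, backup):
    """Restore into a scratch directory; list files that did not come back intact."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored"
        shutil.copytree(backup, restored)  # stand-in for the real restore procedure
        for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = src_file.relative_to(source)
            candidate = restored / rel
            if not candidate.is_file():
                problems.append(f"missing: {rel.as_posix()}")
            elif sha256_of(candidate) != sha256_of(src_file):
                problems.append(f"content mismatch: {rel.as_posix()}")
    return problems

def audit(source, backup):
    """Findings for one source/backup pair; an empty list means the test passed."""
    findings = restore_test(source, backup)
    if on_same_device(source, backup):
        # A differing st_dev does not prove separate hardware, but a matching
        # st_dev means a single filesystem failure takes data and backup together.
        findings.insert(0, "backup shares a filesystem with the source data")
    return findings

def demo():
    """Constructed sample: backup kept beside the data, one file truncated."""
    with tempfile.TemporaryDirectory() as root:
        source, backup = Path(root, "data"), Path(root, "backup")
        source.mkdir()
        (source / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "clients.txt").write_text("Acme\nGlobex\n")
        shutil.copytree(source, backup)
        (backup / "clients.txt").write_text("Acme\n")  # simulated bad backup
        return audit(source, backup)

if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the real data and backup locations, an empty result is the evidence that “we have it handled” is true; anything else is a finding to fix before a crash or ransomware forces the question.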

Embrace the human element

I will tell you one of the most tragic mistakes companies make regarding data security is to only approach data privacy from the perspective of the company as a whole, which is a very general perspective. The employees of your company don’t understand how data theft and data privacy are relevant to them. Good people can easily leak data, or cause leaks in security by simply being careless or leaving it unprotected. All privacy starts with the employees. -Anthony R. Howard

Know who to contact for help

Contact the right person for help. If you are a victim, if you encounter illegal Internet content (e.g. child exploitation) or if you suspect a computer crime, identity theft or a commercial scam, report this to your local police. If you need help with maintenance or software installation on your computer, consult with an IT professional. -Mark Grabowski, internet law professor at Adelphi University

Laziness is not an excuse for not knowing

Learning to protect ourselves online is just as painful as sitting through a defensive driver’s education class or jury duty. We do it because we have to, and for many, they will do anything they can to get out of a class on cybersecurity. The realization is no one is immune to an attack, and learning how you can be hacked and how to protect yourself is really important, and laziness or boredom is no excuse for skipping the class. -Morey Haber, VP of Technology, BeyondTrust

About SaneBox

Remember when email used to make your life easier, not harder? SaneBox takes you back to that time so you can focus on things that actually matter. Take charge of your productivity today by starting a 14-day free trial, no credit card required.



We recently joined our productivity pals at Asana to host a webinar. It was such a hit with attendees that we decided we had to share the recording with others (you!).

The training session’s emphasis is on something most of us want and need, but few know how to get: a layered communication strategy for internal, external, and instant communication across your company.

Watch it on-demand to get actionable advice on:


When was the last time you used public Wi-Fi to work remotely? If you’re like 91% of recent survey respondents, you agree that public Wi-Fi is not secure. If you’re like 89% of the same respondents, you use it anyway.


How our team stays focused

October 12, 2016 — 2 Comments

And 6 steps to becoming your most productive self

Macbook Productivity


Pet peeves are so annoying. Chewing with your mouth open. People listening to loud music on the train. Littering. And the absolute worst? Notifications: they feel like a million small zaps in my brain.

Once I became mindful of how easy it is for me to get distracted, I started to think seriously about productivity. How can I manage my time better? What’s preventing me from staying focused?


Short answer: I didn’t.

My Normal Routine


Silicon Valley Meeting

How do you get the attention of a top executive, let alone schedule a meeting with one?

Not only can their contact information seem difficult to come by, but with their full schedules and army of assistants, you need to have a pretty appealing offer to earn an appointment.

The average corporate employee sends and receives over 120 emails every day. For most executives, this number is even higher. How do you stand out in a sea of words? How do you make an offer that they can’t refuse?

Hint: It all comes down to making the right contact with the right person.


freelance email strategy

Not only can email be a time suck, but if you’re not on top of it, you can…let more things fall through the cracks than any professional should.

Guest post by John Arthur

You’ve heard it a million times: time is money. And email, if not approached correctly, can be one of the biggest drains on your time, and by extension a drain on your bottom line.

Not only can email be a time suck, but if you’re not on top of it, you can miss crucial messages, neglect to follow up with important clients, and, generally, let more things fall through the cracks than any professional should.

Organizing emails to save yourself trouble
