1. Using free or ISP email addresses
Some small businesses choose to use email accounts from their Internet Service Provider (ISP) or even a free service. This might reduce setup complexity and save a few dollars, but it exposes the business to significant risk. If the provider shuts down, is acquired, or changes their policies, the company’s email service could be interrupted or terminated without notice.
Businesses that regularly email customers may be particularly at risk. Even if they follow best practices and meet regulatory requirements, some customers may mark messages as spam. Free ISPs are notorious for terminating email accounts on receipt of spam complaints without properly investigating them, placing the business at risk of losing its email address.
One reason ISPs provide customers with email addresses is to make it more difficult to change providers. Generic ISP and free email services also generally do not offer telephone support, so resolving technical issues may take several days.
Businesses should register and maintain ownership of their own Internet domain, and use that domain for email and websites. In addition to creating a more professional image, it ensures that the business owns their online identity. The registration should be made directly by the business and not through the ISP that provides their Internet, email, or web hosting services. In the event of a dispute or serious service interruption, the business must be able to update their Internet domain records and switch to a new service provider.
2. Inadequate perimeter security
Mobile devices, teleworkers, and Cloud services have significantly changed the small business IT landscape. But they have not replaced the need for adequate network perimeter security. Even the smallest home-based business with an Internet connection requires a firewall. Unfortunately, the majority of ISP-provided devices do not provide an adequate level of security. In addition to poor feature sets and low assurance levels, they can be accessed remotely by ISP personnel who are often located in call centers outside of Canada. Routers with firewall capability intended for home use are not appropriate for businesses. As an aside, many of these products do not provide adequate protection for home networks and teleworkers.
Any ISP-provided modem, router, or firewall belongs outside the security perimeter. Businesses should install a commercial-grade firewall to protect their network. Small office Unified Threat Management (UTM) Firewalls are available in the $500 range.
3. Using a single Cloud provider
Hosting servers in the cloud makes sense for many small businesses. It is rarely advantageous to purchase and maintain server-class hardware. Some small businesses choose a single Cloud provider to host all their systems and backups. In the event of a serious intrusion, contract dispute, or other interruption at the provider, the business risks losing their entire IT infrastructure and all backups.
Cloud services are often the best choice for small businesses, and there are certainly some large, stable, and reputable providers. However, no business of any size should rely on a single provider. As an absolute minimum, backups of critical information should be stored in-house or at a second, unrelated Cloud service provider.
4. No Business Continuity Plan (BCP)
Natural disasters, fires, accidents, and equipment failures happen. Businesses must plan to survive. Small businesses generally have fewer locations and less cash on hand, making it more difficult to withstand a business interruption. But they also have a distinct advantage: they can often use simple, inexpensive continuity strategies.
Have a security question you’d like answered in a future column? Email email@example.com