Small business owners, we need to talk. Or maybe you’re not an owner, maybe you’re an admin or a project manager or just a valued employee. Or a sole proprietor or consultant. Or just a smart person. Anyway, here’s the thing: your passwords suck. Here’s why:
You’re using one or a handful of passwords across multiple sites.
That password is probably some noun – like your name or your company name – and then two to four letters. Probably you’ve had to throw in an exclamation point in the last few years.
Sometimes – maybe all the time – you’re using that password for personal uses too.
Maybe it’s not you! Maybe you have a rock solid password protocol. But probably somebody in your organization is doing the stuff I just mentioned, which puts everybody else at risk.
Here’s something else – if you have cause to share these passwords with others in your organization, it’s often in a Word doc or an Excel spreadsheet. An unsecured document saved in a precarious location on your or your colleague’s computer.
I don’t mean to be a big downer here, but too many of you aren’t backing up your data regularly either. You’re a crashed hard drive, lost laptop, or stolen phone away from putting a serious dent in your productivity or worse, losing critical client data and damaging your business.
Friends, it’s past time to take digital security in your business more seriously. I’m not a security expert, but I am a guy who takes my data and the work I do for my clients very seriously, subscribing to the not if but when philosophy that stuff will go south. As such, I’ve developed personal protocols for how I handle this stuff.
You should develop your own protocols too. First of all, treating security seriously and using best practices insulates your business from the potential damage of hacks, attacks, and infection. Secondly, smart practices protects your clients’ data. When you think security don’t just think shady hackers in a dark room plotting your every digital move. Old computers can be a security risk. Poor or no backup protocol for your data introduces security risks. To be on top of this stuff takes diligence.
In this post I’m going to share with you some of the significant parts of my security practices. If you’re a small business or consultant without internal or managed IT to guide you through or help mind your digital security, you might find these tips useful. Emulate them if they work for you. Improve upon them. Then tell all your friends and colleagues to jump aboard the bandwagon so together we can make a safer, more awesome web.
I put a threshold of 3 years on my technology before they’re due for refresh. That means every 3 years I’m buying a new computer or laptop. My experience is that performance benefits like speed and memory become significant in the generation that 3 years entails, but also newer hardware tends to have more sophisticated security measures like encryption or biometric features. Most importantly, of course, is that older hardware is more prone to failure. I wouldn’t say 3 years is a hard rule or magical number, but it is a long time in technology. The important thing is that you take refreshing your hardware seriously and commit to a review every couple of years.
Take a second and think about your primary work machine. Your laptop or desktop computer. Now throw it in the ocean. Will you still be able to access that huge RFP you were working on, or send that important document over tomorrow, or just pick up on whatever you were working on? Or maybe you’ll spend the next 3-5 days scrambling through emails and asking colleagues if they have this or that file they can send over while you try and reconstruct your files. Maybe you just lost everything.
Working with cloud-based platforms like Dropbox or Box makes your workflow redundant. What you do on your computer gets automatically synced to the cloud, so you’re never working strictly “on your computer.” If your machine gets tossed in the ocean you can buy another one, install your cloud software, and boom, you’re back to work.
Last.fm has revealed the details of a 2012 hack this week that saw 43 million passwords compromised. The most popular password? 123456. Sheesh.
My best advice about passwords is to eliminate yourself from the scenario as much as possible. Modern browsers (I primarily use Safari) will have built-in features to suggest new, strong passwords when you’re creating a new login and then save that password on your computer (encrypted, of course.) When you arrive at that website again to login, your browser will remember the password and pop it into place. Done.
I also recommend apps like LastPass or 1Password (I use 1Password) to manage your passwords. These apps will generate strong passwords for you and save them in a secure locker on your device. They’ll also sync across devices so you can open them on your laptop, phone, or tablet. 1Password has a cool subscription tool for teams so your entire organization can store and access passwords.
In any case, the idea is to take you out of it. The largest obstacle I find to this is people’s insecurity (see what I did there) about not being “in control.” It’s the being in control in the first place that introduces the security risk! Passwords shouldn’t be convenient (i.e., 123456 or password123 or yournamebirthday). If you do need to manufacture your own password, make it a phrase or sentence. Silly is good. D0gzRth3coolest! is a phrase that’s much harder to crack than qwerty (another of the last.fm popular passwords.)
Using Two Factor Authentication (2FA) is one of the most proactive things you can do to double down on your security. Many online services today, including all major social networks, have 2FA available. With 2FA enabled, anytime a login occurs from a new or unrecognized machine (or sometimes just anytime you’re logging in at all), you’ll be required to input a password as usual. Then, before you’re allowed in, the service will instantly send a code, usually via text message, to a device you’ve set up for 2FA. You’ll have to also input that code in order to get to your service. This usually takes 3 minutes to set up and is another ring of security around you in case your password gets hacked or stolen.
Most experts recommend a 3-2-1 backup strategy. This means 3 total copies of your files, 2 of which are local and 1 of which is offsite. This strategy minimizes your exposure to risk if something goes south with your data. If you have a regular “set-it-and-forget-it” backup scheduled to an external drive, for instance, then you have 2 copies of your data stored locally (one copy on your machine and another copy on your external drive). If you lose your laptop or the hard drive crashes, it’s a quick switch to the data on your external drive. Then you want have one copy stored offsite. There are lots of services that you do this, including Carbonite and Backblaze, as well as services like Amazon Drive. The offsite backup is for worst-case scenarios like flood, fire, theft, etc.
Today all of us are doing as much or more work from our phones and tablets as we are from our laptops or desktops. Your clients and customers are sending files, emails, and texts that are important – and possibly confidential – aspects of your business relationship.
At a minimum it’s important to engage the basic security features your phone makes available, like a passcode. Ideally you’re using biometric measures like your fingerprint for improved security. In addition to security, it’s important to have lost-phone features enabled. Apple’s Find iPhone app and Google’s Android Device Manager allow you see your phone’s location via GPS if you lose it and wipe the device remotely if necessary.
Outsource it (see what did there?)
If all of this confuses you or stresses you out, consider outsourcing your IT. A Managed IT provider, colocation facility or data center can work with you to safely store your data, running off their servers. Depending on your needs and the size of your organization, you can save money on IT costs and increase power capacity, bandwidth, and security by working with a data center.
Security protocols and backup strategies should be a basic part of your business practices. Structured, organized, predictable, easy. These practices should be defined for everybody in your organization, whether there’s two of you or twenty. These kinds of strategies should be considered customer gains – basic, minimum expectations of working with you.
When you write up your practices and make them a part of your marketing identity, you make it a gain creator. Gain creators are things that aren’t necessarily expected by your customers, but they’re delightful discoveries that help them make better business decisions or have better business relationships.
When your prospects or customers see a page on your website that details how seriously you take security and recovery preparedness it signals your professionalism, organizational skills, and diligence. Good things – important things – for any business today. Check out how I do it here.
I’ve also put together a guide of
5 6 Easy Steps to Better Digital Security for you to download. I walk you through easy tools, practices, and processes you can start using right now to better lock down your digital business. Stupid easy, and you find end your day in a safer place than where you started it.