I run a freelance writing business out of a home office. In many ways I have everything that a more typical corporate office has. I have phone lines, internet connections, printers, computers, fax machines, copy machines, scanners, lights, chairs, desks, file cabinets, and so on. I just have less of them.
I only have one desktop computer, but there is no one else looking to use a computer in my office. Plus, I have a netbook for writing mobile office style, and a full-size laptop from HP for when I want a big screen, full-size keyboard, and the kind of mobility that goes from desk to table to couch to porch to patio and back to the home office downstairs. Don’t get me started on how many printers I have thanks to HP making the very bad strategic business decision to not support the HP LaserJet 1012 on Windows 7 with new drivers.
The one thing that I do not have, however, is a corporate security guy or loss prevention team. It’s just me.
Handling Business Security As An Entrepreneur
I used to be a high-level computer systems guy and a Microsoft Certified Systems Engineer (MCSE). I keep up to speed out of natural interest and as a freelance technology writer, so it isn’t like I don’t know my way around computer security and security software and protocols. It is not the same.
Fortunately, the same point about my home business being smaller applies in some ways to security as well. There really aren’t too many international hacker rings dedicated 24/7 to breaking into my systems since they aren’t going to find any valuable trade secrets or databases filled with customer credit card numbers. In the industry, it’s called security by obscurity, and it is a very dumb way to try and stay secure.
The sad fact is that a lot of hacking these days does not involve a guy sitting behind the keyboard of a computer in his parents’ basement trying to get a TV station to play a certain movie during the wee hours of the morning. (Bonus points if you know what movie I am alluding to.) Rather, the majority of hacking takes place in the form of small computer programs, or bots, that just randomly ping around cyberspace testing for security weaknesses and exploiting them. In other words, it isn’t true that no one is looking for me; it’s just that the looking is done by mindless computer programs that are just as interested in a security hole on my little PC as they are in one on a major credit card number database at Visa.
And this is where the “good enough” advantage of a small business compared to a large enterprise ends. If Wal-mart gets hacked and coughs up sensitive financial data on millions of its customers, it makes a press release, offers to provide free credit monitoring for one year, and moves on. Even if they did get fined or investigated or whatever, it wouldn’t hurt them too much.
For a small business, things are very different. If hackers managed to compromise my computer network and in any way cause trouble for some or all of my clients, I could lose my entire company. I could possibly have to start a freelance writing business from scratch all over again under a different name because I would no longer have either the income from my clients who fired me, or their glowing referrals and recommendations that allow me to get new clients.
“Oh yeah, he’s a great guy, and we loved his work. It’s just that after he let that computer virus into our home office by connecting his laptop remotely, we had to stop using him.” I can see the potential clients pushing and shoving to bang on my door and beg me to come work with them after hearing that. [– Insert big fat eye roll and sarcastic tone –]
Implementing network security for a small business can be tricky. There are tons of software programs that you can buy, but if they aren’t set up correctly or if you just click “OK” every time one of them asks you a security question, they aren’t going to help. Besides, that isn’t the biggest threat. Viruses are a bummer, but they eventually get detected and deleted.
The biggest issue in home office computer security is the same that every regular computer user faces: passwords.
Like you, I have too many passwords to even list. Email accounts, social networks, bank accounts, website logins, and more. As an entrepreneur who works with numerous clients I have another set of passwords, the login information to their networks, VPN, websites, data storage, or online services that they provide to me so that I can do my job. If my own computer were to be compromised, all of those could be at risk.
I also have to be very careful to never re-use a username and password combination lest having one account compromised mean several client accounts are compromised. Can you imagine the nightmare of having the weak password controls at Facebook beaten and then having the hackers try that username and password, just in case, on a client site and find themselves with full access? And everything they do would be logged for the client’s corporate security team under MY username and password.
There are a lot of solutions, but many of them are either cumbersome, or insecure themselves. Like a lot of people, I originally fell back on creating and then using a dozen or so “usual” passwords. If I ever tried to log into a site where I couldn’t remember the password, I would just go through the list until I hit the right one. Of course, this is NOT good security.
Password Management Security Programs for Small Business
Whenever I log into a website Firefox offers to remember my username and password. Of course, if I were a hacker, one of the first things any of my trojans, bots, or viruses would do is look for the files that have that information saved in them. Better take advantage of that password protection feature in Firefox and not turn it off to make things easier.
Not all of my passwords and usernames are for websites, or at least not only for websites. I have PIN numbers for ATM cards, door keycodes for offices, and who knows what else. Besides, I use three or four browsers depending upon what I am doing.
For several years now I have been using KeePass as my solution to this mess. It allows you to store whatever username and password information you like within a database. That database is locked with a password, and if you desire, a key-file as well. It’s secure enough that it probably isn’t worth anyone’s effort.
The catch was that it was only on one computer, a problem I fixed by using Microsoft’s FolderShare synchronization service, and then with Live Sync (which I can’t upgrade because I still have one Windows XP computer left. Ironically, it’s Microsoft’s fault since they hamstrung netbook manufacturers with low hardware limits so I can’t upgrade it to Windows 7 without upgrading its memory too, and who has that kind of spare time?).
The other issue with KeePass is that I have to start up KeePass and go find the username and password and then input that into the website I’m trying to log in to. That’s kind of cumbersome and time-consuming, which means I end up doing bad things like using the same username and password on multiple forums — just for now, or letting my browser remember the username and password and hoping I remember to sync them all up, or just as bad, emailing them to myself so that I can find it later. Yikes.
KeePass has a way to integrate with your browser via a plug-in, but I don’t really like the idea of plug-ins on my security software, and even if I didn’t care, it never really worked very well for me.
Recently, I re-tried LastPass. I have tried LastPass before and didn’t like it, although I don’t remember what my specific complaint with it was. All I know is that I uninstalled it and went back to using KeePass instead. I gave it a new shot after it showed up as a Google Chrome extension and liked it enough to install it for all of my other browsers as well.
There are some hiccups. The biggest one is that it somehow messes up my Google website log-ins. The browser ends up reporting that something is redirecting in a way that will never complete, or in the case of IE, just saying that it couldn’t be found. (Thanks for the no information of any kind, guys.) After telling LastPass to never remember anything for google.com, those websites and services started working again. Unfortunately, that also seems to have told Firefox not to remember them either and I’m not sure that I want that.
However, so far, I would have to say that in the extra work versus increased security game, it is coming out ahead. Most importantly, when I sign up for new websites, or writing forums, or accounts, I am NOT re-using passwords. In fact, I’m not even coming up with new passwords. One of LastPass’s features is to generate a password for you whenever it detects you registering for a new account of some kind. That means that not only are my passwords unique, they are more secure than ever before since they have no real words and contain numbers and capital letters like they are supposed to.
Lately, I’m feeling a lot better about my online security and the security of my clients as it relates to my usage. As a successful businessman you must always think about the next thing. So, naturally, my security fear has wandered.
I have the firewall from Windows 7 running on my computer, but what is it doing? Is it helping at all? If everyone with Windows 7 is running the same firewall with the same default configuration, don’t all the hackers in the world have that taken into account as they go about their business?
What if they are in my system already? What if they stop me from warning people by keeping me from finishing this post? What if —
(Just kidding. But, seriously, does anyone have good, easy, non-intrusive solutions or tips on small business security for home offices?)
This post was originally meant for my personal Brian Nelson writer blog that I often neglect, but after it blossomed from a few words to a long treatise, I moved it here. Instead, I wrote about maximizing your writing earnings by billing per project instead of per hour.