It’s almost impossible to do business these days without relying on the internet. Unfortunately, though the internet has revolutionized how we do business, not all the changes it has brought with it have been positive. Cybercrime continues to be a worldwide threat, and all businesses, no matter how large or small, may be targeted.
Cybercriminals are Increasingly Targeting Small Businesses
When I sit down with small business owners and ask them about their cybersecurity, too often, they scoff. “Why do we need that?” they ask me, “We are much too small to be targeted by cybercriminals. Those guys go after big fish, like CapitalOne.” Unfortunately, that statement is far from true. Cybercriminals are increasingly targeting small businesses, many of whom aren’t prepared to detect and fend off a cyberattack.
According to the latest Verizon Data Breach Investigation Report (DBIR), 43% of all reported cyberattacks in the United States targeted small businesses. Considering that 95% of businesses fall into this category, these attacks are a serious threat to many business owners.
Even more alarming, the report found that 54% of small businesses still think they’re too small to be targeted by a cyberattack, which is at odds with the fact that cyberattacks on small businesses increased by 424% last year. In fact, 1 in every 323 emails sent to small businesses is malicious, and the average small business received 94% of its detected malware via email.
What Makes Small Businesses Vulnerable?
Like all businesses, small businesses are run by humans, and humans are error-prone. Human error and system failure account for 52% of data security breaches, and 63% of confirmed data breaches occurred because cybercriminals were able to leverage weak, default, or stolen passwords.
Considering small businesses are common targets for cyberattacks, most are woefully unprepared. Only 14% of small businesses rate their ability to defend themselves from cyberattacks and mitigate risk as highly effective. Almost half of all small businesses don’t even know where to begin when it comes to protecting themselves, and 3 out of 4 businesses don’t have personnel who can address IT security.
No Cybersecurity Rainy Day Fund
A cyberattack, even a relatively small one, can have devastating consequences. Even though 50% of surveyed small businesses reported suffering from at least one cyberattack in the last year, 83% of small businesses don’t have money set aside to deal with the financial consequences of such an attack.
What can I do to Protect my Small Business?
Most small businesses are too small to have a dedicated IT person, let alone one with enough cybersecurity training to safeguard the company from cybercriminals. That’s why more small business owners are turning to the experts for help.
By outsourcing your cybersecurity, you can rest easy knowing that you have a whole team of experts on your side. This team can assess your current cybersecurity posture honestly and effectively, and help you create the tailored plans you need to effectively detect, respond to, and even avoid potential attacks. They are also able to monitor your network for suspicious activity and secure your endpoints and email.
Cybersecurity Best Practices We Can All Benefit From
Though small businesses are increasingly being targeted, that doesn’t mean the rest of us are off the hook. There are a few things your business, no matter its side, should be doing to help safeguard your digital assets.
Provide Security Awareness Training
Even the best cybersecurity programs and protocols are useless if your employees don’t know what to do or how to use them. That’s why all businesses should be providing robust and informative cybersecurity training. At the end of the day, your employees are your first line of defense, and they are also cybercriminals’ number one target. That’s why your employees must be able to recognize potential threats (such as phishing emails), know what to do and what not to do, and know who they should alert if something doesn’t seem right.
Make sure you develop a comprehensive training routine for all new employees and provide refresher training to all current employees at least twice per year. These training sessions should teach employees important things like why their passwords need to be strong and why they shouldn’t store their passwords or reuse them, and train them to be skeptical of suspicious emails or phone calls. Just a few hours of training each year can dramatically increase your cybersecurity posture.
Conduct Regular Vulnerability Assessments
How do you protect your business if you don’t know what needs protecting? All companies should have a solid grasp on what their attack surface is, where it is, and what specifically cybercriminals might target.
This is where vulnerability assessments come in. These assessments come in two main types: external and internal. External threats are what most people picture when they think of a cybersecurity attack or incident: a cybercriminal trying to exploit a vulnerability in your defenses or hoping you fall for a phishing email. External assessments focus on attacks and issues that originate from outside your organization.
Internal assessments, on the other hand, focus on attacks and other problems that originate from within the company. While this may be in the form of a disgruntled employee (or former employee, if you didn’t remember to revoke their access privileges), it can also mean employees accidentally deleting critical data or malware that somehow managed to sneak past your outer defenses and is now attacking your business from the inside.
Running vulnerability assessments allow you to stress test your defenses in a no-stakes environment. These assessments let you find holes in your environment that malicious actors can target. 60% of all breaches occur because of a known vulnerability that wasn’t patched properly. By continually looking for vulnerabilities in your defenses, you can patch these weak spots and reduce your chances of a successful breach.
Do you lock your front door before you go to bed? Most of us do, and for a good reason. Anti-virus software is like locking your door at night: It may not keep someone from breaking in, but it does make breaking in harder, which can deter at least some criminals.
That being said, a flimsy lock is easily broken. Avoid old signature-based anti-virus programs (which can only detect malware whose signature it recognizes) and, instead, choose something more robust and dynamic like Cylance or SentinelOne.
Get a Good Firewall
Compared to a lot of fancy new cybersecurity programs, a firewall can seem almost antiquated. However, this humble piece of software and hardware isn’t dead, and won’t be for some time. In fact, it plays a vital role in your cybersecurity defenses. Almost all small businesses that do business out of a physical location need a firewall, and fortunately, most have them.
Your firewall is like a front desk security guard for your network: Her job is to make sure that only authorized users and devices can access your network.
Today’s firewalls are much more sophisticated than their early ancestors, who simply opened or blocked ports. However, because they are becoming increasingly complicated, your day to day network administrator or IT person may not be able to configure or manage them properly. Configuration issues, not flaws, cause 99% of all firewall related breaches. Unless your IT team includes a firewall expert, you should consider outsourcing your firewall management to an MSSP.
Implement & Manage Password Policies
As we mentioned at the beginning of this article, 63% of confirmed data breaches occurred because cybercriminals were able to leverage stolen, weak, or default passwords. That’s why it’s critical for small business owners to take the time to train employees as to why secure passwords are important and why you should never use the same password on more than one site.
To help you establish good password guidelines, you may want to consider following the NIST standards, outlined in section 18.104.22.168 of their digital identity guidelines. To help ensure employees are following your security requirements, you may also want to consider relying on something like Active Directory. This ensures that employees choose passwords that meet your pre-established standards.
Use Multi-Factor Authentication (MFA)
You should be using MFA on any system or site that allows it. MFA is a security enhancement that requires you provide 2 pieces of evidence (your credentials) whenever you want to access an account. For many websites, this involves having you enter your username and password into the appropriate fields, and then having you enter a one time token or passcode (usually a relatively short random numeric code) which is sent to your phone or another device you own into the site before it will log you in.
While MFA is no silver bullet, it can make it much more difficult for attackers to breach accounts, even if they have gained access to a user’s credentials. Since most phones display the random numerical code as a push notification, MFA has the added benefit of alerting users when someone else attempts to access their account. As such, all employees should be required to use MFA at work whenever possible, and strongly encouraged to use it for their personal accounts as well.
As more businesses move their email and applications to the cloud, one thing you may want to consider before following suit is whether or not these cloud-based services offer MFA. One of the most widely used cloud-based platforms (O365) allows MFA and offers a lot of the products many small businesses already rely on (including Outlook, Word, and Excel).
Implement Role-based Access
While you may be tempted to save time by just giving all your employees access to everything, that isn’t a great idea. When your company is really small, say between 3 and 5 employees, your entire team may need to access everything because they all wear so many hats. However, as your business grows and your employees become more specialized, you should begin to restrict their access so that they can only access portions of your network they need to do their jobs. By being more selective when it comes to access, you can reduce the amount of damage an attacker can inflict. For example, if Jan the receptionist has her credentials compromised, your financial records are still safe because she never had access to those files anyways.
Backup Your Data
It never hurts to have a backup plan. Ransomware is still a serious threat and can wreak havoc on businesses of any size. However, small businesses typically have fewer liquid assets, and may not be able to survive being shut out of their network for long periods. While ransomware victims may be tempted to pay the ransom, that still doesn’t guarantee that you will get all of your files back.
When all else fails, the best thing you can have in your pocket is a good working backup. Many small businesses get caught up in their day to day operations and may not realize that backing up their data is incredibly important. However, a good backup can be the difference between resuming normal operations and scrambling to get work done.
What happens if the server dies? Or someone’s laptop won’t boot up? If the thought of either of those scenarios could cripple your business, you should seriously consider rethinking your data backup policy. Regular backups can help get your team back on track with minimal downtime.
What if I Use the Cloud?
Even if you rely on the cloud for everything you do, you should still be backing up that data. Just because data is in the cloud doesn’t mean it is automatically backed up. If the cloud’s servers go down, and you don’t have your own backup, you may be in serious trouble. Make sure you check with your cloud provider since data backup often isn’t enabled by default and is rarely offered as a complimentary service. After all, it’s always better to be safe than sorry.
This may seem like a lot, but I promise you the work you do now may save your business one day. You also don’t have to figure this all out on your own. We’re here to help.