Small and medium-sized business owners have different challenges than large firms. Security, however, isn’t one of them. Organizations of all sizes are vulnerable to cyberattacks and other security lapses. For SMB’s, the risks can even exceed that of enterprises: 60% close within six months of a major data breach. Yet, a majority of small business owners say they don’t think they are a target.
Working on the assumption that you’re too small to be noticed is a risky proposition. Security through obscurity, or hiding in plain sight, exposes you to risks that could be mitigated or avoided entirely. Worse, cybercriminals are aware that enterprises are taking a more rigorous approach to security and are actively seeking less defended targets. Verizon’s 2018 Data Breach Investigations Report found that a majority of attacks (58%) targeted small businesses.
With so many digital systems powering modern business, SMB’s are handling more and more sensitive data, including work products, personally identifiable information (PII), financial records, and user analytics. And that’s true even in businesses and industries that don’t necessarily think of themselves as IT-centric.
Managing Your Risk Factors
Data breaches and cyberattacks like ransomware disrupt operations, harm reputations, and cost small businesses $120,000 to $1.24 million on average. Clearly, the dangers of failing to keep your data, equipment, and employees safe in the digital economy are significant.
The good news is that a proactive, company-wide security protocol, combined with a robust backup and recovery solution, can keep unauthorized eyes off your valuable data assets. But it takes a two-pronged approach — technical and social — to address both the tools your business needs and the people that use them:
- Virtual Private Networks (VPN)
- Multi-Factor Authentication (MFA)
- Password Hygiene (as per NIST recommendations)
- 8-64 characters
- Frequently checked against known leaks
- Change password only after it is reported on a leak list
- Disable hints
- No common dictionary words
- No sequential (e.g. “12345”) or repetitive (e.g. “aaaa”) patterns
- No mention of the program or username in the password
- Accounts auto-lock after several failed attempts
- Require password manager usage
- Phishing Awareness
- Spotting errors
- Not clicking unknown links
- Flagging suspicious content
- Keeping in contact with IT
- Not plugging unknown USB drives into PC’s
- Using security software on home computers
Staying One Step Ahead
In another parallel to the challenges of enterprises, SMB’s have to make security a 24/7/365 priority, and one that is backed by continuous monitoring, adaptation, and education. Cybersecurity is a cat and mouse game. As the attackers get more sophisticated, so must the defenders. One of the advantages of a managed security service is immediate access to full-time and real-time protection that evolves as the threat vectors change.
Particularly given the recent upsurge in ransomware (malicious software that encrypts all your data and then demands a payment for the key to unlock it), multiple, redundant backups and a rapid recovery solution, are a necessary complement to any cybersecurity protections you may have in place.
That said, like any other critical aspect of your business, security should never become so intrusive that it impedes overall productivity and efficiency. IT, inclusive of security, can be seamless, lightweight, and effective when it’s tailored to your specific needs. Security is a top-level concern, one that a company’s leaders need to find a practical balance that works for the entire organization.
Protect and Train Your On-site and Remote Teams
The current health crisis has spurred a massive uptick in remote workers at companies of all sizes. This has made the job of IT and security professionals that much more difficult. Keeping track of all employee activity on your network was a taxing enough responsibility when most of it was coming from just a few places.
Now, employees are connecting from all over and often using their own devices, which may not have business-grade security built in. That’s why it’s crucial to talk to employees about home equipment, recommend remote access software, VPN’s, and the dangers of connecting to public Wifi hotspots. Institute and Acceptable Electronic Use (AEU) and BYOD (Bring Your Own Device) policies that cover all these issues ahead of time.
One way to get your team up to speed on phishing attacks is through training and simulations. There are a number of services that will send fake phishing emails to your employees and record which ones fall for the phony attack and click a suspicious link, which disregard it but not notify IT, and which take the proper step of avoiding the link and flagging it.
Other training focuses on physical security, for example, teaching employees to hide their passwords, lock their desk drawers, and report individuals without required guest badges in the building.
Another issue of growing significance is social media. Ensure that any comments, images, or videos shared do not expose passwords, security equipment information, or sensitive PII. More often than people realize, there is a computer screen or whiteboard in the background of a photo that contains information useful to hackers.
Security training, both in the form of simulated phishing attacks and physical security procedures like locking sensitive equipment away when not in use, is especially important for SMB’s because many employees are unaware of significant security risk factors or the harm that can result from data breaches. Once training has been completed, consider testing employee retention with quizzes and surveys.
Security Has to Be a Company-wide Goal
One issue that transcends the low-level specifics of selecting and implementing a cybersecurity program, is the corporate culture that is tasked with keeping it top of mind. With so much at stake, everyone from the top of the company down, should be staying alert for common attacks and risks. If your company has a history of laxitude in this regard, it may be time to institute a shift in your priorities.
At the same token, forcing huge changes without buy-in or demanding overly burdensome but low impact security conduct — such as hard to remember passwords that are dozens of characters long, daily password changes when a longer interval will do, incessant alerts, overly complex and hard to follow procedures, or antivirus and firewall software that inadvertently blocks safe and useful business platforms — are usually self-defeating initiatives.
In those cases, users often end up just disabling or ignoring the annoyance, leaving you less defended than if you had taken a more measured approach. Instead, shoot for achievable, practical security goals that can be enforced company-wide with minimal interference to other business operations.
D2 Integrated Solutions leverages decades of experience managing IT security risks and today’s most advanced tools and best practices to keep your business safe from cyber threats. Contact us today about our comprehensive Managed Security services.