10 Steps to Protect Your Small Business from Cybersecurity Threats
October 27, 2021
One in five small businesses experience cybersecurity attacks or data breaches. And, on average, each one of those attacks cost $38,000.
On top of that, the recent acceleration of remote working, telehealth, e-commerce, and distance learning over the past two years has increased the likelihood of cybersecurity attacks across multiple industries. The use of less secure devices and networks has provided attackers with more opportunities to manipulate security gaps, and they have ramped up efforts to take advantage of those weaknesses.
The recent acceleration of remote working, telehealth, e-commerce, and distance learning over the past two years has increased the likelihood of cybersecurity attacks across multiple industries.
Threat actors have also been known to utilize techniques to exploit people's fears. BBC.com reported that during April of 2020, for example, scammers were sending 18 million hoax emails about Covid-19 to Gmail users every day. The tech giant says there has been an explosion of phishing attacks in which criminals try to trick users into revealing personal data.
And while the Twitter Bitcoin hacking scam of prominent US figures was front-page news, sophisticated attacks occur every day that most people never know about. The Center for Strategic and International Studies (CSIS), a US bipartisan think tank, outlines significant cyber-attacks on government agencies, defense, and high-tech companies. Their list includes over 100 events in 2021 alone as of the writing of this article.
The fundamental shift in the way we work is a major cause of these attacks. From our supply chains, to risk management, to regulatory oversight, to how employees and customers view their interaction with the digital world, all are being reshaped as McKinsey outlined in a report from last year.
So, how do startups and small businesses protect themselves from these breaches?
Step 1 - Be Flexible
The challenges facing business owners multiply as users, customers, partners and the resources they need to access changes rapidly. However, there are key areas on which you should focus when building (and revising) your playbook.
Step 2 - Educate Users
BitDefender shared that companies' common enemy for data breaches is, unfortunately, often their own employees. Not surprisingly, the evolution of cybercrime in recent years shows attacks consistently rely on the human factor to succeed. In 2017, 20% of registered breaches were due to employee negligence. The percentages increased slightly in 2018, to 21%, only to return to 20% in 2019. The term "employee negligence" encompasses several attack methods, including phishing and malware attacks launched from emails or unsecured devices. There is rarely any malice, and attacks happen most often because of a lack of or infrequent education.
Remote teams, who have less direct contact with supervisors and co-workers, may be even more susceptible. Employing regular online security training to teach staff how to avoid risks is vital. Conducting frequent awareness campaigns (the National Cyber Security Centre has valuable content) combined with frequent anti-phishing tests will also be useful.
Step 3 - Develop Bring Your Own Device (BYOD) Policies
Personal devices used by employees working from home can not only put your data and that of your customers, partners, and vendors at risk, but it can also expose the employee's personal information should your company network be breached.
Establishing a BYOD policy streamlines operations and saves your organization money on laptops’ purchase and maintenance. Many companies offer employees a stipend instead of covering device costs and data plans. Other advantages BYOD offers are increased productivity, as staff are already comfortable using their own devices.
Regardless of the type of devices being used, your BYOD policy should include:
- VPN required use
- Minimum required security controls
- Where data will be stored
- Inactivity timeouts
- Your remote wipe policy
- Industry-specific/compliance restrictions and requirements
- Acceptable use guide
- Mobile device management software
- Two-factor authentication for company applications
- Simple sign-up process
Step 4 - Know The Risks
The attack mentioned earlier on a US federal agency is thought to have been possible when hackers gained initial access by using employees' legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.
As for how the attackers managed to get their hands on the credentials in the first place, U.S. Cybersecurity and Infrastructure Security Agency's investigation turned up no definitive answer – however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.
"It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure," according to the alert.
School districts utilizing video collaboration tools such as Zoom have increasingly become targets of hackers demanding ransom in return for unlocking district computer servers that they have taken "ransom." When Clark County School District refused to pay, hackers released sensitive data, including Social Security numbers, student grades, and other private information to the public.
Step 5 - Penetration Testing
Each mobile and desktop application that your company uses can be an open door, a vulnerability, a new opportunity for hackers to breach the walls. By proactively finding and addressing vulnerabilities in your networks, systems, and applications, you will be one step ahead of those looking to take advantage. This can be accomplished through penetration testing. Penetration testing (or pen testing) is a method to delve into your small business’s IT environment and identify how hackers can exploit the exposed vulnerabilities. It's commonly called ethical hacking, as it involves having pen testers mimicking the hacker's act, but with permissions.
By proactively finding and addressing vulnerabilities in your networks, systems, and applications, you will be one step ahead of [cybersecurity threats].
The first step here is to have the pen testers scan for security vulnerabilities in your IT infrastructure. Once the vulnerability assessment is completed, you can leverage pen testing to identify ways a hacker can exploit your environment's weaknesses and build a robust vulnerability management program.
Step 6 - Know Your Data
Three key factors, known as the CIA Triad, should guide your efforts in keeping your data secure: confidentiality, integrity, and availability.
- Confidentiality - Confidentiality refers to data privacy and providing access only to those with approved access. Data encryption is a standard method of ensuring confidentiality.
- Integrity - Integrity refers to the consistency and accuracy of data over its life cycle.
- Availability - Availability ensures that the data is accessible when needed and by all who need it. Ensuring availability often involves redundant systems and creating backups.
While all of your information is important, certain data types are particularly at risk because of its value to others. This includes personally identifiable information, your company's intellectual property, sensitive government information, or financial data.
Step 7 - Know Your Roles
Small businesses must determine the right access control model to utilize based on their industry, how sensitive the data they are managing, and any potential regulatory considerations. If your data could be of any value to someone else who does not have the authorization to access it, then your organization must implement strong access control. A Carbon Black report outlined how a botnet mined sensitive information that included internal IP addresses, domain information, usernames, and passwords.
Here are the four types of access control you could implement for your business:
- Discretionary Access Control (DAC) - A discretionary access control policy is a means of assigning access rights based on rules specified by users. The underlying philosophy in DAC is that subjects can determine who has access to their objects.
- Mandatory Access Control (MAC) - Mandatory access control (MAC) is a security strategy that restricts the ability of individual resource owners to grant or deny access to resource objects in a file system. MAC criteria are defined by the system administrator, strictly enforced by the operating system (OS) or security kernel, and cannot be altered by end-users.
- Role-Based Access Control RBAC - Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges. The components of RBAC, such as role-permissions, user-role, and role-role relationships, make it simple to perform user assignments.
- Attribute-Based Access Control (ABAC) - Attribute-Based Access Control (ABAC) is a logical access control model that is distinguishable because it controls access to objects by evaluating rules against the attributes of the entities (subject and object), actions, and the environment relevant to a request. Attributes may be considered characteristics of anything that may be defined and to which a value may be assigned.
Step 8 - Move Beyond Passwords
An upside to WFH is that the sticky note that "Bill" has on his monitor with his passwords is no longer creating a security risk. You cannot blame Bill too much. The human brain has its limitations. According to psychologist George Miller, humans are best at remembering numbers of seven digits, plus or minus two. With all the various systems we need to access, we are becoming overwhelmed. In 2016, RoboForm surveyed web users, and 74 percent said that they were using six or more websites or applications a day. No wonder Bill needs a sticky note.
The challenge from a security standpoint is that passwords are creating weak points in the systems. A Verizon report noted that in 2020 stolen and weak credentials were responsible for 80% of corporate hacking-related data breaches.
Even if you have staff that are diligent about utilizing complex passwords and update them regularly, hackers can often make quick work of them. During an Ars Technical experiment in 2013, hackers managed to crack 90% of 16,449 hashed passwords. Six passwords were cracked each minute, including 16-character versions such as 'qeadzcwrsfxv1331.'
The cost of an antiquated password system goes beyond the security risk they pose. There are operational costs of maintaining passwords, including help-desk expenses and the lost productivity of employees who become locked out of critical systems.
New technologies such as biometrics, user analytics, risk-based adaptive authentication, and geolocation will provide small businesses with next-generation cybersecurity systems.
New systems often include multiple-factor authentication that occurs through separate routes. This makes it more difficult for those trying to access data without authorization. It is also interesting that while multiple-factor authentication may seem more complicated, it can often reduce user friction by allowing employees and users to choose how they access digital information. Below are just a few of the tools that you can use to enhance system security, improve user experience, and accelerate your business goals.
- Facial recognition
- Iris Scan
- Vein scan
- Voice analyzer
Other authentication tools
- Usage times and access patterns
- Soft tokens
Step 9 - Focus End To End
Endpoint security or endpoint protection is another approach to protecting computer networks that are remotely bridged to client devices. The connection of laptops, tablets, mobile phones, Internet of Things (IoT) devices, and other wireless devices to corporate networks create attack paths for security threats.
CSO Online shares recent trends in endpoint security.
- Machine learning and AI
- SaaS-based endpoint security
- Layered protection against fileless attacks
- Putting IoT devices under the protective umbrella
- Reducing complexity and consolidating agents
Step 10 - Open Lines Of Communication
While technological solutions will undoubtedly reduce the lion's share of cybersecurity threats, there is no substitute for open and regular communication. This is even more critical in remote teams.
According to an Information Systems Audit and Control Association (ISACA) survey, only half of the business owners and team leaders were highly confident that their teams were ready to detect and respond to the increased threat of cybersecurity attacks. Speaking up and addressing concerns will help keep your small business, or your clients, working safely now and in the future.