Having recently heard from small businesses here in town, I thought it might be helpful if I reiterate some of the concepts I have previously written about here on TLS.
Small businesses generally don’t think they’re a target for hackers. After all, they’re just small fry compared to the big businesses. Mostly they think, why would hackers be interested in me?
The truth is, when it comes to cybersecurity, size is not an issue. Most attacks are automated: scanners sweep the whole internet for exposed or unpatched systems and never stop to ask how big the company behind an address is. Small businesses generally don’t think about cybersecurity, and hackers know it, so some simple security steps are a must.
According to Verizon, the number of small businesses being hit has climbed steadily in the last few years – 46% of cyber breaches in 2021 impacted small businesses.
Protecting Yourself Is Not As Complicated As You Might Think
Securing your business is actually not very complicated or expensive. There are a few simple ways to help the smaller business secure its systems, people and data.
Install anti-virus software everywhere: on all your desktops, notebooks, tablets and phones. Most anti-virus vendors offer discounted multi-device plans, and for the price the protection is well worth it. These programs generally update themselves automatically as new threats appear, so that’s one less headache to maintain.
The shared database servers and web servers that support the core of the business are frequently overlooked. Consider every entry point into the network and have anti-virus deployed on every server, as well as on every employee’s own personal device that touches company data.
Hackers will inevitably find weak entry points to install malware, and anti-virus software is a good last-resort backstop. It is not the be all and end all by any means: it catches known malware once it lands on a device, but it does not find the unpatched software or exposed services that let the malware in. That is what the perimeter scanning and patching below are for.
Monitor Your Perimeter
Your business is exposed to remote attacks because your connections to clients, vendors and partners are available 24/7. Hackers are constantly scanning the internet for weaknesses, so it’s important to scan your own perimeter too. It’s easier than ever for attackers to discover your internet-facing weaknesses and exploit them.
The longer a vulnerability goes unfixed, the more likely an attack will happen. Most security professionals agree that it’s not “if”, it’s “when”. There are free or inexpensive open-source tools that most administrators can use to run vulnerability scans and internal scans of their own networks.
Even organizations that cannot afford a full-time, in-house security specialist can use online services or local experts to run vulnerability scans and uncover their weaknesses.
Most of these will quickly find the high-impact flaws, and if you keep the results from each scan you can also spot changes in the “attack surface” of the perimeter: a port or service that was not exposed last month and is exposed now is exactly the kind of thing attackers’ scanners find first.
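As an added example, not part of the original column, here is how an administrator can turn repeated perimeter scans into a simple “what changed” check. It assumes the scans were run with the open-source nmap scanner using its grepable output format (`nmap -sV -oG baseline.gnmap <your public range>`); the two scan outputs below are constructed sample data for the reserved documentation range 203.0.113.0/24, not real hosts. The script diffs the open ports between the baseline and the current scan and flags services that should normally never face the internet.

```python
"""Compare two nmap grepable (-oG) scans and report attack-surface drift.

Added example; the scan text below is constructed sample data.
"""
from collections import defaultdict

# Services that are high-risk when reachable from the internet (assumed list).
HIGH_RISK_PORTS = {
    21: "ftp", 23: "telnet", 445: "smb", 1433: "mssql", 3306: "mysql",
    3389: "rdp", 5900: "vnc", 6379: "redis", 27017: "mongodb",
}

# Constructed sample: last month's baseline scan.
BASELINE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sV -oG baseline.gnmap 203.0.113.0/28
Host: 203.0.113.10 (mail.example.com)\tStatus: Up
Host: 203.0.113.10 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 203.0.113.11 (www.example.com)\tPorts: 80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/\tIgnored State: filtered (998)
# Nmap done
"""

# Constructed sample: this month's scan. Someone opened RDP on the web server
# and a test proxy on the mail server; plain HTTP was turned off.
CURRENT_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sV -oG current.gnmap 203.0.113.0/28
Host: 203.0.113.10 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy//Squid/\tIgnored State: closed (997)
Host: 203.0.113.11 (www.example.com)\tPorts: 443/open/tcp//https//nginx/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (998)
# Nmap done
"""


def parse_gnmap(text):
    """Return {host_ip: {(port, proto, service), ...}} for open ports only.

    A grepable 'Ports:' entry looks like port/state/proto/owner/service/rpc/version/.
    """
    surface = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]          # "Host: 203.0.113.10 (name)" -> ip
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                if state == "open":
                    surface[host].add((port, proto, service))
    return dict(surface)


def diff_surface(baseline, current):
    """Return (added, removed): per-host sets of ports that appeared / vanished."""
    added, removed = {}, {}
    for host in set(baseline) | set(current):
        new = current.get(host, set()) - baseline.get(host, set())
        gone = baseline.get(host, set()) - current.get(host, set())
        if new:
            added[host] = new
        if gone:
            removed[host] = gone
    return added, removed


def risky_exposures(surface):
    """Return {(host, port, service)} for open ports on the high-risk list."""
    return {(h, p, s) for h, ports in surface.items()
            for (p, proto, s) in ports if p in HIGH_RISK_PORTS}


def report(baseline_text, current_text):
    """Human-readable drift report; returns the lines so they can be mailed or asserted on."""
    baseline, current = parse_gnmap(baseline_text), parse_gnmap(current_text)
    added, removed = diff_surface(baseline, current)
    lines = []
    for host, ports in sorted(added.items()):
        for port, proto, service in sorted(ports):
            tag = "  <-- HIGH RISK" if port in HIGH_RISK_PORTS else ""
            lines.append(f"NEW     {host} {port}/{proto} ({service}){tag}")
    for host, ports in sorted(removed.items()):
        for port, proto, service in sorted(ports):
            lines.append(f"CLOSED  {host} {port}/{proto} ({service})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE_GNMAP, CURRENT_GNMAP)))
```

Run it after each scheduled scan and save the new output as next month’s baseline; a “NEW … HIGH RISK” line should be treated as an incident to explain, not a report to file.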
Shrink Your Attack Surface And Use Multi-Factor Access
Your attack surface consists of all the systems and services exposed to the internet. The larger the attack surface, the greater the risk. Exposed services such as Microsoft Exchange for email or content management systems like WordPress, to take two common examples, are easy targets for persistent brute-force password guessing aimed at taking over user and admin accounts.
New vulnerabilities are discovered almost every day in these software systems. Remove public access to sensitive systems and admin interfaces that don’t need to be reachable by the public, and ensure Two Factor or Multi Factor Authentication is enabled on whatever remains. Requiring a second factor at login greatly limits your exposure and reduces risk. One caveat: codes sent by text message or email are far better than a password alone, but they can still be phished or intercepted, so prefer an authenticator app or a hardware security key where the service supports one.
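To make the second factor concrete, here is an added example (not from the column) of the time-based one-time password scheme that authenticator apps use, RFC 6238 TOTP, rather than the texted codes mentioned above. It uses only the Python standard library. The server side keeps a shared secret per user, accepts the code for the current 30-second step plus or minus one step for clock drift, compares in constant time, and remembers the last step used so a captured code cannot be replayed. The secret `b"12345678901234567890"` in the check at the bottom is the published RFC 6238 test-vector secret, not a real credential.

```python
"""RFC 6238 TOTP, server-side verification with drift window and replay check.

Added example using only the standard library; not code from the original column.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30      # seconds per time step (the RFC default)
DIGITS = 6     # code length shown to the user


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """What the login server does with the code the user types in."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window          # steps of clock drift tolerated either way
        self.last_counter = -1        # per-user state; stored in the user record in practice

    def verify(self, code, at=None):
        if at is None:
            at = int(time.time())
        counter = at // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue              # already consumed (or older): refuse replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def new_secret():
    """Enrolment: a fresh 160-bit secret, generated once per user and stored server-side."""
    return secrets.token_bytes(20)


def provisioning_uri(secret, account, issuer):
    """The otpauth:// URI encoded into the QR code an authenticator app scans."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"); expected "287082" at t=59.
    rfc_secret = b"12345678901234567890"
    print("code at t=59:", totp(rfc_secret, at=59))
    print(provisioning_uri(new_secret(), "alice@example.com", "ExampleShop"))
```

The window and replay logic is the part people get wrong: without the `last_counter` check, an attacker who phishes one code has a minute or so to reuse it, which is exactly why even app-based codes are not phishing-proof and hardware keys are stronger still.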
Use A Virtual Private Network (VPN)
Another simple step to reducing your attack surface is a virtual private network (VPN) for remote access. Instead of exposing internal systems directly to the internet, you expose only the VPN endpoint; employees working remotely or in the field connect to it first and then reach the internal systems through the encrypted tunnel. Traffic between the device and your network is encrypted, so it is incomprehensible to anyone on the path, and the internal systems stay invisible to the internet at large. Two caveats: the VPN server is now the front door, so it needs the same patching and multi-factor login as anything else that faces the internet, and every device that will reach internal systems remotely should go through it.
Keep Your Software Up To Date
Every day, new vulnerabilities are discovered in every kind of software, from web browsers to business applications. A single unpatched weakness can result in a complete compromise of a system and a breach of customer data. Hundreds of thousands of customer records have been stolen from our own local businesses, non-profits, schools and government agencies, and far more local organizations and websites have been hacked than is publicly known.
If you store electronic personal data about your customers, which is common, especially in healthcare, education and non-profits, you should assume you are a target and may already have been breached. Patch management is key. Keeping all your software up to date is essential to cyber security, and there are tools and services that check your systems for missing security patches. Your administrators can find these resources in a few minutes with a simple internet search; the important thing is to run them on a schedule and fix what they find.
Back Up Your Data
Ransomware is on the increase. In 2021, 37% of businesses and organizations were hit by ransomware. Ransomware encrypts any data it can find, making it totally unusable, and the encryption can’t be reversed without the attacker’s “key”. The perpetrators then extort money from you for that key. If you are lucky you will get it, but there is no guarantee, and many ransomware groups now also copy your data out before encrypting it so they can threaten to publish it.
Data loss is arguably the biggest risk to any business. It can happen in one of three ways: malicious intent, a mistake by an uninformed user or administrator, or a technical problem such as a hard disk failure. Backing up data is therefore an absolute necessity. If you can recover your data without paying the ransom, systems affected by ransomware can simply be wiped and restored from the latest unaffected backup without needing the attacker’s key. That only works if the backups themselves are out of the attacker’s reach, kept offline or in storage that cannot be overwritten from the network, and if you have actually tested a restore before you need one.
Make Your Staff Security Aware
Cyber-attacks are more often than not due to human error, so your staff must be trained in “cyber hygiene” so they recognize risks and respond appropriately. They must know about the dangers of malicious emails (phishing), text messages (smishing), phone calls and impersonated websites and callers. The Cyber Security Breaches Survey of 2022 revealed that the most common types of breaches were staff receiving fraudulent emails or phishing attacks (73%), followed by people impersonating the organization in emails, on the phone or online (27%), viruses, spyware and malware (12%), and ransomware (4%). Many of these fraud tactics are very sophisticated, so don’t reply. Delete the email or text, or hang up. Then call the real company, bank or agency on a number you already have and check for yourself.
Requiring long, unique passwords (a password manager makes that practical; the old “complexity” rules matter less than length and not reusing passwords across sites), switching on multi-factor authentication, and training staff to spot common attacks such as phishing emails and malicious links will make your staff a strength rather than a vulnerability.
Protect Yourself According To Your Risk
Your cyber security measures should be appropriate to your organization. A small business that handles banking transactions or has access to sensitive information such as healthcare data should employ much more stringent security processes and practices than, say, a pet shop or toy store.
That’s not to say a small retail store doesn’t have a duty to protect customer data; it’s just somewhat less likely to be singled out. Hackers are motivated by money, so the bigger the prize, the more time and effort they will invest. Managed Service Providers, who manage the IT systems of a few or many clients, need to identify each client’s threats and vulnerabilities as well as their third-party connections, because a provider’s own access is a single way into all of its clients at once. At the end of the day, it is the provider’s responsibility to follow the appropriate regulations and accept liability.
Small businesses are just as, or even more vulnerable targets than larger enterprises. Having adequate security processes in place is key because hackers will always follow the path of least resistance.