
Get to Know the Major Security Risks SMBs Face


Nearly all businesses nowadays have an online presence. It’s the cost they pay to remain competitive. If they’re not careful, it might not be the only cost they incur. Data breaches are steadily increasing among small to medium businesses (SMBs), and if you’re not prepared, it could cost you your business.

Having a website compliant with the latest security measures helps to mitigate some of the worry; although, it alone can’t entirely repel attacks. This is why you need to know how to secure your business from potential cyber threats.

Also, check out this interview I did breaking down Bookmark’s cutting-edge AI technology, cybersecurity, and more.

Social Network Security Risks

In today’s digital world, several challenges arise from how interconnected and networked the current marketplace is. For instance, social networks are good examples of businesses leveraging technological advancement for promotion. Even though it brings small businesses closer to their customers, it also increases their online security risk.

As your employees or sales representatives engage in networking and sales activity across various social networking platforms, new pathways into your business open up, making it vulnerable to attack. Because cyber attackers make it their mission to know how to exploit those avenues, you need to protect your business against social network cyber attacks.

What Are My SMB Security Needs?

Sophisticated phishing and malware attacks are the most common forms of cyber attacks nowadays. If these threats are not identified and stopped, they can cause huge losses for businesses. These security threats often seek to infiltrate the cloud applications you use, your business network, and endpoints.

There are several SaaS-based third-party security services that can help protect your business. Because they are SaaS-based, you don’t need to invest in hardware, which makes these solutions easier to deploy.

Perhaps the most crucial thing to consider is to take security risks seriously and to assess all your security measures proactively. Many small businesses don’t take their online security seriously until something goes wrong. Assess your level of security needs and invest accordingly.

Generally, cleaning up after a serious security breach costs far more than investing in prevention from the beginning would have.

People Are Your Biggest Security Threats

People remain the major security risk for any business. As cybersecurity threats become more sophisticated, even careful and committed employees may become victims by accidentally opening files or attachments with malware or viruses.

In this case, the best way to defend your business against cyber threats is to ensure you and your employees have consistent security training.

Every business should consider bringing in a third-party to get a proper security vulnerability assessment. If your business operates through an online website, protecting sensitive business data from hackers and other cyber criminals should always be your first priority.

It is therefore advisable to apply software patches as soon as they are released; to use proper security tools that help protect your entire IT estate from attack; and, more importantly, to promote a culture of security awareness.

Hackers Target Low Hanging Fruit


Small businesses often assume cyber criminals only target large and well-established businesses. That’s not true: according to Verizon’s Data Breach Investigations Report, 58 per cent of all cyber attacks are focused on small businesses. Cyber attacks target SMBs because, even though they hold less data than large enterprises, their networks are easier to access. They are low hanging fruit to cyber criminals.

Typically, a small business has fewer networks than a larger organization. Since there are fewer networks for cyber criminals to contend with, they can target and penetrate them more easily. Along with having fewer networks, a small business also has less security: most SMBs don’t invest in proper security measures due to a lack of time, expertise and budget. This makes it far easier for someone to steal personally identifiable information and valuable credit card details.

Small businesses should be aware of the security risk position they are in. Because they hold fewer digital assets than a large company but more than an individual consumer, they fall in the “cybersecurity sweet spot,” says Stephen Cobb, Senior Security Researcher, ESET. Moreover, since small businesses deal with larger enterprises as well, they are targeted as entry points for access to those larger businesses. A complacent attitude towards security will do a business no good once it experiences a major data breach. Either it is devastated by the attack and has no recourse other than paying a ransom to get its data back, or it goes out of business: according to the U.S. National Cyber Security Alliance, 60 per cent of small businesses that experienced a significant breach shut down within 6 months of the attack.

Here, you have a digital security version of Pascal’s Wager: even if the chance of a cyber attack is low, you’re better off investing in security, so when it does happen, you’ll be protected from potentially losing your business.

Although your security strategy may not be as air-tight or comprehensive as those used by larger corporations, never underestimate the importance of creating roadblocks on the way to your business data/information. It is important to put measures in place to prevent any possible security threat to your business.

Types of Cyber Attacks

Advanced Persistent Threats

Advanced persistent threats (APTs) are attacks designed to gain entry into a network and remain there undetected. They work in multiple phases to minimize any sign of their presence. Once inside, the attackers look to secure other routes into the system so that, even if the initial breach is repaired, they can still access your data at will.

DDoS Attacks

A DDoS attack is one that anyone who has played online games will be familiar with. It is short for distributed denial of service. This attack intentionally overloads an endpoint system with requests from multiple systems until it shuts down. Types of DDoS attacks include traffic, bandwidth, and application attacks.

Insider Threat

To understand this type of attack, think of mafia movies where there’s an informant working with the FBI. This one comes from someone inside your organization with administrative privileges. The most common example is an employee who gets fired and, in a final act of indignation before leaving, uses their credentials to release restricted company information.

Malware

Malware is a portmanteau of the words “malicious” and “software.” It’s an all-encompassing term for programs that seek to harm networks or gain illegal access. It includes software such as viruses, worms, spyware, and ransomware.

Password Attacks

Password attacks come in many forms, but 3 stand out: brute force, dictionary and keylogging.

Brute force attacks use programs that simply try to guess your password until they succeed. Brute force hacking is a trial and error method relying on exhaustive effort, but is not technically illegal. It works by trying every combination of letters and numbers in every possible sequence.

A dictionary attack is one that, at some point, tries every word in a dictionary to break into a system. These have proven successful at infiltrating some companies in the past because those companies used generic passwords (the kind you could find in a dictionary).

A keylogging attack uses a system monitor as surveillance to record each keystroke typed on a device. Keyloggers are spyware applications typically used to steal personally identifiable information (PII) and login details. In the context of stealing information they are illegal; in other contexts, like parental control monitoring, they are deemed legal.

Phishing Attacks

The most common tactic of cyber criminals, phishing is when you are tricked into signing up to a fraudulent site that appears legitimate. It tempts you to sign up by entering sensitive information, like your credit card details or login credentials. These cyber theft ploys are typically carried out through email.

The more targeted a phishing email is, the more likely it is to lure people and, ultimately, steal their information.

Ransomware

One of the most insidious developments in criminal cyber warfare, ransomware infiltrates your system and demands a ransom in exchange for restoring access. It can lock you out of your computer or threaten to release private information unless you pay a set price.

Zero Day Attacks

These are attacks that exploit flaws in systems that are unknown to security staff. Such exploits can live for days, months and even years until they are finally discovered and repaired; by that time, hackers are likely to have already established APTs.

Cybersecurity Measures You Can Take Now

Employee Training

People are always going to be the biggest threat to you and your business. Some threats are intentional and others unintentional. To ensure your employees are not the ones causing data breaches, create a cybersecurity strategy and culture, and train your people on network security processes that go further than just setting firewall permissions.

One in every 5 data breaches is caused by human error; therefore, train your employees to secure their devices and not to click on suspicious links or attachments in emails. They should also know not to give out any confidential information until they have confirmed the legitimacy of the source asking for it. The number 1 rule for making sure it’s safe to hand out information is to check whether the website has an SSL certificate.

Password Management

Most breaches occur because password management is non-existent. Create a password policy for your business that sets out which employees have access to which passwords. Make sure you don’t use a mere variation of the same password for every account; it’s important to diversify in case one gets leaked. Keep accountability if passwords are lost: if you find one employee is always the reason for a lost password, you can investigate further. Update your passwords every few months. If you are always changing your passwords, you reduce the exposure from a password-related breach.
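As an added example (not code from the article or from Bookmark), here is a small Python policy check that catches what the paragraph warns about: passwords built on a dictionary word with cosmetic substitutions, and a new password that is merely a variation of an old one. The word list is a constructed stand-in for a real dictionary or breached-password list.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a real wordlist; a deployment would load a large
# dictionary plus a known-breached-password list from disk.
DICTIONARY = {"password", "welcome", "summer", "company", "letmein", "admin"}

# Common character substitutions that add no real strength.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce 'Summer2024!' or 'P@ssw0rd' to the dictionary word underneath."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)   # drop trailing digits/symbols
    return stripped.translate(LEET)               # undo leetspeak


def is_dictionary_based(password: str) -> bool:
    """True when the password is a dictionary word in disguise."""
    return normalize(password) in DICTIONARY


def too_similar(candidate: str, previous: list, threshold: float = 0.7) -> bool:
    """Catch 'same password, new number' rotation; 1.0 would mean exact reuse."""
    return any(
        SequenceMatcher(None, candidate.lower(), old.lower()).ratio() >= threshold
        for old in previous
    )


def check_password(candidate: str, previous=(), min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_dictionary_based(candidate):
        problems.append("based on a dictionary word")
    if too_similar(candidate, list(previous)):
        problems.append("too similar to a previous password")
    return problems


if __name__ == "__main__":
    for pw, old in [("P@ssw0rd123", []), ("Summer2025!", ["Summer2024!"]),
                    ("correct horse battery staple", ["Summer2024!"])]:
        print(pw, "->", check_password(pw, old) or "OK")
```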

Anti-malware Software

Every business should use anti-malware software. It is software designed to scan for and delete malware programs. There are 3 forms of anti-malware: definition-based, heuristic, and sandboxing.

Definition-based anti-malware programs find malware using an archive of known malware signatures, which are blacklisted. The program compares suspicious files against these blacklisted definitions and, if the signature matches, the file is flagged as malware and deleted. Heuristic-based anti-malware programs scan for programs exhibiting odd behaviour, like automatically deleting other programs, and remove them. Sandboxing anti-malware isolates a program, runs it, and deletes it if there are signs of malicious intent.

Authorization

When authorization is built into security systems, it can limit the scope of user activity as set by an administrator. This can be set and changed under the permission and privilege settings of any network and can apply to individuals or groups as needed. This is where administrators can mitigate risk by granting privileges to select groups and excluding others. It’s advisable to restrict access to sensitive information as much as possible: only give permission to those who need to use it.

Encryption & Authentication

Encryption adds another layer of protection to your data in the event your system is infiltrated. If you use encryption, your precious data becomes unreadable to a hacker because it is scrambled into unintelligible bits. The only way it becomes readable again is by decrypting it with the appropriate key. Keep the key safe and you’ll have no worry about hackers reading your information.

Authentication is an added security check for persons who wish to access your data. It does not protect the data itself.

There are two ways authentication works: client-side and server-side. Client-side authentication includes things like usernames, passwords, and tokens, while server-side authentication uses certificates to identify trusted third parties. Authentication makes it possible to establish whether a person is who they say they are.

As great as these tools are for protection, they cannot completely prevent unauthorized access to a network.

Multi-factor Authentication

Multi-factor authentication means confirming your claimed identity through multiple pieces of evidence, or factors. The most typical instance is logging in to an account on your computer, entering your credentials, having whichever program you’re using send a code to your phone via text, and entering that code into the prompt to corroborate your claim.

This is especially powerful because the code is uniquely generated every time by the authentication server. The new trend is to have employees use their cellphones as a second layer of protection. For someone to steal your login credentials, steal your phone, unlock your phone, and then pass multi-factor authentication to log in as you is a long and unlikely process.
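An added example, not code from the article or from Bookmark: the server side of the text-message code step described above, in Python. It shows why each code is unique and single-use, why it expires, and why the server should store only a keyed hash of the code; delivering the code to the phone is assumed to happen elsewhere, and the `now` parameter is an injectable clock for testing.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 300   # a code is valid for five minutes only
MAX_ATTEMPTS = 5         # then the code is discarded, so guessing is impractical


class OtpService:
    """Server side of the 'code sent to your phone' step (constructed example).

    Each code comes from a CSPRNG, so it is unique per login attempt; only an
    HMAC of the code is stored, so a leaked table does not expose live codes;
    and every code is single-use and expires. issue_code returns the code so
    the caller can hand it to an SMS or authenticator-app sender."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._pending = {}   # user -> (code_mac, expires_at, attempts_left)

    def _mac(self, user: str, code: str) -> bytes:
        return hmac.new(self._secret, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue_code(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # six digits, zero-padded
        self._pending[user] = (self._mac(user, code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify_code(self, user: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False                       # nothing outstanding for this user
        code_mac, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            self._pending.pop(user, None)      # expired or burned: force a fresh code
            return False
        if hmac.compare_digest(code_mac, self._mac(user, code)):
            self._pending.pop(user, None)      # single use: never accept it again
            return True
        self._pending[user] = (code_mac, expires_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    svc = OtpService(secrets.token_bytes(32))
    code = svc.issue_code("alice")
    print("sent code", code, "-> verify:", svc.verify_code("alice", code),
          "-> replay:", svc.verify_code("alice", code))
```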

Mobile / Personal Device Security

Working remotely and using new mobile technologies for business are becoming more common. This presents more opportunities for intruders to access your network, thereby making you more vulnerable. Here are some guidelines you can enact now to make your network more secure:

  • Make a firm bring-your-own-device (BYOD) policy under which employees are not allowed to access business data on phones or personal devices other than their primary work device
  • If they work primarily on their personal device (laptop), make sure they secure the device
  • Back up all your devices on a consistent schedule
  • Have encryption on all mobile devices
  • Employees must enable a remote wipe feature in case their personal device is lost

Breaching your system directly isn’t the only way a hacker can get access to your information. If you work with third parties or vendors, they may become targets themselves. Since they have access to your information, such as credit card processing, payroll, and security, they could pose a threat to your business’s sensitive data if their network systems are compromised. Check third-party security capabilities before moving forward with them.

Here are a few security-focused questions to ask when working with third parties:

  • Ask about their latest security updates, policies, and procedures
  • Ask how frequently they back up their data on hard drives
  • Ask how frequently they perform system checks and sweeps
  • Ask about their data security employee training program

Back up Your Data

If you take one thing away from this article, make sure it’s to back up your data. Backing up your data should be a routine process.

Go back in time, when you were still in school, and remember when you had to write essays. Most people can attest they’re not fond memories. Picture this: you’re writing an essay, almost complete, and the power goes out. You lose everything because you didn’t save it every 30 minutes. Now you have to start all over from the beginning, with little idea of how you wrote it to begin with. That’s what it’s like to begin again once you’ve lost all your data. Not only will it set your business back, but it will cost you dearly in time and money to recover.

Back up your data on hard drives. Have at least 2-3 physical copies of your data stored in different locations in case of emergency. Backing up to the cloud is a good idea as well; however, it’s not good enough to just back up to the cloud when it’s your livelihood on the line.

Back up all your crucial correspondence, decks, word processing files, client databases, spreadsheets, contracts and accounts to hard drives immediately, if you haven’t already done so.

Software Updates

Staying up to date with the latest security patches is the easiest way to avoid becoming a target for cyber criminals.

Here are some tips to stay ahead of the curve:

  • Turn on automatic updates for PC or Mac
  • Use browsers that continually receive security updates when going online such as Chrome
  • Turn on security extensions like Blur or Sneekr for an added layer of security
  • Ask for a monthly report from your IT provider to scan for any suspicious activity

Use a Range of Data Security Controls

The most effective way to deflect hackers is to use as many modes of security as possible. Security controls can be broken down into three categories: encryption, authentication, and authorization.

Encryption methods for the web include the Secure Shell (SSH) and Secure Sockets Layer (SSL) protocols.

  • In SSH sessions, when communicating at the shell, data is encrypted between the client and server
  • In SSL sessions, data is encrypted between the client browser and the web server before any data is transferred

Authentication and authorization are typically used together. For example, when you log in to a website, your login credentials act as your authentication, while your authorization is what you are permitted to access on the website once you have been authenticated. Encryption, in this example, would be the protection of the content on the page.

By using all of these types of security together, you have a better chance of warding off cyber criminals.

How to Recover From a Cyber Attack

Extent of the Damage

  • When was the breach noticed?
  • Which services, systems, etc. have been affected?
  • What type of attack is it?
  • Who committed the attack and do they have an agenda? (external or internal?)
  • Who or what is the target of the attack?
  • Isolate the damage

Report Incident

Have an incident response plan in place. It is tremendously helpful to you as a small business owner: it’s your go-to guide if you ever experience a data breach. Remember, it’s always better to report an incident than not to. After a breach, you have the choice to own up to it or not. If you do, your reputation will be impacted negatively for some time; however, if you keep that information hidden and it somehow gets out, you’ve lost all your customers’ trust. Of the two options, the first is a hurdle for businesses, while the latter is a death sentence.

After you have ascertained the extent of the damage to your system, it’s time to identify the messages you will send to each of your audiences. Although it’s far more beneficial to be transparent with the public, that doesn’t mean you have to overshare. Share as many details as you can with each audience to convey the message without doing further damage to your reputation. This means not everyone should hear the sensitive details of the attack, but they all deserve to know what generally happened and how it affects them.

Your messaging strategy will differ for internal and external audiences. Internal groups will consist of audiences like employees, stakeholders, and third-party partners, while external audiences will include clients and media. Your messages will begin internally and, from there, flow outward to external audiences. Messages to stakeholders, clients and the media will include varying levels of detail according to their importance to your business. Give consideration to the timing of the messages you send to each audience.

The content of your messages should follow the golden rules of crisis response: begin with the cause of the incident and any key findings or learnings you’ve come across so far, move on towards the steps your business is taking to remedy the situation, and end with an apology and any actions your stakeholders should complete to safeguard their information going forward.

Reset Passwords

After having been breached, it’s imperative you reset your passwords. These are popular pathways into systems and there’s a good chance you can deny future entry just by doing this one simple thing.

Recover Data from Back up

After you have reset your passwords, you want to start over fresh. The best way to do this is to wipe and reformat your hard drive volumes (the infected devices, not the ones holding your backups). After that has been done successfully, reinstall your operating system. The next step is to verify your backup, meaning make sure the data in your backup is not corrupted: once it’s corrupted, it’s unusable. Once you have verified the backup, you can import it.
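An added Python example (not from the article or from Bookmark) of the “verify your backup” step: record a SHA-256 manifest of every file when the backup is made, then check each file against it before restoring. The files and the corruption in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """At backup time: record the SHA-256 of every file under the backup.
    Keep the manifest somewhere other than the backup media itself, so damage
    to the backup cannot also damage the record of what it should contain."""
    return {p.relative_to(backup_root).as_posix(): sha256_file(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Before restore: classify every file as ok, corrupted, missing or unexpected."""
    report = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = backup_root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    present = {p.relative_to(backup_root).as_posix()
               for p in backup_root.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(present - set(manifest))   # files nobody recorded
    return report


def safe_to_restore(report: dict) -> bool:
    """Only restore from a backup whose every recorded file is intact."""
    return not report["corrupted"] and not report["missing"]


def demo() -> tuple:
    """Constructed scenario: a tiny backup, its manifest, then silent damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clients").mkdir()
        (root / "clients" / "database.csv").write_text("id,name\n1,Example Co\n")
        (root / "contracts.txt").write_text("constructed contract text")
        manifest_json = json.dumps(build_manifest(root), indent=2)  # store off-media
        manifest = json.loads(manifest_json)
        clean = verify_backup(root, manifest)
        # Simulate bit rot in one file and loss of another before the restore.
        (root / "contracts.txt").write_text("constructed contract tex")
        (root / "clients" / "database.csv").unlink()
        damaged = verify_backup(root, manifest)
        return clean, damaged


if __name__ == "__main__":
    for label, report in zip(("fresh backup", "damaged backup"), demo()):
        print(label, "-> safe to restore:", safe_to_restore(report), report)
```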

If no one on your staff feels comfortable with this task, hire a third-party security services provider to help you recover your data.

How to Identify a Cyber Threat


It’s better to have anti-malware and security programs do this for you; however, if you have a feeling your system is compromised, here are some common indicators:

  • Unusual login times
  • Slower speeds across networks
  • New devices on networks
  • New users with admin privileges
  • Errors in applications
  • Errors or unusual entries in system event logs
  • Workstations with unusually high traffic
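To show how several of these indicators can be checked automatically, here is an added Python example (not from the article or from Bookmark) that runs simple rules over constructed log lines in a key=value format; the device inventory, business hours and error threshold are assumptions for the demo.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real logs) in a simple key=value format.
SAMPLE_LOG = """\
2024-03-12T09:02:11 host=fileserver event=login user=jdoe src=10.0.0.23
2024-03-12T02:14:07 host=fileserver event=login user=asmith src=10.0.0.40
2024-03-12T02:16:30 host=dc01 event=user_added user=svc_backup2 group=Administrators by=asmith
2024-03-12T02:20:05 host=dhcp event=dhcp_lease mac=aa:bb:cc:dd:ee:ff ip=10.0.0.77
2024-03-12T10:15:00 host=dhcp event=dhcp_lease mac=00:11:22:33:44:55 ip=10.0.0.23
2024-03-12T03:01:00 host=webapp event=app_error msg=db_timeout
2024-03-12T03:01:05 host=webapp event=app_error msg=db_timeout
2024-03-12T03:01:09 host=webapp event=app_error msg=db_timeout
"""

KNOWN_DEVICES = {"00:11:22:33:44:55"}   # assumed inventory of approved MAC addresses
BUSINESS_HOURS = range(7, 20)           # assumed: 07:00-19:59 is a normal login time
ERROR_THRESHOLD = 3                     # assumed: this many errors on one host is notable


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_indicators(log_text: str) -> list:
    """Apply one rule per indicator and return (kind, subject, detail) tuples."""
    findings = []
    errors = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["event"] == "login" and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("unusual_login_time", e["user"], e["ts"].isoformat()))
        elif e["event"] == "user_added" and e.get("group") == "Administrators":
            findings.append(("new_admin_user", e["user"], e.get("by")))
        elif e["event"] == "dhcp_lease" and e["mac"] not in KNOWN_DEVICES:
            findings.append(("new_device", e["mac"], e["ip"]))
        elif e["event"] == "app_error":
            errors[e["host"]] += 1          # count errors per host, report below
    for host, count in errors.items():
        if count >= ERROR_THRESHOLD:
            findings.append(("repeated_app_errors", host, str(count)))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(*finding)
```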


Now that you understand the risks facing small businesses and the importance of protecting against potential cyber attacks, do yourself a favour and invest in security before you need it.

Bookmark Website Builder