Cybersecurity Challenges & Best Practices for Small to Medium Sized Businesses
In the era of digital advancement, we must take the necessary steps to protect sensitive data. Since the inception of the Internet, we have come a long way. These days, the Internet has become an essential tool in any successful business, large and small. Businesses of all sizes have incorporated the Internet into almost every aspect of their operations. With the tremendous growth of the Internet and other technologies, there are more and more security risks involved. Businesses at times take these security risks lightly, but they are a bigger concern than most businesses believe them to be. Since most businesses do not believe they are at risk, they are not prepared to defend against a cyber attack. Contrary to popular belief, small to medium sized businesses (“SMBs”) are actually principal targets for cybercrime. Not only are they targets, but they are also gateways into larger organizations, because of the direct and indirect business relationships these smaller businesses have with the larger organizations. Once a cybercriminal gets access to private data in a small to medium sized business, they may also have access to data in the larger organizations it does business with. This article outlines security risks and best practices that help small to medium sized businesses ensure data privacy and safeguard against cyber attacks.
Why are Small to Medium Sized Businesses Attractive Targets for Cybercriminals?
SMBs are attractive targets for cybercriminals because they are easier targets than larger organizations. Smaller organizations face the same threats as larger organizations, but have far fewer resources. While larger organizations have protocols and precautionary measures, smaller organizations often don’t have the resources or a fully equipped team to handle incident response. Apart from resources, many small to medium sized businesses are not taking cybersecurity as seriously as they should, and therefore are not serious about taking the precautionary measures that could potentially thwart a cyber attack. Unfortunately, the lack of seriousness toward this issue is only getting worse as more and more small to medium sized businesses face cyber attacks they can’t stop or protect themselves from. With the rise in attacks, small businesses have to take a more proactive approach, prioritize cybersecurity, and ensure they remain prepared for a breach at all times.
Types of Attacks
Cybersecurity is becoming a growing issue, as cyber crime is growing at a tremendous rate. A cyber attack is generally launched to obtain and exploit sensitive data. This sensitive data can then be used in multiple ways for multiple purposes. There are numerous potential attacks any business could face, and some are more dangerous than others. With new threats emerging every day, it is important to know some of the most common threats so that proactive measures can be taken to avoid becoming the victim of a cyber attack. The following list explores some of the most common cyber attacks businesses are facing today.
APTs: Advanced persistent threats are targeted attacks in which the attacker breaks into a network in multiple stages over an extended period in order to avoid detection.
DDoS: Distributed Denial of Service attacks occur when a server is intentionally overloaded with requests in order to shut down the targeted company’s website or network system.
Inside Attack: An inside attack occurs when someone with administrative privileges within the organization purposefully misuses his or her credentials to access confidential company information. Here, former or disgruntled employees are threats and companies should therefore revoke access to company data immediately upon employee termination.
Malware: Malware is short for malicious software, and covers any program that is introduced into a company computer with the intent to cause damage or gain unauthorized access.
Ransomware: Lately ransomware has been on the rise and is one of the most dangerous threats, as it may put a company out of business and ruin its reputation. Ransomware is malicious software that carries out an extortion attack by encrypting data and blocking access to it until a payment is made to unlock the data. Some of the latest ransomware does not only encrypt data on a laptop or desktop, but also looks for where data is stored on file servers and encrypts that data as well. In this case, one not only loses access to his or her own data, but worse, loses access to customer data unless the ransom is paid to release it. Things are getting so bad with new ransomware variants that the FBI recommends paying the fees. Please see the Best Practices section of this article to learn more about the recent WannaCry ransomware attacks and specific recommendations.
Password Attacks: There are three main types of password attacks: (1) a brute-force attack involves gaining access by guessing passwords; (2) a dictionary attack is when the hacker uses a program to try different combinations of dictionary words to gain access; and (3) keylogging tracks a user’s keystrokes, including user IDs and passwords.
Phishing: Phishing involves collecting sensitive information, such as login credentials and credit card information, through a legitimate-looking but fraudulent website. A link to this fraudulent website is often sent to unsuspecting individuals through an email.
Since there has been a rise in cyber attacks on small businesses, it is imperative to be proactive. Everything starts with best practices. Best practices consist of the actions and plans an organization can develop in the face of cyber threats that can ultimately save the company. While best practices cannot thwart all risks in the rapidly evolving world of cyber attacks, using them can minimize damage to the company that would otherwise result in significant financial loss and significant liability. SMBs should use the following tips as a guideline in securing the company against cyber attacks.
- Protect Against Viruses, Spyware, and Other Malicious Code – It is imperative that each business computer is equipped with antivirus and antispyware software that is updated regularly. Updates are important because software providers release patches and updates to their products to correct security problems and improve functionality. It is a best practice to configure all software to install its updates automatically once they are released.
- Protect Against Ransomware – Recently the National Cybersecurity and Communications Integration Center (NCCIC) has received multiple reports of “WannaCry” ransomware infections worldwide. Ransomware is malicious software that infects a computer and restricts access to its data until a ransom is paid. While there are many methods of delivery, ransomware is frequently delivered through phishing emails and by exploiting unpatched vulnerabilities in software. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or a known individual. These emails lure users into clicking a particular link or opening an attachment that contains the malicious code, after which the computer becomes infected with the malware. WannaCry ransomware is far more dangerous than other common ransomware because it has the ability to spread itself across an organization’s network by exploiting critical vulnerabilities in Windows computers, which makes timely patching of those systems essential. It is therefore very important to take precautionary measures to protect the organization and its members from ransomware attacks. To that end, when an employee receives an email, they should be wary of clicking links and opening attachments, and should verify web addresses independently before clicking anything. Make sure to back up data and keep the backups offsite, so that cybercriminals who reach the company network do not also reach the backups. Furthermore, exercise caution when revealing personal or company information and refrain from responding to emails that solicit this information. Lastly, check a website’s security before sending sensitive information to it over the Internet.
- Use a Firewall & Secure Networks – The first line of defense against a cyber attack is a firewall. A firewall should be set up to provide a barrier between your data and cybercriminals. Some companies may also set up internal firewalls for additional protection. In addition to firewalls, if the business has a Wi-Fi network, it should make sure the network is secured, encrypted, and hidden.
- Document Cybersecurity Policies – While small businesses operate mostly by word of mouth, it is important businesses document their cybersecurity protocols. Make sure employees are taught about the cybersecurity policy and hold them accountable to report suspicious behavior. Make sure an incident response plan against cyber-attacks is in place and is understood by the employees so the breach can be contained quickly should an incident occur.
- Educate Employees – Make employees aware of the different ways cybercriminals can infiltrate systems, and educate them to recognize breaches and to stay safe while using the company’s network. It is also important to keep employees constantly updated on emerging threats and on how to avoid compromising themselves and the organization, for example by opening unknown attachments on their computers.
- Establish Security Practices to Protect Sensitive Information – Establish policies on how employees should handle personally identifiable information and other sensitive data. Outline strict guidelines and consequences for not following the company’s cybersecurity policy.
- Plan for Mobile Devices – Since many businesses allow Bring Your Own Device (BYOD) these days, it is important to have a documented policy that focuses on security precautions on these devices. Mobile devices can create significant security and management challenges, especially if they hold confidential information or have access to the company network. Require users to use a password to protect their device, encrypt their data, and install security apps to prevent criminals from obtaining unauthorized information while the device is connected to public networks. Also be sure to set up a protocol for reporting lost or stolen devices.
- Enforce Safe Password Practices/Multifactor Authentication – In today’s BYOD world, it is important that all devices that access the company’s network be password protected. Require employees to use unique passwords (that include capital letters, lowercase letters, numbers, and symbols) and change them often. For added protection, consider using a multifactor authentication system that requires additional proof of identity beyond a password to gain entry.
- Back up Data – To ensure data is protected, it is recommended to back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resource files, and accounts receivable/payable files. It is also important to back up data stored in the cloud. Back up data regularly and store copies either offsite or in the cloud.
Legal Advancement – Main Street Cybersecurity Act
Small businesses are a pillar of the American economy and account for more than half of the jobs in the United States. However, in recent years, these businesses have become the main target for cyber attacks. These attacks can be so harmful to revenue that the National Cybersecurity Alliance has found that 60 percent of these small businesses are forced to close after an attack. In 2014, the Cybersecurity Enhancement Act was created as a voluntary guide for big organizations and businesses to better manage and reduce cybersecurity risks. While this Act continues to play an important role in improving cybersecurity resilience, additional resources are needed to allow small businesses to use the framework. Subsequently, the Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology (Main Street) Cybersecurity Act was introduced to provide a set of resources for small businesses to best protect their digital assets from cybersecurity threats. This act intends to ensure that the needs of small businesses are considered when the framework is created and, in turn, will provide consistent resources specifically geared toward small businesses.
As the technology field evolves, more innovative technologies come onto the market. These technologies can be new ways of doing business, and are essential to business growth and success. However, with such advancement, SMBs must be mindful of the critical dangers these new technologies may pose. The primary responsibility for cybersecurity rests with these businesses themselves, in that it is up to them to implement basic cyber defenses and to adopt best practices. It is alarming to realize how many small businesses do not believe they would be affected by cyber attacks, when in fact they are targeted businesses. It is imperative for small businesses to start taking steps to implement cyber protection and best practices to reduce and defend against devastating cyber attacks that could seriously damage the company and even force it to close. Education is the first and most important step to becoming more resilient to cyber threats. Small business owners and employees need to be educated on the severity of these threats and the different ways cybercriminals can gain access to sensitive data. Business owners and employees must also be educated on what precautions to take to reduce the risk, and must establish a protocol that ensures quick incident response to cyber attacks. As the Cybersecurity Enhancement Act of 2014 provides resources for big companies to protect against cyber threats, there has to be a more focused approach for small to medium sized businesses, which is what the Main Street Cybersecurity Act hopes to accomplish. This legislation will provide small businesses with a focused approach to becoming more proactive in detecting and thwarting cybersecurity attacks that leave us all at risk. In the meantime, small businesses should follow best practices and be cautious, or face potentially devastating consequences.
Guest Blog Approved By:
Denton Peterson, PC
1930 N. Arboleda, Suite 200
Mesa, AZ 85213