Beyond investing in antivirus and firewalls, how can SMBs improve their cyber security? Tabby Farrar, Senior Outreach Specialist, outlines some crucial cyber security fundamentals for small businesses.
Whatever type of business you run, it is almost inevitable that it will become the victim of some form of cyberattack – if it hasn’t already.
While the general public may only hear about the most high-profile attacks, such as those against major corporations like Facebook or British Airways, small businesses are actually the most likely to suffer a cyberattack. One report estimates that small businesses make up 71% of all ransomware victims.
To understand why SMBs suffer the majority of breaches, it is important to understand the motivations behind a typical cyberattack. While some hackers will identify large targets, most will be aware that around two-thirds of data breaches are the direct result of preventable human error.
Couple this with complacency, with SMBs feeling that they are not big enough to be noticed or have nothing worth stealing, and it becomes clear why wide-reaching attacks such as ransomware are so common.
What can SMBs do beyond investing in antivirus and firewalls? Many lack the resources to dramatically increase security spending, but thankfully there are a number of effective measures that allow SMBs to improve the fundamentals of their security, significantly reducing the chances of suffering an attack.
Also of interest: Top five human errors that impact data security
It is frustrating when you are in the middle of something and see an update notification pop up. It’s always at the worst possible moment, and you know that it means being out of action for half an hour while your computer reboots and updates. It is no surprise that many people instinctively click ‘remind me later’.
This common behaviour is well-known, and hackers will always prefer to exploit people’s bad habits rather than tackling an encrypted and well-protected system head-on.
In most cases, software patches and updates are the result of companies identifying and repairing vulnerabilities that could be exploited. Announcing a patch tells the hacker where the weak points are in older versions of the software.
By targeting these weak points, an attack could be launched against every device that has not been updated, making it vital to install updates as soon as they are available.
It’s also important to remember that updates are not just limited to printers and laptops. With the increase in IoT products, homes and offices are now filled with internet-connected devices – from smart speakers to automated heating and lights.
While most of these devices are easy to setup, many are used with default passwords and present a potential backdoor into your network. No matter how small a device is, if it connects to your office’s internet it will need to be installed with a secure password and be checked for updates regularly.
Also of interest: Should we fear Huawei?
With the numbers of people working remotely growing at a rapid rate, it is becoming normal for people to spend more time working from outside the office. Technology has certainly made office working more flexible than ever before, but the illusion of simplicity can cause unnecessary risks unless staff are trained to be aware of them.
Free WiFi at stations, airports and coffee shops might seem incredibly convenient for someone who just needs to check work emails or amend a shared document, but it can create a number of risks, not least that many free connections are not secure, meaning there is nothing to stop a third party accessing your data.
To make sure that business data is kept safe and secure outside of the bricks-and-mortar office, companies should make sure that staff all use a virtual private network, or VPN, when sending and receiving work-related information.
VPNs add end-to-end encryption to everything you send and receive while connected. This means that documents, passwords and other sensitive information cannot be intercepted and read. If a hacker were to get hold of a user’s data somehow, it would be encrypted as an indecipherable string of alpha-numeric characters, making it useless to prying eyes.
Also of interest: It’s time to kill the VPN
Personal devices (BYOD)
While your office might be protected with antivirus software, firewalls and malware scanners, none of this will make a difference if employees are using unsecured personal devices to access secure data. This is the equivalent of investing in security cameras and alarms for your home, but leaving the back door open.
Before working remotely, staff should be required to sign a bring your own device (BYOD) policy to agree to maintain certain levels of security on their personal devices. This could include installing security software, using two-factor authentication and enabling tracking software should a device be lost or stolen.
The policy should be transparent, clearly explaining the reasons for each condition. By producing an open document, staff will not feel like they are being monitored and the company will be confident that every device accessing sensitive data is maintaining a high level of security.
Also of interest: How to turn your people into your best defence
Best practices & staff training
It might seem like the essentials are covered. However, the threat caused by human error has not yet been fully addressed.
An excellent example of this are passwords. Despite years of warnings about the importance of strong passwords, SplashData found that users still persist with incredibly weak passwords, “123456” and “password”, remaining two of the most common in 2018. As a company, it is vital that these seemingly little things are not neglected by staff.
Establishing best practices has to be about the organisation as a whole and cover all levels of the company. While many people may be comfortable using technology, they might not be as confident installing updates and identifying potential phishing emails, or do not understand the importance of a strong password.
With regular staff training and building a company-wide culture of responsibility around security, cyber security can become part of the everyday routine rather than something that is only the responsibility of the IT department. Individuals will become more aware, more confident and more proactive, helping to minimise the threat human error poses.
Also of interest: “This is high gloss colour stuff and the security has to match that” – Nick Nagle, CISO of Condé Nast International
Prepare for the inevitable
It is important for small business to remember that the most fundamental rule of cyber security is that a ‘when, not if’ attitude needs to be adopted.
Just as no large company is safe from breaches, no company is small enough to evade an attack, and hackers will know this. The challenge is not just about trying to prevent a breach, but how to handle it and minimise the damage should the worst occur.
Data security is constantly changing, reacting, innovating and adapting. But there is no single solution. For this reason, the development of a wide-reaching holistic strategy is essential to ensure that the little things do not undermine your larger security efforts.