It’s tough for small-to-medium businesses (SMBs) to feel cyber-secure when there are newsworthy breaches that have hit major, household-name companies, affecting millions of customer records. Equifax (148 million customer records), JPMorgan Chase (83 million), Marriott International (500 million), Target (110 million), and Yahoo (3 billion) are just a few examples. The situation for SMBs is even worse: they are inherently limited, by comparison, in the amount of money, the number of employees and the kind of technology they can devote to cybersecurity. But that doesn’t mean SMBs are helpless.
When it comes to seeking protection from emerging cybersecurity threats, there are four key challenges that SMBs often run into:
- SMBs are very concerned about security but face constraints ranging from a lack of funds to a lack of in-house expertise.
- Because most SMBs lack sufficient cybersecurity staff, they need to rely on simple, but effective, security solutions.
- Attacks on SMBs continue to escalate, particularly phishing attacks, which often result in malware infecting their networks.
- Adding to the complexity of cybersecurity is the increased reliance by SMBs on new IT architecture with new services such as cloud computing and software-defined networks.
We dove into this particular topic further with our 2018 SMB IT Security Report. We found that as many as 80 percent of SMB operators we surveyed rank security as a top business concern for them. However, 52 percent of them share cybersecurity responsibilities across several people in their workforce. Only 27 percent have a dedicated security professional on staff, and only 17 percent of them contract with an outside vendor for cybersecurity.
Thankfully, there are several steps SMBs can take now to mitigate future problems and educate their employees on how they can be more cybersecurity aware when it comes to issues such as hacking, malware, phishing, and other threats. As it’s often said, employee training is the best first line of defense to protect the organization against breaches.
To focus your SMB’s attention on cybersecurity, here are five key steps to secure your organization’s network and future.
Though email is a critical system for you to communicate with your colleagues, customers, vendors and others, it’s also a key tool of cybercriminals. “Phishing” emails are designed to look legitimate but often contain malicious links or attachments designed to trick you into clicking them. Once you do, the attacker can gain access to your device to obtain your credentials, personal information or other critical information about your business. Further, the hacker can also gain access to any other devices on the same network, causing further damage. A high-profile example of this is the Target breach in 2013, in which hackers got into the retailer’s network via a trusted third-party vendor called Fazio Mechanical Services, which, once infiltrated, gave them access to Target’s servers. The hackers targeted the third-party vendor knowing they had a better chance of accessing the vendor’s systems than Target’s directly.
Companies need to train employees — and others with access to the network — to be on the lookout for suspicious emails and to avoid being tricked into opening them.
Virtual Private Networks (VPN)
VPNs are designed to provide a safe and secure connection when people are communicating with the corporate network from remote locations. While VPNs secure traffic in both directions between a remote device and the corporate network, not all employers offer them. When employees use their own or work-provisioned devices over a public Wi-Fi network, such as at a coffee shop or an airport terminal, without a VPN, they can be vulnerable to a range of issues such as packet sniffing or man-in-the-middle attacks. Your employees need to be trained to avoid using public Wi-Fi without a VPN, particularly when it involves sharing sensitive company or personal information. Better yet, seek out VPN solutions to provide a secure connection to a safe network anywhere the device may roam.
Bring Your Own Device (BYOD)
When smartphones and tablets became popular, employees started using devices they bought for personal use in the workplace, causing employers to scramble to protect the network against promiscuous devices that could carry malware payloads.
To accommodate BYOD and secure your network, SMBs should adopt an Acceptable Use Policy (AUP) — just as enterprises do — that provides rules for what individuals can access when connecting to the network. Companies can also create a Captive Portal page, forcing users to agree to certain terms before accessing the network. Once accepted, the IT administrator can enforce rules and have visibility over what those devices are doing.
SMBs should also force all guest devices, and personally owned devices, to connect to a separate network that does not have access to the company’s critical data. This limits the impact in the event one of those devices is breached, protecting company data and minimizing the reach the hacker could have on other devices.
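One way to check the separation described above, as an added example that is not part of the original article: a first-match walk over a simplified firewall rule list that reports every rule letting the guest/BYOD network reach the subnets holding critical data. The rule format, the subnet ranges and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (assumptions): the guest/BYOD segment and the
# internal segments that hold critical company data.
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
CRITICAL_NETS = [ipaddress.ip_network("10.0.10.0/24"),
                 ipaddress.ip_network("10.0.20.0/24")]

# Constructed rule list in a simplified, hypothetical format; first match wins.
RULES = [
    {"action": "allow", "src": "192.168.50.0/24", "dst": "10.0.10.25/32"},  # stale exception
    {"action": "deny",  "src": "192.168.50.0/24", "dst": "10.0.0.0/8"},
    {"action": "allow", "src": "192.168.50.0/24", "dst": "0.0.0.0/0"},      # internet
]

def subtract(nets, blocker):
    """Return nets with every address covered by blocker removed."""
    out = []
    for n in nets:
        if not n.overlaps(blocker):
            out.append(n)
        elif not n.subnet_of(blocker):      # blocker lies strictly inside n
            out.extend(n.address_exclude(blocker))
    return out

def find_leaks(rules, guest=GUEST_NET, critical=CRITICAL_NETS, default_action="deny"):
    """List (rule index, destination range) pairs where guest traffic can reach
    critical data. Conservative: a rule matching only part of the guest range
    is reported if it allows, but is never trusted to block."""
    remaining = list(critical)              # critical ranges no earlier rule has decided
    leaks = []
    for idx, rule in enumerate(rules):
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if not src.overlaps(guest):
            continue
        if rule["action"] == "allow":
            leaks += [(idx, str(n if n.subnet_of(dst) else dst))
                      for n in remaining if n.overlaps(dst)]
        if guest.subnet_of(src):            # rule decides this traffic for every guest
            remaining = subtract(remaining, dst)
    if default_action == "allow":           # undecided traffic falls through to the default
        leaks += [(None, str(n)) for n in remaining]
    return leaks

if __name__ == "__main__":
    for idx, dst in find_leaks(RULES):
        print(f"rule {idx} lets guest devices reach {dst}")
```

In the sample list the broad deny rule looks sufficient, but the narrower allow rule placed above it is matched first and still exposes one critical host to every guest device.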
Antivirus and Anti-malware Solutions
It’s critical for your SMB to deploy technology on your network that protects against spam, malware and computer viruses. But this is not a set-it-and-forget-it solution. Cybercriminals are constantly changing their plan of attack and revising their formulae to outsmart security solutions. You may have heard the term “zero-day attacks,” which are cyberattacks that don’t match existing signatures. To keep up with these constant attacks, your malware or antivirus solution must be constantly monitored and upgraded as the threats change.
General Security Awareness
Besides all the specific policies and strategies we’ve mentioned so far, it’s important for your SMB to adopt cybersecurity as a core function of your organization just like sales, marketing, finance, product development and the like. You should consider conducting cybersecurity training and continuous testing to keep employees aware of the evolving tactics hackers are using. Adding basic cybersecurity hygiene and awareness training will pay dividends.
No organization is too small to risk being a target for cybercriminals. When it comes to cybersecurity, an ounce of prevention is worth a pound of cure. Start conversations early and often about what you can do to protect your business-critical systems and data. Otherwise, you risk losing not only time and money, but also the trust of your customers.
CREDIT: Dirk Morris, Smallbizdaily