Nearly all businesses nowadays have an online presence. It’s the cost they pay to remain competitive. If they’re not careful, it might not be the only cost they incur. Data breaches are steadily increasing among small-to-medium businesses (SMBs), and if you’re not prepared, it could cost you your business.
Having a website compliant with the latest security measures helps to mitigate some of the worry; although, it alone can’t entirely repel attacks. This is why you need to know how to secure your business from potential cyber threats.
Social network security risks
In today’s digital world, several challenges arise from how interconnected and networked the current marketplace is. For instance, social networks are good examples of businesses leveraging technological advancement for promotion. Even though it brings small businesses closer to their customers, it also increases their online security risk.
As your employees or sales representatives engage in networking and sales activity across various social networking platforms, new pathways into your business open up, making it vulnerable to attack. Because cyber attackers make it their mission to know how to exploit those avenues, you need to protect your business against social network cyber attacks.
What are my SMB security needs?
Sophisticated phishing and malware attacks are the most common forms of cyber attacks nowadays. If these threats are not identified and stopped, they can cause huge losses for businesses. These security threats often seek to infiltrate the cloud applications you use, your business network, and endpoints.
There are several Saas-based third-party security services to help protect your business. Because they are Saas-based, you don’t need to invest in hardware, which means these types of solutions are easier to deploy.
Perhaps the most crucial thing to consider is to take security risks seriously and to assess all your security measures proactively. Many small businesses don’t take their online security seriously until something goes wrong. Assess your level of security needs and invest accordingly.
Generally, after a serious security breach, it will be much more costly to clean up than if you invested in its prevention from the beginning.
People are your biggest security threats
People remain the major security risk for any business. As cybersecurity threats become more sophisticated, even careful and committed employees may become victims by accidentally opening files or attachments with malware or viruses.
In this case, the best way to defend your business against cyber threats is to ensure you and your employees have consistent security training.
Every business should consider bringing in a third party to get a proper security vulnerability assessment. If your business operates through a website, protecting sensitive business data from hackers and other cyber criminals should always be your first priority.
It is, therefore, advisable to update your software with patches as soon as they appear; use proper security tools, helping to protect your entire IT from attack; and, more important, promote a culture of security awareness.
Hackers target low-hanging fruit
Small businesses often assume cyber criminals only target large and well-established businesses. It’s not true; according to Verizon’s Data Breach Investigations Report, 58 percent of all cyber attacks are focused on small businesses. The reason cyber attacks target SMBs is that, even though they don’t have as much data as large business entities, their networks are easier to access. They are low-hanging fruit to cyber criminals.
Typically, a small business will have fewer networks than a larger organization. Since there are fewer networks for cyber criminals to contend with, they are better able to target and penetrate. Along with the lower number of networks a small business has, there is also less security. Most SMBs don’t invest in proper security measures due to lack of time, expertise and budget. This makes it far easier for someone to steal valuable credit card and personal-identification information.
Small businesses should be aware of the security risk position they are in. Because they obtain less digital assets than a large company but more than an individual consumer, they fall in the “cybersecurity sweet spot,” says Stephen Cobb, senior security researcher, ESET. Moreover, since small businesses deal with larger enterprises as well, they are targeted as entry points for access to larger businesses. A complacent attitude towards security will do no good to a business after it experiences a major data breach. Either the SMB is devastated by the attack and has no other recourse than to pay a ransom to get its data back, or it goes out of business. According to the U.S. National Cyber Security Alliance, 60 percent of small businesses who experienced a significant breach shut down their business six months after an attack.
Here, you have a digital security version of Pascal’s Wager: Even if the chance of a cyber attack is low, you’re better off investing in security so when it does happen, you’ll be protected from potentially losing your business.
Although your security strategy may not be as air-tight or comprehensive as those used by larger corporations, never underestimate the importance of creating roadblocks on the way to your business data/information. It is important to put measures in place to prevent any possible security threat to your business.
Types of cyber attacks
Advanced persistent threats are attacks designed to gain entry into a network system and remain there undetected. The attacks work in multiple phases to lower any sign of their presence. Once inside, the attackers look to secure other routes into the system even if the initial breach is repaired, so they can access your data at will.
A DDOS attack is one anyone who has played online games will be familiar with. It’s short for distributed denial of service. This attacks works to intentionally overload an end-point system with requests from multiple systems until it shuts down. Types of DDOS attacks include traffic, bandwidth, and application attacks.
To understand this type of attack, think of Mafia movies where there’s an informant working with the FBI. This one is coming from someone inside your organization with administrative privileges. The most common example is when an employee gets fired and, in his final act of indignation before leaving, uses his credentials to release restricted company information.
Malware is a portmanteau of the words “malicious” and “software.” It’s an all-encompassing term used to describe programs seeking to harm networks or gain illegal access. These types of programs comprise software the likes of viruses, worms, spyware, and ransomware.
Password attacks come in many in forms, but there are three that stand out: brute force, dictionary, and keylogging.
Brute-force modes of hacking incorporate using programs that straight-up try to guess your password until they are successful. Brute-force hacking is a trial-and-error method of hacking through exhaustive effort, but is not technically illegal. It works by combining every combination of letter and number characters together in every possible sequence.
A dictionary attack is one that, at some point, uses every word in a dictionary to try and crack into a system. These have proven successful at infiltrating some companies in the past because they use generic passwords (the kind you could find in the dictionary).
Known as a keylogging attack, this type of threat uses a system monitor as surveillance to record each keystroke typed on a device. They are spyware applications typically used to steal personal-identification information (PII) and login information. In the context of stealing information, they are illegal; however, in other contexts, like parental control monitoring, they are deemed legal.
The most common tactic of cyber criminals, phishing is when you are tricked into signing up to a fraudulent site that appears to be legitimate. It tempts you to sign up by entering sensitive information, like your credit card information or login credentials. These types of cyber-theft plays are typically achieved through email.
The more targeted a phishing email is, the more likely it is to lure people and, ultimately, steal their information.
One of the most insidious developments in criminal cyber warfare, ransomware infiltrates your system and demands a ransom in exchange for access. It can lock you out of your computer or release private information unless you pay a select price.
These are attacks that leverage and exploit flaws in systems unbeknownst to security staff. Exploits such as these can live for days, month and even years until they are finally discovered and repaired; however, by that time, hackers are most likely to have already established APTs.
Cybersecurity measures you can take now
People are always going to be the biggest threats to you and your business. Some threats will be intentional, others unintentional. In order to ensure your employees are not the ones causing data breaches, create a cybersecurity strategy and culture and train your people on network security processes that go further than just setting firewall permissions.
One in every five data breaches is caused by human error; therefore, train your employees to secure their devices and not to click on incoming suspicious links or attachments from emails. They should also know not to give out any confidential information until they know the legitimacy of the source asking for it. The No. 1 rule to make sure it’s safe to hand out info is to check if the website has an SSL certificate.
Most breaches occur because password management is nonexistent. Have a password policy created for your business that goes over which employees have access to which passwords. Make sure you don’t have just a variation of the same password for every account. It’s important to diversify in case one gets leaked. Keep accountability if passwords are lost. If you find one employee is always the reason for a lost password, you can investigate further. Always update your passwords every few months. You’ll cover the possibility of a password-related breach if you’re always changing your passwords.
Every business should use anti-malware software. This is software designed to scan for and delete malware programs. There are three forms of anti-malware: definition, heuristics, and sandboxing.
Definition-based anti-malware programs find malware by using a set of archived malware signatures, which are blacklisted. The program then compares suspicious files to blacklisted definitions that match the same signature. If the functions are the same, it gets flagged as malware and deleted. Heuristic-based anti-malware programs scan for programs exhibiting odd behavior, like automatically deleting programs. It then deletes those programs. Sandboxing anti-malware isolates the program, runs it, and if there are signs of malicious intent, deletes the program.
When authorization is built into security systems, it can limit the scope of user activity if set by an administrator. This can be set and changed under the permission-and-privileges settings in any network, and can apply to individuals or groups as needed. It’s here where administrators can mitigate risk through setting privileges to select groups and excluding others. It’s advisable to restrict access to sensitive information as much as possible. Only give permission to those who need to use it.
Encryption and authentication
Encryption adds another layer of protection to your data in the event your system is infiltrated. If you use encryption, your precious data will become unreadable to a hacker because the data will be scrambled into unintelligible bits. The only way it becomes readable is if it’s decrypted with the appropriate key. Keep the key safe and you’ll have no worry about hackers accessing your information.
Authentication is an added security benefit for persons who wish to access your data. It does not protect the data itself.
There are two ways authentication works: client-side and server-side. Client-side authentication includes things like usernames, passwords, and tokens, while server-side authentication uses certificates to identify trusted third parties. Authentication makes it possible to understand whether people are who they say they are.
As great as these tools are for protection, they cannot completely prevent unauthorized access to a network.
Multi-factor authentication means confirming your claim through multiple pieces of evidence or factors. The most typical instance of this is logging in to an account on your computer, entering your credentials, having whichever program you’re using send a code to your phone via text, and inputting the code into the prompt, so you can corroborate your claim.
This is especially powerful because the code being sent is uniquely generated every time from the authentication server. The new trend is having employees use their cellphones as a second layer of protection. For someone to steal your login credentials, steal your phone, unlock your phone, and then use multi-factor authentication to login as you would be a long and unlikely process.
Mobile / personal device security
Working remotely and using new mobile technologies for business are becoming more common. This presents more opportunities for intruders to access your network, thereby making you more vulnerable. Here are some guidelines you can enact now to make your network more secure:
- Make a firm bring-your-own-device-policy wherein employees are not allowed to access business data on their phones or personal devices outside of their primary work device.
- If they work primarily on their personal device (laptop), make sure they secure the device.
- Back up all your devices on a consistent schedule.
- Have encryption on all mobile devices.
- Employees must include a remote wipe feature in case their personal device is lost.
Breaching your system directly isn’t the only means a hacker has to get access to your information. If you work with third parties or vendors, they may become targets themselves. Since they have access to your information such as credit card processing, payroll, and security, they could pose a threat to your business’s sensitive data, if their network systems are compromised. Check third-party security capabilities before moving forward with them.
Here are few security-focused questions to ask when working with third parties:
- Ask about their latest security updates, policies, and procedures.
- Ask how frequently they back up their data on hard drives.
- Ask how frequently they perform system checks and sweeps.
- Ask about their data-security employee-training program.
Back up your data
If you take one thing away from this article, make sure it’s to back up your data. Backing up your data should be a routine process.
Go back in time, when you were still in school, and remember when you had to write essays. Most people can attest they’re not fond memories. Picture this: You’re writing an essay, almost complete, and the power goes out. You lose everything because you didn’t save it every 30 minutes. Now you have to start over from the beginning, with little idea of how you wrote it to begin with. That’s what it’s like to begin again once you’ve lost all your data. Not only will it reset your business, but it will drastically cost you in time and money to recover.
Back up your data on hard drives. Have at least two or three physical copies of your data stored in different locations in case of emergency. Backing up to the cloud is a good idea, as well; however, it’s not good enough just to back up to the cloud when it’s your livelihood on the line.
Back up all your crucial correspondence, decks, word processing files, client databases, spreadsheets, contracts and accounts to hard drives immediately, if you haven’t already done so.
Making sure to stay up to date on the latest security patches is the easiest way to help prevent becoming a potential target to cyber criminals.
Here are some tips to stay ahead of the curve:
- Turn on automatic updates for PC or Mac.
- Use browsers that continually receive security updates when going online such as Chrome.
- Turn on security extensions like Blur or Sneekr for an added layer of security.
- Ask for a monthly report from your IT provider to scan for any suspicious activity.
Use a range of data-security controls
The most effective way to deflect hackers is to use as many modes of security as possible. Security control can be broken down into three categories: encryption, authentication, and authorization.
Encryption methods for web include Secure Shell (SSH) and Socket Layer (SSL) protocols.
- In SSH sessions, when communicating at the shell, data is encrypted between the client and server.
- In SSL sessions, data is encrypted between the client browser and the web server before any data is transferred.
Authentication and authorization are typically used together; for example, when you login to a website, your login credentials act as your authentication; your authorization is what you are permitted to access on the website, once you have been authenticated. Encryption would be the protection of the content on the page, in this example.
By using all specified types of security together, you have a better chance to successfully ward off cyber criminals.
How to recover from a cyber attack
Extent of the damage
- When was the breach noticed?
- Which services, systems, etc., have been affected?
- What type of attack is it?
- Who committed the attack and do they have an agenda (external or internal)?
- Who or what is the target of the attack?
- Isolate the damage.
Have an incident-report plan in place. It is tremendously helpful to you as a small business owner. It’s your go-to guide if you ever experience a data breach. Remember, it’s always better to report an incident than not to. After a breach, you have the choice to own up to it or not. If you do, your reputation will be damaged for some time; however, if you keep that information sensitive, and it somehow gets out, you’ve just lost all your customers’ trust. Of the two options, the first can be a hurdle for businesses, while the latter is a death sentence.
After you have ascertained the extent of the damage to your system, it’s time to identify the messages you will be sending to each of your audiences. Although it’s far more beneficial being transparent with your public, it doesn’t mean you have to overshare information. Share as many details as you can with each audience to convey the message without doing further damage to your reputation. This means not everyone should hear the sensitive details of the attack, but all deserve to know what generally happened and how it affects them.
Your messaging strategy will differ for internal and external audiences. Internal groups will consist of audiences like employees, stakeholders, and third-party partners, while external audiences will include clients and media. Your messages will begin internally and, from there, flow externally. Messages to stakeholders, clients and the media will include varying levels of details, according to their importance to your business. Give consideration to the timing of when you send out messages to each audience.
The content of your messages should follow the golden rules of crisis response: begin with the cause of the incident and any key findings or learnings you’ve come across so far, move on toward the steps your business is taking to remedy the situation, and end with an apology and any actions your stakeholders should complete to safeguard their information.
After a breach, it’s imperative that you reset your passwords. These are popular pathways into systems and there’s a good chance you can deny future entry just by doing this one simple thing.
Recover data from backup
After you have reset your passwords, you’ll want to start over again fresh. The best way to do this is to wipe and reformat your hard-drive volumes (the infected devices — not the ones with your backups). After that has been done successfully, reinstall your operating system. The next step requires you to verify your backup. This means making sure the data on your backup is not corrupted. Once it’s corrupted, it’s unusable. One you verify the backup, you can then import it.
If no one in your staff feels comfortable with this task, hire a third-party security-services provider to help you recover your data.
How to identify a cyber threat
It’s better to have anti-malware and security programs do this for you; however, if you have a feeling your system is compromised, here are some common indications:
- Unusual login times.
- Slower speeds across networks.
- New devices on networks.
- New users with admin privileges.
- Errors in applications.
- Errors or unusual entries in system-event logs.
- Workstations with unusually high traffic.
Now that you understand the risk tied to small-business enterprises, and the importance of security in protecting against potential cyber attacks, do yourself a favor and invest in security before you need it.