A security road map for SMBs

There’s no shortage of headlines highlighting the string of companies that have been targeted by attackers. But it’s not just larger organisations that need to sit up and take notice. While large enterprises have begun strengthening their security protections, small and midsize businesses (SMBs) have become prime targets because their defences are typically far weaker.

Many SMBs simply don’t have the budget to hire dedicated security staff members or invest millions in security. With no clear ‘step one’, many SMB owners are frozen into inaction. No more. Here is a simple road map that will help provide a solid foundation that protects sensitive information related to an SMB’s business, customers and employees.

Understand what you’re protecting against

It’s important to understand the motivations and tactics of attackers. Attackers typically have one of two goals: either they want to get inside and take what is valuable to your business, or they simply want money.

Attackers after your data typically search for valuable intellectual property (IP), financial data and customer information. They commonly use phishing emails or social engineering to break in and then use malware to stay in. Once they have that data, they can sell it on the dark web to other criminals or, worse, to your competitors.

Attackers motivated by money are more opportunistic. Rather than trying to get in and stay in, they target as many people as they can with ransomware, which encrypts the victim’s data and holds it hostage until a ransom is paid. Operations halt until the business owner pays up to get the files decrypted, and paying is no guarantee of getting them back.

Protect against phishing attacks

Phishing is the most common initial entry point for attacks of both kinds. The attacker impersonates a reputable organisation or person over email, instant message (IM) or another communication channel to fool employees into handing over sensitive information, such as passwords, or into opening a malicious file or link.

It’s a very real problem. The U.S. Federal Bureau of Investigation (FBI) issued a warning about the dramatic increase in so-called ‘CEO fraud’, i.e. email scams in which an attacker spoofs a message from the boss to trick someone at the organisation into wiring funds to the fraudsters. The FBI says there has been a 270 per cent increase in CEO scams since January 2015 and estimates that organisations lose on average between $25,000 and $75,000 per successful attack.

Choose an email provider with high-quality spam and phishing filters, plus features such as phishing detection and remediation. Hosted services like Gmail do a good job of protecting users against phishing and are affordable for an SMB. Whichever you pick, make sure it checks sender authentication (SPF, DKIM and DMARC), so that a message forged to look like it came from your own domain can be rejected before it reaches an inbox.
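As an added example, not code from the original article, here is the kind of heuristic a mail filter can apply to the ‘CEO fraud’ pattern described above: the boss’s name on an outside or look-alike address, a Reply-To that pulls replies elsewhere, and a request for money. The company domain, the executive directory and the four sample messages are constructed assumptions.

```python
"""Heuristics for spotting 'CEO fraud' mail: an executive's name on an outside or
look-alike address, a Reply-To that drags replies elsewhere, and a request for money.
Constructed example; COMPANY_DOMAIN, EXECUTIVES and the sample messages are assumptions."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example-smb.com"                      # assumed company mail domain
EXECUTIVES = {"dana lee": "dana.lee@example-smb.com"}  # assumed directory: display name -> real address
PAYMENT_WORDS = ("wire", "transfer", "urgent", "payment", "invoice", "gift card")
SENDER_FLAGS = {"exec-name-outside-address", "lookalike-domain", "reply-to-mismatch"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch look-alike domains such as examp1e-smb.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def ceo_fraud_signals(raw_message: str) -> List[str]:
    """Return the heuristics the message trips, in a fixed order."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    signals = []

    # 1. Display name of a known executive, but not the address we have on file.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        signals.append("exec-name-outside-address")

    # 2. Domain that is a near miss of ours (typo-squat or homoglyph substitution).
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        signals.append("lookalike-domain")

    # 3. Reply-To steers the conversation to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        signals.append("reply-to-mismatch")

    # 4. The message asks for money. On its own that is normal business; combined with
    #    a sender anomaly it is the classic wire-fraud pattern.
    payload = msg.get_payload()
    body = payload.lower() if isinstance(payload, str) else ""
    if any(word in body for word in PAYMENT_WORDS):
        signals.append("payment-request")
    return signals


def verdict(raw_message: str) -> str:
    """'quarantine' when a sender anomaly coincides with a money request,
    'warn' on any single signal, otherwise 'deliver'."""
    signals = set(ceo_fraud_signals(raw_message))
    if signals & SENDER_FLAGS and "payment-request" in signals:
        return "quarantine"
    return "warn" if signals else "deliver"


# Constructed sample messages (not real mail).
LEGIT = "From: Dana Lee <dana.lee@example-smb.com>\nSubject: Lunch\n\nLunch at noon?\n"
SPOOFED_NAME = ("From: Dana Lee <dana.lee.ceo@gmail.com>\nSubject: Quick favour\n\n"
                "I'm in a meeting. Please wire $25,000 to the vendor today, it's urgent.\n")
LOOKALIKE = ("From: Dana Lee <dana.lee@examp1e-smb.com>\nSubject: Invoice\n\n"
             "Can you process this invoice payment before 5pm?\n")
REPLY_TO = ("From: Accounts <accounts@example-smb.com>\n"
            "Reply-To: accounts-desk@outlook.com\nSubject: Bank details\n\n"
            "Our bank details changed, use the attached for the next transfer.\n")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoofed name", SPOOFED_NAME),
                       ("look-alike", LOOKALIKE), ("reply-to", REPLY_TO)]:
        print(f"{label:13} {verdict(raw):10} {ceo_fraud_signals(raw)}")
```

The last sample is the awkward case: the From header carries the company’s own domain, so only the Reply-To gives it away. Headers are trivially forged, which is why the provider should also enforce SPF, DKIM and DMARC rather than trusting the visible sender; a heuristic like this is a second net, not the first.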

But technology can only do so much. Employees need to become stakeholders in protecting the business, and that starts with security awareness training. Teach them the common motivations and tactics of attackers and empower them to make decisions around security. Take advantage of educational tools that already exist, such as the Canadian government’s video on phishing attacks and email safety. Get people talking to one another about the phishing emails they receive, including the ones they almost fell for, so that everyone learns from each attempt. An environment where security is discussed openly and is the shared responsibility of all employees greatly decreases the chances that an attacker will succeed.

Ransomware’s silver bullet

For SMBs, availability of business information is essential. Temporarily losing access to data or important systems like bookkeeping or invoicing can cause costly business disruptions. And permanently losing valuable information can put a company out of business.

The best way to protect yourself against ransomware is to back up both local data and anything stored in the cloud, regularly (ideally daily), following the Rule of Three as described by Scott Hanselman, a web developer and blogger: three copies of all important data, on at least two different media (for example, a local hard drive plus Dropbox), with at least one copy offsite (yes, the cloud counts). Two caveats a backup has to survive: a folder that syncs continuously is not by itself a backup, because ransomware that encrypts the live files gets faithfully synced to the copy, so at least one copy must be versioned or kept offline; and a backup you have never restored from is an assumption, not a plan, so test a restore now and then. With that in place, if you do become a victim of ransomware, instead of paying up you simply restore your data from backup.
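An added example, not from the original article, showing why a versioned snapshot survives what a plain sync folder does not. It takes a hash-recorded snapshot of a directory, mirrors the same directory the way a sync client would, simulates a ransomware overwrite, and then checks which copy can still be restored. The directory layout, file contents and the stand-in for ransomware are constructed for the example.

```python
"""Versioned, hash-verified backups versus a plain sync folder, in the face of a
ransomware-style overwrite. Constructed example; file names and contents are made up."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(directory: Path) -> Dict[str, str]:
    """Map each file under `directory` (relative POSIX path) to its SHA-256."""
    return {p.relative_to(directory).as_posix(): sha256_file(p)
            for p in sorted(directory.rglob("*")) if p.is_file()}


def damaged_files(manifest: Dict[str, str], directory: Path) -> List[str]:
    """Files in `manifest` that are missing from `directory` or whose hash changed."""
    return sorted(rel for rel, digest in manifest.items()
                  if not (directory / rel).is_file() or sha256_file(directory / rel) != digest)


def snapshot(source: Path, backup_root: Path, label: Optional[str] = None) -> Path:
    """Copy `source` into a new, never-overwritten directory and record a manifest.
    Each run creates a fresh snapshot, so an encrypted live copy cannot clobber an old one."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / label
    shutil.copytree(source, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(hash_tree(dest / "data"), indent=2))
    return dest


def verify(snapshot_dir: Path) -> List[str]:
    """Empty list means every file in the snapshot still matches its recorded hash."""
    manifest = json.loads((snapshot_dir / "manifest.json").read_text())
    return damaged_files(manifest, snapshot_dir / "data")


def restore(snapshot_dir: Path, target: Path) -> None:
    """Replace `target` with the snapshot's data directory."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot_dir / "data", target)


def simulate_ransomware(directory: Path) -> None:
    """Constructed stand-in for ransomware: overwrite every file and rename it .locked."""
    for p in [q for q in directory.rglob("*") if q.is_file()]:
        p.write_bytes(b"\x00" * 32)
        p.rename(p.with_name(p.name + ".locked"))


def run_demo() -> Dict[str, List[str]]:
    """Build a tiny live data set, protect it two ways, wreck it, and report what survives."""
    work = Path(tempfile.mkdtemp(prefix="rule-of-three-"))
    try:
        live = work / "live"
        (live / "invoices").mkdir(parents=True)
        (live / "invoices" / "2016-01.txt").write_text("Invoice 1001: 1,200.00 USD\n")
        (live / "ledger.csv").write_text("date,amount\n2016-01-05,1200.00\n")
        baseline = hash_tree(live)

        snap = snapshot(live, work / "backups", label="day1")  # copy 2: versioned snapshot
        mirror = work / "sync-folder"                           # copy 3: a synced folder
        shutil.copytree(live, mirror)

        simulate_ransomware(live)
        shutil.rmtree(mirror)            # a sync client faithfully replicates the damage
        shutil.copytree(live, mirror)

        result = {
            "mirror_damaged": damaged_files(baseline, mirror),
            "snapshot_damaged": verify(snap),
        }
        restore(snap, live)
        result["restored_damaged"] = damaged_files(baseline, live)
        return result
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it and the mirror reports both files damaged while the snapshot verifies clean and restores the originals. The point is the never-overwrite rule in `snapshot` plus the `verify` step; a real setup would write the snapshot to a drive that is disconnected afterwards, or to cloud storage with versioning turned on, and would run `verify` on a schedule rather than only at restore time.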

Develop an Incident Response Plan

Adopt the attitude that asks not if you’ll be breached, but when, and then plan how to limit the damage. If an attacker succeeded in stealing customer information or shutting down part of your business, what would you do? How would you even know? Think through those questions now and write down a clear incident response plan, including who gets called first, who has the authority to take a system offline, and where the backups are, so you’re ready to act rather than improvise.

Have discussions with partners and advisors. Talk with your lawyers about the laws you would be subject to in the event of a breach. Disclosure laws vary by state and by industry, so make sure you’re aware of what your legal responsibilities – both to your customers and your partners – would be in such a situation. Talk to your agent about cybersecurity insurance, which covers losses and costs due to cyberattacks. Finally, think about your communications strategy. How will you proactively communicate with your customers and maintain their trust?

Too much to handle right now? Consider an MSP

Even after reading this road map, you may be thinking that security is a much larger initiative than you can handle. After all, you have a business to run, right? Business owners who agree with that statement should look into aligning themselves with a managed service provider (MSP). MSPs can quickly assess your organisation’s needs and find the right security solutions at a reasonable rate, and they can be critical partners to lean on when you need to track down and contain an attack on your business.

These are just the first steps in establishing a solid data security strategy, but these common sense steps can be the difference between thwarting an attack and going out of business. Don’t be the company that invests in security after it’s been hacked. Be smart, be proactive and, most of all, be safe out there.

Todd O'Boyle (@oboyle) is a co-founder and CTO at Percipient Networks, an Allied Minds company. Prior to Percipient, Todd spent 15 years at The MITRE Corporation.