Amidst the Covid-19 pandemic, reports of cybercrime have quadrupled according to the FBI. Moreover, attackers have specifically targeted vulnerable small businesses for their important credentials, personal data and other internal business-related data, as reported by the Verizon Business 2020 Data Breach Investigations Report. While any type of cybercrime can be extremely detrimental, the negative consequences of a data breach to a small business in particular are numerous and overwhelming. From paying a ransom for data, to notifying customers and law enforcement, a cyberattack can consume every minute of a small business owner’s time until resolved and could cost them their entire business. In fact, the 2019 Hiscox Cyber Readiness Report found that digital breaches cost businesses $200,000 a year on average. Yet, only 14 per cent of small businesses are prepared to defend themselves, as stated in a Keeper Security study.
On top of needing to be prepared for potential cybercrimes, many small businesses are dealing with the impacts of the pandemic and have struggled to stay afloat due to lack of revenue, location closings and overall absence of resources brought on by the coronavirus. As small businesses forge forward with reopening—or even preparing for a second round of closures due to a virus resurgence—owners will need to ensure the right measures are in place to keep their business and customer data protected. To do so, every small business owner or key decision-maker should ask themselves the following questions.
Do I have firewalls in place?
Ideally, a small business would have a properly configured firewall that acts as an active filter and sits between the internet and the business’s network. Firewalls are purposefully configured to let “good” traffic in and out of the network and to block “potentially harmful” traffic. However, the definitions of “good” and “potentially harmful” change over time as hackers find new ways of attacking networks, so business owners need to stay on top of reconfiguring their firewalls to repel new types of attacks. Luckily, with the right software provider, reconfiguring can be as simple as applying an update, since firewalls are managed through a software application.
What are patches and why are they important to my business?
Patches are updates that are applied to operating systems and applications to fix bugs and security vulnerabilities. Many software vendors, like Microsoft, publish new software versions and updates in order to actively prevent critical security issues. Patches and updates need to be applied carefully and religiously as unpatched systems could allow hackers to take control of the business’s network and data.
Small businesses should use Windows Update and System Update Server to regularly patch their PCs and servers. Additionally, running a vulnerability assessment tool on a quarterly basis can help validate that everything is working and catch any issues that need fixing. If the business’s software products are in the cloud, updates to the software and servers are deployed and tested automatically – peace of mind for the busy business owner who may forget to run this regularly.
Do we have a process for onboarding and offboarding employees from the system?
Removing departing employees’ access from all business systems is critical. Unused, active accounts are a major security risk and an easy target for cybercriminals; if a hacker gets control of a user account, they can infiltrate the network to gain greater access to customer data. To prevent this, owners should apply role-based access to employee accounts. This would limit employee access to only the systems that are needed for them to perform their jobs. Another important component to protecting user accounts is an automatically enforced password “complexity and change” policy. This will ensure users are changing their password often (e.g., every 180 days) and following strict password complexity requirements that typically involve both uppercase and lowercase letters in conjunction with a digit and/or symbol. Additionally, small businesses should consider having a written policy and procedure for onboarding and offboarding employees that is followed and audited annually.
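The checks described above (no enabled accounts for departed staff, access limited to what a role needs, and passwords rotated on schedule) can be run as a routine audit against an export of the directory and the HR roster. The script below is an added example, not code from the article or from ECI; the roster, account list, role matrix and field names are all constructed, and the 12-character minimum length in the complexity check is an assumption the article does not state.

```python
"""Offboarding and access-hygiene audit over a constructed sample directory.

Added example: every record below is made up, and the field names are an
assumed export format, not any real HR or directory product's schema.
"""
from datetime import date

# Constructed HR roster: who still works here (status) and in what role.
ROSTER = {
    "alice": {"status": "active", "role": "accounting"},
    "bob": {"status": "departed", "role": "sales"},
    "carol": {"status": "active", "role": "warehouse"},
}

# Constructed directory export: login accounts, what each can reach, and
# when the password was last changed.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "systems": {"erp", "email"},
     "pw_changed": date(2020, 1, 10)},
    {"user": "bob", "enabled": True, "systems": {"crm", "email"},
     "pw_changed": date(2020, 5, 2)},
    {"user": "carol", "enabled": True, "systems": {"erp", "email", "payroll"},
     "pw_changed": date(2019, 11, 1)},
    {"user": "svc-backup", "enabled": True, "systems": {"fileserver"},
     "pw_changed": date(2018, 6, 1)},
]

# Role-based access: the only systems each role needs to do its job (assumed).
ROLE_SYSTEMS = {
    "accounting": {"erp", "email", "payroll"},
    "sales": {"crm", "email"},
    "warehouse": {"erp", "email"},
}


def orphaned_accounts(accounts, roster):
    """Enabled accounts whose owner has left or is not on the roster at all."""
    return sorted(a["user"] for a in accounts if a["enabled"]
                  and roster.get(a["user"], {}).get("status") != "active")


def excess_access(accounts, roster, role_systems):
    """Systems an account can reach beyond what its owner's role needs."""
    findings = {}
    for a in accounts:
        entry = roster.get(a["user"])
        if entry is None:
            continue  # unknown owner: reported by orphaned_accounts instead
        extra = a["systems"] - role_systems.get(entry["role"], set())
        if extra:
            findings[a["user"]] = sorted(extra)
    return findings


def stale_passwords(accounts, today, max_age_days=180):
    """Accounts whose password is older than the rotation policy allows."""
    return sorted(a["user"] for a in accounts
                  if (today - a["pw_changed"]).days > max_age_days)


def meets_complexity(password, min_length=12):
    """Upper and lower case plus a digit or symbol; the length floor is assumed."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_other = any(c.isdigit() or not c.isalnum() for c in password)
    return len(password) >= min_length and has_upper and has_lower and has_other


if __name__ == "__main__":
    today = date(2020, 7, 1)  # constructed audit date
    print("orphaned accounts:", orphaned_accounts(ACCOUNTS, ROSTER))
    print("excess access:", excess_access(ACCOUNTS, ROSTER, ROLE_SYSTEMS))
    print("stale passwords:", stale_passwords(ACCOUNTS, today))
```

Run against the sample data, the audit flags the departed user and the service account nobody owns as orphaned, shows that the warehouse user can reach payroll without a business reason, and lists the two passwords older than 180 days. The service account is the case a manual review most often misses: it has no person behind it on the roster, so only a check that treats "not on the roster" the same as "departed" will surface it.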
Am I educating my employees on security holes?
Security holes, like phishing attacks, are among the most common causes of ransomware infection. Such attacks impersonate an authority, like a bank, and present an urgent request for sensitive information or to open an infected document. Employee education on how to handle these attacks, together with proper security procedures for dealing with financial institutions, emails and phone calls, is crucial and can eliminate a significant amount of risk to the business.
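The traits the paragraph lists (an impersonated authority, urgency, and a request for credentials or to open a document) are also what a simple mail triage check can look for before a message reaches an employee. The following is an added example, not code from the article or from ECI: the list of known senders and their real domains, the phrase lists, the attachment extensions and the three sample messages are all constructed for illustration.

```python
"""Flag messages showing the phishing traits described in the article.

Added example with constructed data: KNOWN_SENDERS maps organizations the
business deals with to the domain each really mails from (assumed), and the
phrase and extension lists are illustrative, not a complete detection rule set.
"""

KNOWN_SENDERS = {
    "first national bank": "firstnational.example",
    "payroll provider": "payroll.example",
}
URGENCY = ("immediately", "urgent", "within 24 hours", "account will be suspended")
CREDENTIAL_ASK = ("verify your password", "confirm your login", "enter your credentials")
RISKY_EXTENSIONS = (".exe", ".js", ".docm", ".xlsm", ".zip")

# Constructed sample mailbox: one impersonation attempt, one genuine notice,
# and one macro-enabled "invoice" from an unknown sender.
MESSAGES = [
    {"display_name": "First National Bank",
     "from": "alerts@firstnationa1-secure.example",
     "subject": "Action required",
     "body": "Your account will be suspended unless you verify your password "
             "within 24 hours.",
     "attachments": []},
    {"display_name": "First National Bank",
     "from": "statements@firstnational.example",
     "subject": "Your June statement",
     "body": "Your statement is ready in online banking.",
     "attachments": []},
    {"display_name": "Accounts Payable",
     "from": "ap@unknown-supplier.example",
     "subject": "Invoice",
     "body": "Please open the attached invoice immediately.",
     "attachments": ["invoice_4471.docm"]},
]


def sender_mismatch(display_name, from_addr):
    """True when the display name claims a known organization but the
    address domain is neither that organization's domain nor a subdomain."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    for org, real_domain in KNOWN_SENDERS.items():
        if org in display_name.lower():
            return domain != real_domain and not domain.endswith("." + real_domain)
    return False


def phishing_indicators(msg):
    """Return the indicators found in one message, in a fixed order."""
    body = msg["body"].lower()
    found = []
    if sender_mismatch(msg["display_name"], msg["from"]):
        found.append("sender-domain-mismatch")
    if any(p in body for p in URGENCY):
        found.append("urgency")
    if any(p in body for p in CREDENTIAL_ASK):
        found.append("credential-request")
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in msg.get("attachments", [])):
        found.append("risky-attachment")
    return found


def suspicious(messages, threshold=2):
    """Subjects of messages with at least `threshold` indicators."""
    return [m["subject"] for m in messages
            if len(phishing_indicators(m)) >= threshold]


if __name__ == "__main__":
    for m in MESSAGES:
        print(m["subject"], "->", phishing_indicators(m))
    print("hold for review:", suspicious(MESSAGES))
```

The genuine statement notice passes clean because its sender domain matches the organization it claims to be; the lookalike domain, the deadline and the password request together mark the first message, and the second is held on urgency plus a macro-enabled attachment even though no known organization is impersonated. Requiring two indicators rather than one keeps a legitimate but hurried "please review immediately" from being quarantined on wording alone.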
Providing annual security education training for all employees can be a great start, and some software solution providers may even provide this for users. Depending on the business’s needs, software providers can offer various forms of training so employees can become self-sufficient on their own time, at their own pace and with their own preferred learning style. For example, employees could take part in classroom training, which offers a variety of classes specifically designed around a user’s role and skillset; virtual training, which has live, online, instructor-led classes that offer role-specific hands-on training; or on-demand video tutorials, which present a database of materials that can be accessed 24/7 from anywhere. Regardless of how business owners choose to educate their employees, they should mandate that everyone is trained on cybersecurity best practices.
Should I move my data to the cloud?
Small businesses are historically more inclined to manage their operations with pen and paper or through on-premises solutions, often finding a move to the cloud risky. However, data in the cloud is actually more secure than on-site data, as the cloud environment’s firewall is much stronger than most businesses’. Cloud providers offer layers of security that include automatically backing up data and storing it at multiple sites—a practice known as “redundancy.” The cloud is also safe from the server theft, fire or natural disaster that might strike a small business unexpectedly. Moreover, any business operating on a cloud-based enterprise resource planning (ERP) system is greatly reducing its data security risks. These systems deliver stronger protections against all threats—from malware and phishing to password and denial-of-service attacks—than a small business could implement on its own. Moreover, should a small business suffer a calamity—like the Covid-19 crisis—it will be back in business much faster with the cloud because its data is accessible from anywhere with an internet connection, allowing it to maintain business continuity despite its doors being closed.
These questions are a good starting point for cybercrime prevention, but it’s critical that every small business owner – no matter their experience level or current security measures – make protecting data a number one priority. Given the high risk small businesses are exposed to, especially in the wake of Covid-19, it is crucial that owners set contingency plans and begin executing on preventative measures to ensure the safety of the business’s data. By not doing so, small businesses put their information and their customers’ information at risk of being a prime target for malicious cyber attackers.
Grant Howe, CTO, ECI