Six simple steps to defend against vulnerabilities

It’s been over six months since the disastrous SolarWinds zero-day breach, and the threat environment is becoming progressively worse for SMBs, despite the ‘Sputnik Moment’ urgency of the media headlines. Up to 60 percent of small businesses that get hit by cyberattacks close their doors, and 43 percent of breaches happen to SMBs: this is not a problem exclusive to the enterprise. Those are the statistics; here is the response. Security is a process, not just ‘stuff,’ and SMBs can start with minimal, free, or low-cost solutions while adapting world-class cybersecurity measures to protect their businesses. It starts with everyone understanding their role, planning an incident response, and establishing good IT hygiene.

Over 40 percent of data breaches happen to small businesses, and the costs can be staggering. Cybercrime costs SMBs more than $2.2 million a year, there was a 424 percent increase in new small business cyber breaches last year, and new kinds of attack, such as those focused on supply chain weaknesses, are growing exponentially. Hackers aren’t necessarily targeting anyone in particular: 80 percent of all attacks are unsophisticated drive-bys, and unprepared SMBs are the ones that fall victim. Email is the number one entry point into IT systems, and threat actors count on a lack of employee security awareness. SMBs are the most targeted organization size by malicious email rate, because it’s very effective.

Everyone should get the message 

Human error – i.e., an employee clicking on a malicious link or opening rogue files – is the gravest IT threat to your business. Security awareness training is a simple, proactive step to train staff to identify red flags, inform IT about suspicious messages, and verify unusual requests by contacting colleagues through a different medium. Red flags include social engineering tactics such as urgent requests, spoofed password resets, and seemingly legitimate requests for confidential information.

Emails may also contain spelling errors, graphics that just don’t seem right, and insignificant-looking irregularities in the sender’s email address. There are numerous affordable services available to train and educate your staff, including simulations, and incentives to participate. This will have an immediate and tangible effect on your security posture.

Supply chain security 

‘Everyone’ also includes your purchasing department and IT partners. The SolarWinds incident is just one high-profile example illuminating a growing problem: supply chain security. There’s been a definite increase in attacks where systems are compromised through third-party applications: 430 percent year-over-year. It’s an unwelcome prospect when half of SMBs are already struggling with managing their suppliers. 

The problem is more complex than logistics: cybercriminals exploit vulnerabilities within commercial and open source applications through source code, network protocols, unsecured third-party servers, and update mechanisms. An application may even include components that are sourced through additional parties, which compounds the problem of controlling your supply chain. Fortunately, there are several practices that will help your organization to reduce its risks.

Employ least privilege and zero trust principles, meaning access to information is governed by a need to know and a need to do. That’s especially true when a third party is accessing your data. Zero trust applies the same principle to your IT systems, with additional authentication, validation, and continued verification over time. Your IT partner can assist you in deploying zero trust solutions to protect your systems.

Follow the steps above for security awareness and use up-to-date endpoint protection solutions. Many security systems analyze PCs for irregular behavior and preemptively stop applications from running; together with network security and monitoring, this helps to safeguard your data. However, people are always your first line of defense, and defense-in-depth (a combination of these tactics) improves protection.

Auditing and assessment of third parties is crucial: perform your due diligence with service level agreements. Your suppliers should have trusted security standards and best practices in place. Compliance standards such as the European Union’s General Data Protection Regulation (GDPR) hold SMBs accountable for customer data breaches. Your company’s reputation and financial health are at risk via supply chain attacks.

Have a ‘plan for that’ 

Incidents can and will happen, despite these precautions. SMBs are familiar with regularly scheduled fire or tornado drills to be prepared for an emergency. The unseen, shadowy cybercriminal that’s targeting your business is no less a material threat to operations. Every moment counts once you discover that you’re under attack. It is essential to have answers to simple questions such as “Do we have people and policies to act?”, “Can they analyze the necessary information to keep us up and running?” and “Do they understand our network’s layout?”

77 percent of SMBs don’t have a basic Incident Response Plan (IRP), but an IRP and a designated person with the background and authority to respond are enormously valuable in protecting your business’s data, revenue, and overall reputation. Your business can simulate attacks with simple tabletop exercises where every team member plays their role in the IRP. You must also have the assets in place to recover from an attack.

Quality back-ups are invaluable 

Your ability to restore IT systems and resume business operations is only as good as your back-up system. There are various types of systems with different costs, from full to differential (what’s changed) and incremental. It’s best to consult with your IT professional to decide which is most appropriate for your organization, but no business should be without data back-ups/duplicates. The importance of planning your back-ups and having several copies, on and off site, cannot be overstated. Back-ups can significantly lessen the impact of a data breach and get your company back to work much more rapidly.

Good IT hygiene 

Passwords are still one of the soft underbellies of security: especially system passwords that are set to default, passwords that haven’t been changed in a long time, as well as passwords with inadequate complexity and length. Compromised employee passwords cost businesses $383,365 on average, which is totally preventable.

A minimum password length is more effective than complexity alone; think of it as a ‘passphrase’ in which special characters are combined with a memorable expression. For instance, “Th3Qu!cKbR0wNF0xJump3dov3rtheL@azyD0G” is far more secure than “P7HtL9!” and more user friendly. Password complexity is a good thing, but on its own it could lead to your employees writing passwords on Post-It notes.
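To make the length-versus-complexity point concrete, here is an added example (not from the article) that estimates the blind brute-force search space of the two passwords above from their length and character classes, and contrasts a constructed complexity-only rule with a constructed length-first rule; the minimum-class and minimum-length thresholds are assumptions, not figures from the article.

```python
import math
import string

# Character classes used to estimate the alphabet an attacker must assume.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def charset_size(password: str) -> int:
    """Alphabet size for a blind brute-force search (sum of the classes present)."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def search_space_bits(password: str) -> float:
    """log2 of the candidate count. This is an upper bound: dictionary and
    leetspeak-substitution rules shrink the space for sentence-based strings."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passes_complexity_only(password: str, min_classes: int = 3) -> bool:
    """Constructed legacy-style rule: enough character classes, no length floor."""
    return len(classes_used(password)) >= min_classes


def passes_length_first(password: str, min_len: int = 16) -> bool:
    """Constructed passphrase rule: length is the primary requirement (assumed 16)."""
    return len(password) >= min_len


def compare(*passwords: str) -> dict:
    """Summarise how each policy and the search-space estimate treat each password."""
    return {
        pw: {
            "length": len(pw),
            "bits": round(search_space_bits(pw), 1),
            "complexity_only": passes_complexity_only(pw),
            "length_first": passes_length_first(pw),
        }
        for pw in passwords
    }


if __name__ == "__main__":
    # The two passwords quoted in the article, run through both rules.
    for pw, info in compare("Th3Qu!cKbR0wNF0xJump3dov3rtheL@azyD0G", "P7HtL9!").items():
        print(pw, info)
```

The short password satisfies the complexity-only rule yet offers roughly 46 bits against about 242 for the passphrase; only the length-first rule rejects it.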

Adding a second factor to your authentication (multi-factor authentication, MFA) will reduce the likelihood that a compromised password results in data exfiltration or systems compromise. There are many systems available to deliver this capability, and it’s important to select the solution that’s best for your company. A biometric system may not be a good choice for a shop floor where intensive manual labor has worn away workers’ fingerprints, and a system that’s too complex may not receive buy-in from your department heads. However, MFA is something every organization should implement and have enabled ASAP.

Your IT team should also ensure that users operate systems with the least privileges necessary to perform their role, and no PC user should be running as an administrator for day-to-day work (and that includes your IT department). Use the minimum number of required applications, keep them updated, and patch your operating system as quickly as possible. Drive-by attacks seek out unpatched systems.

Good physical security is another important aspect: employee badges, security cameras, code locks on the server room door, and strong policies for off-boarding employees are all effective measures that will further reduce risks. Great network security is meaningless if someone can just walk in the front door.

Monitor your network security 

Training and preparation won’t stop every attack: there’s always a way in. The steps outlined above will reduce your risk and exposure to cybercriminals, but it’s important to have visibility into your environment and to know whether irregular activities are occurring. Hackers don’t always make demands. Instead, they’ll scope out your systems and amplify the potential for damage to maximize the payback for their efforts.

A SOC platform will help your IT team to focus on the most important events and analyze indicators of compromise. Buying security systems that run in silos, where key signals can be missed during an attack, isn’t advisable, nor is spending money on systems that your organization isn’t prepared to use effectively. Large organizations spend millions to build out this capability, but it’s now available for SMBs to detect cyber threats and be advised about how to stop them in their tracks.

The steps outlined above begin with policies and training, which are foundational before any new security systems are purchased. Security is a process that involves everyone within your organization. Technologies can assist your efforts to become more secure, but it’s equally important to understand how to use them and have the appropriate guidance to uncover and respond to security incidents.

Nadav Arbel, CEO and Co-Founder, CYREBRO

20+ years revolutionizing how companies operate their cybersecurity with groundbreaking Cyber-Tech, Cyber-Operations & AI in Cyber Security, Cyber Defense, and Forensics. Nadav also previously headed the Cyber Security Division for the Israeli Police Force where he established and commanded the Israeli Cyber & SIGINT technology unit.