As more small businesses embark on digital initiatives, moving more of their business into cyberspace, they are increasingly exposed to cyber risks and find it more complex and difficult to stop hackers. How does a business with limited IT resources prevent hacking?
Today, the heightened cyber threat landscape and the increasingly punitive regulatory environment mean that a cyber attack or data breach can have a significant financial impact on an organization. A report by the U.S. National Cyber Security Alliance found that 60% of SMEs go out of business within six months after a cyber attack.
Small businesses are not ‘too small to fail’. The number of cyber attacks (including phishing, advanced malware and ransomware attacks) is rising. Increasingly, small and medium businesses face the same cybersecurity risks as larger companies.
It is precisely the common misconception that small businesses are not targets that makes them attractive to cyber criminals. Small businesses spend less on cybersecurity and, in most cases, have fewer resources than larger enterprises. Many small businesses also serve as a gateway to larger enterprises through their business relationships, and cyber criminals exploit this trust to breach the small business's partners or customers.
1. Don’t be a target – Test yourself
Cyber criminals are constantly scanning the internet for vulnerable systems they can exploit. This activity increases in intensity whenever a major vulnerability is announced (e.g. BlueKeep) as threat actors rush to compromise as many systems as possible before a patch is released, or systems are updated.
Cyber criminals couldn’t care less if you are a large multinational corporation or a small business. It’s imperative for all types of organizations to take certain fundamental steps to prevent hacking.
You need to get ahead of the game and stop hackers by knowing your vulnerabilities before the bad guys do. Scanning your own systems regularly for vulnerabilities to detect any weaknesses, and fixing them as soon as possible, is critical. Network vulnerability scans are designed not only to identify weak spots, but also to point to the countermeasures that address each one. These scans can be performed either internally by IT staff or by a third-party contractor. There are also cloud-based self-service solutions that you can employ to scan your IT assets on your own schedule.
A good vulnerability scan should also result in a prioritized list of security risks in the hands of your IT staff, since these tests often produce more trivial findings and false positives than the team can be expected to keep up with.
Vulnerability scans are generally limited to known security vulnerabilities, those that have been cataloged by software/hardware developers and security researchers. A third-party scan will not get creative in trying to socially engineer employees or invent novel ways to get in; that sort of more in-depth breach simulation is called a “penetration test.”
How often should you scan to prevent hacking? Cybersecurity experts often recommend that it be done weekly; however, it’s important to consider that frequent scanning is of little help unless patching of security issues is also going to be equally frequent.
And since hackers do not simply use scanners to breach your network, conducting a penetration test on your external facing systems at least once a year would be a prudent cyber security practice.
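The prioritized worklist and the "scan only as often as you patch" point above can be made concrete with a small triage script. This is an added example, not code from the article: the finding fields, the analyst's false-positive list, the sample findings and the per-severity SLA days are all constructed assumptions that you would map onto whatever your own scanner exports.

```python
"""Triage a vulnerability-scan export into a prioritized, de-noised worklist
with patch-SLA tracking.

Added example, not code from the article. The finding fields, the analyst's
false-positive list and the SLA days are assumptions for illustration; map
them onto whatever your scanner actually exports.
"""
from datetime import date

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Days allowed to remediate a finding, counted from when it first appeared
# (assumed policy; tie it to your real patch cadence, or frequent scanning
# just produces a longer list of things nobody fixes).
PATCH_SLA_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}

# (host, finding id) pairs an analyst has verified as false positives (assumed).
KNOWN_FALSE_POSITIVES = {("web-01", "tls-legacy-cipher-check")}

REPORT_DATE = date(2024, 2, 15)  # the day the scan was reviewed (constructed)

# Constructed sample scan output; real exports carry many more fields.
SAMPLE_FINDINGS = [
    {"host": "web-01", "id": "tls-legacy-cipher-check", "severity": "Medium",
     "cvss": 5.3, "exploit_available": False, "internet_facing": True,
     "first_seen": date(2024, 1, 2)},
    {"host": "web-01", "id": "outdated-ssh-daemon", "severity": "High",
     "cvss": 8.1, "exploit_available": True, "internet_facing": True,
     "first_seen": date(2024, 1, 20)},
    {"host": "vpn-01", "id": "remote-access-gateway-flaw", "severity": "Critical",
     "cvss": 9.8, "exploit_available": True, "internet_facing": True,
     "first_seen": date(2024, 2, 12)},
    {"host": "file-01", "id": "smb-signing-disabled", "severity": "Medium",
     "cvss": 5.9, "exploit_available": False, "internet_facing": False,
     "first_seen": date(2023, 12, 1)},
    {"host": "pc-07", "id": "browser-outdated", "severity": "Low",
     "cvss": 3.1, "exploit_available": False, "internet_facing": False,
     "first_seen": date(2024, 2, 10)},
]


def days_open(finding, today):
    return (today - finding["first_seen"]).days


def is_overdue(finding, today):
    """True when the finding has been open longer than its severity's SLA."""
    return days_open(finding, today) > PATCH_SLA_DAYS[finding["severity"]]


def priority_score(finding, today):
    """Higher means fix sooner: severity dominates, then exposure and SLA breach."""
    score = SEVERITY_RANK[finding["severity"]] * 10 + finding["cvss"]
    if finding["exploit_available"]:
        score += 15   # public exploit: attackers' scanners will find it too
    if finding["internet_facing"]:
        score += 10   # reachable by anyone scanning the perimeter
    if is_overdue(finding, today):
        score += 20   # already past the remediation deadline
    return score


def triage(findings, false_positives, today):
    """Drop known false positives and return findings ordered by priority."""
    worklist = []
    for finding in findings:
        if (finding["host"], finding["id"]) in false_positives:
            continue
        item = dict(finding)
        item["days_open"] = days_open(finding, today)
        item["overdue"] = is_overdue(finding, today)
        item["score"] = priority_score(finding, today)
        worklist.append(item)
    worklist.sort(key=lambda item: item["score"], reverse=True)
    return worklist


if __name__ == "__main__":
    for item in triage(SAMPLE_FINDINGS, KNOWN_FALSE_POSITIVES, REPORT_DATE):
        flag = "OVERDUE" if item["overdue"] else "ok"
        print(f"{item['score']:5.1f}  {item['host']:8} {item['id']:28} "
              f"{item['severity']:8} {flag}")
```

Run on the constructed data, the internet-facing High with a public exploit that has already blown through its 14-day SLA lands above the brand-new Critical, and the suppressed false positive never reaches the team. The weights are deliberately simple; what matters is that the ordering is written down and applied the same way after every scan.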
2. Train your employees to stop hackers
Employees are the first line of defense against cyber attacks and data breaches, but can also be the weakest link in the security chain. It’s important to make them conscious of how their behavior can have an impact on securing your small business. You have to be constantly training, testing and reinforcing; studies show that retention of information security awareness fades drastically after a few months without any kind of refresher. Phishing campaigns aren’t going to take a break, so you shouldn’t either.
Also consider ditching the boring yearly training sessions built around presentation slides; rarely does anyone remember them. An engaging security awareness program uses real-life stories with practical application. Interactivity is another great way to improve retention: use quizzes or interactive scenarios built around the common attack types (such as phishing emails) that the organization expects to face. A helpful way to look at this is as a marketing campaign, applying the techniques you would use to win over a customer to training your staff effectively.
Ideally, training should also be tailored to each department’s role and the risks they are most likely to face. Phishing emails are an attack type that the entire organization is likely to encounter, but other threats are more specific. For example, social engineering attempts by phone are more likely to hit certain types of employees: those with public contact information listed, those that have more privileged levels of access to the network, and those that work with billing and have access to bank accounts. Physical security is another example for employees that take company hardware or confidential information out of the facility.
Some common mistakes for small businesses to avoid in educating employees include singling out individuals in front of the group as public examples, sending phishing tests and security quizzes at predictable times, and failing to demonstrate to employees what to do when attacks are detected (incident response plans and security points of contact).
3. Secure the network perimeter
What does it mean to “secure the network perimeter?” It basically means securing the various “doors” that connect the internet to your internal network. This primarily refers to network ports. But those are far from the only points of entry to be considered in a perimeter defense plan. Employee email addresses and devices are another example, as are cloud services and the systems of third-party contractors that have access.
Small businesses will thus want to implement a secure network architecture design that uses defense-in-depth principles to stop hackers. One key aspect is to use firewalls to control what is allowed into your network; another is to have an intrusion detection system for early warning of anything that slips by. For a small business that likely has limited IT budget and personnel, this might seem like an unmanageable way to prevent hacking. One option that can make it much more manageable is a “unified threat management” (UTM) approach. This means that you have one overarching hardware or software installation that takes care of all of these various needs on its own, rather than trying to implement different solutions for different problems.
Small businesses that want to go their own way in terms of security strategy will need to first map out the network perimeter and all of its components. One can then determine the level of network security that each component needs: how they are used and accessed (do employees need remote access?), what information they contain (e.g. sensitive customer payment information or employee personal information), and the required uptime.
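Once the perimeter is mapped, the firewall rule set is the first artifact worth reviewing, because the same few mistakes account for most of the exposure. The script below is an added example, not code from the article or from any firewall vendor: it audits a simplified, assumed rule format (action, source CIDR, destination CIDR, TCP port or None for any) and shows a constructed "before review" rule set next to a corrected one. The management-port list and the IP ranges are also assumptions.

```python
"""Audit a perimeter firewall rule set for the mistakes that most often leave
a small network open: management ports exposed to the internet, a catch-all
allow, and no default deny.

Added example, not code from the article. The rule format is a simplified
assumption; the sample rules use documentation IP ranges.
"""
import ipaddress

# Ports whose exposure to the whole internet should always raise a flag (assumed list).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed rule set as it might look before review; rules apply in order.
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.20/32", "port": 443},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.20/32", "port": 80},
    {"id": 30, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.21/32", "port": 3389},
    {"id": 40, "action": "allow", "src": "198.51.100.0/24", "dst": "203.0.113.22/32", "port": 22},
    {"id": 50, "action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None},
]

# The same set after review: remote desktop reachable only from the VPN/office
# range, the catch-all allow removed, and an explicit default deny at the end.
HARDENED_RULES = [
    {"id": 10, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.20/32", "port": 443},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.20/32", "port": 80},
    {"id": 30, "action": "allow", "src": "198.51.100.0/24", "dst": "203.0.113.21/32", "port": 3389},
    {"id": 40, "action": "allow", "src": "198.51.100.0/24", "dst": "203.0.113.22/32", "port": 22},
    {"id": 99, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None},
]


def is_internet_wide(cidr):
    """A /0 network matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (rule id, message) findings; an empty list means nothing was flagged."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src_any = is_internet_wide(rule["src"])
        if src_any and rule["port"] in MANAGEMENT_PORTS:
            findings.append((rule["id"], f"{MANAGEMENT_PORTS[rule['port']]} open to the "
                                         "whole internet; restrict to VPN/office ranges"))
        if src_any and is_internet_wide(rule["dst"]) and rule["port"] is None:
            findings.append((rule["id"], "any-to-any allow makes every later rule irrelevant"))
    # A rule set that does not end in deny relies on the device's implicit
    # default, which differs between products and is easy to get wrong.
    if not rules or rules[-1]["action"] != "deny":
        findings.append((None, "no explicit default-deny as the final rule"))
    return findings


if __name__ == "__main__":
    for rule_id, message in audit_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {message}")
    print("hardened set findings:", audit_rules(HARDENED_RULES))
```

The same check generalizes to any rule export you can turn into this shape; the value is in running it after every change to the perimeter, not only once.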
4. Secure your systems and stay updated
Servers, network equipment and cloud resources need to have security settings configured based on best practices and configuration standards. And don’t forget employee devices: all the desktops, laptops, and mobile devices that might externally connect to the network.
Remote working means devices are outside of your secured perimeter and are exposed. These devices must be accounted for in a cybersecurity plan to prevent hacking, either with measures present on the device itself or at “checkpoints” the device must pass through to access the company network.
Some broad examples of items that can be installed on devices to stop hackers are personal firewalls as well as anti-malware and anti-virus software. This sort of thing is necessarily difficult (if not impossible) to mandate on employee personal devices. The approach that many organizations take is to issue company-owned remote devices meant for work that have company configuration standards (in terms of settings for operating systems and applications as well as mandatory authentication policies).
Scrubbing old accounts is also important in a remote work scenario: promptly removing things like outdated user accounts, unnecessary apps and software, and passwords that have not been changed in a long time. It is also important to always change default passwords immediately and remind active employees to regularly change their passwords as well (and implement strong passwords). Employees should also be encouraged to not re-use passwords; a password manager is a great deal of help in making this a realistic request.
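The account scrubbing described above is easy to automate against an export from your directory or identity provider. The script below is an added example, not code from the article: the export format, the thresholds (90 days inactive, 180 days maximum password age), the audit date and the sample accounts are constructed assumptions. Its "never changed" check uses a simple heuristic, a password-changed date no later than the account's creation date, which is how an initial or default password that was never replaced typically shows up.

```python
"""Account hygiene audit: inactive accounts, passwords never changed since
creation, and passwords older than policy allows.

Added example, not code from the article. The account export format, the
thresholds and the sample accounts are constructed assumptions.
"""
from datetime import date

INACTIVE_DAYS = 90           # assumed policy
MAX_PASSWORD_AGE_DAYS = 180  # assumed policy
AUDIT_DATE = date(2024, 2, 15)

# Constructed sample export. last_login None means the account never logged in.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "enabled": True, "created": date(2022, 1, 1),
     "last_login": date(2024, 2, 10), "password_changed": date(2024, 1, 5)},
    {"user": "bob-contractor", "enabled": True, "created": date(2023, 1, 1),
     "last_login": date(2023, 9, 1), "password_changed": date(2023, 1, 1)},
    {"user": "carol", "enabled": True, "created": date(2023, 3, 1),
     "last_login": date(2024, 2, 14), "password_changed": date(2023, 3, 15)},
    {"user": "dave", "enabled": False, "created": date(2021, 5, 1),
     "last_login": date(2023, 1, 1), "password_changed": date(2021, 5, 1)},
    {"user": "svc-backup", "enabled": True, "created": date(2021, 6, 1),
     "last_login": None, "password_changed": date(2021, 6, 1)},
]


def is_inactive(account, today, limit=INACTIVE_DAYS):
    """Never logged in, or no login within the limit."""
    if account["last_login"] is None:
        return True
    return (today - account["last_login"]).days > limit


def password_never_changed(account):
    """Initial (often default, or known to whoever set the account up) password still in use."""
    return account["password_changed"] <= account["created"]


def password_too_old(account, today, limit=MAX_PASSWORD_AGE_DAYS):
    return (today - account["password_changed"]).days > limit


def audit_accounts(accounts, today=AUDIT_DATE):
    """Group enabled accounts by the problems found; already-disabled accounts are skipped."""
    report = {"inactive": [], "never_changed": [], "password_too_old": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if is_inactive(acct, today):
            report["inactive"].append(acct["user"])
        if password_never_changed(acct):
            report["never_changed"].append(acct["user"])
        if password_too_old(acct, today):
            report["password_too_old"].append(acct["user"])
    return report


if __name__ == "__main__":
    for problem, users in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{problem}: {', '.join(users) or '-'}")
```

Service accounts such as the constructed svc-backup are the usual surprise in this kind of report: they never log in interactively, so "inactive" needs a human decision rather than automatic disabling, but a password unchanged since installation is a finding either way.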
Managing vulnerabilities is another key challenge in today’s enhanced cyber threat environment. More than 100,000 vulnerabilities were reported for commonly used software over the last five years. In 2019 alone, more than 22,000 were reported with 37% proven to be exploitable and one in three given a High or Critical severity rating. Expect every piece of software to have at least one vulnerability develop at some point during its lifetime of use.
Keeping systems updated is one of the most fundamental and impactful things you can do to prevent hacking. This includes operating systems, software applications and network devices. Diligence is the key to this aspect of cyber security. If remote worker devices are connecting to the network, there needs to be either a system of regular reminders or a means to push patches out to them. Patches are often issued to address a known security vulnerability that has developed, meaning that prompt patching is critical to stop hackers, malware and ransomware attacks.
5. Back up your important business data
Backup management is critical in order to recover your data in case of disruptions and ransomware.
While the term “enterprise” usually signifies a large business, “enterprise backup” systems are meant for any type of organization. These are data management systems that are specifically designed for business needs (including small businesses). The ideal enterprise backup uses a two-tiered system that stores data on both a local drive and internet-based cloud storage, in the event that one of those sources is compromised by a breach.
The ideal system also takes full “snapshots” of all of the network data that needs to be backed up at regular intervals. This used to be sufficient as a safeguard against ransomware, but it’s important to note that ransomware groups are increasingly stealing and threatening to expose sensitive documents in addition to encrypting network components. Another factor to consider is that cloud services are not infrequently compromised, and sometimes a simple mistake in configuration is enough to leave a cloud storage bucket open to the world. Security experts generally recommend identifying the most sensitive data that needs to be backed up and ensuring that it is stored with an “air gap” from the business network to stop hackers, such as a physical media backup system.
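A backup you have never verified is a hope, not a control. The script below is an added example, not code from the article or from any backup product: using only the Python standard library, it takes a snapshot of a directory into a first tier, writes a SHA-256 manifest beside it, replicates both to a second tier (standing in for cloud storage or offline media), and re-hashes every file inside each copy against the manifest. The directory layout, the manifest format and the sample files are assumptions, and the demo corrupts one byte of the second-tier copy to show the verification catching it.

```python
"""Two-tier backup snapshot with an integrity manifest and verification.

Added example, not code from the article. Paths, the manifest format and
the 'tier' layout are assumptions; the sample source tree is constructed.
"""
import hashlib
import json
import os
import shutil
import tarfile
import tempfile


def sha256_of_stream(fh):
    digest = hashlib.sha256()
    for chunk in iter(lambda: fh.read(65536), b""):
        digest.update(chunk)
    return digest.hexdigest()


def create_snapshot(src_dir, tier_dir, label):
    """Archive src_dir into tier_dir/<label>.tar and write a SHA-256 manifest beside it."""
    os.makedirs(tier_dir, exist_ok=True)
    archive = os.path.join(tier_dir, f"{label}.tar")
    manifest_path = os.path.join(tier_dir, f"{label}.manifest.json")
    manifest = {}
    # Plain tar so the demo can corrupt one data byte in place; in practice use
    # 'w:gz' and encrypt the archive before it leaves the building.
    with tarfile.open(archive, "w") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    manifest[rel] = sha256_of_stream(fh)
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return archive, manifest_path


def verify_snapshot(archive, manifest_path):
    """Re-hash every file inside the archive against the manifest; returns (ok, problems)."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    problems, seen = [], set()
    try:
        with tarfile.open(archive, "r") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                seen.add(member.name)
                if expected.get(member.name) != sha256_of_stream(tar.extractfile(member)):
                    problems.append(f"hash mismatch: {member.name}")
    except tarfile.TarError as exc:
        problems.append(f"unreadable archive: {exc}")
    problems.extend(f"missing from archive: {rel}" for rel in expected if rel not in seen)
    return (not problems, problems)


def replicate(archive, manifest_path, second_tier_dir):
    """Copy archive and manifest to a second tier (cloud bucket, offline media)."""
    os.makedirs(second_tier_dir, exist_ok=True)
    copies = []
    for path in (archive, manifest_path):
        dest = os.path.join(second_tier_dir, os.path.basename(path))
        shutil.copy2(path, dest)
        copies.append(dest)
    return tuple(copies)


def corrupt_one_byte(archive, member_name):
    """Simulate silent media corruption by flipping one byte of a member's data."""
    with tarfile.open(archive, "r") as tar:
        offset = tar.getmember(member_name).offset_data
    with open(archive, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0xFF]))


def run_demo():
    """Snapshot a constructed tree to two tiers, verify both, then corrupt tier 2 and re-verify."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(work, "source")
    os.makedirs(os.path.join(src, "finance"))
    with open(os.path.join(src, "finance", "invoices.csv"), "w") as fh:
        fh.write("id,amount\n1,100\n2,250\n")          # constructed sample data
    with open(os.path.join(src, "customers.txt"), "w") as fh:
        fh.write("constructed sample customer list\n")
    archive, manifest = create_snapshot(src, os.path.join(work, "tier1-local"), "daily-2024-02-15")
    copy_archive, copy_manifest = replicate(archive, manifest, os.path.join(work, "tier2-offsite"))
    local_ok, _ = verify_snapshot(archive, manifest)
    offsite_ok, _ = verify_snapshot(copy_archive, copy_manifest)
    corrupt_one_byte(copy_archive, "customers.txt")
    corrupted_ok, problems = verify_snapshot(copy_archive, copy_manifest)
    shutil.rmtree(work)
    return {"local_ok": local_ok, "offsite_ok": offsite_ok,
            "corrupted_ok": corrupted_ok, "problems": problems}


if __name__ == "__main__":
    print(run_demo())
```

Keeping the manifest with the air-gapped copy, rather than only on the network that ransomware might encrypt, is what lets you answer "is this restore clean?" without trusting the system you are recovering.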
6. Write code? Make sure it’s secure
Whether you are writing your own software in-house or outsourcing, code needs to be written in a secure manner. Code exists in all technological devices, and it’s the source of every software vulnerability in the world. The key to building secure code is regular scanning of it for security flaws during development.
There are various types of code analysis that are too complex to explain in detail in this brief overview: static, dynamic, and so on. The important thing to know is that automatic scanning tools and services exist to help small businesses tackle this challenge and implement secure coding practices.
Even if you are not writing your own custom software applications and have a third-party vendor develop the solution, you will probably want to scan the source code just to be sure. If you do have a need to review your source code, “automated code review” tools and services are the place to start looking.
One final tip is that open source software is not automatically a secure option. Problems very frequently develop with open source libraries, and the hidden cost of using these options is frequent patching.
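To make "static analysis" less abstract, here is the smallest useful version of what the automated scanners mentioned above do at far larger scale. This is an added example, not code from the article or from any particular tool: it walks the syntax tree of Python source and applies three assumed rules (dynamic code execution, subprocess calls with shell=True, and string literals assigned to secret-looking names). The sample source it scans is constructed; the rule names and the name hints are assumptions.

```python
"""A minimal static analysis pass over Python source.

Added example, not code from the article or from any scanner. The three
rules and the sample source are assumptions chosen for illustration.
"""
import ast

SECRET_NAME_HINTS = ("password", "passwd", "secret", "token", "api_key")
SHELL_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
               "subprocess.check_output", "subprocess.check_call"}


def _call_name(node):
    """'eval' for eval(...), 'subprocess.run' for subprocess.run(...), else None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


class RiskyPatternVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []   # (line, rule, detail)

    def visit_Call(self, node):
        name = _call_name(node)
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "dynamic-code-execution", name))
        elif name in SHELL_CALLS:
            # shell=True hands the whole string to a shell, so any user-controlled
            # part of it becomes command syntax; a list argv with shell=False does not.
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append((node.lineno, "shell-true-subprocess", name))
        self.generic_visit(node)

    def visit_Assign(self, node):
        value = node.value
        # Non-empty string literal assigned to a name that looks like a credential.
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        hint in target.id.lower() for hint in SECRET_NAME_HINTS):
                    self.findings.append((node.lineno, "hardcoded-secret", target.id))
        self.generic_visit(node)


def scan_source(source, filename="<sample>"):
    """Parse the source and return findings sorted by line number."""
    tree = ast.parse(source, filename=filename)
    visitor = RiskyPatternVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings)


# Constructed sample to scan; not real application code.
SAMPLE_SOURCE = '''\
import subprocess

DB_PASSWORD = "example-not-a-real-secret"
API_KEY = ""
timeout = "30"

def run_report(user_filter):
    return subprocess.run("report --filter " + user_filter, shell=True)

def compute(expr):
    return eval(expr)

def safe_list(path):
    return subprocess.run(["ls", path], shell=False)
'''

if __name__ == "__main__":
    for line, rule, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {rule} ({detail})")
```

Real tools add data-flow tracking (is user input actually reaching that shell string?), hundreds of rules and suppression files, but the shape is the same: parse, match patterns, report a line and a reason. Running something like this in the build pipeline is what "regular scanning during development" means in practice.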
7. Rapid detection and response to limit damage of cyber attacks
If a cyber attack slips by your defenses, rapid detection can mean the difference between a minor incident and a major catastrophe. The key is a well-laid cyber security plan that covers all of the likely ways by which attackers may gain access to the organization’s systems. Once a good plan is drawn up, the key to making it work is to conduct periodic drills and ensure that your personnel know exactly what their role is (in addition to installing appropriate detection systems). This includes the average employee who might be the target of an attack, not just the security team.
Incident response plans are designed to calm and focus the staff when it’s time to stop hackers, leaving no question as to what needs to be done to mitigate damage and contain the attackers’ access. While this is a technical area that will need to be hashed out by your team’s information security professionals, the key thing for all staff to know is what their point of contact is if they suspect data breach activity and what their roles and responsibilities are if an incident occurs. Effective incident response plans should also incorporate lessons learned from prior incidents.
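The "appropriate detection systems" mentioned above can start very small. The script below is an added example, not code from the article or from any product: it reads authentication log lines in an assumed format, raises an alert when one source fails to log in five times within two minutes, and raises a second, higher-urgency alert if that same source then succeeds, which is the moment an incident response plan should be handing someone a phone number. The log format, thresholds and sample lines (using documentation IP ranges) are constructed assumptions.

```python
"""Detect a burst of failed logins from one source, and a success that
follows such a burst, over authentication log lines.

Added example, not code from the article. The log line format, the
thresholds and the sample lines are constructed assumptions; adapt the
regex to your own system's authentication log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log. The first source is a user mistyping twice and then
# succeeding (benign); the second is a guessing burst across several usernames
# followed by a successful login. The last line is deliberately malformed.
SAMPLE_LOG = """\
2024-02-15T09:00:01 FAILED login user=alice src=203.0.113.10
2024-02-15T09:00:03 FAILED login user=alice src=203.0.113.10
2024-02-15T09:00:04 SUCCESS login user=alice src=203.0.113.10
2024-02-15T09:10:00 FAILED login user=admin src=198.51.100.7
2024-02-15T09:10:05 FAILED login user=admin src=198.51.100.7
2024-02-15T09:10:09 FAILED login user=root src=198.51.100.7
2024-02-15T09:10:14 FAILED login user=bob src=198.51.100.7
2024-02-15T09:10:20 FAILED login user=carol src=198.51.100.7
2024-02-15T09:10:31 SUCCESS login user=carol src=198.51.100.7
this line is malformed and must be skipped rather than crash the detector
"""


def parse_line(line):
    match = LOG_LINE.match(line.strip())
    if not match:
        return None
    return {"ts": datetime.fromisoformat(match["ts"]), "result": match["result"],
            "user": match["user"], "src": match["src"]}


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts in the order they would fire while reading the log."""
    recent_failures = defaultdict(list)   # src -> failure timestamps inside the window
    flagged_sources = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        src, ts = event["src"], event["ts"]
        if event["result"] == "FAILED":
            cutoff = ts - window
            recent_failures[src] = [t for t in recent_failures[src] if t >= cutoff] + [ts]
            if len(recent_failures[src]) >= threshold and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append({"rule": "failed-login-burst", "src": src,
                               "count": len(recent_failures[src]), "at": ts.isoformat()})
        elif src in flagged_sources:
            # A success from a source that was just guessing passwords needs an
            # immediate human look, not a line in next week's report.
            alerts.append({"rule": "success-after-burst", "src": src,
                           "user": event["user"], "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The sliding window matters: a rule that counts failures per day would flag the alice typos eventually and miss the real burst's urgency. Whatever raises the second alert should route straight to the security point of contact named in the incident response plan.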