10 Common IT Security Mistakes made by Small Businesses


Here’s the issue – complacency. Companies often become complacent and occupied with other, more “urgent” matters, to the extent that cybersecurity takes a back seat as long as everything runs smoothly… for now. Then the company is suddenly hit with ransomware or a security breach out of the blue, and that lack of attention to cybersecurity comes back to haunt it.


But here’s the thing – some of the most devastating breaches are actually completely avoidable! Yet, security breaches still happen.


Why is this so, and what are some of the common IT security mistakes made?


#1: Thinking a cyber-attack won’t happen to you


Denial, denial, denial. If you don’t think you’ll be targeted by a cyber-attack, well, let me just say that you are not alone. According to a survey by Bullguard, 60% of small and medium-sized businesses (SMBs) do not think that they are a likely target of cybercriminals.


Well, that’s where they are wrong!


The issue here is that small businesses often assume that because they’re small, they won’t be targeted. Yet the data says otherwise: one in three successful attacks targeted small businesses in 2019!


For cybercriminals, one of the most profitable methods of attack is ‘phishing’, which targets the recipient by email, social media or SMS with the intention of defrauding them of money or data. Cybercriminals are able to target thousands of recipients at a time and often go after small businesses precisely because those businesses don’t think they’ll be targeted.


Realistically, it’s not a case of if you’ll be targeted but when. Such an attack has the potential to inflict significant damage on your business through financial loss, theft of your data or exposure of your customers’ confidential information.


#2: Not regularly updating your software


The fact is this: 60% of data breaches occur due to unpatched system vulnerabilities. When companies don’t have a patch management system in place to ensure all devices are being updated properly, they’re left more vulnerable to an attack.


A business should use a properly configured firewall and reputable security software for its websites and servers. This is one of the best ways to keep hackers in check. However, do remember that technology is constantly advancing, and hackers will likewise come up with novel techniques to make their way into your systems.


So, the best way to protect yourself from hackers is to update your security software regularly. It is also a good idea to store your P&C files, like income statements, budget reports etc., on a system that is not connected to the server. Small businesses sometimes overlook this because of their busy schedules and other issues, creating a security gap and exposing themselves to hackers.


#3: Failure to back up your data


This is something that most businesses tend to overlook time and again. The fact is that backing up your systems can come in very handy when your security is breached. If your files are all backed up, you can clean up the affected system, reinstall the software and then restore the files from the backup.


However, if you do not do this, it could spell total disaster. It would mean loss of confidential information and can leave your company in jeopardy. So, no matter how busy you are, make sure to set some time aside to back up your systems regularly.


#4: Not testing your backup recovery


Ransomware continues to be one of the major threats that companies face because of the downtime it causes. Ransomware encrypts data, making it unreadable. Companies are considered “down” because they can’t access their systems or their information. 57% of companies hit with ransomware pay the attacker’s ransom request.


In many cases, a small business has a backup of its data but has never tested restoring from that backup, so it is unsure how long a restore will take. Some of the largest ransomware victims have paid millions of dollars in ransom simply because they thought it would get operations back up and running faster.


Hence, it is important to run through a full backup restoration of your data at least annually as part of your business continuity strategy. This ensures that you’ve chosen a backup and recovery system with fast restoration and that you know exactly how long it will take.


#5: Assuming that antivirus means you are secure


I see this a lot. Small businesses think that having antivirus software means that they are secure. Let me explain. Antivirus software simply detects and removes malware from your systems and networks. Unfortunately, many of today’s cybersecurity threats no longer rely on malware. Sure, malware is still an issue and your business still needs antivirus. But you also need to ensure you’re protected against other common and successful threats such as phishing, ransomware and business email compromise.


This doesn’t necessarily mean investing in more technology. Robust cybersecurity is a combination of technology, process and people. Ensuring you have good cybersecurity policies in place and that you’re educating your people goes a long way in protecting your business from a cyber breach.


#6: Not making use of VPNs


Here is something companies do not realise – VPNs are not just a way for your employees to gain access to your company’s secure files; they are also vital to keeping their (and your) data secure in transit.


If you’re not sure how your “work-from-home” employees are accessing the internet, or if they’re doing so in public spaces using public networks, they could be at a higher risk of a data breach.


Setting up a secure VPN creates an encrypted channel through which information is sent back and forth, meaning your employees will be able to access your systems more easily and won’t have to keep sensitive files on their own computers.


#7: Having too many privileged accounts


Here’s a little nugget for you: not everyone should be made an admin in a cloud tool just in case they might need access to something later.


Another mistake that many small businesses make is handing out too many privileged accounts. Privileged accounts are particularly valuable to hackers because they allow them to do things like change account security settings, add and remove users, and access sensitive account data. The more of these high-level accounts you have, the greater the risk of a breach that can do serious damage.


Applying the principle of least privilege is a good way to control privileged accounts. It states that users should only be given the lowest access level needed for their daily tasks.


#8: Not using strong passwords


Passwords are there for a reason and are not something to be taken lightly. In fact, you might have noticed that time and again, your security software prompts you to use a strong password and even alerts you when you use a weak one. This is one crucial point that most small businesses pay no heed to. Then there are times when the password used is something easy to guess, like the name of the company, the year of founding, etc.


Such password practices have been a point of concern for businesses since time immemorial. However, most companies still don’t take this seriously, making it easier for hackers to get into the business’s files.


In fact, 81% of cyber security breaches happen because of weak passwords! So, even though frequent password changes and waiting for verification on your phone can be annoying, it could save you thousands of dollars.


#9: Not using multi-factor authentication


On top of having a strong password, multi-factor authentication (MFA) is 99.9% effective at stopping fraudulent sign-in attempts on your cloud accounts. And yet, many companies don’t use it because they’re afraid it will inconvenience employees and hurt productivity.


However, do remember that having a cloud account breached is a much bigger and more costly inconvenience. MFA is a standard safeguard that businesses should be using. Further, there are single sign-on (SSO) solutions that can be put in place to reduce the time it takes to log in to all accounts when using MFA.


#10: Not training employees on cybersecurity awareness


Did you know that 1 in 8 employees accidentally installs a virus or malware each year? Scamming systems have become so sophisticated that even if you email a client back asking whether their attachment is legitimate, the attacker’s systems can send you back a verification email saying that it is (which is also why 92% of cyber-attacks occur via email).


So, even if your business doesn’t deal in highly sensitive data, hackers could still access it and damage it. Hence, making sure your employees are up to date on their training could save you all a headache.


Addressing cyber security honestly and openly, and training your employees in correct email use, internet access and password authentication processes can make your business stronger and safer. ~ Lena Klein

Bonus: Not having a corporate cybersecurity policy


This goes hand-in-hand with raising security awareness among your employees.


An effective cybersecurity policy lays out rules and responsibilities when it comes to protecting IT systems and company data. Cybersecurity procedures explain the rules for how employees, consultants, partners, board members, and other end-users access online applications and internet resources, send data over networks, and otherwise practice responsible security.





