The topic this week is about confidence. How confident are you that you and your company are prepared for a potential cyber-attack?
Are you on the “very, bring it on” side of the spectrum, or the “man, I really don’t know. I’m almost nervous that I don’t know what I need to know” side of the spectrum?
Because whether you like it or not, small to medium-sized businesses (SMBs), aka those with 100 employees or fewer, are more vulnerable than ever to cybersecurity breaches and attacks.
So with that in mind, let me walk you through 10 common SMB security mistakes:
#1: Think they’re too small to be a target
Ok, I will admit that it is true that small and medium-sized businesses are not at the top of the target list for nation-state actors. But that doesn’t mean they are safe either, because attacks on small businesses are also more likely to go undetected and unreported.
Moreover, with the limited resources small companies have, these breaches are also more likely to lead to data disclosures. In fact, while in general less than 10% of cyber-attacks are breaches leading to data disclosures, for SMBs specifically that figure is up to 50%! So while there may not be as many actors targeting you as an SMB as there are targeting large public entities, the odds that you will know about it when they do get in are probably lower.
And from the perspective of a malicious actor, the idea is not necessarily to target a specific business and get its data. It’s a bit like fishing: the larger the net you cast, the more fish you catch. So while somebody might not be targeting your business individually, somebody is almost certainly targeting businesses in general, and yours is inside the wide net they are casting.
#2: Haven’t made a thorough asset inventory assessment
Getting some form of automated asset-inventory solution is critical for an organisation of any size. You have to start with knowing what is connected in your environment.
It’s about making sure that everything you’ve got is in that asset inventory, but also making sure that everything you’ve bought is actually on your network and connected, because otherwise you’re just throwing good money after bad.
So from a business-operations perspective and from a security perspective, you’ve got to start with an asset inventory, and you’ve got to steer away from having human beings walk around doing manual inventories and updating spreadsheets. In today’s world that’s just not sustainable, and it won’t give you the kind of information you need in an environment that changes this fast.
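Here is what the two halves of that check look like in practice: devices on the wire that nobody has a record of, and purchased assets that never show up. This is an added example, not code from the original post. The inventory CSV and the ARP-style dump below are constructed stand-ins for an asset register export and a switch or router lease table; the column layout of both is an assumption.

```python
"""Reconcile a purchased-asset inventory against what is actually seen on the network.

Added example (not from the original post). Both inputs are constructed: the
inventory CSV stands in for an asset register / purchasing export, and the
observation lines stand in for a DHCP-lease or ARP-table dump pulled from a
switch or router. A real deployment would feed these from an automated
discovery tool instead of a spreadsheet.
"""
import csv
import io
import re

# Constructed asset register. Note the three different MAC spellings: that is
# what real exports from different vendors look like, and why we normalise.
INVENTORY_CSV = """asset_tag,hostname,mac
A-1001,fs01,AA:BB:CC:00:00:01
A-1002,hr-laptop-07,aa-bb-cc-00-00-02
A-1003,printer-2f,AABBCC000003
A-1004,spare-switch,AA:BB:CC:00:00:04
"""

# Constructed ARP-style dump: "ip  mac  [interface]"
OBSERVED = """\
10.0.10.5   aa:bb:cc:00:00:01  eth0
10.0.10.22  AA-BB-CC-00-00-02  eth0
10.0.20.9   aa:bb:cc:00:00:03  eth1
10.0.10.77  de:ad:be:ef:01:02  eth0
192.168.50.3 de:ad:be:ef:03:04 wlan0
"""

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise the many vendor MAC spellings to lowercase 'aabbccddeeff'."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def load_inventory(text):
    """Map normalised MAC -> asset record from the register."""
    inv = {}
    for row in csv.DictReader(io.StringIO(text)):
        inv[normalize_mac(row["mac"])] = row
    return inv


def load_observed(text):
    """Map normalised MAC -> IP from a discovery dump."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        seen[normalize_mac(parts[1])] = parts[0]
    return seen


def reconcile(inventory, observed):
    """Return (unknown, missing): devices on the wire with no record, and
    purchased assets nobody has seen on the network."""
    unknown = {mac: ip for mac, ip in observed.items() if mac not in inventory}
    missing = {mac: rec for mac, rec in inventory.items() if mac not in observed}
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = reconcile(load_inventory(INVENTORY_CSV), load_observed(OBSERVED))
    for mac, ip in sorted(unknown.items()):
        print(f"UNKNOWN device {ip} ({mac}): investigate or enrol")
    for mac, rec in sorted(missing.items()):
        print(f"MISSING asset {rec['asset_tag']} {rec['hostname']}: bought but never seen")
```

Run on the constructed data it reports two unknown devices (one of them on the guest Wi-Fi interface) and one asset, the spare switch, that was paid for but has never appeared on the network. Keyed on MAC rather than IP because addresses move with DHCP; MACs can be spoofed too, so treat this as the starting point the post describes, not as proof of identity.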
#3: No network segmentation
Imagine you are a zookeeper. The thing that you want to do is you want to make sure that all of the animals are in their proper cages. You don’t want to put one big cage with your lions and your gazelles, right?
It’s the same for your devices: what would happen if you took all of the devices, all of the assets on your network, put them in one big, flat network and hoped on the stars and moon that none of them ever gets breached?
Proper segmentation is therefore critical so that there isn’t a domino effect: if one set of devices in one area of your business is breached, the breach doesn’t propagate across and take down your entire business operation.
So keep your guest network separate from your enterprise network, and put in place reasonable protections to ensure that you’ve got control over which devices are able to communicate with which destinations on your network.
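A segmentation policy is only real if you can check traffic against it. The following is an added example, not from the original post: the zones, the zone-to-zone allow-list and the flow records are all constructed (the flow lines mimic a "src dst dport" export from a firewall or NetFlow collector), and the default is deny, which is the opposite of what a flat network gives you.

```python
"""Check observed flows against a zone-to-zone segmentation policy.

Added example, not from the original post. Zones, policy and the flow
records are all constructed; the flow lines mimic a 'src dst dport' export
from a firewall or NetFlow collector. The point is to find traffic crossing
segments that the policy never allowed, which is exactly what a flat network
permits by default.
"""
import ipaddress

# Constructed zones: guest Wi-Fi, staff, servers, and the printers/IoT corner.
ZONES = {
    "guest":   [ipaddress.ip_network("192.168.50.0/24")],
    "staff":   [ipaddress.ip_network("10.0.10.0/24")],
    "servers": [ipaddress.ip_network("10.0.20.0/24")],
    "iot":     [ipaddress.ip_network("10.0.30.0/24")],
}

# Constructed allow-list: (src_zone, dst_zone) -> allowed destination ports.
# Anything not listed is denied; same-zone traffic is left to host firewalls here.
POLICY = {
    ("staff", "servers"):  {443, 445, 3389},
    ("staff", "iot"):      {9100},        # print jobs only
    ("guest", "internet"): {80, 443},
}


def zone_of(ip):
    """Map an address to its zone; anything outside the defined ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def is_allowed(src, dst, dport):
    """Default deny across zones; only the listed (src_zone, dst_zone, port) pass."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True
    return dport in POLICY.get((src_zone, dst_zone), set())


def audit(flow_lines):
    """Return flows that violate the policy as (src, dst, dport, src_zone, dst_zone)."""
    violations = []
    for line in flow_lines:
        src, dst, port = line.split()
        dport = int(port)
        if not is_allowed(src, dst, dport):
            violations.append((src, dst, dport, zone_of(src), zone_of(dst)))
    return violations


# Constructed flow records (203.0.113.0/24 is a documentation range).
FLOWS = [
    "10.0.10.22 10.0.20.9 445",       # staff -> file server: allowed
    "192.168.50.3 10.0.20.9 445",     # guest -> file server: violation
    "10.0.30.8 10.0.10.22 22",        # printer -> staff laptop: violation (compromised IoT)
    "192.168.50.3 203.0.113.10 443",  # guest -> internet: allowed
    "10.0.10.22 10.0.30.8 9100",      # staff -> printer: allowed
]

if __name__ == "__main__":
    for src, dst, dport, sz, dz in audit(FLOWS):
        print(f"DENY {sz}->{dz}: {src} -> {dst}:{dport}")
```

The two hits are the ones the zookeeper analogy is about: a guest device reaching the file server, and a printer initiating SSH to a staff laptop. Run the same check against real flow exports and every hit is either a missing rule or a device that is somewhere it should not be.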
#4: Ignore fundamentals
When it comes to budget, I know it is always viewed as an operational expense. Companies keep asking “how much money should I invest in my company’s IT security to keep it secure?” rather than the more important question, which is “how much would I be paying if a breach were to occur?”
And this is where the fundamentals come in, because there are some smaller steps you can take that don’t cost very much and will reduce that risk greatly. It’s also important to understand that those fundamentals are not something only IT people should be aware of; everybody in the organization should know what the risk exposure would be.
#5: Don’t know what “normal” activity looks like
A lot of organizations, especially small and medium businesses, don’t necessarily understand what normal looks like, as far as everything from CPU usage to network usage and things like that.
And so when something happens, let’s say somebody gets into a system and starts moving a ton of data, they don’t notice that all of a sudden 750 gigs have left the network; they just don’t see that kind of thing.
So always monitor your inbound and outbound network traffic and how it is trending. Know what is typical and normal, so that if a spike occurs you will know that something is not right.
And a large portion of this monitoring process comes down to user awareness. You must make users aware that if their computer is running slow, it may not be because it’s getting old; it may be because something else is going on. Raising that level of awareness, and making sure that everybody in the organization is conscious of these changes and able to escalate them appropriately, is very important.
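To show what “know what normal looks like” means in code, here is an added example (not from the original post) that builds a baseline from daily outbound byte counts and flags the 750-gigabyte day the post describes. The daily figures are constructed to resemble a small office with quiet weekends; a real deployment would read them from flow records or interface counters. It uses median and MAD rather than mean and standard deviation, so that the spike you are trying to catch does not drag the baseline up and hide itself.

```python
"""Flag abnormal outbound traffic against a baseline of what 'normal' looks like.

Added example, not from the original post. The daily egress figures below
are constructed to resemble a small office's per-day outbound byte counts
(14 days of baseline, then the kind of spike the post describes). A real
deployment would read these from flow records or interface counters.
"""
from statistics import median

GB = 1024 ** 3

# Constructed: (day, outbound_bytes) as an ops dashboard might export them.
DAILY_EGRESS = [
    ("2023-11-01", 41 * GB), ("2023-11-02", 38 * GB), ("2023-11-03", 45 * GB),
    ("2023-11-04", 12 * GB), ("2023-11-05", 9 * GB),   # weekend
    ("2023-11-06", 44 * GB), ("2023-11-07", 40 * GB), ("2023-11-08", 47 * GB),
    ("2023-11-09", 43 * GB), ("2023-11-10", 39 * GB),
    ("2023-11-11", 11 * GB), ("2023-11-12", 10 * GB),  # weekend
    ("2023-11-13", 42 * GB), ("2023-11-14", 46 * GB),
    ("2023-11-15", 750 * GB),  # the night someone copied the file server out
]


def robust_baseline(values):
    """Median and median absolute deviation (MAD) of a series.

    Median/MAD rather than mean/stddev, so that the very spike we are trying
    to catch does not drag the baseline up and hide itself.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def flag_spikes(series, threshold=5.0, min_samples=7):
    """Return [(day, bytes, score)] for days whose egress exceeds
    median + threshold * MAD of the preceding days.

    Each day is scored only against the days before it, the way a live
    monitor would, so early days with no history are skipped.
    """
    flagged = []
    for i, (day, value) in enumerate(series):
        history = [v for _, v in series[:i]]
        if len(history) < min_samples:
            continue
        med, mad = robust_baseline(history)
        # Guard: a perfectly flat history gives MAD 0; fall back to 10% of median.
        scale = mad if mad > 0 else 0.1 * med
        score = (value - med) / scale
        if score > threshold:
            flagged.append((day, value, round(score, 1)))
    return flagged


if __name__ == "__main__":
    for day, value, score in flag_spikes(DAILY_EGRESS):
        print(f"{day}: {value / GB:.0f} GB out, {score}x MAD above baseline")
```

On this data the weekday/weekend swing stays well under the threshold and only the 750 GB day is flagged. A real baseline would usually be per host or per destination and split by weekday, because a single site-wide number hides a workstation that quietly doubles its own traffic.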
#6: No 2FA
Implementing two-factor or multi-factor authentication may not be a silver bullet, but it does act as another line of defence, and also as an alert as to what is going on with your accounts: a second-factor prompt you did not ask for means somebody else already has your password.
#7: Misunderstanding cloud security
Taking your data off-premise to the cloud does not mean that it now becomes someone else’s responsibility. That is the most common misconception businesses tend to have: the provider secures the underlying platform, but who can log in, how data is shared and what is backed up are still your job.
So just as precautions and security measures have been put in place to secure your on-premise infrastructure (security cameras, say), the same should be done for your cloud infrastructure.
#8: Lack of security training
People misunderstand this, though: you can’t just train somebody in January for an hour of cybersecurity and then say, OK, you’re good till next year.
We have to break it down into smaller pieces that are relevant to them. Right now, for example, I’m telling people it’s the holiday season. This is a great time to alert people to keep an eye out for holiday scams, because attackers are going after credit card information, especially as online shopping becomes more prevalent.
And as people learn that, they’re also learning how to defend the organization. So you break it up across the year: you cover phishing, you cover passwords, you cover the basic hygiene parts of security.
#9: Lack a business continuity plan
Having a business continuity plan is one thing; having a business continuity plan where cybersecurity has a place at the table is another thing.
And while having a business continuity plan is critical, companies must also test these plans regularly, and have backups that have actually been restored at least once, because a backup nobody has tried to restore is an assumption, not a backup.
#10: Lack of strategic asset allocation and budgeting
Cybersecurity budget should not be looked at from a top-down approach. Instead, look at it in terms of what you are actually protecting, more of an insurance perspective on that allocation.
But the thing that should really resonate with you is that not all cybersecurity initiatives are expensive, and a lot of them are actually free.
And really, what the small to medium-sized business owner needs to be aware of is where these opportunities lie. You can have tons of layers; you can have an organization that manages your network and all this other stuff. But you could also just enable two-factor authentication, segment your network, and do all these things that are cheap or free. The problem is that a lot of people don’t do it, because it’s complex to look at the business problems.
So, realize where the risks are, figure out what your cheap or free solutions are to mitigate them, and you will be a long way ahead of a lot of organizations out there.