While small businesses and their employees have certainly benefitted from the advancement of technology in recent years, it has also introduced an unprecedented number of cybersecurity risks. Ransomware attacks, for example, hit businesses every 11 seconds in 2021,1 and cybercriminals are increasing their attacks year over year. If you want your business to succeed and thrive, you must understand the harsh realities of cybersecurity, and how it affects your small business.
The Reality of the Current Threat Landscape
Almost every small business will encounter cybercrime at some point. It is no longer a question of IF, but rather WHEN a business will become a victim of cybercrime, putting yours and your customer’s data at risk. This can be an alarming fact to some, but it doesn’t need to be! There are several proactive steps that you can take to secure your small business and achieve peace of mind. But first, let’s discuss what you need to know about cyber threats.
The most serious and prevalent cyberthreats facing business owners right now are Ransomware, Phishing, Dos/DDos, and Insider Threats.
What is Ransomware?
Ransomware is malicious software that encrypts your data and prevents access to it until a ransom has been paid. While this is bad enough, many cybercriminals using ransomware as a form of attack now threaten to reveal sensitive business data to competitors and/or the public if the ransom is not paid. This can result in not only the theft of sensitive and/or proprietary information about the company, but in many industries, this can result in fines, lawsuits, or even criminal charges for negligent business owners.
What is Phishing?
Phishing is a cybercrime that involves a hacker impersonating a legitimate person or business mostly through emails or through other methods such as SMS. Cybercriminals employ phishing attacks to send links to look-a-like websites or attachments that can be used to extract sensitive data, login credentials, or install spyware or malware to a device.
Similarly, business email compromise (BEC) is a scam in which cybercriminals use compromised email accounts to trick victims into sending money or revealing sensitive information or stealing passwords.
An insider threat arises from within a business. It could happen because of a current or former employee, vendor, or other business partner who has access to important corporate data and computer systems. Insider threats are hard to detect because they emerge from within and are not always intentional or malicious in nature. However, many businesses have no policies or procedures in place to detect such threats.
Denial-of-Service/Distributed Denial-of-Service (DoS and DDoS)
These attacks are widespread and easy to carry out. When a DoS or DDoS attack occurs, hackers flood the targeted system with repeated data requests, forcing it to slow down, crash or shut down.
If you are still unsure whether you should be concerned about these sophisticated threats or not, the following statistics may help you make up your mind:
- It takes an average of 280 days to identify and contain a breach.2
- Malicious attacks with financial motivations were responsible for 52% of breaches.2
- Personal Identifiable Information (PII) is compromised in 80% of data breaches (PII).2
Implement These Measures to Secure Your Business
Now that you know what types of cyberthreats to look out for, let’s take a look at some measures you can put in place to protect your business against cybercrimes.
Strict Password Policies/Management Tools
Strict password policies and the use of proper password management solutions can help improve your organization’s overall password hygiene. It is the most basic step in preventing cyberattacks.
At minimum, you should enforce password policies that require a minimum of 10 characters consisting of uppercase and lowercase letters, numbers, and symbols. You should never include any publicly available information in your password, such as the names of children or pets or your birthday.
Ideally, you should use a password manager that generates and stores unique passwords for each of your accounts. At DragonTech, we utilize Password Boss or Passly for our clients.
Multifactor Authentication (MFA)
However, even the best passwords are only a single line of defense, and attackers who gain access to your password can often log in with no further actions needed. To combat the current threat landscape, strong identity controls that go beyond traditional username-password authentication are required. All of your accounts should be protected with Multifactor authentication, which includes features such as one-time passwords (OTPs) and security questions. Most online software & service providers support this.
Microsoft 365 for Business includes an MFA App that supports both One-Time Passwords and Biometric Login for your Microsoft 365 account. Other options can include Google Authenticator, JumpCloud, Passly, or Cisco DUO.
Virtual Private Network (VPN)
Not to be confused with consumer VPNs such as NordVPN or ExpressVPN, a corporate VPN allows you to grant secure remote access to your employees. To avoid a security breach, you should set up a corporate VPN that encrypts all your connections. Once connected, corporate security policies can be applied to the device, such as Web Content Filtering, Threat Detection, and Data Loss Prevention policies. However, you should always test a VPN deployment to ensure that users are connecting properly and securely in their remote locations.
Business Continuity Strategy
When disaster hits, a solid business continuity strategy ensures that mission-critical operations continue uninterrupted and that IT systems, software and applications remain accessible and recoverable. A Business Continuity Strategy includes not only backup and recovery processes but also network continuity, incident response procedures, and documented levels of acceptable risk and downtime.
Regular Risk Assessment
This process aids in the detection, estimation, and prioritization of risks to an organization’s people, assets and operations. Risks to a business change constantly as employees come and go, changes occur to hardware and software the business uses, and as new regulations are imposed by governments. A single Risk Assessment will never be enough information for a business to maintain its security.
Continual Security Awareness Training
The best security systems in the world may fail when “Dave from Accounting” forgets proper security procedures. Continuous security training empowers your employees to recognize complex cyberthreats and take appropriate action, resulting in a transformative security culture within your organization.
If you’re ready to strengthen your cybersecurity posture but aren’t sure where to start, don’t worry. We can help your company build a digital fortress of protection solutions. Contact us today to schedule a free consultation.
If you want to learn more about the realities of the current threat landscape, download our infographic “20 CYBER STATISTICS You Should Know” by clicking <here>.
Cybersecurity Ventures (https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/)
IBM Cost of Data Breach Report (https://www.ibm.com/downloads/cas/QMXVZX6R)