August 13, 2019

20 tips to help small businesses supercharge their cybersecurity game

House of Straw

Small businesses, whether they like to admit it or not, are vulnerable to many of the same cyber threats as their larger counterparts. A recent Keeper Security study uncovered a startling truth; two-thirds of small to medium-sized enterprises (SMEs) don't believe they will ever fall victim to an attack! This is a shocking stance, given the evidence to the contrary. In the year prior to this survey, 67% of businesses sustained cyberattacks of various degrees of severity. The study showed that a paultry 12% of SME leaders recognize that an attack is a matter of when and not if.

Why have so many SMEs assumed the first-little-piggie position?

Studies, like the Keeper Security survey, reveal that many in small-to-medium enterprises believe their businesses are simply not appealing to hackers by virtue of their size, their business model, or the type of product/service they offer. The dominant cyber-buzz surrounding the issue of cyber threats does nothing to subvert their conviction. The typical cyberattack horror stories involve large corporations, the big guns, and the decimation of their data defenses leading to the theft of millions of dollars. The takeaway that many SMEs run with is that small means safe. They are wrong!

Little pig, little pig let me in

It is true that large businesses are enticing targets for hackers because they store vast swathes of valuable data (credit card details, passwords, etc), but SMEs have their own allure for the black hat. Often SME defensive strategies and resources are limited by their margins and, as we discussed, they may not even perceive themselves as vulnerable in the first place.

Even if attackers are not drawn by the data SMEs hold, they frequently sniff out the type of access to computing resources, be it cloud or locally hosted, at their disposal. Unprotected SME computing resources can clear a path for attackers to breach the defenses of larger enterprises. In this scenario, the SME can become the unwitting collateral victim of an attack on a larger business they may depend upon to survive. An example of this scenario is the 2013 Target attack where HVAC, a subcontractor, inadvertently provided the conduit for the attack, costing Target an estimated $162 million.  

Even the simple, tried and trusted failsafe of comprehensive password protection is not getting the love it deserves from SMEs. The Keeper survey reveals that despite the fact that 69% of respondents extolling the virtues of strong password policies as a cyber-attack prevention option, 60% actually have no prevention policy at all!

And let's not forget the other vulnerabilities that SMEs and big business share: employee/management/subcontractor carelessness or incompetence, disgruntled employees/ex-employees, and internal and external system failures.

So size doesn't dictate safety, what then can SMEs do to lessen their exposure to cyberattack and minimize post-attack fallout? Actually, quite a lot. Here’s our list of 20 tips to help SMEs build their Big-Bad-Wolf defense strategy:

  1. Ensure that all software is up-to-date - never run unsupported software.
  2. Maintain and distribute a list of approved apps - never allow unauthorized software on your system.
  3. Toughen up user applications - at a minimum prevent web browsers from running ads, Flash, and Java.
  4. Disable macros (Excel and Microsoft Office, etc.) from all but the most reliable sources.
  5. Install and maintain the highest standard of antivirus and antimalware software your budget allows.
  6. Educate employees and contractors about the perils of opening unknown email or links.
  7. Guard user privileges - only allow sysadmins to be administrators.
  8. Back up regularly - if possible use a remote site and test your backups.
  9. Use multi-factor authentication (MFA) for all remote access.
  10. Install a next-generation firewall (NGFW) - money well spent for the peace of mind this level of protection provides.
  11. Encrypt and thoroughly password protect all employee laptops.
  12. Never use public WiFion business devices(PCs, laptops, phones, etc.)
  13. Ban removable storage - end of story!
  14. Undertake a comprehensive risk assessment - who/what is a threat? What must you protect and how well?
  15. Examine your compliance with GDPR (EU) and prepare an attack response.
  16. Maintain a clear record of all cybersecurity policies and procedures.
  17. Categorize data - what data is mission-critical and how will you protect it?
  18. Run your drills - annual penetration tests, regular vulnerability assessments, and desktop breach exercises.
  19. Consider cyber insurance  - cover losses from breaches and help with recovery costs and legal claims.
  20. Check invoices - attackers can get their hands on your banking details by posing as known, trusted sources.

There you have it; small may be beautiful but it certainly isn't invisible. The best defense is a good offense, and all that so, why wait? Implement these steps today and don't let that big bad wolf blow your house down.