If you manage the IT of your own small business, or you are responsible for managing IT, then you already know that it's a jungle out there, one with criminals behind every tree.
According to the recent Verizon Data Breach Investigations Report, over the last two years small businesses have become the top targets of cybercriminals and are beginning to suffer cyber breaches more than large businesses. Cyber attacks against SMBs are on the rise, primarily because cybercriminals expect a small business to have fewer resources dedicated to its security. Most small businesses do not have a dedicated security professional; they are simply too small to justify the cost, and this is the problem, because it leaves them vulnerable and easy pickings for cybercriminals.
In this context, security through obscurity is no longer an option and the expectation that you are too small to attract the interest of cybercriminals is no longer realistic.
Top Five Cyber Threats Affecting Small Businesses
- Unpatched operating systems and software – Making sure that your computers and the software that runs on them are up to date is absolutely essential and is the bedrock of good security practice. Hackers take advantage of vulnerabilities in unpatched software and operating systems to infiltrate organisations far too often. Failing to apply software and operating system updates when they are released puts your business at risk and weakens the overall security of your IT infrastructure. Don't make it easy for them: make sure your servers and workstations have the latest operating system patches applied and that all third-party applications are always up to date.
- Phishing Attacks – Those sneaky phishers are getting smarter and the bad news is that with them targeting humans and not computers, there is no truly effective method of stopping them. By posing as legitimate contacts who may be known to the organisation, the phishers can fool the best of us sometimes and the only real way to defend against a phishing attack is through employee education. Helping your employees understand the threat and regularly showing them different examples of phishing attempts reduces the likelihood of them clicking on something they shouldn't.
- Weak Passwords – Humans are terrible at choosing good passwords that are difficult for hackers to guess. Even worse, we often reuse the same password on multiple websites - making it even easier for hackers to find a way into your corporate applications or infrastructure. Implement a good password policy and use password vaults to store and generate passwords for your employees. Your staff should also be taught about the dangers of reusing passwords, as one bad password used twice can lead to a very expensive breach.
- Secure Your Wi-Fi – We have all visited businesses that provide a single Wi-Fi network to both their employees and visitors, where the password is the telephone number of the business or an easy-to-guess word. Simple Wi-Fi passwords might be convenient when you need to remember them but they present a significant threat from a security perspective - making it easy for hackers to infiltrate your wireless network if they have guessed the password. If no network controls are in place, an attacker on your wireless network will most likely have access to your entire internal network.
If the attacker is using a long-range Wi-Fi antenna, they don't even need to be that close to your business to launch an attack on your wireless network. Lock your Wi-Fi down by changing your router's default administrator password, switching your Wi-Fi encryption to WPA2 with AES (CCMP) and changing your Wi-Fi password to something that is long and hard to remember (or crack). If you want to allow guest users to have Wi-Fi access when they visit your organisation, implement a separate SSID that allows guests to access the Internet but isolates their devices from the rest of your network.
- Make Yourself Malware Resistant – There are a number of things that you can do to make your business more resistant to malware attacks. The nuclear option is to completely lock down your employees' workstations by removing their admin privileges, so that neither they nor malware can install anything on the machine. Restrict the kinds of websites that your employees can visit on their computers: websites that offer pirated streaming movies, pornography and gambling often contain malware waiting to infect visitors foolish enough to click on their links. Make sure that you have a good antivirus (AV) product on the workstations and your network, one that forces scans of all downloaded files as well as your email contents. When AV is properly updated it can catch a lot of viruses before they spread across the network.
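As an added example (not configuration from the original article), here is a hostapd configuration that applies the Wi-Fi advice above: WPA2 with AES/CCMP only on the staff network, a long passphrase, and a second guest SSID whose clients are isolated from each other and placed on their own network segment. The SSIDs, interface and bridge names, and passphrases are placeholders you would replace with your own.

```ini
# hostapd.conf (added example, not the article's own configuration).
# SSIDs, interface/bridge names and passphrases below are placeholders.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# --- Staff network (first BSS) ---
ssid=Example-Staff
bridge=br-lan              # staff clients join the internal LAN bridge
wpa=2                      # WPA2 only; no WPA1 fallback
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP          # AES-CCMP only; do not list TKIP here
wpa_passphrase=CHANGE-ME-long-random-staff-passphrase-20-plus-chars
ieee80211w=2               # require Protected Management Frames

# --- Guest network (second BSS on the same radio) ---
bss=wlan0_guest
ssid=Example-Guest
bridge=br-guest            # separate bridge; firewall it to Internet only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-different-long-guest-passphrase
ap_isolate=1               # guest devices cannot talk to each other over Wi-Fi
ieee80211w=1               # PMF optional, for older guest devices
```

hostapd only separates the two SSIDs at layer 2; the br-guest bridge still needs firewall rules that allow Internet-bound traffic and block everything destined for the internal LAN.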
While these are ITSEC's top five threats facing small businesses today, they are by no means the only threats that could affect your business. That being said, if you can stay on top of the above five threats then you will go a long way to ensuring a decent level of security for your business and dramatically reduce the chances of becoming a victim.
Ultimately, management awareness and employee training on cyber threats are essential no matter what business you are in, and with all of the recent news about cyber attacks large and small, ignorance of the threat landscape is no longer an excuse. The good news is that there are hundreds of different groups and services that can help you improve your overall cyber security posture and help your small business get to grips with these threats, often for free.
We recommend that you invest in Cyber Essentials certification at a bare minimum; it's an inexpensive certification process run by the UK National Cyber Security Centre (NCSC) that will put your company on a security-minded footing. A Cyber Essentials certification for your business demonstrates your commitment to security in the eyes of your customers.
The National Cyber Security Centre (NCSC) also provides a brilliant small business cybersecurity guide that you can download for free; it comes with video guides, infographics, employee training materials and small business action lists for improving your company's cybersecurity.
With some careful practices, good internal processes and regular employee education, both you and your employees can do a lot to help secure your business against cybercriminals. Even if all you do is complete the Cyber Essentials certification process, its technical control requirements will put your business on a much firmer footing from a security perspective and help you proactively defend your business against a wide range of different cyber threats.