Cybersecurity might seem like a huge challenge for a small and mid-sized business (SMB). But there are many strategies SMBs can implement quickly and relatively inexpensively to reduce cyber risk. In recognition of Cybersecurity Awareness Month, Thomas Wolfe, head of strategic development for TalaTek, outlines five key tactics SMBs can follow to harden their cybersecurity risk management strategy and even prevent the financial fallout arising from cyber threats.
As a small or medium-sized business (SMB) owner, you may not see your company as a potential hacking target. Unfortunately, your business is as vulnerable to a ransomware or phishing attack as a larger one is, especially during the ongoing pandemic and the work-from-anywhere business climate. According to the Verizon Business 2020 Data Breach Investigations Report, almost a third of the data breaches studied involved small businesses. Cybersecurity can seem like a daunting, and costly, task for an SMB owner.
The good news is that there are many measures you can adopt easily and relatively inexpensively to reduce cyber risk.
To strengthen your cybersecurity risk management strategy, here are five things you can do right now.
1. Asset Inventory and Patch Management
Create an inventory of all hardware that touches your network and all software installed on it. Don’t forget to include commonly overlooked (and commonly hacked) components such as routers, switches and cameras. This inventory should include any and all software or hardware that requires patching.
A patch is an update that fixes security vulnerabilities or adds security enhancements to software or hardware, and you must apply patches frequently. Some software and hardware check for updates and offer to install them automatically. Other patches are available for download on vendor websites.
Many excellent free patch management tools exist that make the process easier, but be sure to obtain patches only from trusted websites. Never download a patch from an email link or attachment: these are common methods hackers use to infiltrate your business with malicious files that can cause a security breach or data loss.
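The inventory described in this step has to start somewhere, and on Windows hosts the installed-software list and the installed-update history are both available from built-in sources. The script below is an added example, not code from the article or from TalaTek; it reads the Uninstall registry keys (64-bit, 32-bit and per-user), exports a per-host software list and hotfix list to CSV, and warns when the newest installed hotfix is older than 30 days. The 30-day threshold and the output file names are assumptions; adjust them to your own patch cadence.

```powershell
# Added example (not from the original article): build a per-host software and
# hotfix inventory on Windows. Run from an elevated PowerShell prompt on each host
# and collect the CSV files centrally to form the inventory.

# Registry locations where installed software registers an uninstall entry.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Keep only entries that have a display name; many keys are components without one.
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } },
                  DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique

# Output file names are an assumption; pick whatever your collection process expects.
$software | Export-Csv -Path "$env:COMPUTERNAME-software.csv" -NoTypeInformation

# Installed Windows updates. The newest InstalledOn date shows how long it has been
# since this host last received a patch; a stale date is what you are looking for.
$hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending
$hotfixes | Export-Csv -Path "$env:COMPUTERNAME-hotfixes.csv" -NoTypeInformation

$lastPatch = ($hotfixes | Select-Object -First 1).InstalledOn
$maxAgeDays = 30   # assumed threshold; align with your patch cadence
if (-not $lastPatch) {
    Write-Warning "$env:COMPUTERNAME: no hotfix install dates found; verify Windows Update is working"
}
elseif (((Get-Date) - $lastPatch).Days -gt $maxAgeDays) {
    Write-Warning "$env:COMPUTERNAME: last hotfix installed $lastPatch (more than $maxAgeDays days ago)"
}

Write-Output "$($software.Count) software entries and $($hotfixes.Count) hotfixes recorded for $env:COMPUTERNAME"
```

Get-HotFix only reports updates that register as hotfixes, so third-party applications in the software list still need their own patch check against the vendor's site; the CSV gives you the version numbers to compare. Routers, switches and cameras will not appear here and must be added to the inventory by hand.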
2. Data Backup
Data backups are a vital piece of any business’s cybersecurity risk management program. They are especially important because of the increase in ransomware attacks, which lock a targeted computer and encrypt its data until a ransom is paid. If you have backed up your data, you are not forced to pay a cybercriminal a ransom to get it back. Best practice dictates that backups be made frequently and regularly, be encrypted, and be kept in remote storage. Remote storage can be a dedicated physical device, an online service or a cloud solution.
3. Two-Factor Authentication
In two-factor authentication (2FA), a form of multi-factor authentication, users logging into a computer system must provide a second means of verifying their identity besides their password. This increases security because passwords can be easily compromised and are vulnerable to cybercriminal attacks such as brute force and account takeover. Several types of authentication factors are available, including 2FA apps on mobile devices, security questions, biometrics, and smart cards. Be sure to implement 2FA for any application accessible via the internet.
4. Staff Training
Study after study shows that the weakest link in a cybersecurity risk management strategy is the human element. Some studies attribute as many as 90% of data breaches to human error, typically where hackers used social engineering or phishing attacks.
The best way to prevent hackers from exploiting the human element, your staff, is through continuous training. With new attacks appearing every day, the threat landscape keeps changing, and if your employees do not know how to recognize a threat, it is hard for them to resist it. To find the best training program for your business, check that it covers these areas:
- Password security
- Phishing and social engineering attacks
- Internet and social media
- Removable media
- Physical security
For cybersecurity to be a part of your business’s culture, not a one-time check-the-box exercise, cultivate a cybersecurity-conscious workforce where everyone, from executive to entry-level staffer, is alert, educated and engaged. Make it easy to report suspicious activity with well-defined and publicized processes, and positively recognize staff who do so.
5. Access and Account Control
It’s important to control employee internet access for many reasons, but the number one reason is the potential for a security risk. Employees browsing the internet can accidentally visit websites with clickable links that download viruses, trojans and spyware, to name a few. Once an infection occurs, it is only a matter of time before it spreads across your business network, potentially bringing all work to a standstill. No one wants that.
Although controlling employee internet access can seem repressive, you must weigh the sensitivity of your business data against the technical savvy of your employees and decide on the best approach for internet access control.
User Account Control (UAC) is a Windows security feature that has been enabled by default since Windows Vista. It prevents unauthorized changes to the operating system. With UAC, there are two main types of accounts: standard user and administrator. A standard user account cannot install or update software or make other configuration changes; only an administrator account has those privileges. The best practice is to give all employees a standard user account. This limits their ability to accidentally install malicious software.
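Whether the standard-user policy above actually holds on a given machine is easy to check. The script below is an added example, not code from the article or from TalaTek; it reads the UAC policy values that Windows stores under the Policies\System registry key and lists every member of the local Administrators group, warning about any account that is not on an expected list. The $allowedAdmins entries are placeholders, not accounts from the article, and must be replaced with the administrator accounts your business actually uses.

```powershell
# Added example (not from the original article): audit UAC settings and local
# Administrators membership on a Windows host. Run from an elevated PowerShell
# prompt; Get-LocalGroupMember requires Windows PowerShell 5.1 or later.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey

$findings = @()

# EnableLUA = 1 means UAC is on; 0 means the standard/administrator split is not enforced.
if ($policy.EnableLUA -ne 1) {
    $findings += 'UAC is disabled (EnableLUA is not 1); administrators run fully elevated at all times.'
}

# ConsentPromptBehaviorAdmin: 0 = elevate silently, 5 = Windows default (prompt for
# non-Windows binaries), 2 = always prompt for consent on the secure desktop.
if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin = 0).'
}

# PromptOnSecureDesktop = 1 isolates the elevation prompt from other applications.
if ($policy.PromptOnSecureDesktop -ne 1) {
    $findings += 'UAC prompts are not shown on the secure desktop (PromptOnSecureDesktop is not 1).'
}

# Day-to-day employee accounts should not be local administrators. The names below
# are placeholders; replace them with the admin accounts your environment actually uses.
$allowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\IT-Admins'
)

$members = Get-LocalGroupMember -Group 'Administrators'
foreach ($member in $members) {
    if ($allowedAdmins -notcontains $member.Name) {
        $findings += "Unexpected member of local Administrators: $($member.Name) ($($member.ObjectClass), $($member.PrincipalSource))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: UAC enabled and Administrators membership matches the expected list."
}
else {
    foreach ($f in $findings) { Write-Warning "$env:COMPUTERNAME: $f" }
}
```

Run this on each workstation alongside the inventory script and keep the output with your asset records. An employee account that shows up as an unexpected administrator is the most common finding, and moving it to a standard user account is the fix the article recommends.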
Strengthening your cybersecurity risk management strategy will cost you an investment of both time and resources. But these efforts can save your business, both from the financial ruin that can come with paying a ransom to cybercriminals and from the loss of reputation that can come from losing or exposing your customers’ information.