Cybersecurity is a big deal today. Over the last few months, we have seen the trickle-down effect to the consumer of ransomware attacks with the Colonial Pipeline, JBS meat processing company, and the Kaseya Anti-Virus compromise estimated to have impacted thousands of small to medium-sized businesses nationwide.
Many business owners consider these attacks specific to large corporations, but this is not the case. In fact, according to a 2018 Ponemon Institute study, 67% of Small and Medium Businesses (SMBs) experienced a cyber-attack. Also, a recent study by Keeper Security found that 66% of senior decision-makers at SMBs do not believe they are likely to be targeted by cyber-attacks, and about 60% of those SMBs do not have a prevention plan for cyber-attacks. Put those numbers side by side and you see that roughly the same proportion of decision-makers who did not believe they were a target went on to experience an attack.
In an open letter to business leaders from the White House, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger states, "All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location." She says private companies that "view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively."
There is good news here, and you can do many things to prevent cyber-attacks and secure your business. Our top ten list includes:
- Conduct a Security and Risk Assessment: A regular security or risk assessment helps a company understand where its gaps are. Knowing the gaps will allow your company to plan for and update its security posture and reduce risk.
- Train your employees in cyber security fundamentals: Employees are your company’s first and last line of defense. Teaching them how to be more secure with security awareness training will help decrease the chances that you have a breach or catastrophic event.
- Create straightforward cybersecurity policies and procedures: Well-written and tested policies and procedures ensure that your organization is prepared before a security event, instead of trying to figure out what to do after something bad has already happened.
- Establish a Business Continuity Plan (BCP) and back up your data so your business can survive: What will happen to your business when something interrupts it? Your BCP tells everybody in the organization what to do, when to do it, and how, so that your business keeps running when something bad happens.
- Provide firewall security for your Internet connection (including secure Wi-Fi): If you do not have a decent firewall protecting your data from the Internet, and do not keep your Wi-Fi separate from your core operations, it is like leaving the doors and windows open so that criminals can simply reach in and steal from you.
- Create a mobile device action and security plan: Mobile devices are great; they are handy and help enable business on the go. They are also easy to steal or lose and often contain critical data or information vital to your business’s survival. Having a plan before they are lost or stolen is easier than figuring out what you may have lost when this occurs.
- Employ best practices for all payment cards and customer data: Payment card information is an agreement between your business, the customer, and the processor. Failure to adequately protect this data may cause a loss of customer confidence, fines, and fees from regulators and processors.
- Use unique usernames, strong passwords, and multi-factor authentication: Shared or duplicate usernames and passwords mean that when credentials are compromised in one place, they put other accounts at risk. Each set of credentials should be unique, complex, and changed often. Multi-factor authentication means that if a password is lost or compromised, the attackers still cannot gain access without the other authentication factors.
- Keep ALL systems up to date: Patch vulnerabilities promptly and use the latest security software, web browser, and operating system; this is the best defense against viruses, malware, and other online threats. Patching is the bane of most IT support operations, but it is the only way to ensure your software has as many bugs and security issues fixed as possible. You should have a policy, procedures, a schedule for patching, and a method to verify that all patches have actually been applied.
- Hire a Managed Security Services Provider (MSSP): If you do not have the resources to do all of the above or lack time to stay on top of all these security concerns, hiring an MSSP to help you stay on top of threats, issues, and risks is a smart move. Being secure is a complex, 24-hour-a-day commitment, and the MSSP has the staff, the training, the tools, and the knowledge to help you keep your company, its assets, and its business secure.
Many business owners would prefer to focus on running their business and not on cybersecurity, so they outsource their cybersecurity to a Managed Security Service Provider (MSSP). This is an excellent option for SMBs to save time and money and get specialized security expertise. MSSPs have a core focus on monitoring and managing security devices and systems. They can also provide essential security awareness training for employees who are your company’s first and last line of defense.