Cybersecurity is obviously a big deal today. Over the last few months, we have seen the trickle-down effect on consumers of ransomware attacks on the Colonial Pipeline and the JBS meat processing company, and of the Kaseya Anti-Virus compromise, which is estimated to have impacted thousands of small to medium-sized businesses across the country. Many business owners think of these attacks as specific to large corporations, but this is not the case. In fact, according to a 2018 Ponemon Institute study, 67% of Small and Medium Businesses (SMBs) experienced a cyber-attack. Also, a recent study by Keeper Security found that 66% of senior decision-makers at SMBs do not believe they are likely to be targeted by cyber-attacks, and about 60% of those SMBs do not have a prevention plan in place for cyber-attacks. Correlating those numbers, you see that approximately the same proportion of decision-makers who did not believe they were a target experienced an attack.
In an open letter from the White House to business leaders, Deputy National Security Advisor of Cyber and Emerging Technology Anne Neuberger states, “all organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.” She continues by saying that private companies that “view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.”
There is good news here: there are many things you can do to prevent cyber-attacks and secure your business. Our top ten list includes:
- Conduct a Security and Risk Assessment: A regular security or risk assessment helps a company understand where its gaps are. Knowing the gaps will allow your company to plan for and update its security posture and reduce risk.
- Train your employees in cybersecurity fundamentals: Employees are your company’s first and last line of defense. Teaching them how to be more secure with security awareness training will help decrease the chances that you have a breach or catastrophic event.
- Create straightforward cybersecurity policies and procedures: Well-written and tested policies and procedures ensure that your organization is prepared in advance of a security event, instead of trying to figure out what to do after something bad has happened.
- Establish a Business Continuity Plan (BCP) and back up your data so your business can survive: What will happen to your business when something interrupts it? Your BCP tells everybody in the organization what to do, when to do it, and how, to keep your business running when something bad happens.
- Provide firewall security for your Internet connection (including secure Wi-Fi): If you do not have a decent firewall to protect your data from the Internet and to keep your Wi-Fi separate from your core operations, it’s like leaving the doors and windows open so that criminals can simply reach in and steal from you.
- Create a mobile device action and security plan: Mobile devices are great: they are handy and help enable business on the go. They are also very easy to steal or lose and often contain critical data or information vital to your business’s survival. Having a plan before they are lost or stolen is easier than trying to figure out what you may have lost when this occurs.
- Employ best practices for all payment cards and customer data: Payment card information is an agreement between your business, the customer, and the processor. Failure to properly protect this data may cause loss of customer confidence, as well as fines and fees from regulators and processors.
- Use unique usernames, strong passwords, and multi-factor authentication: Shared or duplicate usernames and passwords mean that when credentials are compromised in one place, they put other accounts at risk. Each set of credentials should be unique, complex, and changed often. Multi-factor authentication means that if a password is lost or compromised, the attackers still cannot gain access without the other authentication factors.
- Keep ALL systems up to date: patch vulnerabilities and use the latest security software, web browser, and operating system. This is the best defense against viruses, malware, and other online threats. Patching is the bane of most IT Support operations, but it is the only way to ensure your software has as many bugs and security issues fixed as possible. You should have a policy, procedures, a schedule for patching, and a method to test that all patches have been applied.
- Hire a Managed Services & Security Provider (MSSP): If you do not have the resources to do all of the above or lack the time to stay on top of all these security concerns, hiring an MSSP to help you stay on top of threats, issues, and risks is a smart move. Being secure is a difficult, 24-hour-a-day job, and the MSSP has the staff, the training, the tools, and the knowledge to help you keep your company, its assets, and its business secure.
Many business owners would prefer to focus on running their business and not on cybersecurity, so they outsource their cybersecurity to a Managed Security Service Provider (MSSP). This is a great option for SMBs to save time and money and get the specialized security expertise that is needed. MSSPs have a core focus on monitoring and managing security devices and systems. They can also provide essential security awareness training for employees, who are the first and last line of defense for your company.