Talk of Chinese hackers infiltrating government systems and news of big corporate data theft may steal the headlines, but SMBs are the real victims of cybercrime most of the time.
A recent Data Breach Investigations Report published by Verizon showed that 71 percent of cyberattacks actually occur at businesses with fewer than 100 employees. An astonishing 85 percent of SMBs interviewed for the report acknowledged that they had suffered a security breach in the past year, while only a little more than half of 1 percent of enterprises reported the same. Another survey, the 2016 State of SMB Cybersecurity, offered a slightly lower SMB breach rate of 50 percent, but it found that only 14 percent of SMBs said their defenses against cyberattack were highly effective.
“Unfortunately, SMBs are a growing target for cybercriminals,” says Mark Nunnikhoven, vice president of cloud research at security firm Trend Micro. “The mix of valuable customer and business data with limited defenses makes SMBs easier to victimize when compared to larger enterprises.”
With 60 percent of SMBs going out of business within six months of a cyber attack, according to the Endurance Group research, it isn’t hyperbole to suggest that cybersecurity is one of the most pressing issues smaller firms face.
So unless your SMB is among the 14 percent that stand confidently behind their security practices, you might want to review these seven best practices for keeping your business safe.
1. Get Passwords Right
The problem starts with bad passwords. The CIO report found that 59 percent of SMBs have no visibility into employee password practices and hygiene, and 65 percent of those that have a password policy do not strictly enforce it.
All it takes is one breakable or stolen password for cybercriminals to infiltrate your business, and there’s a big black market for stolen password lists.
Always change the default password on new devices, and use unique passwords for every service and device. Use different password reminder strategies to mix it up, and of course include letters, numbers and special characters in cryptic combinations.
2. Secure Email Closely
Although services such as Slack are coming into wide use, email still is the nerve center for most SMBs. It also is one of the primary vectors for cybercriminals. So if you secure only one thing, make it your company’s email.
“The vast majority of attacks start via email,” says Nunnikhoven at Trend Micro. “Investing here will pay off significantly for SMBs.”
3. Limit Software Usage and Keep Systems Updated
They may seem annoying, but automatic software updates are your friend. A 2016 Hewlett Packard Enterprise Cyber Risk Report found that the top 10 vulnerabilities exploited in 2015 were more than a year old, and 68 percent were more than three years old. Software vulnerabilities are a fact of life, but most get patched fast. The trouble starts if your company doesn’t download the update and keep its systems running the latest software. Updates aren’t about features; they’re about security.
“Turn on automatic updates for all of your laptops, tablets, etc.,” stresses Nunnikhoven. “Keeping software up to date reduces the number of vulnerabilities that cybercriminals can take advantage of.”
Another defense is minimizing the threat surface by only installing apps and software you actually use—and only giving your data to a limited number of cloud services. The less software, the less threat potential.
4. Identify and Focus on Key Data
“The first important thing SMBs can do to reduce a security risk is to identify what are the most important data assets in the business that need protection,” says Michael Kaiser, the executive director for the National Cyber Security Alliance. “This could be customer data, employee data or intellectual property. Knowing what that data is and where it is on the network, and ensuring that all measures are in place to protect it, is one of the best ways to reduce the risk of a loss.”
Prioritization also is important for SMBs, according to Josh Goldfarb, chief technology officer for emerging technologies at security firm FireEye.
“Instead of trying to protect everything all the time (which is often an extremely difficult and costly undertaking), an organization can focus on protecting the most critical and sensitive data first,” says Goldfarb. “As resources allow, additional data can be protected based on its priority.”
5. Establish a Security Plan with a Reporting Mechanism
When security threats emerge, and they probably will, your business will be much better placed to handle them if there is an incident response plan in place and a clear way for employees to signal a breach or possible security issue.
“The days of deploying security technologies and walking away are gone,” says Goldfarb. “Develop and follow an incident response plan to ensure that you are continually evaluating and mitigating risk to the organization.”
6. Educate Your Staff
Human error is the most likely cause of security failure. CIO found that the most prevalent attacks against SMBs are web-based attacks and phishing or social engineering.
“The user is often considered the ‘weak link’ in any security posture,” says Farshad Ghazi, enterprise global product manager for Hewlett-Packard Enterprise Security. “A cybersecurity education program that focuses on the employee themselves, not just the organization, can be effective and relevant.”
7. Outsource Your Security
Most SMBs wouldn’t dream of handling their own legal issues, but most still take care of their own IT security. Endurance Group found that 83 percent of small businesses handle security in-house.
With the number of threats rising, and systems more complex than ever, your business should consider outsourcing security to a firm that specializes in hardening businesses against cyberattack.
Cybersecurity is a lot like insurance. It can seem like an unnecessary cost center, but going without it is a dangerous game. This is especially true for SMBs in 2016.