From a small business cyber security perspective, it is more important than ever to be aware of your unknowns. Ransomware attacks on small businesses have been crippling organisations, causing financial and reputational damage. SMBs (Small and Midsize Businesses) are a target due to their lack of preparedness in terms of people, process and technology. Big organisations can handle such incidents due to support from incident response teams, security automation and budgets.
The excuse “my computer has no top-secret data” doesn’t work anymore. Gone are the days when only a handful of systems held sensitive data in a separate environment. Our experience with SMBs has helped us come up with ten practical and pragmatic tips that boost cyber security for SMBs. All this with more thought and less of the chaos that comes with big-spend products.
Data breach scope for SMBs
Looking at threat research and survey results, it is evident that small businesses have seen an increase in data breaches. Cisco reported that 53% of SMBs suffered a security breach. Around 10,000 cyber attacks a day are targeted at SMBs. Furthermore, businesses situated in the North West, South East and Midlands are the most likely to suffer from cyber threats.
A Hiscox study shows that just a basic ‘clear up’ after a data breach costs £25,700 on average.
Cybercrime costs for businesses
Data breaches cost UK businesses an average of $3.86 million, according to an IBM study. Amongst the data breach records sold in underground (dark web) markets, customer PII (Personally Identifiable Information) commands the highest price at $150 per record.
Interpol reports show an alarming rise in cyber attacks during COVID-19. Cybercriminals exploit the fear and uncertainty caused by the unstable economic situation brought on by the pandemic. It goes without saying that we shall see more sophisticated and newer forms of cyber attack.
Post Covid-19, remote work has increased to the highest levels since the start of the internet. This includes fast digital transformations achieved with the goal of ‘going live’, often at the expense of security. Increased cyber attack activity targeting businesses makes the business case for protection.
What Cyber Security challenges do small businesses face?
Although technological advancements such as the latest perimeterless network topologies are making our lives easier, they pose multiple security challenges for endpoints, internet traffic, added software and cloud capabilities. The following are the main security challenges faced by small organisations:
- Lack of Preparedness – All businesses will experience security incidents in one form or another at some point. It’s not ‘if’, it’s ‘when’. Therefore, preparation is key to resilience and ensuring that the business can respond and recover as fast as possible.
- Overreliance on IT Service Providers – IT service providers solve all technological challenges for SMBs, as they are the ‘go-to’ people for anything IT related. Cyber security is a different ball game. Whilst it is possible that your IT service provider is good at cyber security offerings, the majority of small business IT service providers are no more than product resellers for firewalls and antivirus solutions.
- Budget Constraints – It is true that budgets are limited in small organisations. It is equally true that senior management is sometimes unaware of the technology side of the business, and of how SMEs are an easy target for cybercriminals.
- Sensitive Information Theft (Insider Threats) – This could be information belonging to personnel or the business’ IP. Granular controls over data exfiltration, leakage and related incidents are the need of the hour, given that our boundaries are diminishing: staff, vendors and contractors are working from personal devices or public places. Therefore, the relevant controls ensure that cyber security is an enabler for growth.
- Mobile Workforce – Although every organisation wants to make use of the latest gadgets on the market, SMBs don’t have the resources and processes to think it through from a risk perspective. Therefore, mobile devices and BYOD policies may present a wide gap in the IT risk posture.
Our aim with this article and upcoming guides (practical tips, not product-driven blogs) is to help organisations improve their cyber security quicker and at low cost. Although not all of the following tips will be a breeze, a strategic plan with carefully selected actions will make tangible differences over medium to long-term timescales. This article also covers the five steps recommended in the NCSC small business guide to cyber security.
How to make your business cyber resilient?
The World Economic Forum cites reports showing that 58% of all cybercrime targets small businesses, costing $600 billion in 2018.
Read our top ten tips on how to secure your business and prevent the most common cyber attacks. These are sure to boost your business’ security profile without spending a lot on products.
0. Less is More
Start small. Assess the most critical assets to your business, review their current situation and leverage the tools already at hand. These include cloud services, free/inbuilt host firewalls, anti-virus solutions and Active Directory (assuming it’s present), whose use should be maximised. Draw on an independent consultancy skill-set before spending big on products, so you know whether a purchase makes sense or is just adding to the product pile.
Our Tip: More products = more chaos! Perform a thorough review of the current tech stack to leverage features that are already present but never utilised. After this phase, you can set up a strategic plan to introduce new products/solutions as the business requires.
1. Endpoint Protection
Endpoint refers to end-user systems or devices such as laptops, desktops/workstations and mobile devices. These endpoints serve as entry points to an organisation, which makes them an attractive opportunity from an attacker’s point of view. For instance, when a threat actor gains access to a staff computer through a phishing attack (or another form of attack), it is because malicious code has bypassed the endpoint controls. Therefore, securing entry points by utilising antivirus or anti-malware solutions that detect suspicious activity and deter such attempts is important. Additionally, after implementation, it is important to ensure that full system-wide scans are performed periodically along with regular vendor updates.
Our Tip: Ensure that regular anti-malware/antivirus scans and backups are scheduled. Most of the big vendors perform automatic updates; ensure that the settings are configured to allow them.
2. Network Segmentation
This is the most underrated control in the cyber security domain. Just like a submarine’s structure, you need to ensure there are different compartments within your organisation’s network. In case a cyber attack leads to the compromise of a system or a segment of the network, the attacker will not have immediate access to the entire organisation. Depending on the scope of the incident, this limits the impact and aids containment or detection of the intrusion activity.
Our Tip: Always keep business-critical assets and important servers in a separate network segment with restricted access.
3. Principle of Least Privilege
Apply the rule of least privilege. This concept relates to granting privileges on a need-to-know basis. It delivers multiple tangible and intangible benefits across the organisation. In case of a system compromise, threat actors face increased resistance when trying to escalate their privileges. Any requirements related to compliance, frameworks or standards become a breeze. There are several tools and tactics:
- Privileged Access Management
- Network segmentation
- Separation of Privilege
- Systems Hardening
See this Microsoft guide to implementing Least-Privilege Administrative Models across Windows systems.
Our Tip: Start with separate accounts for privileged users. For example, Chris, who is a database administrator, should have one corporate account (for routine tasks such as email, intranet, timesheets, etc.) and one production account (for privileged tasks as part of his role), with different password policy restrictions.
4. Secure Internet Access
The internet is the backbone of any business. Since the rise of remote working during and after Covid-19, it is even more important in our lives. Ensure that a restricted internet use policy for employees is communicated via emails, meetings and contracts (where needed). If there is a web proxy, filter or internet access control solution in place, order an immediate review to ensure it is serving its intended purpose. If there is no such software in place, purchase an internet filtering solution.
Our Tip: Remove unrestricted internet access from servers, with exceptions for services that need internet access.
5. Strong Passwords
It is a common myth that the use of facial or biometric authentication means you can keep an easy password because it won’t be used. It is important to use a non-dictionary, difficult-to-guess password drawn from multiple character sets.
Change default passwords on all equipment such as network devices, printers, scanners and security devices.
If possible, try to mandate the use of password manager software in your organisation. Although this may require users to get used to new software, it offers multiple benefits in the long run, such as:
- Cultural shift towards importance of cyber security
- Hard-to-remember, randomly generated, long and complex non-dictionary passwords
- Allowing users to select different passwords for different services
- Separating their personal information (the football team or dog’s name that they might otherwise use as a password) from the office.
Our Tip: Start with password managers, enforce strict password policies and add a list of blocked passwords to Active Directory (free modules are available).
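The blocked-password idea above only works if the check also catches the usual “complex” disguises of a banned word (Summer2023, P@ssw0rd!). The script below is an added example written for this article, not part of any product or Active Directory module: it normalises a candidate password before comparing it against a blocklist, enforces the length and character-set rules, and shows that a password-manager-style random password passes the same policy. The blocklist, the minimum length of 12 and the sample usernames are constructed assumptions for the demonstration.

```python
import re
import secrets
import string

# Constructed sample blocklist (not from any real deployment). In production this
# would be the organisation's banned-password list, e.g. the one loaded into an
# Active Directory password filter.
BLOCKED_WORDS = {
    "password", "welcome", "qwerty", "letmein", "summer", "winter",
    "football", "liverpool", "company", "acmecorp",
}
MIN_LENGTH = 12  # assumed policy value

# Undo common "make it complex" substitutions so P@ssw0rd still reads as password.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo leet substitutions,
    so 'P@ssw0rd2024!' and 'Summer2023' normalise to 'password' and 'summer'."""
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    return core.translate(LEET_MAP)


def check_password(password: str, username: str = "",
                   blocklist: set[str] = BLOCKED_WORDS) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(pattern, password))
                  for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 of the 4 character classes")
    core = normalise(password)
    # Substring match, so "mypassword99" is rejected as well as "password".
    if any(word in core for word in blocklist):
        problems.append("based on a blocked word")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def generate_password(length: int = 20) -> str:
    """Produce the kind of random password a password manager would generate,
    guaranteeing at least one character from each of the four classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!#$%&*+-=?@^_")
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample candidates for the user "chris" from the tip above.
    for candidate in ("P@ssw0rd2024!", "Summer2023", "chris.adams-Prod#2024",
                      "correct-horse-BATTERY-staple-91", generate_password()):
        verdict = check_password(candidate, username="chris") or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that length and class checks alone would have accepted both P@ssw0rd2024! and chris.adams-Prod#2024; the normalisation and username checks are what make the blocklist worth having.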
6. Multi-factor Authentication
Multi-factor authentication means the use of two or more methods of authentication (for example, a user password and a one-time code). Implement multi-factor authentication on all your devices and internet-facing portals. At times, employees’ credentials can be compromised without any cyber attack activity linked to your organisation. Credential stuffing is a type of cyber attack in which stolen account credentials from one service are used to gain unauthorised access to accounts on other internet services. For instance, your work email account gets hacked because the same password was used on another service that was compromised: a threat actor obtains your stolen credentials from a leaked database online (forums, dark web and similar places), researches more information on you, and tries the same password against your email account (where email = username).
Our Tip: The majority of service providers offer two-factor authentication. If this is not an option, look for alternatives such as passwordless authentication or two-factor authentication modules such as Duo, Authy, Okta, etc.
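Credential stuffing has a recognisable shape in portal logs: one source tries many different accounts, once or twice each, rather than one account many times. The detector below is an added example written for this article, not taken from any vendor or from the authors; the log format, the source addresses (documentation ranges) and the thresholds of five distinct accounts within five minutes are constructed assumptions. It parses the sample lines, flags sources matching the pattern, and lists any account that logged in successfully from a flagged source, since those are the users whose password was probably reused and who need a reset and MFA first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Addresses are from the
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z portal-auth src=203.0.113.10 user=alice result=FAIL
2024-05-01T09:00:03Z portal-auth src=203.0.113.10 user=bob result=FAIL
2024-05-01T09:00:04Z portal-auth src=203.0.113.10 user=carol result=FAIL
2024-05-01T09:00:06Z portal-auth src=203.0.113.10 user=dave result=FAIL
2024-05-01T09:00:07Z portal-auth src=203.0.113.10 user=erin result=SUCCESS
2024-05-01T09:00:09Z portal-auth src=203.0.113.10 user=frank result=FAIL
2024-05-01T09:02:30Z portal-auth src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:02:41Z portal-auth src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:02:55Z portal-auth src=198.51.100.7 user=alice result=SUCCESS
2024-05-01T09:15:00Z portal-auth src=192.0.2.20 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal-auth src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)


def parse(log_text: str) -> list[tuple[datetime, str, str, str]]:
    """Turn log lines into (timestamp, source, user, result) tuples, skipping
    anything that does not match the expected format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources that fail against at least `min_users` distinct accounts
    inside any `window`. A person mistyping their password produces many
    failures for ONE user; stuffing spreads failures across MANY users."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        by_src[src].append((ts, user, result))

    findings = {}
    for src, attempts in by_src.items():
        fails = [(ts, user) for ts, user, result in attempts if result == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_users:
                # Accounts that DID log in from this source are likely reused
                # passwords: reset them and enforce MFA before anything else.
                hits = sorted({u for _, u, r in attempts if r == "SUCCESS"})
                findings[src] = {"distinct_users_failed": len(users),
                                 "successful_logins": hits}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users_failed']} accounts tried, "
              f"successful logins: {info['successful_logins'] or 'none'}")
```

In the sample, 198.51.100.7 is left alone even though it fails twice: that is one user getting their own password wrong, which is exactly the case a per-account lockout already handles, and a credential-stuffing detector must not fire on it.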
7. Secure Configuration
Secure configuration is important for all systems used within or outside the organisation. This includes a mobile device management solution to control mobile devices, hardened operating system images used as a secure base for desktops and servers, and hardened configurations for network equipment. CIS benchmarks are a great start for preparing internal checklists that cover patch management, system hardening, services configuration and many other areas. For your mission-critical assets, such as a revenue-generating website, opt for a penetration test at least once a year or after any major change. This would pick up on the various cyber attacks that target retail or business-specific websites and infrastructure.
Our Tip: Add security benchmarks as an extension to your IT team’s OS build checklist. Ensure that sign-off from the security point of contact is a mandatory part of the process (ensures accountability) before any build is released into the production environment.
8. Secure and Regular Backups
Backups are an essential part of your cyber security strategy. In case of a cyber attack, data could be either compromised or deleted. Given that SMBs often lack strict processes and procedures, there is a large amount of data on staff laptops and mobile devices (tablets, phones). Ensure that a secure and regular backup policy is in place. This includes utilising a backup solution that can schedule backups automatically.
Use the cloud. Modern devices and services offer easy cloud-based backups. This offers multiple benefits such as backup schedule configuration, secure storage and easy restores accessible from anywhere.
Our Tip: Irrespective of the backup solution you opt for – don’t forget to test the backup restore.
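“Test the restore” means more than checking that the restore job finished: the restored files have to match what was backed up. The script below is an added example written for this article, not the output of any backup product. It backs up a constructed sample directory into a tar.gz archive alongside a SHA-256 manifest, restores the archive into a clean directory, verifies every file against the manifest, and then deliberately damages one restored file to show that the check catches a silently corrupted restore. The directory layout and file contents are constructed; the drill runs entirely inside a temporary directory.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write src into a tar.gz archive and return the manifest taken at backup time.
    Keep the manifest with the archive: it is the only ground truth for a restore."""
    manifest = build_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            # The "data" filter rejects members that would escape dest
            # (Python 3.12+, backported to earlier maintenance releases).
            tar.extractall(str(dest), filter="data")
        except TypeError:
            tar.extractall(str(dest))


def verify_restore(dest: Path, manifest: dict[str, str]) -> list[str]:
    """Compare a restored tree against the backup-time manifest."""
    problems = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    for extra in sorted(set(build_manifest(dest)) - set(manifest)):
        problems.append(f"unexpected file: {extra}")
    return problems


def restore_drill() -> dict:
    """Back up a constructed data set, restore it, verify, then corrupt one
    restored file and verify again to show the check is doing real work."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "live"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "invoices-2024.csv").write_text("id,amount\n1,99.50\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        archive = root / "nightly.tar.gz"
        manifest = create_backup(src, archive)
        dest = root / "restore-test"
        restore_backup(archive, dest)
        clean = verify_restore(dest, manifest)

        # Simulate a restore that "succeeded" but left a truncated file behind.
        (dest / "notes.txt").write_text("")
        corrupted = verify_restore(dest, manifest)
        return {"files": len(manifest), "clean": clean, "corrupted": corrupted}


if __name__ == "__main__":
    result = restore_drill()
    print(f"backed up {result['files']} files")
    print("clean restore problems:", result["clean"] or "none")
    print("corrupted restore problems:", result["corrupted"])
```

The same three steps (manifest at backup time, restore to a clean location, hash comparison) apply whatever tool takes the backup; the point of the drill is that a restore with zero reported problems is the only acceptable result, and that the check is run on a schedule rather than on the day the data is actually needed.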
9. User Education
Your employees could be your strongest or weakest link in cyber security; it all depends upon your cyber security strategy. Regular, thorough training must be an investment to deliver a baseline of knowledge for all employees. This would mark a shift in company culture over time, ensuring an overall boost for a proactive approach towards cyber security. Ensure that staff don’t browse the web or check emails from servers or while using administrative privileges. This will reduce the impact of attacks in the event that user details are stolen.
Our Tip: If you deploy a reporting solution, ensure that it’s simple, quick to use and helps the least tech-savvy users. If you are using Office 365, add the “Report Message” add-in button to Outlook clients so that users can report suspicious messages with a single click.
10. Secure Wireless Networks
If your business uses a wireless network, the corporate or staff network must be segregated from the guest (visitor) network and vice versa. It is important to ensure this segregation is strictly implemented on both networks to keep trusted and untrusted users separate. For corporate wireless networks, certificate-based authentication is the recommended mechanism. This ensures that user and connecting device identities are validated and cannot be spoofed. Implement a captive portal to manage guest network access for visitors.
Our Tip: We have observed at several organisations that backend infrastructure is shared with guest networks. Ensure that the guest network is a totally separate internet route offering no connectivity with the corporate environment. A captive portal is an efficient way of managing users (with approvals), ensuring that the security and usability aspects remain balanced.
Logging and monitoring, secure communications and in-depth Active Directory security are further areas that a business should consider in the long run. Just before you decide to go on a shopping spree…
Make Informed Choices
After implementing the above-mentioned measures, an organisation should opt for a cyber health check (or IT security health check) to assess its risk. This independent exercise should detail gaps around the people, processes and technology in use. Usually, this health check targets all major assets used by a business to identify weaknesses and recommend mitigation measures to address the risks. Based on the results, a remedial action plan should be prepared, along with any investment decisions that may be needed. A risk-focused approach delivers results starting from the critical assets and working downwards across the estate.
Before purchasing IT security solutions, a few ‘good to knows’:
- Don’t buy products that offer all in one solution.
- Don’t buy a product you heard about from another peer or at an event. Every network is different.
- Don’t rely on your IT/managed service provider to solve all your security troubles. The risk is yours, not theirs, even if you offer to let them do it all for you.
- Don’t select a single security vendor who says they will do it all for you. Who shall bell the cat later?
- Review the usability and security balance regularly to ensure security is an enabler for growth.
We provide an unbiased opinion (we don’t sell products or endorse vendors) with our services. A layered approach to cyber security delivers effective protection designed to protect assets. Just like physical security in an office, where a camera acts as a deterrent and a guard acts to prevent malicious activity, security countermeasures work in a similar way.
To learn more, you can check more blog entries under the SME category. Subscribe to our newsletter to stay up to date with relevant tips, tricks, articles and threat reports.