Businesses of every size must devote resources to reducing the ever-increasing risks posed by cybersecurity threats. Not a day goes by without news about new data breaches, hacks or ransomware attacks. While large multinationals may seem like prime targets, many hackers make their living focusing on smaller, more vulnerable organizations.
Top 7 Cybersecurity Threats for Small Business
In its 2019 “Global State of Cybersecurity in Small and Medium-Sized Businesses” report, the Ponemon Institute identified the following threats as the seven most common tactics that bad actors are currently using to steal data and breach small business IT security.
- Phishing — Phishing attacks have become more sophisticated over the past few years, evolving beyond basic phishing emails into complex deepfakes that are surprisingly effective. For example, bad actors are now transforming audio clips into realistic conversational phrases that trick employees into thinking they are speaking with an in-house authority figure and revealing valuable information.
- Web-based attacks — These attacks seek to gain access to systems that store or interact with your data through services exposed to the internet, such as websites, web applications and APIs. Attackers typically exploit a vulnerability in the application code itself, in the web or application server, or in the underlying operating system.
- Malware — Installing malware, or malicious software, to infiltrate and damage computers remains a popular attack vector. Basic and advanced viruses, spyware, worms, Trojan horses, and rootkits are all forms of malware.
- Compromised and stolen devices — Hackers who steal physical devices have many ways to break into them, even if they are password protected or otherwise locked. Unencrypted sensitive data, such as credit card information, can be sold or used to commit identity theft. Full-disk encryption and remote-wipe capability limit what a thief can recover from a lost laptop or phone.
- Credential theft — Cybercriminals often target credentials like tokens, session cookies, digital certificates, user ID and password combinations, and other access-based keys. They can use those credentials to get inside your network and steal valuable data.
- Zero-day attacks — Zero-day attacks target vulnerabilities in software before the vendor even knows about the issue or can develop a patch.
- Denial of service (DoS) attacks — DoS attacks are a particular type of web-based attack. Hackers attempt to make a machine or network resource unavailable, either by flooding it with more traffic or requests than it can handle, or by abusing a weakness in a network protocol or in the application itself so that a small amount of traffic exhausts its resources.
8 Tips for Improving Information Security for Small Business
Small business owners do not have to invest in expensive cybersecurity resources to reduce risk. The following eight commonsense precautions will greatly improve protection against common cyberattacks.
1. Adopt and enforce the least-privilege model.
Provide each user with only as much access to systems and information as they need to complete their duties. Strictly enforcing this principle limits the damage that a user can do, either deliberately or accidentally, and it similarly limits the reach of an attacker or malware that takes over a user’s credentials. Conduct regular entitlement reviews to make sure all access rights are up to date as both your IT environment and your workforce evolve.
2. Use layers of security.
The best computer security for small businesses (or enterprises) involves layers. Your security program should include all of the following:
- Asset inventory — Regularly review what hardware and software you have, and ensure that it is up to date and supported by the vendor. Maintain an inventory of all your sensitive and business-critical data. Regularly review user and computer accounts, and disable and then delete any that are no longer needed, since inactive accounts are ripe for credential theft.
- Perimeter and network security — Divide your network into different zones with different levels of security, so that a compromise of a public-facing web server does not give an attacker direct access to file servers or workstations. Consider using solutions like web application firewalls to block suspicious traffic going to and from web applications, but treat them as a supplement: fix the application code itself so that it is not vulnerable to SQL injection, for example by using parameterized queries instead of building SQL strings from user input.
- Activity auditing — Routinely review user and computer account activity, including who accessed what information or resources.
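As an added illustration of the SQL injection point above (example code written for this article, not from the report or any product), the same user lookup is written two ways against an in-memory SQLite database. The table, column names, sample rows and the injection string are all constructed for the demo.

```python
"""Added example: why parameterized queries, not a WAF alone, are what make
SQL code resistant to injection. Everything here (table, rows, payload) is
constructed for the demo and runs offline against an in-memory SQLite DB."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so attacker-supplied
    quotes change the structure of the query rather than just its data."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the input travels as a bound parameter, so the database only
    ever compares it as a value and never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Classic injection string (constructed): closes the quote, then appends an
# always-true condition so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))  # returns every user
    print("safe:      ", find_user_safe(db, PAYLOAD))        # returns nothing
```

The vulnerable version executes `... WHERE username = 'x' OR '1'='1'` and returns the whole table; the parameterized version looks for a user literally named `x' OR '1'='1` and finds none. The same pattern (placeholders plus a parameter tuple) applies to MySQL, PostgreSQL and SQL Server drivers, only the placeholder syntax differs.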
3. Configure your software properly and keep security patches up to date.
Make sure to configure applications and operating systems properly, including those on mobile devices, and deploy patches as soon as they are released and tested.
4. Centralize hardware management.
Centralize management of on-site hardware and mobile devices that travel with employees, including establishing a baseline configuration for different devices. Maintain a detailed asset inventory of all equipment, and audit your network logs for unauthorized device access.
5. Strengthen your password policy.
Enforce strong authentication, including multi-factor authentication wherever it is available, and implement strict password security policies across your organization. Be sure to communicate password policies clearly and explain why it is vitally important to create strong, unique passwords and protect them. Periodic forced password changes were long considered a best practice, but current guidance (NIST SP 800-63B) advises against mandatory rotation on a fixed schedule and instead recommends requiring a change whenever there is evidence of compromise and screening new passwords against lists of known-breached passwords. Enforce your password policy through appropriate Group Policy settings.
6. Monitor your environment for suspicious activity.
Monitoring activity and changes across your environment is one of the most important security best practices. Quickly spotting suspicious changes and access events can help you detect an attack in time to prevent real damage.
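To make the "spot suspicious access events" advice concrete, here is an added example (written for this article, not from the report or any vendor tool) of detection logic run over authentication log lines. The simple `timestamp result user src` log format and the sample lines are constructed for the demo; adapt the regular expression to your own sources (sshd, exported Windows 4624/4625 events, VPN logs). It flags two patterns: a burst of failed logins from one source, and a successful login from a source that was just failing repeatedly.

```python
"""Added example: a small detector for brute-force bursts and
success-after-failures, run over constructed authentication log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in a simple "timestamp result user src" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:04 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:06 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:08 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:09 OK user=dave src=203.0.113.7
2024-05-01T09:15:00 FAIL user=alice src=198.51.100.2
2024-05-01T09:16:00 OK user=alice src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, result, user, src) or None for lines that do not
    fit the expected format (those are skipped rather than crashing)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Return a list of alert strings. Two rules:
    1. at least `threshold` FAILs from one src within `window_s` seconds
       -> BRUTE_FORCE (raised once per src);
    2. an OK from a src that has 3 or more FAILs still inside the window
       -> SUCCESS_AFTER_FAILURES (a likely guessed password)."""
    recent_fails = defaultdict(deque)  # src -> timestamps of recent failures
    already_alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        fails = recent_fails[src]
        # Slide the window: forget failures older than window_s seconds.
        while fails and (ts - fails[0]).total_seconds() > window_s:
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and src not in already_alerted:
                already_alerted.add(src)
                alerts.append(
                    f"BRUTE_FORCE src={src} fails={len(fails)} in {window_s}s"
                )
        elif len(fails) >= 3:
            alerts.append(f"SUCCESS_AFTER_FAILURES src={src} user={user}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data the first source trips both rules (five failures in eight seconds, then a success as `dave`), while the second source, one failure followed by a success a minute later, produces nothing. Tune `threshold` and `window_s` to your own baseline, and route the alerts somewhere a person will actually read them.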
7. Back up your data regularly.
Create regular backups and store at least one copy offsite. Keep that copy offline or otherwise immutable, since ransomware that can reach a network-attached backup will encrypt it along with everything else, and test a restore periodically so you know the backups actually work. That way, if you do find yourself the victim of a disaster or an attack, you can get your business back up quickly, without ever having to pay for a ransomware decryption key.
8. Educate your employees.
According to Ponemon research, 53% of attacks on small businesses are phishing or other forms of social engineering. Take another look at the 7 most common attacks listed above; whether most of them succeed depends a great deal on the security savvy of your employees. In particular, train your employees to use strong passwords, recognize and refuse to open suspicious emails, and never leave their devices unattended. Also educate them about how to report suspicious events and security incidents. Gear the training to the needs of different groups of users, and regularly test your employees using strategies like simulated phishing emails.