If you are responsible for managing the IT of your small business, then you probably already know that it’s a jungle out there, one with cybercriminals hiding behind every bush. According to the recent Verizon Data Breach Investigations Report, over the last two years, small businesses have become the top targets of cybercriminals and are beginning to suffer from cyber breaches more than large businesses.
To make matters worse, a recent study by the National Cybersecurity Alliance indicates that of the small businesses hit by a cyber attack, 60% go out of business within the following six months. It is a serious situation.
Cyber attacks against SMBs are on the rise, primarily because cybercriminals expect a small business to have fewer resources dedicated to security, and so they see it as low-hanging fruit. Most small businesses do not have a dedicated security professional or IT department; they are simply too small to justify the cost. That is the problem, because it leaves them vulnerable and relatively easy pickings for increasingly sophisticated cybercriminals.
Against this backdrop, security through obscurity is no longer an option, and the expectation that you are too small to attract the interest of cybercriminals is no longer realistic. With this in mind, let's take a look at the top five threats to small businesses.
Top Five Cyber Threats Affecting Small Businesses
1) Unpatched operating systems and software – Making sure that your computers and the software that runs on them are up to date is absolutely essential and is the bedrock of good security practice. Hackers take advantage of vulnerabilities in unpatched software and operating systems to infiltrate organizations far too often. Failing to apply software and operating system updates when they are released puts your business at risk and weakens the overall security of your IT infrastructure. Don’t make it easy for them: make sure servers and workstations have the latest OS patches applied and that all third-party applications are kept up to date.
2) Phishing Attacks – Those sneaky phishers are getting smarter, and the bad news is that because they target humans rather than computers, there is no truly effective method of stopping them. By posing as legitimate contacts who may be known to the organization, phishers can fool the best of us sometimes, and the only real way to defend against a phishing attack is through employee education. Helping your employees understand the threat and regularly showing them different examples of phishing attempts reduces the likelihood of them clicking on something they shouldn’t. A number of organisations can help you and offer free phishing training resources; searching for anything with .gov in the address is a good place to start.
3) Weak Passwords – Humans are terrible at choosing good passwords that are difficult for hackers to guess. Even worse, we often reuse the same password on multiple websites, making it even easier for hackers to find a way into your corporate applications or infrastructure. Implement a good password policy and use password vaults to store and generate passwords for your employees. Your staff should also be taught about the dangers of reusing passwords, as one bad password used twice can lead to a very expensive breach.
4) Secure Your Wi-Fi – We have all visited businesses that provide a single Wi-Fi network to both their employees and visitors, where the password is the telephone number of the business or an easy-to-guess word. Simple Wi-Fi passwords might be convenient when you need to remember them, but they present a significant threat from a security perspective, making it easy for hackers to infiltrate your wireless network once they have guessed the password. If no further network controls are in place, an attacker who has compromised your corporate wireless network will most likely have access to your entire internal network.
If the attacker is using a long-range Wi-Fi antenna, they don’t even need to be that close to your business to launch an attack on your wireless network. Lock your Wi-Fi down by changing your router’s default administrator password, setting your Wi-Fi encryption to WPA2+AES, and changing your Wi-Fi password to something that is long and hard to remember (or crack). If you want to allow guest users to have Wi-Fi access when they visit your organization, implement a separate SSID that allows guests to access the Internet but isolates their devices from the rest of your network.
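As an added illustration (not from the original article), here is what the Wi-Fi settings above look like in a hostapd configuration for a Linux-based access point: WPA2 with AES-CCMP only, a long passphrase, and a separate guest SSID on its own bridge. Interface names, bridge names, SSIDs and passphrases are assumed placeholders; the router's administrator password is set outside this file.

```ini
# Added example, not the article's own configuration. Placeholder names
# (wlan0, br-lan, br-guest, SSIDs, passphrases) are assumptions.

# --- The weak setup the article warns against, shown only for contrast ---
# wpa=1                         # WPA1/TKIP: obsolete and broken
# wpa_pairwise=TKIP
# wpa_passphrase=01234567890    # "the office phone number"

# --- Staff network: WPA2 with AES (CCMP) only, long random passphrase ---
interface=wlan0
driver=nl80211
bridge=br-lan                   # staff clients join the internal LAN bridge
ssid=Acme-Staff
hw_mode=g
channel=6
wpa=2                           # WPA2 only; no WPA1 fallback
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP               # AES-CCMP only; TKIP deliberately not offered
wpa_passphrase=REPLACE_WITH_A_LONG_RANDOM_PASSPHRASE_OF_20_PLUS_CHARS

# --- Guest network: a second BSS on the same radio, on a separate bridge ---
bss=wlan0_1                     # hostapd creates a second virtual interface
bridge=br-guest                 # guests land on a bridge with no route to br-lan
ssid=Acme-Guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_A_DIFFERENT_GUEST_PASSPHRASE
ap_isolate=1                    # guest clients cannot see each other either
```

hostapd only places guest devices on `br-guest`; the actual isolation comes from the routing and firewall rules you apply between `br-guest` and the internal LAN, which are outside this file.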
5) Make Yourself Malware Resistant – There are a number of things that you can do to make your business more resistant to malware attacks. The nuclear option is to completely lock down your employees’ workstations by removing their admin privileges, so that neither they nor malware can install anything on the machine. Restrict the kinds of websites that your employees can visit on their computers: sites offering pirated streaming movies, pornography and gambling often contain malware waiting to infect visitors foolish enough to click on their links. Make sure that you have a good antivirus (AV) product on the workstations and your network, one that forces scans of all downloaded files as well as your email contents. When AV is properly updated it can catch a lot of viruses before they spread across the network.
While these are the top five threats facing small businesses today, they are by no means the only threats that could affect your business. But if you can stay on top of the above five threats then you will go a long way to ensuring a decent level of security and dramatically reduce the chances of becoming a victim.
Ultimately, management awareness and employee training on cyber threats are essential no matter what business you are in, and with all of the recent news about cyber attacks large and small, ignorance of the threat landscape is no longer an excuse. The good news is that there are hundreds of different groups and services that can help you improve your overall security posture and help your small business get to grips with these threats, often for free.
With some careful practices, good internal processes, and regular employee education, both you and your employees can do a lot to help secure your business against cybercriminals and put your business on a much firmer footing from a security perspective against a wide range of different cyber threats.