Each year more and more businesses of all sizes are suffering from cyber breaches. The big names, Equifax, Yahoo, Anthem, eBay, JP Morgan Chase, Home Depot, Target and Adobe to name a few, grab all the attention. But don’t be fooled into thinking it only happens to these big businesses.
The latest surveys show that small businesses need all the help they can get. In the last 12 months, hackers have breached half of all small businesses in the United States, according to the 2016 State of SMB Cybersecurity Report. Small businesses, which often don’t have the revenue to afford their own IT departments, are especially susceptible to phishing attacks via email and to fraudulent activity in their e-commerce shops.
It is impossible to predict who will be affected by such an attack and when, but 97% of breaches could have been prevented with today’s technology. Below are 12 ways you can take action today to reduce your chances of becoming a statistic.
1) Routine Security Assessments
Conducting routine security assessments is a great way to keep all parties accountable for the security requirements of the business. Engaging a third party to conduct internal and external security assessments is a great way to shore up vulnerabilities within your business. Making this a routine process (daily, monthly or quarterly) is key to catching anything that might have changed without proper oversight and approval.
2) Email Filtering Protection
Advanced email filtering can stop the threat before it reaches your end users, acting as the first line of defense. This involves blocking suspicious emails, scanning attachments and links, and removing any threats found. The number one method bad actors use to infect businesses with ransomware is email. It has been reported that 93% of phishing emails now carry ransomware.
3) Give your Users Powerful Passwords
Weak password policies are a surefire way of inviting in multiple data security issues, including ransomware. According to the key findings of the 2016 State of SMB Cybersecurity Report, 59% of SMBs have no visibility into employee password practices and hygiene, and 65% of SMBs that have a password policy do not strictly enforce it. It is apparent that password policies at small and medium businesses in the United States are at a crisis level.
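Enforcing a policy means checking every new password at the moment it is set, not just writing the rule down. The following validator is an added example, not code from the original article or its author; it follows the NIST SP 800-63B style of a length minimum plus a blocklist of known-bad and context-specific values, with a constructed, illustrative blocklist and a hypothetical company name ("acme") standing in for a real breached-password corpus and your own business terms.

```python
import re

# Constructed, illustrative blocklist. A real deployment would check against a full
# breached-password corpus (for example the Have I Been Pwned "Pwned Passwords" list);
# these entries exist only so the example runs offline.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome1", "admin123", "iloveyou", "monkey",
}

# Hypothetical business-specific words staff tend to reuse in passwords.
COMPANY_WORDS = ("acme", "acmecorp")

MIN_LENGTH = 12


def check_password(password: str, username: str = "",
                   min_length: int = MIN_LENGTH,
                   blocklist=COMMON_PASSWORDS,
                   company_words=COMPANY_WORDS) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable.

    Length and blocklist checks rather than forced character classes: a long
    passphrase passes, a short "complex" variant of a common word does not.
    """
    problems = []
    lowered = password.lower()

    if len(password) < min_length:
        problems.append("too_short")

    # Strip trailing digits/symbols so "Password123!" is still caught as "password".
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in blocklist or core in blocklist:
        problems.append("common_password")

    if username and username.lower() in lowered:
        problems.append("contains_username")

    if any(word in lowered for word in company_words):
        problems.append("contains_company_word")

    # A single repeated character or a digits-only string offers no real entropy.
    if re.fullmatch(r"(.)\1*", password) or re.fullmatch(r"\d+", password):
        problems.append("low_variety")

    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper for a password-change form: True when no rule is violated."""
    return not check_password(password, username)


if __name__ == "__main__":
    for pw, user in [("123456", "bob"), ("Password123!", "bob"),
                     ("AcmeCorp2024!!", "dave"), ("correct horse battery staple", "alice")]:
        print(f"{pw!r:35} -> {check_password(pw, user) or 'OK'}")
```

Wire `check_password` into the account-creation and password-reset paths and log the rejection reason (never the password itself) so you gain the visibility the report says most SMBs lack.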
4) Cyber Security Awareness Training
How susceptible is your business to being phished? This is a metric based on your employees’ email savviness that can and should be tracked at every business. Did you know that global spending on security awareness training for employees is predicted to reach 10 billion by 2027? Businesses should treat cyber security awareness training as a requirement for new employees during their onboarding process. Once implemented, you will see phish-prone percentages fall from 15 to 20 percent down to one to two percent after a year.
5) Advanced Endpoint Protection
Advanced endpoint protection is night and day from basic anti-virus. Advanced endpoint security solutions take a multi-level approach to protecting computers and servers. For example, advanced antivirus uses machine learning and behavioral heuristics, has a low impact on computer resources, and protects against threats from email, browsers, files, URLs, ads and apps, all in real time. In addition, if ransomware were to get onto a computer protected by advanced endpoint protection software, you have the ability to roll back any changes, restoring all files to their uninfected state.
6) Enable Two-factor Authentication
Passwords are convenient, robust and tried-and-tested when it comes to securing your online presence and digital data. However, their main downside is their susceptibility to being stolen using spyware or through trickery. The use of two-factor authentication (2FA) is an excellent defense against account compromise even when the bad guys have your password. 2FA adds another layer of protection after your password, usually by linking one factor (your password) with a secondary factor such as a rotating code on a physical device or a text message/verification code sent to your cell phone number.
7) Update Your OS
The WannaCry ransomware targeted computers running outdated versions of the Windows operating system. It is critical to keep your software updated and to download security patches when they are released. Manufacturers stop supporting outdated operating systems after ten years or so. This will be well publicized, and users should follow the manufacturers’ instructions to ensure their devices are as secure as possible.
Do not ignore that prompt from your software provider to update! Software providers regularly improve and fix vulnerabilities in their products, so updating and having the most current system in place gives you the best chance of preventing hackers from exploiting those vulnerabilities.
8) Dark Web Research
The Dark Web is easy to find. With the appropriate tools and a stomach made of steel, anyone can access and scan the internet’s underbelly. Lurking beneath the clear web (the sites we browse every day with traditional search engines and web browsers) are black markets loaded with stolen credit card information, black hat hackers, and human and drug traffickers. We scan the Dark Web and take action to protect your business from stolen credentials that have been posted for sale.
9) Business Class Firewall or Security Appliance
For many SMBs, security appliances, also known as unified threat management (UTM) devices, are the most functional, manageable and upgradeable option. Notable UTM appliances are available from many vendors, such as Cisco, Fortinet, SonicWall and WatchGuard. The UTM concept is based on the assumption that a combination of security functions bundled in the same appliance creates a better security umbrella for organizations.
10) Encrypt Files and Portable Devices
While there are many benefits to portable devices such as mobile phones, laptops, tablets and USB drives, they inherently create the risk of data getting into unauthorized hands. Many of these portable devices already have built-in methods for securing the data with encryption. Let’s face it, there will be a time when a portable device gets misplaced or, worse, stolen. Having encryption on a device that goes missing for whatever reason gives you peace of mind that your data will not be stolen or used with bad intentions.
11) Update Your Backup Process
Long gone are the days when an overnight backup every 24 hours was adequate for proper data protection. A quick and easy fix? Increase your backup frequency. To minimize the downtime connected with an outage, you should be backing up in 15-minute increments. Your backup solution should let you set policies and procedures for those backups and should alert the administrator to any errors and faults.
To defend against ransomware, data should be safely stored both on-premises and off-site. You also want to ensure that you shield all of the servers in your environment, whether virtual or physical, with the same level of security. You may instinctively concentrate on mission-critical applications like Exchange, Microsoft SQL and your financial systems, but do not overlook the file servers that are just as susceptible to attack.
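A 15-minute schedule only helps if someone notices when a run is missed, and frequent snapshots need a retention rule so the store does not fill up. The following monitoring and retention logic is an added example, not code from the original article or its author; the snapshot timestamps are constructed sample data, and the 24-hour/7-day retention tiers are this example's own assumptions.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=15)     # target backup frequency from the text
TOLERANCE = timedelta(minutes=2)     # slack for a job that starts a little late

# Constructed sample: completion times of snapshot jobs for one file server.
SAMPLE_RUNS = [
    datetime(2024, 3, 10, 8, 0),
    datetime(2024, 3, 10, 8, 15),
    datetime(2024, 3, 10, 8, 30),
    datetime(2024, 3, 10, 9, 0),    # the 08:45 run never completed
    datetime(2024, 3, 10, 9, 15),
]


def find_gaps(run_times, interval=INTERVAL, tolerance=TOLERANCE):
    """Return (previous, next) pairs of consecutive backups further apart than allowed."""
    runs = sorted(run_times)
    return [(a, b) for a, b in zip(runs, runs[1:]) if b - a > interval + tolerance]


def is_stale(run_times, now, interval=INTERVAL, tolerance=TOLERANCE):
    """True when the newest backup is older than one interval plus tolerance."""
    return not run_times or now - max(run_times) > interval + tolerance


def retention_plan(run_times, now, keep_all=timedelta(hours=24),
                   keep_hourly=timedelta(days=7)):
    """Snapshots to keep (assumed tiers): every one from the last 24 h, the on-the-hour
    ones for 7 days, and only the midnight one beyond that. Returns a sorted list."""
    keep = []
    for t in sorted(run_times):
        age = now - t
        if age <= keep_all:
            keep.append(t)
        elif age <= keep_hourly and t.minute == 0:
            keep.append(t)
        elif t.hour == 0 and t.minute == 0:
            keep.append(t)
    return keep


def alerts(run_times, now):
    """Messages an administrator should receive; empty when everything is on schedule."""
    msgs = [f"gap: no backup between {a:%H:%M} and {b:%H:%M}"
            for a, b in find_gaps(run_times)]
    if is_stale(run_times, now):
        latest = f"{max(run_times):%Y-%m-%d %H:%M}" if run_times else "never"
        msgs.append(f"stale: last backup {latest}, now {now:%Y-%m-%d %H:%M}")
    return msgs


if __name__ == "__main__":
    now = datetime(2024, 3, 10, 9, 45)   # constructed "current time"
    for msg in alerts(SAMPLE_RUNS, now) or ["all backups on schedule"]:
        print(msg)
```

Run `alerts` from a scheduled job against the timestamps your backup tool records, and send its output to the administrator; an empty list is the healthy case. Apply `retention_plan` to both the on-premises and the off-site copies so the off-site set is not silently thinned differently.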
12) How Cyber Insurance Can Help
If a company falls victim to a cyber-extortion event, the costs can quickly escalate. In general, cyber insurance can help offset many of the costs a company might incur, including:
- Hiring a security firm: The costs and fees of hiring a security firm to evaluate an extortion threat can be significant. Cyber insurance can offset costs to determine the severity and validity of an extortion threat.
- Managing Public Relations: California state law requires that a sufficiently large cyber security breach be disclosed to the public. Managing the reputation of the business you have worked so hard to build can take a lot of time and money after a cyber security breach. Most cyber security insurance policies include resources to help with this task.
- Reward adjustments: Victims sometimes need to offer a reward for information leading to the conviction and imprisonment of the attacker. If an external informant’s identification of the attackers leads to their capture and conviction, cyber insurance can potentially cover the reward payment.
It is impossible to predict who will be affected by such an attack and when, but by utilizing the 12 ways listed above you will greatly reduce your business’s vulnerability to being impacted by a cyber attack. The first step is to use these 12 ways to audit what you currently have in place at your business. Once you know your deficiencies you can then start planning to shore up the areas that need it. Of course, if this still feels like a major undertaking to tackle, then by all means give us a call at 760-454-0140 and we can help.