Remember the time when we didn’t have an Internet? Now most of us can’t imagine living without it. But along with that wealth of information at our fingertips comes an abundance of cyber threats that now looms over every business today. SMBs are especially vulnerable, so knowing the basics of cybersecurity is a must for every small business owner.
Here are 10 things every SMB should know about cybersecurity:
1. There are many attacks you need to watch out for
The most common attack method for cyber adversaries remains an email. Cybercriminals have come a long way with their email skills. We’re well past the days of the annoying male performance enhancement emails and the ever-humorous Nigerian prince scams. These days, you’re more likely to receive very believable and sophisticated emails that seem to come from trustworthy sources, like your bank or UPS – but they contain attachments that will place malware on your system in seconds. These general phishing emails are getting trickier to spot, and as a result it’s not uncommon to get malware on your systems by email spoofing and customized spear-phishing campaigns.
Beyond emails, companies also should be concerned about websites that appear to be legitimate but have embedded malicious code to infect your computer. An interesting New York Times article described one example of this type of attack: “Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.”
Of course, there are other attack methods including physical removable media (like USB drives), hacking public facing websites, and the ever-popular remote desktop. The threats are all around us and the situation will worsen as the number of people online continues to increase. By 2020, Microsoft estimates that:
- Four billion people will be online—that’s double the number as today
- Fifty billion devices will be connected to the Internet
- Data volumes online will be 50 times greater than today
2. Small businesses are the primary target of cybercriminals
We often hear about the major breaches in the news. It started with Target and has continued with a string of high-profile hacks: Facebook, Home Depot, Yahoo, Sony, Experian, Anthem and Equifax. The problem with all the high-profile cases is that it often masks the real target of cybercriminals, which are small businesses. In last year’s Manta poll of 1,420 small business owners, 87% didn’t think their business was at risk of experiencing a data breach, because they didn’t think they had anything worth stealing. Do NOT make the same mistake. Last year more than 55% of small businesses were hacked. In fact, the Securities and Exchange Commission wrote in a 2015 report, “Cybersecurity is clearly a concern that the entire business community shares, but it represents an especially pernicious threat to smaller businesses. The reason is simple: small and midsize businesses (‘SMBs‘) are not just targets of cybercrime, they are its principal target.” Why is that? Well, first of all, SMBs have more computers than individuals but less security than large enterprises. The other reason small businesses are appealing targets is that hackers know these companies are less careful about security, partly because they don’t think they are at risk. SMBs also generally lack the time, budget, and expertise to properly address network security.
3. Security is getting more expensive and difficult to manage
As attacks grow in size and complexity, it is hard for SMBs to keep up. Only a third of organizations believe they have adequate resources to manage security effectively, assuming they can afford the systems in the first place. Then they have to worry about hiring people to manage these systems and watch for compromises. This is no easy task given that there is a 0% unemployment rate in the cybersecurity field.
Adding to the challenge is the fact that organizations now have an average of seven different agents installed on endpoints, each requiring its own monitoring and expertise along with a constant stream of software updates. Simply put, the majority of organizations feel like they’re underwater when it comes to cybersecurity.
4. Who is behind cyberattacks and what are they after?
The days of single individuals in hoodies trying to hack you are long over. How long did it take for Matthew Broderick’s character in the movie War Games to figure out the password was “Joshua” anyway? Today, well-organized crime syndicates are responsible for much of the cybercrime. Sure, there are hacktivists and nation state actors and the like, but the real threat are the crime organizations. Why are they so interested in cybercrime? The same reason why a robber robs a bank – because that’s where the money is! If the end goal of a cyberattack isn’t to directly steal money (which they can do by stealing credentials to access banking accounts), it’s to steal employee details or customer data (including credit card information or social security numbers) which they can quickly turn around and sell on the dark web. Did you know the cyber adversaries can also take over your computer and use it to mine for crypto currency, all without you knowing it? Cyber-crime pays, and it pays handsomely. In fact, it pays so much that criminals are incentivized to constantly invest in developing new ways to infiltrate data-rich environments. There are 111 billion lines of new software code being produced each year — which introduces a massive number of vulnerabilities that can be exploited – and cybercriminals want to be the ones to exploit them for their financial gain.
5. The most common types of cyberattacks are…
While the threat landscape is constantly changing, it is important to understand the most common types of attacks out there right now.
- APT: Advanced persistent threats, or APTs, are long-term targeted attacks designed to break into a network and remain undetected while establishing a presence on the system, with the ultimate goal of copying data from the network.
- DDoS: Distributed denial of service, or DDoS, attacks occur when a network is intentionally overloaded with requests until it shuts down.
- Insider attack: Someone from within the organization purposely misuses his or her credentials to gain access to confidential company information.
- Malware: “Malicious software” includes any program introduced into a computer with the intent to cause damage or gain unauthorized access.
- Password attacks: Attacks which seek to discover a system’s or user’s credentials to gain access.
- Phishing: Uses a legitimate-looking website or email in an attempt to gain access to a device.
- Ransomware: A type of malware that infects your machine, then demands a ransom to return the system to normal.
- Zero-day attack: Vulnerabilities in software and systems that were not previously known and therefore there are no security measures in place to combat them. These are what the cybercriminals are constantly working to discover.
6. The cost of a network breach continues to go up
While the number of data breaches have gone up recently, the costs associated with them have also risen significantly over the past two years. For small and medium businesses, the average financial impact of a data breach now stands at $120k for SMBs, a 36% increase from 2017. What makes these breaches so costly? There are many factors that play a contributing role, including downtime when compromised devices are taken offline, theft of data, productivity loss, damage to infrastructure, lawsuits and fines, and reputation damage. All of these factors can add up to devastating consequences that go far beyond the initial compromise. In fact, 60% of small businesses go out of business within 6 months of an attack.
7. Prevention is cheaper than the cure
Another reason why SMBs are not properly securing their networks and data is the perception that security is too costly. More than half of businesses cite cost as a reason why they aren’t doing more for their security. When you look at the costs of a breach and compare it to the costs of protecting data and networks, it is clear that prevention is cheaper than remediation. Most companies that suffer a large-scale breach end up paying thousands, sometimes even millions of dollars to fix all the damage – and monetary damage is not the only thing to repair. A damaged reputation can put a company out of business just as easily. The Benjamin Franklin axiom thus holds true here: an ounce of prevention is worth a pound of cure.
8. Network security requires a comprehensive approach
When trying to protect your data and networks, it is important to know where your key assets are. Since price is a concern for businesses, knowing where the sensitive data is can help companies focus their limited resources where they are needed most. A perimeter firewall is a must-have for any business seeking to secure their network, along with an anti-virus solution on their endpoints. Email is another important asset that needs to be protected. These three areas make up what I like to call the “security trinity.” Beyond that, businesses should look to encrypt their sensitive data in case there is a breach. Also, two-factor authentication is a great way to combat brute-force password attacks and confirm identities on the network. Because threats are constantly changing, regular patching of systems and computers is necessary to limit vulnerabilities. Finally, a backup solution can ensure that whatever may happen on the network, critical data and systems remain accessible at all times and avoid that costly downtime.
There are also some approaches that can help protect data that don’t necessarily cost businesses any money. The most important thing anyone can do is to use strong passwords. Companies that enforce a strong password policy will be better protected than those who don’t. Along with passwords, companies can restrict access to sensitive data and systems to only those who need access. This can also be done with permissions, but because we know that credentials can be stolen, it is often more important to use access control lists to restrict even the ability to get a log in prompt. Systems should not be reachable via the public Internet whenever possible. Network segmentation is another way to restrict access and will also help reduce lateral movement in case there is a compromise. Most importantly, businesses need to educate their employees on security. The human factor is by far the greatest factor when it comes to breaches, and it is best dealt with through education.
9. Security is not a set-it and forget-it type of thing
Network security threats are constantly evolving, and businesses need to transform their security along with it. If what was true 5 years ago still applies today, now there are at least ten times more things to worry about. One of the most significant trends we’ve seen in 2017 and 2018 is the ongoing shift to fileless attacks. This type of attack doesn’t install new software on a user’s computer, so antivirus tools are more likely to miss them. In 2017 over 40% of US businesses were compromised due to fileless attacks and exploits. To address the rise of fileless attacks, many businesses are looking to augment their traditional anti-virus solutions with an Endpoint Detection and Response (EDR) solution, which looks at the processes running on a computer to determine if something malicious is happening. Businesses also need to update their old firewalls with more robust Next Generation Firewalls (NGFW) that can more easily adapt to changing threats.
Just remember – you simply can’t just implement security and forget about it. In the cybersecurity industry, things change rapidly and businesses need to change too. You need to review and modify firewall policies, patch your systems and update permission lists regularly and often. You also need to constantly evaluate your endpoint protection to ensure it is meeting current threats.
10. There’s no silver bullet to security
In the end, every business needs to understand that there is no silver bullet when it comes to cybersecurity. No single system or approach can fully protect a network, and even the most secured networks may be compromised. If an attack does happen, it helps to detect it as soon as possible so the damage can be minimized. The compromised host may not be where the sensitive data is, so you’ll need to stop the intrusion before it can get there.
It is important that businesses are prepared in case there is a breach. Visibility and logging of network traffic can go a long way in helping to get ahead of the problem when it does occur, but this means nothing unless there is someone watching the logs or monitoring the network. The famous breach against Target triggered alerts that a breach had occurred, but no one acted on it. As we move forward, we are likely going to see the rise of cyber insurance as another means for businesses to augment their security.
If all of this sounds pretty bleak, don’t despair – there is good news. All of this has led to the development of more robust security offerings as a service. Even better news is that a Managed Service Provider (MSP) can help you handle your security needs for less than if you were to do it all by yourself. TPx has invested in state-of-the-art technologies and seasoned security professionals who help thousands of clients nationwide with cybersecurity. You have enough to worry about – let TPx deal with your security challenges so you can focus on your core competencies and grow your business. Request a free consultation today.
About the Author
Erik Nordquist is the Senior Product Manager for TPx Communications’ managed security services. He’s led a broad range of critical activities, including Field Operations and the Hostmaster team where he built TPx’s anycast DNS network to service its 55,000 customer locations. His work on the Network Integrity team made him the resident expert for mitigating Denial of Service (DoS) attacks. After interfacing with customers for years, Erik is bringing his customer-focused approach to his Product Manager role, helping to deliver first-in-class security services to TPx clients with unsurpassed customer support.
Want to learn more? Here’s a video with 10 more things you should know about cybersecurity.