How Secure is Your Small Business from Cyber Attacks?


Small businesses underestimate the threat hackers pose to their business. About 87% of small businesses think cyber-criminals will not attack them, yet half of them actually experience cyber-attacks. To compound matters, about half of the small businesses that experience a cyber-attack go out of business within the next six months.

Hackers love small businesses. Most of them have minimal security deployments in place. The small scale of operations equates to a modest budget, which almost always means an absence of a proactive security policy, let alone deployment of the latest state-of-the-art security measures. Hackers can breach information with relative ease, stealing employee details, customers’ financial information, vendor information, and trade secrets. Worse, they can use the breach as a springboard to steal from the people whose credentials they usurped.

There is no point in locking the stables after the horse has bolted. When it comes to cyber-security, there is no shortcut to a proactive and preemptive approach. Is your business equipped to keep cyber-attackers at bay? Cyber-security need not always mean a huge investment in infrastructure and resources. Consider the following factors.


Does the business have a cyber-security plan in place?

While a cyber-security plan may seem a no-brainer in today’s age, where cyber-criminals strike at will, the reality is that 73% of small businesses do not have a formal cybersecurity plan in place.

A standard cyber-security plan lists security protocols and best practices. Key inclusions in any plan are: security deployments such as passwords, two-factor authentication, the recommended anti-virus and anti-malware suites, the firewalls and network monitoring mechanisms in place, a policy on regular software updates, a list of whitelisted apps, and more. It may also incorporate a security incident response plan.

However, what makes a cyber-security plan effective is not the laundry list of security deployments, but rather the approach. An effective cyber-security policy understands human fallibility, and includes measures to pre-empt damage caused by employee errors or omissions. Likewise, it is broad enough to take cognizance of both digital and physical threats.

An effective cyber-security plan is never static either. The world of computing is fluid, with big changes taking place by the day. Cyber-security mirrors such a fluid environment. Smart enterprises monitor their cyber-security environment on a regular basis. They then make changes to their cyber-security plan, to deal with emerging situations on a proactive basis.


Does the business have a data policy in place?

A data policy is indispensable to implement cyber-security plans in a practical way.

Security is a cost center. One way to keep costs low is classifying data by sensitivity and importance to the enterprise. All businesses have a mix of financial data, customer data, intellectual property, employee records, and more. Highly confidential data, such as customers’ personally identifiable information, the breach of which could have far-reaching financial implications and even sound the death knell of the business, requires high levels of protection. Less sensitive data, such as performance evaluations, internal audit reports, and marketing plans, may cause severe embarrassment in the event of a breach, but its impact can be contained. Such data primarily requires access control. A good chunk of the data has no value at all. For instance, marketing collateral may already be in the public domain, making it senseless to invest money in securing it.

Success requires classifying data in a systematic way. Conduct a data inventory up front, to identify the types of data held. Next, classify the data by its importance to the enterprise and its sensitivity. Having identified and classified the data, move the important or sensitive data to safe locations, implement strict access control, encrypt it, and deploy any other necessary security measures. Deploy different plans for different types of data, as relevant.


Does the business have a privacy policy in place?


Side by side with a cyber-security plan and data policy, a privacy policy is also essential. The privacy policy outlines what the business does with the information it collects. It is, in essence, the business making a pledge to the customer regarding how it will use and protect the collected data. In fact, various laws now make such a policy mandatory.

Make sure the privacy policy recognizes:

  • Personally Identifiable Information, such as names, addresses, credit card and bank account numbers, taxpayer identification numbers, Social Security numbers, and more.
  • Customer information, including credit or debit card numbers, email addresses, addresses, phone numbers, purchasing history, employee payroll records, and more.
  • Personal Health Information, including sensitive patient information.

The Better Business Bureau offers a free copy of a standard privacy policy, which serves as a good starting point.


Does the business have a formal policy on software?

Software is the nervous system on which an enterprise runs. Often the vulnerability of an enterprise to being hacked relates directly to the vulnerability of its software.

Investing in developing sound and secure code, or installing ready-to-use software from reputed and competent vendors, helps. However, equally critical is updating the software. Regular and systematic updates to the operating system, browsers, and other installed programs, so that the latest versions are always running, are critical to prevent cyber-criminals from exploiting loopholes. Cyber attackers can exploit code vulnerabilities to infiltrate the corporate network, the best efforts of employees to adhere to security best practices notwithstanding.

While cloud services update themselves, any software installed on in-house systems needs to be checked for new versions. In today’s mobility-driven age, the need to update software on a regular basis extends to mobile apps.


Does the business adopt a layered approach to security?

A sound approach to security is to deploy layers of security controls. In such a setup, even if the attacker breaches the first or second layer, the second or third layer keeps the attacker at bay.

The basic security mechanism is still the password. Make sure all employees have their own unique login ID and unique password. A strong password, meaning a combination of capital and lower-case letters, numbers, and symbols, totaling 8 to 12 characters in length, is hard to crack. Such passwords can withstand brute-force and other attack tools in the cyber-attackers’ arsenal. To be doubly secure, avoid personal data such as birthdates and common names in passwords, taking the guesswork out of the equation. The industry standard is to change passwords every 90 days. Changing them earlier makes them even more secure.
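As an added example (not code from the original article), the password rules stated above, written as a small policy checker: length 8 to 12, all four character classes, no personal data such as the employee’s name or birthdate, and a 90-day maximum age. The sample names and dates are constructed.

```python
import re
from datetime import date

# Policy constants exactly as the article states them (constructed for this example).
MIN_LEN, MAX_LEN = 8, 12
MAX_AGE_DAYS = 90

# Each rule is a (description, regex) pair; a password must match every regex.
CHARACTER_RULES = (
    ("needs an upper-case letter", r"[A-Z]"),
    ("needs a lower-case letter", r"[a-z]"),
    ("needs a digit", r"[0-9]"),
    ("needs a symbol", r"[^A-Za-z0-9]"),
)

def check_password(password, personal_terms=(), birthdate=None):
    """Return a list of violations of the stated policy; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    for description, pattern in CHARACTER_RULES:
        if not re.search(pattern, password):
            problems.append(description)
    # Personal data check: names and similar terms, matched case-insensitively.
    lowered = password.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal data: {term!r}")
    # Birthdate check: common numeric renderings (year, day-month, full dates).
    if birthdate is not None:
        for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d"):
            token = birthdate.strftime(fmt)
            if token in password:
                problems.append(f"contains birthdate fragment {token!r}")
                break
    return problems

def password_expired(last_changed, today=None):
    """True when the password is older than the 90-day rotation period."""
    today = today or date.today()
    return (today - last_changed).days > MAX_AGE_DAYS

if __name__ == "__main__":
    # Constructed sample employee record.
    print(check_password("Susanna1985!", personal_terms=("Susanna",), birthdate=date(1985, 3, 15)))
    print(check_password("Tr0ub4dor!x", personal_terms=("Susanna",)))
    print(password_expired(date(2017, 1, 1), today=date(2017, 4, 2)))
```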

Many enterprises now deploy two-factor authentication, where a second layer of authentication follows the password. The most common second layer is an OTP sent to the registered mobile number. An alert sent to the old number, in the event that a hacker gains control of the account and changes the mobile number, warns the user of imminent fraud.

A physical token, fingerprint scan, or facial scan is also viable as a second, or even a third, layer of authentication.


Is the network locked?

“Wardriving,” a technique that exploits Wi-Fi networks, takes down many businesses. Hacker gangs roam around cities, armed with a powerful car antenna, scanning for unlocked networks or networks with poor protection. On identifying a vulnerable Wi-Fi hotspot, they make their entry and steal anything of value accessible through the network.

The best defense against wardriving is not deploying Wi-Fi networks at all, and instead opting for more secure wired networks. When Wi-Fi is inevitable, disable service set identifier (SSID) broadcast on the wireless router. With the SSID broadcast function disabled, the Wi-Fi network remains visible only to users who know the exact network name. As an extra security measure, change the name of the network periodically.

Another important consideration when deploying Wi-Fi networks is encrypting traffic using the latest encryption standards.


Is the data encrypted?


Encryption is fast emerging as the Holy Grail of cyber-security. Encrypted data is gibberish to the cyber-thief, as long as they do not have access to the encryption key. Financial institutions have already ingrained encryption into their operations. The time has come for other businesses, even small businesses, to adopt encryption as an integral part of their operations.

Small businesses would do well to consider FIPS (Federal Information Processing Standard) certified encryption. FIPS certification means the implementation has been certified for compliance with federal government security protocols. It offers an effective trade-off, providing robust protection without being too costly. Advanced military-grade encryption offers higher levels of security, but costs more.

Most modern operating systems now offer full-disk encryption tools. For example, Windows comes with BitLocker, and Mac machines have FileVault. These services encrypt every file and program on the drive. Activating these options takes only a few minutes, and there is no performance lag afterward. The catch is that the encryption protects the data only while no one is logged in, meaning the system may still be vulnerable when employees take a brief break. Setting the system to log out after five to ten minutes of inactivity preempts such a danger.

Effective cyber-security is all about paying attention to such minor and often overlooked finer points. Seemingly insignificant as they are, such gaps are all hackers need to strike big.


Is the business website secure?

The company’s website also offers a big window for cyber attackers to gain unlawful entry to the network. Cyber-criminals may exploit software bugs in the web server to execute malicious commands. Apart from the threat of confidential and sensitive information being stolen, there is also the threat of company systems being commandeered as “bots” for DDoS attacks.

The best security is configuring the server and software properly, leaving no loopholes. Default configurations are often set for ease of use, at the expense of security, and many enterprises fail to customize them based on their security requirements. Also consider removing or disabling unnecessary services, configuring resource controls, and promptly installing any additional security controls required. An effective risk assessment audit helps to plug loopholes.


Does the business take email and social threats seriously?

Most attacks are network hacks, where cyber attackers exploit some loophole in the system to gain unlawful entry and wreak havoc. However, an increasing proportion of attacks work by slipping malware into the system, through e-mail phishing, spoofing, and infected apps. Phishers, active on social media forums, WhatsApp, and other avenues, send malware disguised as official-looking documents. Enterprising cybercriminals have perfected the art of phishing, or tricking people into believing they are dealing with a trusted entity.

If an unsuspecting or gullible user clicks on the infected link, the user effectively overrides the security protocols in place and downloads malware onto the system. Such malware entrenches itself in the system to transmit data, and even provides hackers with remote control capabilities. It could also install spyware and adware, which send pop-up ads, redirect to certain websites, and monitor browsing activity on the system. Worse, keyloggers could transmit information such as passwords and account details to their command-and-control server as the unsuspecting user types it on the keyboard.

Make sure employees across the board are aware of safe browsing habits. Inculcate in them the need to take precautions, such as verifying the identity of recipients before sharing sensitive information. They should likewise refrain from clicking on links or documents received by email, unless they have requested them and they come from a trustworthy source.

Side-by-side, enforce acceptable and prohibited online activities. Install strong spam filters to send suspicious emails straight to the spam folder. Email in its native form is not designed to be secure, and as such, the enterprise needs to take extra precautions.


Does the business place special emphasis on mobile security?

With the proliferation of mobility, a good proportion of attacks are now carried out through mobile devices. The fragmented mobile ecosystem, with varying operating systems and hardware configurations, and the personal nature of mobile devices make it very difficult to implement traditional cybersecurity best practices on them.

If the enterprise allows BYOD (Bring Your Own Device), make sure an effective policy guides its use. Install the company’s security software on all mobile devices connected to the corporate network. Users connect mobile devices through unsecured public Wi-Fi, opening up a big hole in the network for attackers to exploit. To close this hole, encrypt all sensitive data. If an in-house app store is outside the enterprise budget, make a whitelist of secure and reliable apps authorized for download.


Does the enterprise give physical security its due?


Many businesses equate cyber-threats with online threats, remaining oblivious to dangers in physical form. Cyber-attackers could infiltrate the enterprise as an employee, supplier, or agent, to gain physical access to systems. They could lurk around unsuspecting employees to steal laptops or mobile devices. They could indulge in dumpster diving to unearth scraps of paper on which employees have written down their passwords. The possibilities are endless.

Consider the case of a Seattle company, where cybercriminals staged a break-in and took off with older laptops. A month later, the company found its funds siphoned off through fraudulent payroll accounts.

The basics of physical security, such as locking the room housing servers and systems, and feeding a cable through the computer’s Kensington lock port to secure it to the desk, all tip the odds against physical attackers. Physical attackers always race against time, and anything that ties them up until the police arrive on hearing the alarm is a lifesaver for the enterprise.

Laptops and mobile devices are vulnerable to theft when employees are on the move. Deploy tracking software to locate the device in such an eventuality. It is also a good idea to equip the software with remote wipe capabilities, to protect the data on stolen devices.

Very often, sensitive information, including customers’ personally identifiable information and live passwords, ends up in the trash can. Many enterprising cyber-criminals routinely perform dumpster diving, scouring trash in search of such valuable information. Invest in a good shredder, and dispose of e-waste securely. Wipe the drives of old electronic devices. Better still, remove the hard drives and memory chips before disposal.


Are employees trained?

The effectiveness of all the cyber-security measures depends on how well the enterprise can implement its plans. For employees to adopt the security protocols and best practices, they need awareness and training.

While formal training is important to maintaining security, what is more critical is institutionalizing security best practices as daily procedures in the normal conduct of business. Awareness and training are not a one-off project. They are a continuous initiative, involving sending regular security tips and best practices to employees’ inboxes, periodic audits, refresher classes, and more.

The Department of Homeland Security’s “Stop. Think. Connect” Campaign offers valuable resources for businesses to train their employees on cybersecurity basics: www.dhs.gov/stopthinkconnect


Does the business recognize the potential threat of rogue insiders?

At times, the danger lies within, in the form of rogue employees. Enterprising cybercriminals may infiltrate the company as employees or agents. Even more enterprising cybercriminals may find ways to blackmail otherwise honest employees. Loyal employees may turn renegade if they embrace some ideology, if they feel hard done by the company, if the boss ticks them off, if they didn’t get the raise they deserved, or if they were overlooked for promotion. The potential is endless.

Enterprises should always hire employees after a thorough background check, and preferably with recommendations. Once hired, give employees only the least required access.

The best security protocols work on the basis of least privilege. In other words, each employee gets access only to the resources he or she requires to carry out their work. An access policy where no person has access to a system they do not need makes for sound security practice. Clients borrowing a company laptop, a lower-ranked employee being given the admin password to tide over a contingency, and similar situations are potential red flags.

Look out for telltale signs of suspicious behavior, such as an employee lurking in corridors outside his or her area of work, an employee staying back or entering the office at odd hours, and more. Have CCTV cameras in place at all possible locations, but without intruding into employees’ private space.

Create a security checkout checklist for departing employees, regardless of the circumstances of their departure. Make sure to secure all company devices handled by them. In case of BYOD, block access to the company network. The U.S. Chamber of Commerce and security experts recommend small businesses erase accounts of terminated employees from all network devices and drives immediately after they leave.


Does the business take backups?

Small businesses would do well to back up records on a systematic and regular basis. Cyber attackers come in many forms. Ransomware attacks occur when hackers take control of the system and lock it up, demanding money for the decryption key. With a system of backups in place, the enterprise can restore the data and resume normalcy, leaving the cyber attackers in the lurch.

Sync the backup data, so that the backup always holds the latest information. Also apply encryption, password protection, and any other security measure applied to normal data to the backed-up information as well.


Is the business prepared to counter-attack?

As the adage goes, an offense is the best defense. At times, the best deterrent may be to take the battle to the enemy camp. A case in point is Mykonos web security software, which indulges in reverse-hacking. The suite provides hackers with false information too tempting to ignore, sending them on wild goose chases. The software also bogs them down with information, slowing down their machines to the point it becomes useless.

No business is safe from a cyber-attack, and all attacks sting. Research by IBM estimates the total expected cost of security breaches in 2017 at over $7 million.

A security breach of customer information or internal company information is akin to a train wreck. Disruption of the business would be the least of worries. Public loss of confidence, back-breaking regulatory fines, angry customers spreading venom on social media, and more, could sound the death knell of the business. About 66% of IT professionals are not confident of the ability of their enterprise to recover from a cyber-attack.

Raising the stakes further, reports suggest cybersecurity is increasingly becoming a driver of consumers’ purchasing decisions. No amount of preparation or investment in cyber-security is a waste.

About the Author:

Susanna Varghese has been involved in the field service industry for more than 4 years. She has been providing marketing tips for field service businesses across the globe. She loves to read about the latest updates on digital marketing, and is an ardent fan of Arsenal. She is currently working at ReachOut Suite. You can reach her at these social sites: Twitter, LinkedIn.