We are on a journey of highlighting industry specific security risks and tips and best practices for a stronger security environment. From healthcare, manufacturing and education to financial services, public sector and energy & utilities – we’ll take a closer look at the risks and how to mitigate them in this Friday series. Today we’re looking at the security risks and tips for small- and medium-sized businesses.
Are small businesses too small to be a target of cyber attacks? That’s like asking if your business information is too irrelevant to appeal to hackers. And the answer is: No, definitely not. In fact, small businesses are often most lucrative because they are the path of least resistance.
The common assumption by SMBs that they are too small to be of interest is a dangerous one. In March of 2021, Vodafone published research that suggests that over 1 million small businesses would go bust if they were targeted by hackers.
Small organisations cannot always afford to pay ransom payments, but also don’t have enough reserves to survive an ongoing disruption of service.
The sad truth is, small and medium businesses are frequently the subject of attacks and with relative success, be it by malware injections, data breaches, or brute force login attempts.
5 top security risks for SMBs
First, let’s explore the question of why small- and medium-sized companies are impacted more rather than less than their larger counterparts.
1. There are often no dedicated security resources
Smaller businesses are less likely to have a dedicated resource for information security, e.g. a Chief Information Officer (CIO) or Chief Information Security Officer (CISO). Security often remains at the bottom of the priority list and is sometimes even forgotten about completely. Without resources a data breach is more likely to go unnoticed for an extended period of time.
2. They are working with (much) smaller budgets
Smaller businesses are less likely to have big budgets, so may try to save costs around security. Until there is an attack or data loss, it may not seem obvious why security investments are worth their cost. When tough choices have to be made about where company leaders should invest their funds, other priorities that can yield a more visible immediate return take precedent.
3. The company has been set up without security in mind
Smaller businesses have often been established and set up by someone that is an expert in their respective field, so the setup does not necessarily reflect security best practises. Security might suffer at the hands of other needs and workflow efficiencies.
4. They have little – or no – emergency funds
A data breach will impact smaller businesses more than enterprises, who may have access to bigger funds for data ransom payments or can survive longer periods of revenue loss.
5. The limiting effects of a data breach can be devastating
When a breach happens, it can stop all work processes, effectively rendering the company unable to do any business. As a small company, it is often not possible to move to another division, server, or country base to ensure business continuity.
There are many more reasons, and they are of course not applicable to every SMB or SME. It’s important to note there are some smaller players that excel when it comes to security (well done you!).
However, when a small company is not prepared for a cyber attack, the consequences are severe. Not only can an attack hurt a small business more than a large enterprise, but they are often more frequently targeted with relative success. They may be small, but if the effort to breach is worth the pay-out, have no doubt that malicious actors will try their luck.
Top security tips and best practices for SMBs
So, what can businesses do to establish a secure environment? As always, it boils down to a combination of measures, and one alone is not enough.
Documentation
Many times, a small or medium business appoints one person to be responsible for the information security setup. And if this person leaves? Things fall apart. It’s crucial to document processes and establish protocols so a change in personnel doesn’t mean a threat to security.
Safe passwords/Multi-factor authentication (MFA)
123456 isn’t a safe password. Neither is Password123. Recommendations are that a password should consist of a combination of a minimum of 12 letters, numbers, and special characters, forming a word you can't find in a dictionary. So fiI3d%j”)40M could be a good choice. It’s equally important to keep those passwords safe, either by memorising them or by using a password manager. A multi-factor authentication approach (e.g. using a combination of a username, a password, a fingerprint and/or a one-time text message code) makes the login credentials even more secure.
Employee training
Your employees are your last barrier but can also be your weakness. After all, it’s only normal that humans make mistakes. Make security training a priority. Equipped with knowledge and strategies employees will stop to think when a malware or spear phishing attack hits their inboxes.
It’s also important to give guidelines on BYOD (Bring Your Own Device). Are employees allowed to install company systems on their own devices, can they access your network and WiFi? Will you be able to remove them, should they leave the company?
Multi-layered security approach
Security is never a one-size-fits-all, nor will one single tactic protect you. Invest in antivirus software and antispyware. Set up firewall protection. Manage access with multi-factor authentication. Encrypt your data at rest and in transit. Sign your documents and emails. All of these building blocks will help build you line of defence. Once it is all set up, make sure you keep everything updated regularly.
Backups
When it comes to data backups, remember two things: a) Keep them up to date regularly and b) back up more than once to different sources.
The big hacks get the most press – think the recent Exchange Server vulnerabilities, the big Twitter hack or when Healthcare provider Magallan was attacked. But just because they are most talked about, doesn’t mean smaller businesses aren’t being attacked.
GlobalSign can help your small or medium (and also large!) business to develop a strong security environment. Get in contact to speak to one of our experts about your requirements.
