How can businesses that lack the resources and technological expertise of large organizations hold the line against cybercriminals?
Running and growing a business is hard work even in good times, but times of crisis bring a fresh crop of challenges. And as our reliance on technology for so many aspects of our lives increases, so does the realization that global or even regional crises and emergencies will ultimately have ramifications in the digital realm.
Two years ago, many lives and livelihoods were suddenly left hanging in the balance with nary a warning. The COVID-19 pandemic revealed our collective fragility and the inevitably pell-mell rush to off-site working put the resilience of many businesses to the test, all the while creating fertile ground for cybercrime.
The pandemic hasn’t run its course yet, and cybersecurity practitioners are sounding the alarm about another global hazard – the risk of major cyber-fallout from the war in Ukraine that may disrupt the operations of organizations in the world and in some cases trigger a cascading crisis.
The risk is acute for government agencies and multinational corporations all the way to perhaps the most vulnerable – small and medium-sized businesses (SMBs). Devoid of the resources of their larger brethren, small companies may find it particularly difficult to defend themselves against cybercriminals or to bounce back from a successful attack.
Small fish in a big pond?
With much of the media coverage focused on truly big security breaches, many small business owners might be forgiven for thinking that they’re safe. Far from it. These days, no company is too small to be noticed by the criminally-inclined – or become collateral damage from attacks aimed at other targets. Too often, companies fall victim to attacks that are indiscriminately deployed at scale to haul in a bigger catch.
SMBs are known to be the sweet spot of cybercrime, having more assets and money than consumers, but less sophisticated cyber-defenses than bigger enterprises. Regardless of their size and stage of preparedness, businesses should regularly evaluate their incident response capabilities, even more so in times of increased risk.
A matter of survival
If your company is only now assessing its security risk, it is safe to assume your security posture is at a fledgling stage. There are, however, a few simple steps that you can immediately take to protect your data and the data of your employees:
- Make an inventory to assess your risk: If you don’t know what you have, you can’t protect it. Maintain a list of all your hardware: PCs, laptops, mobile phones, routers, and printers. Include also your digital services, software you use, bank accounts, and cloud services such as Google Docs and iCloud. This inventory will make it easier to know where and what could go wrong.
- Define your security policies: Safety and good leadership go hand in hand. Make sure you communicate to your employees why this is an important topic, why only authorized staff can enter the office, or why they should not use personal laptops or other devices to access work data. If they work remotely, explain why they should be careful when connecting to public Wi-Fi hotspots.
- Set up your controls: To ensure that the policies agreed upon are being implemented, it is important to put IT controls in place. A foundational step is to set a unique username and password or passphrase for each employee to access their laptop and the company’s intranet. Set out the protocol that workers should follow in case they encounter any kind of security issue or incident. You should also use security software to protect employees from malware. Finally, consider using encryption to prevent data from being accessed and read by an attacker and two-factor authentication to provide an extra layer on top of the password.
- Test your security policies: With the previous steps taken, your company already benefits from a certain level of protection. But you need to make sure all steps have been well adopted and that they offer a smooth response in case of an attack. Keep in mind that you need to make sure employees use strong and unique passwords.
- Educate: Increasing employee cybersecurity awareness is a long-term effort. Even well-informed workers might fall for simple phishing emails. An effective security strategy depends on your leadership to inform and educate employees.
- Keep testing: Once you’ve been through the previous steps, don’t let your guard down. You need to reevaluate your processes at least once a year or more often during periods of crisis. Make sure that your employees maintain compliance with your guidelines, all your software is up-to-date to stay safe from known vulnerabilities, and to disable or remove the accounts and access of employees who have left the company.
The key to resilience
IBM’s Cost of a Data Breach Report 2021 revealed an increase of 10% from the year prior in the average cost of a data incident, corresponding to a total of US$4.24 million – an amount that covers legal, regulatory and technical expenses caused by malicious attacks to the 537 companies under review. Such an amount is much higher than the investment that companies could make to avoid similar situations.
Following these simple steps will take your security to the next level, but expect attacks to happen. When they do, know who to call for support as threats can show themselves in different shapes and forms. Remember that your client’s data is just as valuable to you as it is for the attackers. They can use it for illicit purposes, share it online to damage your company’s credibility, or steal it to pressure you to pay a ransom. Also, they can simply wipe it out with no apparent motive and seriously harm your business.
Times are tough. Business owners need to add a few more concerns that were not part of their security checklist just a short time ago. But don’t be overwhelmed, making sure that your passwords are strong and your employees understand the need to follow your security policies is a good starting point.
by André Lameiras, ESET