Welcome to our “Understanding Cybersecurity” series of blogs! This series is focused on providing explanations of cybersecurity terms and concepts in layman’s terms. We want to “demystify” the world of cybersecurity, one topic at a time. Our team believes that a unified cybersecurity community is the best way to defeat cybercrime. One of the main issues we run into when speaking with organizations is the lack of a common vocabulary when it comes to cybersecurity. This series should help act as a reference point for both technical and non-technical readers.
Top Cybersecurity Mistakes Made by Small Business
Small businesses are in a historically unique position. The move towards cloud services and affordable technology has enabled businesses of all sizes to utilize a similar set of tools. This leap in capabilities can provide a “mom and pop” shop with integrated marketing, billing, and tracking services via affordable devices and solutions. However, these evolutions do not come without risk.
Cybercrime has become a critical issue affecting organizations of all sizes. While available tools and services are now similar for any business size, large organizations can often leverage their expanded staff’s capabilities to gain an edge in cybersecurity. Smaller businesses and organizations can run into budgetary, staffing, and time issues when it comes to improving cybersecurity posture. This post will cover some of the top mistakes made by small businesses when it comes to cybersecurity.
1) Too Much Trust for Internal Users
Perhaps the single biggest mistake made by businesses of all sizes is the implicit trust granted to users. While it seems nearly impossible, insider threats are a huge factor in cybercrime. Organizations often give their users wide-ranging permissions without properly evaluating if they are necessary. It only takes one disgruntled employee with too many permissions to cause catastrophic damage to a business. Over-permitted user accounts can also be hijacked by attackers and cause significantly more damage.
Principle of Least Privilege: All users should be placed into appropriate roles within your tools and systems. These roles should only have access to the assets they need to properly fulfill their core job functions. Sparingly hand out administrator roles and monitor their usage heavily. By carefully controlling which accounts can perform invasive actions, organizations gain the ability to narrow down potential threat avenues.
2) Backup is Not Enough
Far too often, organizations feel that their backup solution will be adequate in the case of a cyberattack. Attackers know that business owners think this way. Ransomware commonly checks for backup locations and attempts to encrypt these alongside the standard encryption occurring on the endpoint. Recovering an entire network is more advanced than simply reverting to backup. There are no guarantees that the backups themselves do not contain malware that was simply dormant at the time the snapshot was taken.
Disaster Recovery Tip: Never assume that backups are enough. Organizations should research “Disaster Recovery as a Service” solutions to ensure that their data is backed up offsite within redundant locations. These services often include detections and controls for ransomware attacks, preventing further changes and securing the backup images. Restoration from attacks is much quicker when leveraging dedicated Disaster Recovery solutions.
3) Lacking Centrally Managed Anti-Virus and Patching
The ugly truth behind conventional endpoint management is that most organizations have no validation on the update and installation status across their assets. Devices such as laptops, desktops, and servers are also incredibly vulnerable to attacks based on their protection status. Traditional antivirus lists a plethora of advanced features but often lacks a central management portal focused on endpoint compliance. By not tracking patch status and AV across all assets, companies are leaving holes in their primary security solutions.
Assess and Remediate: A third-party or internal assessment can help discover gaps in endpoint protection and patch status. Take the time to truly evaluate your devices and check that they are as protected as you believe. There is no shame in having cybersecurity gaps – assessors exist to help discover these opportunities for improvement.
4) Unaware of Breach
One of the first questions asked in a standard Cybercriminal Incident Response engagement is the basic timeline of the malicious activity. Unfortunately, it is not uncommon to discover that the attacker has been in the network for a significantly longer time than initially believed. Small businesses often lack the tools necessary to detect suspicious activity once the attacker has made their way into a network.
Watching the Gates: All businesses benefit from the mindset that they have a standard baseline of expected activities and that anomalies are inherently suspicious. For example, if your organization uses an email service that tracks login location, time, and device, you can establish a baseline for normal activity. Whenever an anomalous login occurs (for instance, outside the country at 2AM local time), an investigation can be performed. These rapid anomaly investigations take relatively little time and can help prevent a small incident from reaching critical mass.
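The baseline idea above can be sketched in a few lines of Python. This is an added example, not code from any particular email service: the record layout (user, local timestamp, country, device), the sample data, and the one-hour slack are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample history: (user, local ISO timestamp, country, device)
HISTORY = [
    ("alice", "2024-03-04T08:55", "US", "laptop-01"),
    ("alice", "2024-03-05T09:10", "US", "laptop-01"),
    ("alice", "2024-03-06T17:40", "US", "phone-07"),
    ("bob",   "2024-03-04T07:30", "US", "desktop-02"),
    ("bob",   "2024-03-05T18:05", "US", "desktop-02"),
]

def build_baseline(events):
    """Per user, record the countries, devices and login hours seen so far."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device in events:
        entry = base[user]
        entry["countries"].add(country)
        entry["devices"].add(device)
        entry["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def check_login(baseline, event, hour_slack=1):
    """Return the reasons a login deviates from the baseline (empty = normal)."""
    user, ts, country, device = event
    if user not in baseline:
        return ["no baseline for user"]
    entry = baseline[user]
    reasons = []
    if country not in entry["countries"]:
        reasons.append(f"new country {country}")
    if device not in entry["devices"]:
        reasons.append(f"new device {device}")
    # Assumption: a simple daytime window; overnight shifts would need a
    # wrap-around window instead of min/max.
    hour = datetime.fromisoformat(ts).hour
    earliest = min(entry["hours"]) - hour_slack
    latest = max(entry["hours"]) + hour_slack
    if not earliest <= hour <= latest:
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons

BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    # Constructed new logins; the second mirrors the 2AM out-of-country case.
    for login in [("alice", "2024-03-07T09:30", "US", "laptop-01"),
                  ("alice", "2024-03-08T02:15", "RO", "unknown-99"),
                  ("bob",   "2024-03-08T12:00", "US", "tablet-03")]:
        print(login, "->", check_login(BASELINE, login) or "normal")
```

A login that returns several reasons at once is the one to investigate first; a single reason such as a new device is often just a replaced phone.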
5) “We are not a target”
Cybercriminals of all sorts would love companies to believe that they are safe. The truth is, no one is exempt from cybercrime. In fact, attackers often target smaller organizations because they generally have a less secure network. All technology in a business is both an asset and a liability – proper protections are not relegated exclusively to larger organizations.
Staying Safe: Practice proper cybersecurity hygiene, no matter the size of your organization. It only takes one rogue event to massively impact reputation and finances. Look into appropriate cybersecurity expectations for your industry and try to follow compliance guidelines where applicable.
As our technology stack evolves, new challenges will present themselves. Threats come in all shapes and sizes, but modern attackers generally follow a “path of least resistance” when it comes to achieving their goal. A small business’s cybersecurity would be considered above average if the business can genuinely evaluate the above list and validate that these critical risks are mitigated. Cybersecurity can feel overwhelming at times, but it is vital that the community start taking threats seriously. When one company is successfully attacked, everyone loses. Take the time to evaluate your security and determine where you have gaps – the best time to become secure is now.