Information Security / SMB security mistakes you cannot afford to make
SMB security mistakes you cannot afford to make
19 March 2019
Terry Hearn outlines the top security mistakes that small and medium-sized businesses cannot afford to make.
High-profile data breaches at the likes of British Airways, Facebook and T-Mobile are becoming increasingly common. The attacks are typically opportunistic in nature and are designed to inflict the most disruption possible. But while this means large companies feature more heavily in the headlines, it doesn’t mean big names are the only targets – everyone is.
The biggest difference is that while larger companies should have the capacity to survive a breach, small businesses are less likely to have the financial strength to recover. The National Cyber Security Alliance estimates that 60 percent of SMBs that are hacked go out of business within six months.
Despite these risks, it is not always possible for small companies to stay on top of security as the day-to-day of keeping a business running can dominate their limited resources. But an insufficient focus on security can lead to critical mistakes. By identifying some of the simplest errors that businesses can make over their security strategy, SMBs will be able to better prepare and minimise potentially costly errors.
Also of interest: European Union’s new Cybersecurity Act: All you need to know
The Small Business Cyber Risk Report found that 47% of SMBs in the US, UK and Europe have been breached at least once in 12 months. Many of these breaches are likely to have come from exploiting vulnerabilities that could have easily been patched.
It may sound like a simple task, but when you consider how many internet-connected devices are on the network, checking every system is updated and patched could become a long and arduous task. For this reason, updates may not always be implemented immediately, instead they may be updated every 3-6 months, perhaps on a rolling basis.
Often patches are released because a vulnerability has been identified and requires an immediate response to reduce risk. The first step hackers are likely to take after a patch is announced is to seek out those who have not updated their system, as they will still be susceptible to the attack. Leaving this threat without a patch could undermine the entire network’s security – and any security system is only as secure as its weakest link.
Also of interest: Manufacturing cyber security – the Brexit lookout
Failing to secure endpoints
With the number of internet-connected devices growing rapidly, the use of laptops, tablets and smartphones for work mean that more devices than ever are connecting to your business network. From failure to patch, to connecting to unsecured networks and using weak passwords, mobile working can bring a number of significant weaknesses to your defences.
One solution is mobile device management (MDM), a form of endpoint security tool. This will provide remote access to ensure that updates are implemented, security software is in place and that devices can be located, remotely locked or even wiped should they be misplaced or stolen.
It is vital that mobile endpoints are as secure as those in the physical office. Implementing a bring your own device (BYOD) policy can ensure that staff are clear on the expectations around accessing company data on personal devices, including the importance of adhering to best practices such as using two-factor authentication.
Also of interest: Is a zero trust approach to security really necessary?
Not restricting access permissions
In many cases it is common for members of staff to be given admin privileges or access to areas of the company’s network when it is not required. This is a dangerous move, not because of a lack of trust towards staff, but simply because the fewer devices that have permission to access the business’ most sensitive data, the safer it will be.
A user’s individual account might be breached, but if it does not have sufficient access privileges, hackers will have to find another route to access the sensitive data they are looking for.
User access should always be limited to the files and resources that each member of staff requires to complete their specific tasks. This should apply at all levels of the company, and seniority should not necessarily mean greater access permissions unless it is essential for their role. Aside from dedicated IT staff, a secure network will have very few people who have universal access to the entire network.
The same rules should be applied to contractors and former members of staff. As soon as their need to access company data is over, their access should be immediately revoked to keep the number of active accounts to a minimum.
Also of interest: Top five human errors that impact data security
The number of SMBs that suffer each day are alarming. A Hiscox survey revealed that UK SMBs face an average of 65,000 attempted attacks per day. You will already have learned this if you've been the victim of an attack in the past, but backups are crucial for minimizing data loss in the event of a breach.
Ransomware attacks, in which the victim’s data is encrypted until a release fee is paid, are incredibly threatening to a small business who may feel the only solution is giving in to the demands. But in 45% of cases, those who paid the ransom still did not see their data returned.
Thankfully there is a simple solution. By keeping full data backups, all that a SMB will have to do is restore the data from a backup and wipe the infected devices. While this is an inconvenience, it is certainly preferable to losing your data entirely, and this strategy helps as many as 72% of victims to retain their data.
Also of interest: How to train your staff so the knowledge will sink in!
Not training all members of staff
One of the most common causes of a data breach is human error. Hackers know this and that means that they will be looking to capitalize. Phishing attacks, which can bank on tricking the user into replying to an official-looking email, are still highly effective.
This is the type of threat that cannot be stopped with antivirus software. The key to data security is making sure that every single member of staff is trained on topics of cyber security and best practices. With so many personal devices being used, the responsibility for data security has become universal and is not longer just the concern of the IT department.
By providing staff with sufficient levels of training they will be able to minimize personal errors that could lead to a breach, identify risks and be confident enough to flag suspicious content.