A recent IBM report puts the average cost of a cyber-attack for an SMB at approximately $2.64 million. A single security compromise event can be devastating, often fatal, for a lot of these companies.
Below, we take a look at the top mistakes SMBs are making when it comes to security.
Don’t Think Hackers Have Bigger Fish To Fry
A lot of SMBs assume that they are too small to be of interest to hackers. This is a false and dangerous assumption. Most of a hacker’s effort is in the upfront design of the threat, which once completed, can be unleashed by automated routines running 24/7/365 that scour the web for prone devices. If your office has Internet, then it is a target. Hackers are also aware that smaller businesses have fewer resources to spend on security. So, SMBs are targeted more often. Not only that, but the rate of successful compromises is much higher in SMBs than in larger companies.
No Multifactor Authentication
A cornerstone to preventing cyber-attacks is implementing multifactor authentication (MFA). Creating a process of secure login access that combines
- something a user knows e.g. a password
- something a user has e.g. your smartphone, security ID badge, hardware token.
MFA should not only be in place for email access but for all cloud services. All remote access to your office network should also use MFA. With more and more employees working remotely from different locations, using different devices, MFA is more critical than it has ever been before.
Attempting To Do Everything In House
Employees in SMBs tend to wear many hats which causes some job responsibilities to overlap. A salesperson may handle accounting, a designer might help with marketing, and a tech-savvy executive might handle IT. However, the complicated and ever-changing landscape of Cybersecurity needs dedicated focus from an expert(s) with lots of relevant experience. Because the cost of failure in IT security is so high, SMBs need to look to Managed Service Providers (MSPs) to mitigate this cost.
Ignoring Endpoint Security
In the past network security was mainly focused on your network perimeter, your firewall. Nowadays, cyber-attacks focus on the endpoints and the users of these devices. Hackers don’t hack firewalls anymore, they hack your employees, getting them to open that phishing email or click on that web link. Over 75% of today’s security breaches in SMBs happen on the endpoints. Anti-virus software is not enough. SMBs need an Endpoint Detect And Response (EDR), or an Extended Detect And Response (XDR), solution running on all their endpoints that are pro-actively monitoring for, and automatically killing/suspending, any malicious processes as soon as they appear. Not having endpoint protection can create a huge, unnecessary risk.
Not Installing Software Updates
Change or die. That ‘updates available for install’ message that your employees have been ignoring or cancelling because they don’t want to reboot their machine or deal with new OS changes could be the death of you. Software companies dislike having to issue updates just as much as companies dislike installing them, but they have to. Why? Because all security updates are driven by active real-world security threats to the software and, by extension, to your company. Installing all security software updates promptly or, better still, having a system that does it automatically for you is essential to protecting your business.
Your data is your lifeblood. Make sure you protect it adequately. This means a reliable, robust, and inclusive backup process. Local backups should be combined with remote hardware and/or cloud backup for comprehensive disaster recovery. Data that is changing daily will need more incremental backups than data that changes less frequently. Fully machine ISO image backups can be combined with network shared folder backups, make sure you know which combination is the most efficient and cost-effective for you. Data usage and its network location can change, a backup system that is not tracking these changes can give a false sense of security which may be even worse than having no backup at all. Regular backup audits and recovery simulations are critical to maintaining a healthy backup system. Finally, for cloud file-sharing services, do not assume your files are being backed up properly by default. A third-party backup system is needed more often than not.
Trusting The Cloud
The idea that the cloud is by default more secure than your office network is a fallacy. Like most technologies, cloud services are only as secure as you configure them to be. Enabling MFA, as we mentioned earlier, across all cloud services is a must. Restricting cloud access to specific internet addresses, like your office IP or certain remote location IPs, can also help cloud security. Configuring effective spam blocking policies in your cloud email service can block phishing/ransomware emails from getting into your employee’s inboxes. Make sure you configure or hire someone to configure, your cloud security in a way that best protects the data you store there. Do not assume the cloud security defaults are enough.
Brute force password attacks are the #1-way cyber criminals spread ransomware today. A single ransomware attack can cost you millions. Creating effective password policies is the only way to combat these attacks. Recommended password policies are changing, for example, focusing on increasing password length can be more secure than prioritizing the use of symbols, a 16-character passphrase made up of letters and spaces can be much more secure that an 8-character phrase combining letters, numbers and symbols which may also be more difficult to remember. Do your research and define the best password policy for your company. And enforce it religiously.
Security should be a high priority for your business, no matter your company size or sector. InfoNetworks, and their highly skilled security team, can help assess, deliver, and 24/7/365 maintain/audit, all of your security needs.