Cybercriminals are lots of things: reprehensible thugs, shameful crooks, deplorable miscreants – the list goes on. However, they are also patient, persistent, and adaptable.
The world's cybercriminals don't discriminate, either. It doesn't matter what your business does, how big it is, or the industry you operate in, your SMB faces significant – and growing – cybersecurity risks.
That's the bad news. The good news is there are things you can do about these that will protect your company in 2022 and beyond. Eight of the most important are below.
1. Compromise Convenience for Security
Technology has probably brought multiple benefits to your business. One of those benefits is likely to be convenience. For example, it is now much easier for you to get the accurate, real-time information you need to make decisions. Communication is also easier, and your team can operate effectively wherever they are in the world.
By beefing up security in your organization, your systems and data will become a little bit less convenient to navigate and access. However, these are justifiable compromises to protect your SMB from a cyberattack.
Importantly, this acceptance of a little bit less convenience in favor of improved cybersecurity should come from the top of the organization, i.e., you and other C-suite executives. If leadership asks for exceptions to MFA or access rules, everyone else will too. Everyone has a role to play in cybersecurity.
2. Implement Multi-Factor Authentication
Multi-factor authentication (MFA) is typically an easy and inexpensive security measure to put in place. It involves users identifying themselves with more than just a password when accessing your systems. In most cases, they will need a username, a password, and a second factor such as a one-time code from an authenticator app or a hardware security key. Not all second factors are equal: codes sent by SMS can be intercepted or phished, so app-based codes or hardware keys are the stronger choice where you can use them.
This is a good example of a slight inconvenience that will make a big impact on cybersecurity, so it is important MFA is applied across the entire organization.
That said, one way you can improve the user experience is to implement MFA together with single sign-on (SSO). With SSO, you use one login to access multiple applications. Because that one login then unlocks everything, MFA has to be enforced at the SSO identity provider itself, not just on individual applications.
3. Shift from Internal to Externally Managed Cybersecurity
Your technical resources are focused on managing your IT infrastructure, protecting your digital assets, and ensuring you have the performance and capabilities you need today and in the future. Cybersecurity is too big and complex to add to this mix.
Some organizations try to deal with this reality by signing up multiple vendors to deal with different aspects of cybersecurity. This results in a disjointed effort, where lines of responsibility are blurred, and important elements are missed.
The best approach is to outsource cybersecurity to an experienced MSP. Your MSP will take a holistic and proactive approach to protecting your systems and data. This includes using their expertise and knowledge of the threat landscape, in addition to automated tools to maximize protection for your company.
Other key areas where an MSP can make a real and immediate difference in cybersecurity include vulnerability identification and management, and DNS security.
4. Train Everyone on How to Protect Your Organization from Cybersecurity Threats
Imagine this scenario: you receive a call from your boss. It’s the CEO of your company or maybe a VP or president of your parent company. You recognize them instantly when they get on the phone. They then ask you to send a couple of hundred grand to pay a supplier. It's a bit of a strange request, but the person on the other end of the phone is running the company… aren't they?
This is the situation encountered recently by the CEO of a UK energy company. He thought the phone call he received was from the boss of his parent company, so he sent the money.
Only it wasn't his boss. Instead, cyber attackers had used AI technology to fake the voice of his boss, tricking the UK CEO into sending the money.
This story demonstrates the sophistication of many modern cyberattacks, but it also lays bare the fallibility of humans.
The fact is the list of cybersecurity risks that can be attributed to human error is long – really long. Here are some examples:
- Mis-delivery, i.e., mistakenly sending information to the wrong recipient, from confidential company data to individual contact information.
- Re-using the same password for multiple services, particularly if an employee uses the same password for both work and non-work accounts.
- Not protecting passwords or sharing them with others deliberately.
- Using passwords that are easy to guess.
- Failing to install security patches, although this is sometimes a procedural failure rather than human error.
- Using unauthorized software, especially on mobile devices.
- Opening email links without checking if they are phishing attacks.
Human error accounts for a significant proportion of cybersecurity breaches. According to some research, as much as 85 percent of data breaches are the result of human error.
We'll level with you – mitigating this can be frustrating. It needs to be done on two fronts:
- Reducing opportunities for error – points 2 and 3 above (company- and system-wide MFA, and outsourced cybersecurity) help here, because a reused or guessed password on its own is no longer enough to get in.
- Helping staff avoid errors – by providing regular cybersecurity training to enhance awareness and skills.
5. Focus on Endpoint Security
Centralized protection of your network is a key component of cybersecurity, but it is only part of the picture. Endpoint security is essential too.
In cybersecurity jargon, an endpoint is any device that connects to your network: end-user devices such as phones and laptops, and also devices outside your network that are connected to it or can connect to it, such as a fleet management system installed in your company's vehicles.
These devices create a security risk on their own, but how they are used can also increase your company's risk level. For example, an employee working on the go may connect to a public Wi-Fi network in a coffee shop, where other users of that network may be able to observe or tamper with the device's traffic.
The number of devices used outside centralized networks was already growing before Covid-19; the pandemic, new technologies, and the push for digital transformation have accelerated that change. These endpoints need to be secured, and device management policies should be put in place covering, at a minimum, disk encryption, automatic patching, and the ability to lock or wipe a lost device remotely.
6. Optimize Access Control
Today's access control systems are highly sophisticated, giving you a granular level of control over who can access what and where. The key point is how you use these access control tools.
The best approach is to give your employees access only to the systems and data they need for their role (the principle of least privilege), and to review those permissions regularly, especially when someone changes role or leaves.
Implementing a strict access control policy will help to protect your organization in a number of ways, including limiting the harm from deliberate attacks by employees and others with legitimate access to your systems and data, and limiting how far an attacker can get with one compromised account.
7. Optimize Your Backup Processes and Policies
According to research by IBM, ransomware is the most common type of cyberattack. Knowing this, the next step is to find out what you can do to stop a ransomware hit from crippling your company. The points above will all help, but the number one recommendation concerns backups.
According to the Cybersecurity & Infrastructure Security Agency (CISA), maintaining backups is the main ransomware protection you should implement (backups help protect you against other threats too).
However, there are backups and there are backups, so simply running a backup is not enough. Instead, you need to make sure your company is following some essential best practices:
- Backups should be stored offline, or in storage that cannot be modified from the network, so attackers who get into your systems can't find and delete them before encrypting your data
- Backups should be encrypted, with the encryption keys kept separately from the backups themselves
- Backups should be taken regularly, so that the most up-to-date information is included and you lose as little work as possible in a restore
- Regularly test restoring from your backups, to confirm the process works, that the restored data is intact, and to learn how long a full restore actually takes
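The last point, testing restores, is the one most often skipped. Here is an added example (not code from the original article or from Amoeba Networks) of a restore test for a simple tar.gz backup: it records a checksum of every file at backup time, restores the archive into scratch space, and reports anything missing or altered. The sample files and the "new-report.txt" created after the backup are constructed for the demonstration. Encrypting the archive and copying it to offline storage are left to the backup tool; this script only covers the "does it restore, and is the data complete" check.

```python
"""Restore test for a tar.gz backup: back up a directory, then prove the archive
restores cleanly and every restored file matches what was backed up.

Added example. Encryption and moving the archive offline are the job of the
backup tool; this covers the "test your restores" step only.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map of relative file path -> SHA-256 for every file below root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write source_dir into a gzip'd tar and return the manifest taken at backup time."""
    source_dir = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source_dir).as_posix())
    return manifest(source_dir)


def restore_test(archive_path, expected):
    """Extract the archive into scratch space and compare it with the expected manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to 3.8.17+) refuses entries that
            # would write outside the target directory; older versions lack it.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = manifest(scratch)
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(name for name, digest in expected.items()
                       if name in restored and restored[name] != digest)
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def demo():
    """Constructed sample data: a good restore, then a stale backup missing a newer file."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,42\n")       # constructed sample
        (src / "notes" / "todo.txt").write_text("renew certs\n")   # constructed sample
        archive = Path(work) / "backup.tar.gz"
        expected = create_backup(src, archive)
        fresh = restore_test(archive, expected)
        # A file created after the last backup ran is not in the archive,
        # which is exactly what a restore test should surface.
        (src / "new-report.txt").write_text("q3 numbers\n")        # constructed sample
        stale = restore_test(archive, manifest(src))
        return {"fresh": fresh, "stale": stale}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run this on a schedule against the newest real archive and treat a non-empty `missing` or `corrupted` list as an incident, not a curiosity: a backup that cannot be restored is the same as no backup when ransomware strikes.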
The final point is to invest in cyber insurance to transfer some of the financial risk, minimize losses, and help you recover quickly from an attack. Remember, though, that insurance does not stop an attack from happening and insurers increasingly require controls such as MFA and tested backups before they will cover you, so cyber insurance should be viewed as worst-case scenario protection. Preventing cyberattacks is always the best option.
Cybersecurity is a huge area, so you need the best advice, expertise, technology solutions, and training. At Amoeba Networks, we provide all this and more. Contact us today to discuss your approach to cybersecurity and how we can help increase your level of protection.