Cybersecurity and Small Businesses
The record-high cyber attack earlier this month on a major IT management software company, with a ransom of US $70 million dollars, brought cybercrimes to a new height. Cybersecurity has never been a burning issue for small businesses like it is today.
There is a misconception that cybercrimes target only big fishes however, the vast majority of affected companies in the most recent attack were small businesses. We know of businesses with just a few computers that were hacked and locked by ransomware. In many ways, small businesses are often easier targets for cyber criminals as they do not often have proper protection for their digital assets. Hence, cybersecurity is a matter that small businesses cannot afford to ignore.
While small business owners might be thinking: “My budget is very tight, there is not much I can do about tightening my cybersecurity.” There are many actions small businesses can take to boost cybersecurity without breaking the bank. Let us start with simple ones:
- Enforce a password policy. As a conventional authentication approach, passwords will stay with us for a long time. Companies should make sure passwords are long and contain multiple categories of characters. They should prevent reuse of any passwords and change passwords periodically. Additionally, they should roll out a Password Management software, as hundreds of unique passwords are impossible to memorize and enable Multiple Factor Authentication (MFA) on the Password Manager to safeguard their password database.
- Set up MFA wherever applicable. Passwords can be compromised by brute force attacks or be stolen. With extra authentication factor(s) in place, such as an Authenticator App on your smartphone, the odds of passwords being compromised is much smaller.
As for MFA factors, security keys are preferred if supported by an IT system, otherwise an Authenticator App or even an unsecure SMS is still better than no MFA.
- Deploy Endpoint Security software on all computers. While built-in programs can frequently defend software, additional third party endpoint security software is recommended to protect entry points of end-user devices like laptops and desktops.
- Encrypt Hard Drive or SSD. Without encryption, the Hard Drive or solid-state drive (SSD) could be pulled out from computers for data to be accessed and exploited.
- Patch! Ensure the use of all software release patches. It is tedious to manage patches, and sometimes patches bring up more troubles, however software patching in general is necessary for computers in the workspace.
- Always backup! Backup three copies or more, using different technologies, different hardware, and different vendors. This reduces the odds of simultaneous multiple failures. Companies should test backups routinely, as backups may not necessarily work.
- Educate staff on cybersecurity. . Educate staff to create a cybersecurity consciousness. Additionally, make the IT policy clear to all staff and provide refresher training every few months.
A bit more advanced…
- Deploy a Unified Threat Management (UTM) system. UTM is an all-in-one Cybersecurity management system; it manages Firewalls, Antivirus, Anti-malware, Anti-spam, Anti-Ransomware, APT blocker, URL Filtering, etc. in one place, thus greatly simplifies the install and configuration, and cuts costs.
- Secure VPN. As Work from home becomes the new normal, one approach to safeguard remote computers is to establish VPN tunnel from the computers to firewall/UTM, disable split-tunnel. We suggest authenticating users with certificates instead of passwords and setting up a second authentication method for VPN profiles.
There are no magic pills to securing small businesses from cyber crime. Ultimately, it is diligent IT management that is the best course of action. If a company cannot protect itself on its own, talk to a local Managed IT Services Provider such as Turbo IT Solutions out of Vancouver.