Cyber criminals look for the easiest score with the most reward, and they are increasingly focusing on small and medium businesses (SMBs). Given that April 30 – May 6, 2017 is US National Small Business Week, we offer some basic advice on the cyber security risks that small businesses may face. After canvassing some of our partners and advisors, we summarize the top cyber threats placing SMBs at risk as follows:
- Stolen identity credentials
- Phishing attacks
- Lost devices with sensitive information
- Trusted insider threats
We will review each of these and the “cyber defenses” you can use to lessen these risks and avoid being too easy a target.
Stolen identity credentials, such as usernames and their corresponding passwords, give an attacker access to a business's computers, networks and data, including its cloud services. With a username and password, the attacker can access company information at their leisure, causing mischief and mayhem. This affects the entire business because identity credentials are the foundation for trust and access to most business and IT systems. Your best defense here is to accept and use the two-factor authentication (such as entering a code from a text message) and device registration process that most cloud and business applications provide today. This makes stealing credentials much harder and improves your personal and business cyber security posture.
Phishing attacks attempt to lure users into opening malicious documents or accessing toxic websites that can then infect the company with malware or ransomware. Well-crafted phishing attacks that appear to come from a trusted company insider or business partner (like a bank) are especially difficult to detect. Some phishing attacks focus on less secure personal devices and then hop or spread to sensitive company networks. There is no single fool-proof way to avoid phishing attacks. Your best defense against them starts with educating your users, with information such as 10 Ways To Avoid Phishing Scams. Because most users do not practice the same level of cyber security hygiene at home, personal devices should not be allowed by default on sensitive company networks.
Losing a device such as a laptop, tablet or smart phone is unfortunately a consequence of our new digital lives. It does not matter if the device was stolen or inadvertently left behind; the device is still lost. For any device that has sensitive information, that information really should be encrypted on the device, with the strongest PIN/password/passcode that you can set. The good news is that encryption is now done by default on the iPhone® and Android phones. Encrypted data stored on your device will hopefully turn a security event into a lesser device replacement event. You should also make sure your company laptops use encryption and that your data backups are encrypted as well.
The trusted insider threat, or misbehaving insiders, is not specific to cyber security; it was a security issue long before business became dependent on computers. If the CIA is vulnerable to an insider stealing information, so are we all. Trusted insiders and business partners who misbehave, either on their own or after being coerced by an adversary (as is commonly seen on TV shows), are difficult to detect. They may be identified by observing their behaviors either manually or with network monitoring and analytics tools. This is an evolving and complex area for large corporations, let alone small businesses, to deal with.
Once these basic measures are in place, your business is harder to attack and breach, so the cyber criminals may go elsewhere. To learn more about how to defend your business, you can read the following article: Cyber Security in the Age of an Assumed Breach.