In light of the uptick in breaches at small and medium-sized businesses (SMB), I wanted to briefly review the cyberthreat landscape and offer some cybersecurity best practices organizations can implement to better position their businesses against the bad guys.
For years it’s been predicted that cybercriminals would eventually turn their attention to higher volume, smaller targets, namely SMBs. The number of reported breaches among SMBs is up 57%, and the number of exposed records is up 29% (source). These numbers stress that the threat is very real.
With cybercriminals actively targeting millions of businesses, it’s wise to assume one of them is yours.
We see SMBs targeted every day and can attest that clients who follow recommended security best practices are materially better positioned to prevent and respond to today's threats. User behavior remains the most important link in the cybersecurity chain, so we continue our “creating a culture of security” drumbeat as the foundation of any good security strategy. At the same time, users demand and require the ability to work seamlessly on multiple devices (many of them not company-issued) while traversing public and private clouds. The good news is that you already know how to drive this change, because, as with any change in business, creating a culture of security is ultimately a change management exercise, requiring vision and leadership. Since you’ve already got the leadership part nailed, here is some practical guidance on the vision in the form of 10 best practices to follow.
1. Enable Multi-Factor Authentication,
2. Implement Security Awareness Training,
3. Conduct a Cybersecurity Risk Assessment,
4. Employ a Device Management Policy,
5. Know the Realities of Your Backups,
6. Test your Business Continuity Plan,
7. Create Effective Cybersecurity Policies,
8. Build a Vendor Management Program,
9. Obtain Cyber Insurance, and
10. Develop an Incident Response Plan.
1. Enable Multi-Factor Authentication.
Level of Difficulty: LOW | Cost: LOW
The most recent Verizon Data Breach Investigations Report stated that 81% of hacking-related breaches are due to compromised, reused, or weak passwords. Multi-Factor Authentication, or MFA, has become a vital cybersecurity tool in preventing data breaches due to compromised credentials (username and password). MFA supplements your password requirements, offering multiple layers of identity verification. An example of MFA is requiring a device you hold, such as a smartphone or hardware token, to receive a one-time code, in addition to something you know, such as your login credentials.
MFA is proven to prevent some of the most common and successful cyberattacks. Read the Multi-Factor Authentication Guide to learn how MFA protects your business and its critical data.
If you do nothing else on this list, enable MFA.
2. Implement Security Awareness Training.
Level of Difficulty: LOW | Cost: LOW
Can you spot a phishing email when you see it? What do you do when you get an unexpected .pdf attachment from someone you don't know? Have you thought about how Mike in Accounting or Judy in Sales should handle these emails? The Verizon Data Breach Investigations Report found that 1 out of every 14 users fell for a phishing attempt. Given the sophistication of business email compromise (BEC) these days, it's no wonder untrained users are often tricked into doing something they would not normally do. With Security Awareness Training, you and your staff will stay on top of the latest cybercriminal tactics, so you can keep criminals from accessing your network, fraudulently transferring funds, or causing a data breach.
3. Conduct a Cybersecurity Risk Assessment.
Level of Difficulty: LOW | Cost: MEDIUM
“IS MY BUSINESS SECURE? HOW SECURE ARE WE?” are two questions we hear again and again. To know if your business is secure is to know your risks. A cybersecurity risk assessment of your defenses will tell you whether the current processes and policies you have in place are effective. A professional assessment will also provide you with recommendations to protect your business moving forward. Although I have identified this best practice as a medium expense, the knowledge and information you gain from a cybersecurity risk assessment are PRICELESS.
4. Employ a Device Management Solution.
Level of Difficulty: MEDIUM | Cost: LOW
Device Management is how you extend the security policies you have defined to devices that are most often outside your office and used off your secure network. This can range from something as simple as having the ability to wipe the corporate data off a device to applying multiple layers of tests before letting a device connect to your network. There is a good chance you have been accessing corporate email from your smartphone for years, but you should not assume this is as secure as it would be with a device management solution.
5. Know the Realities of your Backups.
Level of Difficulty: DEPENDS | Cost: DEPENDS
Backup is no longer just about recovering a file that was accidentally deleted or restoring data if your building burns down. Backup is now the best and fastest way to recover from ransomware and other cyber incidents. How much do you know about your backup and, more importantly, your recovery? Is it protected from ransomware? How fast can you recover? How recent a point in time can you recover your data to? Your answers to these questions will determine what the right form(s) of data protection are for your business, the cost to implement and maintain them, and what to expect should an incident occur.
6. Test Your Business Continuity Plan.
Level of Difficulty: DEPENDS | Cost: DEPENDS
From the coronavirus (COVID-19) to the Colonial Pipeline hack, to a data breach, to losing your internet connection, business disruptions come in all shapes and sizes. When disruption happens, your Business Continuity Plan (BCP) will help you to access business processes, data, and apps that are critical to keeping business operations going. Your plan shouldn’t be a document you dust off only in a time of need. Take time each year to think of your worst-case scenario and see if your BCP can sustain you during a disaster. Testing can range from something as simple as acting out a table-top disaster scenario to a full-scale site-to-site failover exercise.
7. Create Effective Cybersecurity Policies.
Level of Difficulty: LOW | Cost: LOW
Security policies inform your staff on how to protect information and set the stage for defining what cybersecurity solutions you need to have in place. Without these policies specifying behavior and cybersecurity controls, we’re relying on our users to ‘make the right choice’; this can be a risky proposition. These documents become critical in the event of a security audit or even an RFP response to win new business. If you don’t have someone on staff to build the proper set of policies, it’s worth finding an expert who can help you.
8. Build a Vendor Management Program.
Level of Difficulty: MEDIUM | Cost: LOW
In the internet age, we have all become far more dependent on our business partners and vendors. Vendor Management has become even more critical in determining whom we can trust our businesses with. If you are in a regulated industry, the regulatory framework you adhere to likely requires you to assess and address vendor risk. Create a vendor management program to evaluate your vendors' business operations, financials, and security practices. This information helps you ascertain if they are a good fit for your business and assess any potential risks they may bring. As business changes at the speed of light, request and revisit their documentation on an annual basis.
9. Obtain Cyber Insurance.
Level of Difficulty: LOW | Cost: MEDIUM
Cyber Insurance is a way to transfer your financial risk should a breach or significant security incident occur, and it’s very important that you understand what’s covered and what’s not. First-party coverage is for items that directly happened to you, while third-party coverage will cover expenses related to a breach that happened to your client. After that, what level of legal counsel, public relations, forensics, and restoration services are included? Will they pay the ransomware fee? Here is where we see the biggest gap in cyber insurance: while it may pay for much of the work to recover and get back to business, who is doing that work? You will typically need a partner with deep technical skills to do this in a secure and proficient manner.
10. Develop an Incident Response Plan.
Level of Difficulty: LOW | Cost: LOW
An Incident Response Plan (IRP) is a document or series of documents intended to guide you in the event of an emergency. This document is critical in the event of a cybersecurity attack or any other business continuity event for that matter. If you don’t have someone on staff to build one of these, it’s worth finding an experienced cybersecurity partner who can help you. In addition to having the IRP, you need to test it annually with a table-top exercise.
Keeping your business secure is critical to success. Employing these cybersecurity best practices will go a long way in protecting your organization and its critical data.
Matt McGrath | President & CEO
Systems Engineering