"Even very small businesses (10 employees or less) should take precautions to avoid becoming a target." - Verizon DBIR 2022
Introduction
In today's threat landscape, there are more dangers for small to medium businesses than ever before. According to Verizon's 2021 Data Breach Investigation Report (DBIR), 28% of data breaches involved small businesses (fewer than 1,000 employees). The 2022 Verizon DBIR concluded "that even very small businesses (10 employees or less) should take precautions to avoid becoming a target."
Ransomware operators will attack any organization regardless of its size, and many small businesses are tempting targets due to a lack of cybersecurity controls. It's the classic case of hunting versus farming. Cybercriminals can spend their time trying to attack large organizations, which most often have large cybersecurity budgets (hunting), or they can spread their nets wide and go after many small organizations that most likely do not have mature cybersecurity programs in place (farming).
Cybersecurity Breach Impact
The average cost of a data breach for businesses with fewer than 500 employees is $2.98 million according to IBM and the Ponemon Institute. The cost of a data breach varies widely by organization and by the type of data compromised, but every small business that is the victim of a cyberattack will feel some financial pain. In addition to this financial hit, the reputation of a small organization can suffer greatly as the result of a breach of customer information. Lastly, a compromise of confidential information might lead to legal or regulatory repercussions for the affected organization.
Cybersecurity Concerns for Small Businesses
Phishing
Phishing is the use of scam emails to entice a recipient to take some action that will benefit a cybercriminal. Typical phishing attacks try to get victims to reveal credentials or click links that might result in the delivery of malware to their computer.
Protections against phishing include:
User awareness training, including phishing simulation
Spam filtering
Email link reputation checking
DNS filtering
Ransomware attacks
Ransomware is a type of malware which prevents authorized access to systems and data in order to obtain a ransom payment from a victim. Encryption is most often used as the method for preventing access. Ransomware has become the cybercriminal's bread-and-butter method of obtaining money from their victims.
Protections against ransomware include:
System and data backups.
Additional protection of system and data backups - either by hosting with a third-party vendor or creating a separate set of credentials used to authenticate to the backup software or system.
Behavior-based anti-malware software such as Endpoint Detection and Response (EDR) software.
Strong perimeter security controls, especially for outbound (to the Internet) traffic.
Weak passwords and password reuse
People often choose weak passwords because they are easier to remember. They also reuse passwords across sites to reduce the number of passwords they have to remember. Cybercriminals understand this and sweep the Internet looking for weak passwords and password reuse.
Password reuse is a danger when people use the same credentials for multiple sites and one of those sites is breached. Attackers, after obtaining the breached credentials, will perform a "credential stuffing" attack, trying those same credentials against other sites where they might have been used.
Protections against weak passwords and password reuse include:
Multi-factor authentication (MFA)
User awareness training
Password breach monitoring services like Have I Been Pwned
Password length requirements (12 characters minimum is recommended)
Require and encourage employees to use password managers, which will make remembering passwords for individual sites unnecessary
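The two checks above (a 12-character minimum and a lookup against a breach corpus such as Have I Been Pwned) can be enforced at password-change time without ever sending the password itself anywhere. The example below is added here and is not code from this guide or from Have I Been Pwned; it implements the k-anonymity range lookup used by the Pwned Passwords API (only the first five hex characters of the SHA-1 hash leave the machine) against a constructed, offline stand-in for the range endpoint, and the breach counts in it are made up.

```python
import hashlib
from typing import Callable, List

MIN_LENGTH = 12  # the guide's recommended minimum password length


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def count_in_range(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus (0 = not found).

    fetch_range(prefix) must return the range response for a 5-character hash prefix:
    one 'SUFFIX:COUNT' entry per line. Only the prefix is ever disclosed to the service;
    the remaining 35 characters are compared locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, fetch_range: Callable[[str], str]) -> List[str]:
    """Apply the guide's two controls; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than the {MIN_LENGTH}-character minimum")
    hits = count_in_range(password, fetch_range)
    if hits:
        problems.append(f"found {hits} times in known breaches; choose a different password")
    return problems


# Constructed offline stand-in for the range endpoint (counts are invented for the example).
_BREACHED = {"password": 1234567, "Password123456": 42}


def fake_fetch_range(prefix: str) -> str:
    lines = [f"{sha1_hex(pw)[5:]}:{count}" for pw, count in _BREACHED.items()
             if sha1_hex(pw)[:5] == prefix]
    lines.append("0" * 35 + ":1")  # filler entry: matching must compare the full suffix
    return "\r\n".join(lines)
```

In production, fetch_range would issue the HTTPS GET to the range endpoint and return the response body unchanged; everything else stays the same.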
Insider threats
Every now and then, a bad seed will make its way into an organization. According to the 2022 Verizon DBIR, 18% of data breaches had some involvement from an internal actor, either an employee or a contractor.
Protections against insider threats include:
Maintain inventories of critical assets and data so you know what to protect
Monitor user behavior when accessing critical assets and data
Use of a Security Information and Event Management (SIEM) solution will help achieve this goal
Data loss prevention (DLP) solutions
Third-party breaches
Integrating systems or connecting internal networks with third parties can lead to cybersecurity incidents. The Verizon DBIR in 2022 identified partner organizations as a contributing factor in 39% of data breaches.
Protections against third-party breaches include:
See the list of insider threat protections
Network segmentation - only allow vendors and third parties to connect to specific network segments
Work only with trusted and vetted organizations, and require a minimum level of cybersecurity maturity from trusted third parties
Proactively monitor vendors and trusted third parties to ensure compliance with industry-relevant cybersecurity standards
Outdated software and hardware
Small companies oftentimes struggle to keep up with operating system patches, application patches, and hardware refresh cycles. Utilizing a trusted managed technology provider can provide proactive, experienced monitoring and advice for less than the cost of an FTE dedicated to IT.
Protections against outdated software and hardware:
Keep inventory lists of systems and software, and ensure all systems are patched on a regular basis
Proactively replace hardware systems that are no longer supported by the manufacturer
Utilize a managed technology provider (MTP or MSP) to help shoulder the burden of proactive system management
Lack of employee training and awareness
Employees can often be the last and only line of defense against cybercriminals. Many cyberattacks start with phishing or social engineering, so enforcing good habits with employees should be given as much due care as maintaining your perimeter defense.
Protections against lack of employee training and awareness:
Regular cybersecurity awareness training
Phishing simulations
Creating a culture of cybersecurity
Use the carrot instead of the stick as much as possible
Lack of a proper backup and recovery plan
One of the best protections against ransomware is an effective backup and recovery plan. Organizations that plan ahead - that use regular backups, verify those backups actually work, and have a plan of what to do in an emergency - are able to recover much faster than those organizations that are running around like the proverbial chicken without a head.
Protections against lack of a proper backup and recovery plan:
Understand the critical assets and data in the environment
Have a plan to back up data to a system that is at least as well protected as the original data
Utilize file-level encryption
Multi-factor authentication
Consider using a separate authentication mechanism from the one used to access the original data
Regularly test backups to ensure they can be recovered from
Create a plan with detailed procedures for recovering data
Conclusion
To recap, the top cybersecurity concerns for small businesses are:
Phishing
Ransomware
Weak passwords
Insider threats
Third-party breaches
Outdated software and hardware
Lack of employee training and awareness
Lack of a proper backup and recovery plan
This guide provides recommendations and controls to address each of these concerns. These controls should be implemented according to industry best practices, otherwise their efficacy may suffer.
Small businesses must evolve to take cybersecurity seriously if they care about protecting their business. The rise of ransomware as a "business model" for cybercriminals has made all businesses a target. Contact us to find out more.