Jordan Chadwick

Cybersecurity 101 for Small Businesses

Updated: Sep 6, 2023

"Even very small businesses (10 employees or less) should take precautions to avoid becoming a target." - Verizon DBIR 2022

Introduction

In today's threat landscape, small and medium businesses face more dangers than ever before. According to Verizon's 2021 Data Breach Investigations Report (DBIR), 28% of data breaches involved small businesses (fewer than 1,000 employees). The 2022 Verizon DBIR concluded "that even very small businesses (10 employees or less) should take precautions to avoid becoming a target."


Ransomware operators will attack any organization regardless of size, and many small businesses are tempting targets because they lack cybersecurity controls. It's the classic case of hunting versus farming. Cybercriminals can spend their time attacking large organizations, which most often have large cybersecurity budgets (hunting), or they can cast their nets wide and go after many small organizations that most likely do not have mature cybersecurity programs in place (farming).


Cybersecurity Breach Impact

The average cost of a data breach for businesses with fewer than 500 employees is $2.98 million, according to IBM and the Ponemon Institute. The cost of a data breach varies widely by organization and by the type of data compromised, but every small business that falls victim to a cyberattack will feel some financial pain. Beyond the financial hit, a small organization's reputation can suffer greatly after a breach of customer information. Lastly, a compromise of confidential information might lead to legal or regulatory repercussions for the affected organization.



Cybersecurity Concerns for Small Businesses


Phishing

Phishing is the use of scam emails to entice a recipient into taking some action that benefits a cybercriminal. Typical phishing attacks try to get victims to reveal credentials or to click links that deliver malware to their computers.


Protections against phishing include:

  • User awareness training, including phishing simulation

  • Spam filtering

  • Email link reputation checking

  • DNS filtering


Ransomware attacks

Ransomware is a type of malware which prevents authorized access to systems and data in order to obtain a ransom payment from a victim. Encryption is most often used as the method for preventing access. Ransomware has become the cybercriminal's bread-and-butter method of obtaining money from their victims.


Protections against ransomware include:

  • System and data backups.

  • Additional protection of system and data backups - either by hosting with a third-party vendor or creating a separate set of credentials used to authenticate to the backup software or system.

  • Behavior-based anti-malware software such as Endpoint Detection and Response (EDR) software.

  • Strong perimeter security controls, especially for outbound (to the Internet) traffic.


Weak passwords and password reuse

People often choose weak passwords because they are easier to remember. They also reuse passwords across sites to reduce the number of passwords they have to remember. Cybercriminals understand this and sweep the Internet looking for weak passwords and password reuse.


Password reuse becomes a danger when someone uses the same credentials on multiple sites and one of those sites is breached. Attackers who obtain the breached credentials then perform a credential stuffing attack (sometimes called "password stuffing"), trying those credentials against other sites where they might also have been used.


Protections against weak passwords and password reuse include:

  • Multi-factor authentication (MFA)

  • User awareness training

  • Password breach monitoring services like Have I Been Pwned

  • Password length requirements (12 characters minimum is recommended)

  • Require and encourage employees to use password managers, which will make remembering passwords for individual sites unnecessary
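The password protections above combine into a simple onboarding check: enforce the 12-character minimum and look the candidate password up against known breaches. The example below is added here and is not the article's code or Have I Been Pwned's; it imitates the k-anonymity range lookup the Pwned Passwords API uses (only the first five characters of the SHA-1 hash are sent, and the matching suffixes come back with their breach counts) against a small constructed breach corpus, so it runs offline. `lookup_range`, `breach_count` and `evaluate_password` are names chosen for this example.

```python
import hashlib
from typing import Dict, List


MIN_LENGTH = 12  # the 12-character minimum recommended in the article


def _sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample breach corpus: password -> number of breaches it appeared in.
# A real deployment would never hold plaintext passwords; this only exists so the
# example can build a fake range index offline.
_KNOWN_BREACHED = {"password1234": 50_000, "Summer2023!!": 3}


def _build_fake_range_index() -> Dict[str, List[str]]:
    """Index the corpus by 5-character hash prefix, mimicking the API's responses."""
    index: Dict[str, List[str]] = {}
    for password, count in _KNOWN_BREACHED.items():
        digest = _sha1_upper(password)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


FAKE_RANGE_INDEX = _build_fake_range_index()


def lookup_range(prefix: str) -> List[str]:
    """Stand-in for the network call: returns 'SUFFIX:COUNT' lines for one prefix.

    In a real client this is the only place the network is touched, and the
    only thing transmitted is the 5-character prefix (an assumption of this
    example; swap in an HTTP call to the real service to use it in practice)."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly 5 hex characters")
    return FAKE_RANGE_INDEX.get(prefix, [])


def breach_count(password: str) -> int:
    """Return how many known breaches contain this password (0 if none).

    The full hash never leaves this function: the suffix comparison happens
    locally against every suffix returned for the shared prefix."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix):
        known_suffix, count = line.split(":")
        if known_suffix == suffix:
            return int(count)
    return 0


def evaluate_password(password: str) -> Dict[str, object]:
    """Apply the article's two checks: minimum length and breach exposure."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    count = breach_count(password)
    if count:
        problems.append(f"seen in {count} known breaches")
    return {"ok": not problems, "problems": problems}


if __name__ == "__main__":
    for candidate in ["password1234", "short", "correct horse battery staple"]:
        print(candidate, "->", evaluate_password(candidate))
```

A rejected password should be reported to the user with the reason (too short, or already exposed), and the check belongs wherever passwords are set: account creation, password change, and a periodic sweep of existing credentials through the same range lookup.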


Insider threats

Every now and then, a bad seed will make its way into an organization. According to the 2022 Verizon DBIR, 18% of data breaches involved an internal actor, either an employee or a contractor.


Protections against insider threats include:

  • Maintain inventories of critical assets and data so you know what to protect

  • Monitor user behavior when accessing critical assets and data

    • Use of a Security Information and Event Management (SIEM) solution will help achieve this goal

  • Data loss prevention (DLP) solutions


Third-party breaches

Integrating systems or connecting internal networks with third parties can lead to cybersecurity incidents. The 2022 Verizon DBIR identified partner organizations as a contributing factor in 39% of data breaches.


Protections against third-party breaches include:

  • See the list of insider threat protections

  • Network segmentation - only allow vendors and third parties to connect to specific network segments

  • Work only with trusted and vetted organizations, and require a minimum level of cybersecurity maturity from trusted third parties

  • Proactively monitor vendors and trusted third parties to ensure compliance with industry-relevant cybersecurity standards


Outdated software and hardware

Small companies often struggle to keep up with operating system patches, application patches, and hardware refresh cycles. A trusted managed technology provider can deliver proactive, experienced monitoring and advice for less than the cost of a full-time employee (FTE) dedicated to IT.


Protections against outdated software and hardware:

  • Keep inventory lists of systems and software, and ensure all systems are patched on a regular basis

  • Proactively replace hardware systems that are no longer supported by the manufacturer

  • Utilize a managed technology provider (MTP or MSP) to help shoulder the burden of proactive system management


Lack of employee training and awareness

Employees are often the last, and sometimes the only, line of defense against cybercriminals. Many cyberattacks start with phishing or social engineering, so building good habits among employees deserves as much care as maintaining your perimeter defenses.


Protections against lack of employee training and awareness:

  • Regular cybersecurity awareness training

  • Phishing simulations

  • Creating a culture of cybersecurity

  • Use the carrot instead of the stick as much as possible


Lack of proper backup and recovery plan

One of the best protections against ransomware is an effective backup and recovery plan. Organizations that plan ahead - that take regular backups, verify those backups actually work, and know what to do in an emergency - recover much faster than organizations running around like the proverbial chicken without a head.


Protections against lack of proper backup and recovery plan:

  • Understand the critical assets and data in the environment

  • Have a plan to back up data to a system that is at least as well protected as the original data

    • Utilize file-level encryption

    • Multi-factor authentication

    • Consider using a separate authentication mechanism from the one used to access the original data

  • Regularly test backups to ensure they can be recovered from

  • Create a plan with detailed procedures for recovering data


Conclusion

To recap, the top cybersecurity concerns for small businesses are:

  • Phishing

  • Ransomware

  • Weak passwords

  • Insider threats

  • Third-party breaches

  • Outdated software and hardware

  • Lack of employee training and awareness

  • Lack of proper backup and recovery plan

This guide provides recommendations and controls to address each of these concerns. These controls should be implemented according to industry best practices, otherwise their efficacy may suffer.


Small businesses must evolve to take cybersecurity seriously if they care about protecting their business. The rise of ransomware as a "business model" for cybercriminals has made all businesses a target. Contact us to find out more.

