Considering that cyberattacks occur every day and cost the global economy a staggering $350 billion+ worldwide*, you would think strategizing to avoid such assaults would be a top priority of all businesses. Incredibly, it is not. In fact, according to a recent survey of 1,377 small and midsize company CEOs**, 62% said their firms don’t have an up-to-date or active cybersecurity strategy…or any strategy at all.
That’s a significant problem, given the crippling damage that can occur – the National Cyber Security Alliance recently reported that 60% of small and midsized businesses that get hacked are out of business within six months.
If you’re running a small or midsize business (SMB) you are, plain and simple, at high risk. In fact, the majority of all cyberattacks happen to SMBs. Why? Because SMBs tend to:
- Lack sufficient security measures and trained personnel
- Hold data that’s valuable to hackers (e.g., credit card numbers, protected health information)
- Neglect to use an offsite source or third-party service to back up their files or data, making them vulnerable to ransomware
- Connect to the supply chain of a larger company, and can be leveraged to break in
In 2013, hackers were able to breach Target via a link in their supply chain: a small HVAC company based in Sharpsburg, Pennsylvania. This single event is in large part why many SMBs receive Information Security Questionnaires from their clients today. This is an effort by your clients to ascertain the strength of your information security program and mitigate risk.
SMBs also are prime targets for ransomware, which encrypts company data until a ransom is paid. Why? Unlike many large companies, SMBs often neglect to use an offsite source or third-party service to back up their files or data. In the event of an attack, they almost always need to pay the ransom to decrypt their files.
In addition, the use of social engineering for the propagation of malware is a persistent issue. The success rates and frequency of these types of attacks continue to grow. Social engineering and impostor detection should be included in any comprehensive user awareness training package. It also is important to realize that as great as security awareness training is, it can’t be used in isolation. Even with the best training in the world, your organization will succumb to social engineering tactics if you don’t stem the flow of incoming attacks.
Sensible security measures include controls such as a sophisticated spam filter, which should prevent the majority of simple phishing emails from finding their way into your users’ inboxes. Other measures might include email and attachment scanning, segmented network architecture, and an endpoint security system.
Consider the following steps to start building a cybersecurity strategy that keeps hackers out of your business.
1. Select an information security standard
Before a fortress can be built, the structure must be laid out in blueprints by an architect. You need a detailed plan to properly build your security program. ISO 27001 is an ideal choice due to its flexible, pragmatic approach and global recognition and acceptance.
2. Inventory your assets, determine their value and prioritize those most critical
Identify the key assets in your company, whether those are databases, customer data, employee records, or intellectual property, and determine their value and who is responsible for them.
3. Determine your company’s current cybersecurity risk surface
Perform a comprehensive risk assessment of the assets to understand the threats, vulnerabilities, likelihood of occurrence and impact if the threats were realized. Work to reduce the risk to a level the organization is comfortable with.
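Steps 2 and 3 together amount to building a risk register: list the assets with an owner and a value, pair each with a threat and the vulnerability that lets it happen, score likelihood and impact, and compare the result with the level of risk the business will accept. The following is an added illustration written for this article, not a tool from the original; the 1 to 5 scales, the risk-appetite threshold of 9, and the inventory entries are all constructed assumptions.

```python
from dataclasses import dataclass, replace

RISK_APPETITE = 9  # assumption: scores above this require treatment


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str   # who is responsible for the asset
    value: int   # 1 (low) .. 5 (critical) business value


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (minor) .. 5 (business-ending)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def prioritize(risks, appetite=RISK_APPETITE):
    """Risks above appetite, highest score first; asset value breaks ties."""
    return sorted((r for r in risks if r.score > appetite),
                  key=lambda r: (-r.score, -r.asset.value))


def apply_control(risk, *, likelihood_delta=0, impact_delta=0):
    """Model a treatment that lowers likelihood and/or impact (floored at 1)."""
    return replace(risk,
                   likelihood=max(1, risk.likelihood - likelihood_delta),
                   impact=max(1, risk.impact - impact_delta))


# Constructed inventory (step 2) and assessment (step 3) for a fictional SMB.
CUSTOMER_DB = Asset("customer database", "head of sales", 5)
VENDOR_VPN = Asset("vendor remote-access VPN", "facilities", 3)
FILE_SERVER = Asset("shared file server", "IT", 4)

REGISTER = [
    Risk(FILE_SERVER, "ransomware", "no offsite backups", 4, 5),
    Risk(CUSTOMER_DB, "credential phishing", "no email filtering", 4, 4),
    Risk(VENDOR_VPN, "supply-chain pivot", "flat network, shared account", 3, 4),
    Risk(CUSTOMER_DB, "physical theft", "locked server room", 1, 4),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score:2d} {r.asset.name}: {r.threat} ({r.vulnerability})")
    # Treatment: offsite backups cut ransomware impact from 5 to 2 (constructed).
    print("ransomware residual score:", apply_control(REGISTER[0], impact_delta=3).score)
```

Running it lists the three risks above appetite in priority order (20, 16, 12) and shows the ransomware risk dropping to 8, within appetite, once offsite backups are modelled.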
Here are some other best-practice considerations:
- Remain vigilant; keep up to date on the evolving nature of threats, join a threat-sharing organization (like InfraGard)
- Patch your systems: many recent attacks took advantage of vulnerabilities for which a CVE had already been published
- Reduce your attack surface: harden the infrastructure, remove unneeded services and programs, close unused or risky ports
- Employ strong antivirus, email and web filtering
- Limit administrative rights
- Segment the network to limit propagation
- Educate and train your employees; regularly test their awareness
The best defense is a good offense. Make it a priority to protect your data for the benefit of your employees, your customers and the long-term health of your business.
*According to the National Center for the Middle Market (NCMM) at The Ohio State University Fisher College of Business.
**Cisco and the National Center for the Middle Market.