If you were a hacker, would you target your small business or a large enterprise with ten times the revenue? The answer may seem obvious – clearly the larger organisation is the more attractive target, is it not? The Verizon 2017 Data Breach Investigations Report (DBIR) reveals otherwise.
In 2016, two-thirds of breached organisations had fewer than 1,000 employees. Many times, hackers target small businesses as an inroad to a larger organisation’s network or to gain access to a start-up’s cutting-edge technology.
Unfortunately, as the DBIR points out, small businesses may not have dedicated security staff and processes to mitigate cyber threats. While it is true that comprehensive cybersecurity does require access to technical expertise, there is more to it.
Effective cybersecurity is built on a foundation of best practices carried out throughout the organisation ‒ everyone must do their part. This is the message the Business Continuity Institute (BCI) is promoting for its 2017 Business Continuity Awareness Week (BCAW), which is 15th-19th May.
In honour of BCAW, below are three ways you can prepare for a security breach and encourage your employees to do their part.
Train your employees on proper digital hygiene
The first key to reducing the chances of a breach is training your employees on the basic principles of digital hygiene. Fortunately, following these principles does not require extensive technical knowledge.
Observing cybersecurity best practices can be compared to maintaining a healthy lifestyle. While you might not know the biological causes of illnesses, you do know that many can be prevented with proper diet, regular exercise and adequate sleep. Similarly, you do not have to know the mechanics of how, for example, hackers mine data, select victims for phishing emails and then infect the victims’ systems with ransomware.
You can thwart phishing attempts by simply being familiar with common characteristics of phishing emails (improper grammar, incorrect domain name in the sender’s email address, etc.) and not clicking any suspicious links.
Some basic IT security best practices include the following:
· Use complex login credentials. Passwords or passphrases should include special characters, numbers and a mix of lower- and uppercase letters.
· Store passwords securely. Passwords should not be stored in an easily accessible location, such as on a notepad on your desk or on an unsecure network drive. Instead, they should be stored in a resilient password manager with a strong passphrase.
· Where possible, employ multifactor authentication methods. Requiring a password plus a second method of authentication adds the ability to prove a user’s identity.
· Lock your computer when you step away. Leaving your computer unlocked allows any passers-by to view or edit the data and applications to which you have access.
· Beware of malicious links. To check the validity of a link without clicking on it, hover over the link with the cursor. If the destination URL is different to the supposed sender’s primary domain or does not match the URL text in the email, treat the email as a phishing attempt.
· Avoid using unsecured Wi-Fi networks. Hackers can exploit unsecured Wi-Fi networks to target devices connected to that network. If employees are authorised to work remotely, they should connect to the business network through a virtual private network (VPN).
To encourage employees to adopt the above protocol, remind them that it is not just business data that is at stake – it is their personal information as well. After all, HR files contain employees’ personal data. Then, to test your employees’ digital hygiene, have them complete this five-question IT security awareness quiz created by IT Specialists (ITS).
Hold your staff accountable
Comprehensive employee education should be complemented with clear expectations for your staff, ideally through a formal IT security policy. Consider addressing the following topics in your policy:
· Security training. Determine how often you will require employees to complete security training (quarterly, biannually, annually, etc.) and put it in writing.
· Bring-your-own-device (BYOD) policy. Because 70 per cent of employees use a personal device at work, having a BYOD policy is critical. Set parameters around accessing applications on the corporate network, using business email, connecting to Wi-Fi networks and remote wiping.
· Leavers procedure. When employees leave, it is important to ensure they do not take critical data with them or maintain access privileges to company data, applications, devices or facilities. Create a leavers procedure that has been agreed on by all departments in your organisation – particularly HR and IT.
Having formal policies and procedures in place will not only hold employees to a predefined standard but will demonstrate to your customers and other stakeholders that you have taken measures to reduce your cyber risk.
Unfortunately, even organisations with a strong security culture are susceptible to human error. In fact, the DBIR reveals that 14 per cent of breaches were caused by errors in 2016.
You must anticipate mistakes by taking a unified approach to IT security. Implement multiple layers of protection, including reputable anti-virus and anti-malware, intrusion detection systems, and data backup and recovery. If one barrier is compromised, another layer of security will give you the capability to detect any issues. Ensure you have the resources – whether internally or from a managed services provider – to monitor and address potential threats.
No one employee can singlehandedly thwart an attack and there is never a guarantee you will avoid an attack – just as maintaining a healthy lifestyle does not always prevent you from falling ill ‒ but with everyone doing their part, the risk of cybersecurity breaches will be drastically reduced.
For guidance on identifying risks and improving cybersecurity practices within your business, visit ITS’s BCAW page to download a cybersecurity awareness kit.
Paul Barber is integration manager at IT Specialists ( ITS)
Further reading on cybersecurity
Nominations are now open for the British Small Business Awards 2017, the leading event celebrating the brightest stars in the SME sector. Click here to enter, and make sure you get involved today using the hashtag #BSBAwards. Good luck!