Small Business Cybersecurity

Cyberattacks are one of the greatest threats to American small businesses. Almost half of small businesses faced a cybersecurity threat in the last 12 months.1 Couple this statistic with the fact that 60% of small businesses go out of business after a cybersecurity attack, and it’s easy to see it is so crucial your team understands security protocol and can mitigate risk.2 From small tasks like spotting a phishing email to protecting hardware and software, the first step to strong cybersecurity is educating yourself and your team on the fundamentals. Here’s a look at those cybersecurity basics, and some tools and tips to help you address them.

Hardware Security

Most people think about hacking being related to software, but hardware is just as vulnerable to attack. The Infosec Institute reports that hardware may be infected with malware from the moment of purchase, if infected components are used during manufacturing. “System complexity, the large number of designers and engineers involved in every project and the delocalization of production in risky countries due to low cost poses a security threat,” they shared. “A malicious individual could alter a small component in the overall system for espionage or sabotage. Such attacks can be especially devastating in security-critical industries, such as the military.”3 These types of cyber-attacks are scary but rare, and business owners who buy from reputable manufacturers and only use licensed software have little to fear.4

It’s also important to know that hardware isn’t just presenting risks: it’s also being engineered to defend against them. Microprocessors, chips, and semiconductors are being engineered to detect and prevent cyber-attacks.5 For those who need solutions now, there are tools like IronKey hard drives, portable storage devices that encrypt critical data wherever it ends up,6 or the Isla Control Center, a device which monitors all activity on your Internet connection and can isolate malware and other threats when detected.7

Software Security

The need for comprehensive software security education might not apply to every person in your company, but basics like password management best practices should be reviewed with everyone. Especially if you’re using lots of different cloud SaaS options or other software, employees might use the same password for all their logins to make it easier. But this means if a cybercriminal has the employee’s email address and that password, they can access everything. It’s essential that employees use a discrete password for each login.8

Most people think about hacking being related to software, but hardware is just as vulnerable to attack.

But depending on the number of logins, that might be a lot to remember. Consider a seasoned, secure tool that stores all online passwords automatically, like Dashlane or LastPass. Some of these offerings even change passwords as required and save the new logins without the user having to come up with a new sequence of numbers and letters. Top password trackers will sync across devices, but require multi-level authentication when a user signs in from a new device.9 10 This approach to password management is more secure and easier than keeping a written list.

The definition of a truly “secure” password is always changing. Today, experts point to length over complexity. According to The InfoSec Institute, information technology security experts, lengthy passwords increase “password entropy,” or how much uncertainty exists in trying to guess the right sequence of characters. “A lengthy list of easy-to-remember words or a passphrase could be actually more secure than a shorter list of random characters,” they said. “Problems could arise, however, if users choose words that are too related to each other or too personal; this would open the door for dictionary-based passwords tools to guess the correct sequence, even in presence of a larger amount of possible combinations.”11

bna-cybersecurity-diagram1.png

Ultimately, the most secure passwords maximize both length and complexity.12 Special characters like ampersands, exclamation points, and at symbols are still important, but only lend to the strength of the password if they’re dispersed throughout. “Most people put capital letters at the beginning and digits and symbols at the end. If you do that, you get very little benefit from adding these special characters,” Lorrie Faith Cranor, FTC Chief Technologist and Carnegie Mellon computer science professor, told Wired Magazine.13 Inserting deliberate misspellings, spaces, and punctuation are other strategies for generating secure passwords.14

Human error is statistically the greatest threat to your security.

Beyond software security basics like unique passwords for each login, your IT department should regularly test your IT solutions to ensure data security. If you don’t have an IT department or are managing with a smaller IT staff, you might consider outsourcing to an agnostic software security company for your testing needs. Some common best practices for maintaining the security of your software are encrypting all stored data, using secure certificates when signing in to all websites, and regularly scanning websites and downloads for malware.15

Employee Training

An effective method of impressing the importance of strongly enforced cybersecurity policies is to bring the conversation with your employees to their front doorstep. Although it may seem superfluous, experts recommend showing your team the ways they may already be putting themselves at risk in their daily lives as a means of creating a greater sense of urgency in the conversation.16 This brings the conversation into relevance and will help get your team actively thinking about cyber security even when they’re not at the office.

As human error is statistically the greatest threat to your security, these trainings should review the gambit of common, human mistakes that lead to data breaches, from email phishing to password sharing.17 A good place to start is with yearly trainings. International security software provider ESET recently made a free cybersecurity training course publicly available, and there’s even the option to customize it to your organization. If you’re not already equipped to provide such training internally, their materials are a great resource to start with.

Third-Party Vendors

Human error accounts for the largest percentage of cybersecurity attacks.18 While training your own team can help improve this statistic on your end, what’s more difficult to account for is the training of any third-party vendor’s employees. In fact, for certain industries like the financial sector, third-party breaches are the number one cause of cybersecurity attacks and data phishing.19

bna-cybersecurity-diagram2.png

One of the best methods of prevention is to ensure you know the security practices of your third-party service providers. Assessing what access your vendors are asking for as compared to their actual needs can help you implement security protocol if necessary, or establish whether your vendor’s existing protocol will suffice.20

If you still aren't confident after this assessment, you might consider engaging your vendor in a service level agreement (SLA). An SLA allows your company to audit the vendor’s compliance with your security practices and can also cover information security, information privacy, threat and risk analysis, network and data access, and finally disclosure requirements. This added level of protection creates a legal safeguard for your bottom line.21

Why to Mind the Basics

Small businesses make up nearly half of all cybersecurity targets.22 By creating conversation and education around cybersecurity at your business, you’ll be more prepared to face attacks. Training employees on the best practices of passwords, the qualities of a suspicious email, and proper software and hardware security measures reduces the likelihood of human error. Making certain your vendors are compliant with your security practices will help extend that protection.

Vulnerability to cyberattacks is only becoming more difficult to manage as technology grows and changes. Empower your team with a knowledge of these fundamentals to ensure everyone at your small business is part of the effort to stay secure.

1 https://keepersecurity.com/2017-State-Cybersecurity-Small-Medium-Businesses-SMB.html

2 http://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/

3 http://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/#gref

4 https://www.csoonline.com/article/2615305/malware/brand-new-hardware----now-with-malware-pre-installed-.html

5 https://www.brookings.edu/research/ensuring-hardware-cybersecurity/

6 http://www.ironkey.com/en-US/encrypted-storage-drives/

7 https://cyberinc.com/isla-technology/

8 https://www.wired.com/2016/05/password-tips-experts/

9 https://www.pcmag.com/article2/0,2817,2475964,00.asp

10 https://www.pcmag.com/article2/0,2817,2407168,00.asp

11 http://resources.infosecinstitute.com/password-security-complexity-vs-length/#gref

12 http://resources.infosecinstitute.com/password-security-complexity-vs-length/#gref

13 https://www.wired.com/2016/05/password-tips-experts/

14 http://resources.infosecinstitute.com/password-security-complexity-vs-length/#gref

15 http://www.zdnet.com/article/10-security-best-practice-guidelines-for-businesses/

16 https://www.forbes.com/sites/joannabelbey/2016/10/12/cybersecurity-and-social-media-corporate-training-best-practices/#6839caff7421

17 https://www.bitsighttech.com/blog/13-cybersecurity-training-tips-for-employees

18 https://hbr.org/2016/09/the-biggest-cybersecurity-threats-are-inside-your-company

19 https://cdn2.hubspot.net/hubfs/533449/Whitepaper_Breaches_on_Rise_1-1.pdf?utm_campaign=Third+Party+Breach+Rise+White+Paper&utm_source=hs_automation&utm_medium=email&utm_content=21340303&_hsenc=p2ANqtz-839HC2uTi7MDY6-3JFFEm4eu0gIg3BhzG9289wlS&t=1505518585689

20 https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

21 https://www.securitymagazine.com/articles/87025-steps-to-mitigating-third-party-vendor-cybersecurity-threats

22 https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html