One security advantage small and medium-sized businesses had for years was simply being small.
Given a low profile, most SMBs could fly under the radar when it came to information security, hoping they were obscure enough not to catch anyone’s attention. That advantage is gone.
Today, hackers are pounding hard on small businesses — where, according to the Ponemon Institute, 35 percent of SMBs say no single function determines IT security priorities.
With the new year just around the corner, what follows are five urgent threats that need to move to the front of your must-do list. Get your team started now, and keep these as 2017 security priorities. They’re items that you will want to periodically review — with your tech staff and users — throughout the year.
If your IT team focuses on these first among its security tasks, that will reduce the odds of your business becoming an easy mark.
1. Phishing Attacks Are the Top Threat to Tackle, Bar None
Unfortunately, there’s no 100 percent solution for blocking phishing attacks, and hackers are always coming up with new strategies — not just email, but social networks, text messages, websites (infected with malware), and employees (targeted on open wireless networks).
Phishing attacks target the human element: The goal is to collect credentials that can be leveraged to gain further access and penetration into a system, and then to insert malware.
For an SMB, the best way to forestall phishing attacks is by educating staff. A monthly 30-minute seminar, with some examples of clever phishing messages, will go a long way toward helping people understand the threat, the likely ways they will be approached and why reporting even the hint of an attack is critical.
Next, compare real and fake messages from your vendors (transport, banking, e-commerce and insurance businesses are the biggest targets). Share these examples liberally to hammer the point home.
Online, the IT team can find plenty of anti-phishing training materials. Emphasize four points for the greatest impact:
- How to identify suspect communications
- Never clicking on a link from someone unknown (or when known, passing the email by IT first if there’s even a hint of suspicion)
- Knowing to look for the “https:” to confirm encrypted websites
- Never bypassing digital certificate warnings or pop-ups
2. Passwords Need Protection Too
Hackers using phishing attacks look for passwords, but passwords can leak out in many other ways: reuse on other sites, capture through malware, and even brute-force guesses if the passwords are weak.
The surest fix is to remove passwords from the equation. Getting rid of passwords through two-factor authentication isn’t simple but has become a lot less expensive and less complicated in the past few years. There are definitely solutions that small businesses can afford.
If you can’t take the leap to two-factor authentication, spend the time instead on defining a better password policy and aggressively weeding out unused accounts, especially service accounts you’re not entirely sure you need.
Frequent password changes waste everyone’s time, but making passwords longer makes brute-force guessing far harder and discourages password reuse.
Third parties with access to an organization’s network are a particular problem that needs to be addressed. They hate to change passwords, often have more access than they need and focus on getting the job done fast, not on keeping systems secure. Therefore, the IT team must pay close attention to third parties with network credentials and hold them to a higher, not lower, standard of care.
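The two housekeeping tasks above (a length-first password policy and weeding out idle accounts, with third parties held to a tighter idle window) can be scripted against a directory export. The following is an added example, not code from the article; the account inventory, the common-password list and the idle thresholds are constructed for illustration.

```python
from datetime import date

# Constructed sample account inventory (not from the article). In practice
# this would be an export from the directory: name, account type, date of
# the last successful login, and whether it belongs to a third party.
ACCOUNTS = [
    {"name": "jsmith",      "kind": "user",    "last_login": date(2016, 12, 1),  "third_party": False},
    {"name": "svc-backup",  "kind": "service", "last_login": date(2016, 11, 20), "third_party": False},
    {"name": "svc-legacy",  "kind": "service", "last_login": date(2016, 3, 2),   "third_party": False},
    {"name": "vendor-hvac", "kind": "user",    "last_login": date(2016, 6, 15),  "third_party": True},
    {"name": "old-intern",  "kind": "user",    "last_login": date(2016, 1, 9),   "third_party": False},
]

# Constructed, deliberately tiny deny-list; a real deployment would load a
# published list of breached passwords instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def stale_accounts(accounts, today, user_days=90, service_days=180, third_party_days=30):
    """Return the names of accounts idle longer than the limit for their type.

    Third-party accounts get the shortest window, matching the article's
    'higher, not lower, standard of care'; service accounts get the longest
    because some legitimately run infrequently, but they still expire.
    """
    flagged = []
    for acct in accounts:
        idle_days = (today - acct["last_login"]).days
        if acct["third_party"]:
            limit = third_party_days
        elif acct["kind"] == "service":
            limit = service_days
        else:
            limit = user_days
        if idle_days > limit:
            flagged.append(acct["name"])
    return flagged


def check_password_policy(password, min_length=14):
    """Length-first policy with no forced rotation.

    Returns a list of reasons for rejection; an empty list means accepted.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    return reasons


if __name__ == "__main__":
    review_date = date(2016, 12, 15)
    print("Accounts to review or disable:", stale_accounts(ACCOUNTS, review_date))
    for candidate in ["correct horse battery", "Summer2016!", "password"]:
        print(repr(candidate), "->", check_password_policy(candidate) or "accepted")
```

The stale-account report is the list the IT team walks through with system owners; anything on it that nobody claims gets disabled first and deleted later. The policy check rejects on length and on a deny-list only, which is what "longer, not more frequently changed" amounts to in practice.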
3. Malware Is Everywhere, So Hunt It Relentlessly
Even the safest surfer in an organization will likely come into contact with some malware eventually, as attackers go after reputable websites. Although an IT team might feel it can’t handle upgrading to the latest Microsoft Windows operating system or Office, being an early (not necessarily bleeding-edge) adopter is the primary way to gain systemic protection against current and future threats. (And, Mac OS users, this means you too; see the sidebar below.)
Patching is essential and one of the simplest ways to gain protection. But it’s necessary that a business start with the latest OS, browser and productivity suite to gain that edge against a constant stream of new attacks. There will always be staff members who insist that they can’t survive without this or that OS or program, but they can. The risks are too high to indulge personal preferences.
4. Make Yourself Secure Against Ransomware
As attackers aim to monetize their talents, ransomware has run rampant through businesses of all sizes. But the thing about these attacks is that they rely on bad IT practices to work: people storing sensitive documents on their local PCs, backups that aren’t done properly and easily sniffed passwords.
Start with user education about how and where to store data (where it will get backed up frequently). Next, ensure that the backups capture everything. Then, run backups frequently — every 24 hours minimum.
Consider IT investments in this area, such as in new disk-to-disk systems that allow incremental backups every few hours throughout the day. That’s all the insurance needed to tell the next ransomware demander to take a virtual hike.
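"Ensure that the backups capture everything" and "every 24 hours minimum" are both checkable from the backup system's job history. The following is an added example, not code from the article; the job records, the list of required data sets and the 24-hour threshold are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed backup-job records (not from the article): when each job
# finished, which data sets it covered, and whether it succeeded.
BACKUP_LOG = [
    {"finished": datetime(2016, 12, 14, 2, 0), "sets": {"fileserver", "mail", "crm"}, "ok": True},
    {"finished": datetime(2016, 12, 15, 2, 0), "sets": {"fileserver", "mail"},        "ok": True},
    {"finished": datetime(2016, 12, 15, 2, 5), "sets": {"crm"},                       "ok": False},
]

# Every data set that must be recoverable; "finance-share" is included to
# show how a set that was never backed up is reported.
REQUIRED_SETS = {"fileserver", "mail", "crm", "finance-share"}


def backup_gaps(log, required, now, max_age_hours=24):
    """Return {data_set: problem} for each required data set lacking a
    successful backup within max_age_hours of `now`.

    Failed jobs are ignored on purpose: a backup that did not complete is
    not a backup, however recent it is.
    """
    latest_ok = {}
    for job in log:
        if not job["ok"]:
            continue
        for data_set in job["sets"]:
            if data_set not in latest_ok or job["finished"] > latest_ok[data_set]:
                latest_ok[data_set] = job["finished"]

    gaps = {}
    for data_set in sorted(required):
        if data_set not in latest_ok:
            gaps[data_set] = "never backed up"
        elif now - latest_ok[data_set] > timedelta(hours=max_age_hours):
            gaps[data_set] = f"last good backup {latest_ok[data_set].isoformat()}"
    return gaps


if __name__ == "__main__":
    check_time = datetime(2016, 12, 15, 9, 0)
    for data_set, problem in backup_gaps(BACKUP_LOG, REQUIRED_SETS, check_time).items():
        print(f"{data_set}: {problem}")
```

Run daily, this turns "we think backups are fine" into a short list of data sets that would not survive a ransomware incident; tightening `max_age_hours` to a few hours is how the incremental disk-to-disk schedule mentioned above gets verified.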
5. Think Before You Migrate to the Cloud
Pushing some apps to the cloud is part of most organizations’ IT strategies. But, a cloud move doesn’t alleviate the need for security best practices. Security must be a fundamental part of any cloud vendor selection and migration plan.
Obviously, picking cloud partners with established security credentials is step one, but almost as important is ensuring a proper integration between the business’ systems and those of the cloud provider.
Having a bulletproof network onsite won’t help you if the administrator password to the cloud application never gets changed — and the provider never alerts the business if it’s been misused.
Take the time to link all systems using directory protocols, such as LDAP or Active Directory Federation Services. That puts the company IT team back in control and ensures enforcement of password policies, accuracy of group memberships and prompt deactivation of users everywhere when necessary.