Your small business: target for a breach? No…

Maybe you think that as a small business, your risk of a data breach is low because larger companies are bigger targets and therefore more desirable to cybercriminals. Think again! According to the Verizon 2019 Data Breach Investigations Report:

• 43% of breaches were aimed at small businesses
• 34% involved internal actors
• 39% were orchestrated by organized criminal groups
• 71% were financially motivated
• 32% involved phishing
• 29% involved stolen credentials
• 56% took months or longer to discover

Wow! Every one of those points are of concern for even the smallest operations. The report goes on to show that email accounted for 94% of the deliveries whether they be phishing or malware. Of file types, Office files accounted for 45%. Those statistics are alarming to say the least! Many small businesses still use free email accounts for business email, but most free email accounts have rudimentary spam and malware detection at best. Additionally, those free accounts are typically accessed on mobile devices and in web browsers which don’t always reveal the details which would clearly identify them as suspicious. Maybe it’s time to graduate to better email solutions.

Why are small businesses such a lucrative target for data theft? The Ponemon Institute published an interesting report. Their survey pool was of companies with less than 100 and up to 1000 employees. Of more 1,045 individuals surveyed, 67% cited their companies having experienced a cyber-attack, and 58% experienced a data breach. More than half on both counts! Yet, out of these companies only 11% were very confident in their ability to effectively mitigate threats, vulnerabilities and attacks.

The numbers may seem daunting and small businesses typically argue that they do not have the budgets of larger corporations to employ security teams, but there are a number of solutions within reach for every business. Cybersecurity is a layered defense incorporating a mindset, habits, strategic implementations and general awareness. Most small businesses hold Personally Identifiable Information (PII). It may be on your employees, customers or vendors. How is that information managed and who has access to it? Cybercriminals use this kind of information for identity theft and other fraud. Disgruntled or dishonest employees may attempt to do the same or sell it outright. Other company info is vulnerable to employee misuse such as contact lists, credentials and intellectual property. Accidental exposures occur out of ignorance or lack of awareness of company policy. Do you have a written policy and is everyone in the company aware of it?

Basic steps every business can (should) take:

• Install software and hardware security updates regularly
• Use recommended malware protection on all devices with access to company info
• Use business-class firewall services
• Isolate unmanaged and unprotected devices from your business network
• Secure physical access to systems and information
• Utilize a backup solution that protects against ransomware
• Use strong, unique passwords or phrases and change them with regularity
• Use multi-factor authentication where possible
• Limit access to systems and information to those that need to know
• Limit retained information
• Employ encryption and remote tracking/wipe capability especially on mobile devices

Who has time for all of this? After a breach or other disaster, 60% of small businesses close within six months. In the case of data breaches; legal services, forensics, recovery, breach notification services, identity monitoring services, loss of business due to downed systems or loss of customer confidence all hit the business bottom line. Cyber insurance can help cover some of that, but preparedness and prevention are the best insurance. How much would a breach cost you? Cyber insurance is not always included in your business coverage. Check your policy and contact us if you need assistance.

Additional steps within reach for every business

• Implement Umbrella DNS protection to prevent access to or communication with roque sites
• Utilize business-class spam filtering and compliant email archival
• Establish, document and enforce policies for data management and access that also address employee hires and departure procedures
• Regularly train employees on security issues to keep them mindful and less likely to fall victim to socially engineered attacks
• Regularly perform a Security Risk Assessment

We offer free unlimited security training which is self-driven and advise everyone to take advantage of it. Subscribing allows managers to track employee progress and create security policies from customizable templates. All enrolled employees receive weekly two-minute trainings and get monthly phishing tests. The phishing tests automatically take a user to the appropriate training if they fall for the bait! Employee test scores and policy acknowledgements are available in a private portal. Reports can be downloaded and printed for compliance documentation. Additional documentation can be uploaded and security assessments performed and logged providing evidence of your due diligence to protect sensitive data to your customers, vendors and insurers. Dark Web Breach Assessments expose compromised employee data. It’s common for employees to use the same passwords or variations across accounts, so a breach of one account likely exposes more!

With employee turnover, there are so many details to manage and security policies are frequently overlooked in a small business. The security policy templates can be implemented in addition to or as part of your employee handbook. They include best recommended, but fully customizable, policies with sign-off pages for employee acknowledgement. The policies can be accessed either from the portal or saved on your local network. Regarding employee onboarding, there are pages to record accounts set up for each person, areas they may be granted access to, passes, keys and equipment given to them, etc. It may seem that in a small office that the owner or manager would remember everything, but what happens if someone else needs to step in for some reason? When a data breach happens, one of the key factors in any fines and judgements is “due diligence” of the breached entity. While prosecutors may not expect a small business to have a full-time security team, it would be expected that basic principles are being followed and documentation of your policies and procedures would illustrate your commitment to protecting those whose data you hold.

It is common with employee departures—whether on good terms or not—that email accounts get left active and unmonitored, network and other accounts remain active, shared account credentials never get changed and equipment (with company data or access to it) gets forgotten and not collected back by the company. It doesn’t take much imagination to see how all of this could lead to really bad consequences. Having check lists not only for employee starts, but also for their exits can cover you against a lot of loose ends leaving your company and its data very exposed. Best recommended practice for employee exits is to disable their accounts and logout of active sessions immediately on termination. Put another person in the company in charge of going through those accounts and the former employee’s files not publicly shared within the company to relocate them where they can be accessed by appropriate parties and setting retention periods, if any, for the rest. (Retention periods? Do you know what yours are?) Shared account credentials should be changed to prevent further access by the former employee. Parking passes and keys should be returned, access codes should all be revoked. Don’t forget to change voicemail passcodes! Laptops, tablets and phones if issued through the company should be returned. If devices are employee owned or the employee will be taking them, all company data, VPN software, accounts and services should be removed from them. A check list would make this easier, and we have tools for these express purposes.

Research has shown that late winter into spring is when employees look for better options, and companies are looking to fill new vacancies as well as any new positions before prospects slow their searches around summer vacation. Wouldn’t now be a good time to get those security policies set? Contact us for help doing just that!