Business owners have a lot on their minds right now. That makes it easy to ignore the seemingly invisible cybersecurity threats that lurk in the shadows. It’s hard to put a realistic persona to these threats (the mysterious hacker in the dark hoodie concealed by shadows only goes so far) but the risks of not protecting your business from cyberthreats are very real.
We don’t think it’s your fault, either. As a business owner, you have a lot on your plate. You’ve got paychecks to hand out, customers to please, and a list of responsibilities that’s longer than your arm. Defending your business against cyberattacks just feels so… distant. It feels like it should be someone else’s problem.
We get it, and a lot of other business owners have felt that way over the years. It feels like yesterday when insisting that all businesses deploy some level of antivirus was a massive hurdle. It took a lot of time for that process to sink in. Looking back, we chalk it up to excuses like “it was just another expense” and “my business doesn’t need it, we don’t have anything to lose.”
Obviously, and thankfully, the general consensus has changed.
We’re at another stage of this though, and the issue is even more serious than computer viruses.
We see headlines talking about major nationwide or even worldwide corporations, even adept tech companies, getting hacked. It establishes this separation between us vs. them. If you are a smaller business here in Rapid City, surely you aren’t on the radar of these cybercriminals who are causing all these problems for these big entities… right?
The truth is, smaller businesses are facing an unprecedented level of cyberattacks and if you're not prepared, there is a chance you won’t be in business six months from now. Symantec recently published a study stating that 36 percent of targeted cyber attacks were targeting businesses with fewer than 250 employees. Most small businesses—83 percent according to the National Cyber Security Alliance—have no official cybersecurity plan. On top of that, smaller businesses usually have the weakest defenses with older, unmanaged network equipment and fewer internal processes to ensure that data is protected.
The threat is real, and the repercussions are worse. Depending on your industry, there could be major fines and penalties for simply not securing your customers’ data. South Dakota has its own data breach notification law (S.B. 62) that requires an information holder to notify any South Dakota residents of any breach of security involving their personal information.
The technology world moves rapidly, but often in subtle ways. Sometimes new technologies don’t appear all that different. It’s more about smaller, incremental improvements to how data is stored, processed, and delivered. I won’t get too deep into the technical stuff, but essentially, technology has changed rapidly over the last decade, and so has the ability to use technology maliciously.
I’d even posit that for every innovation, someone figures out a few ways to use it to exploit others.
Cybercriminals are clever problem solvers, and will look for the easiest solution that takes the smallest effort to get the biggest payout. For example, it’s not uncommon for a business to have some protections in place. Usually that involves antivirus, some sort of firewall, and some internal network policies.
Keep in mind, these are all just a start for good cybersecurity protection. I wouldn’t even feel comfortable saying that these are the bare minimum, since there’s still a lot to worry about.
And that’s pretty much the point!
Most businesses will set up some base-level security to stop the loud, annoying, everyday threats, and leave it at that. Even worse, sometimes they will ignore their security for years, haphazardly running updates (or worse still, not running updates).
This is extremely risky. First of all, the set-it-and-forget-it model doesn’t work for security. As I mentioned, things change fast, and any security hardware and software will need to be patched and updated regularly. Sometimes updates bring new features and settings that will need to be reviewed as they come out. Secondly, more and more threats can evade even the highest-end security hardware and software. Finally, if you are still using Windows 7, it's just a matter of time before you will be hacked, so it’s time to upgrade from Windows 7. This leads us into our next misconception.
I guess this is a bit of a stretch for a common misconception, because most business owners just don’t think about their end users when it comes to security. Another way to word this would be “I have the security in place so I don’t need to worry about my people.”
Remember earlier, when I mentioned that cybercriminals will look for the easiest solution that takes the smallest effort to get the biggest payout?
For many businesses that have decent IT security in place, it might prove easier for a bad actor to take a less technical approach. Instead of relying on technical vulnerabilities, brute force attacks, or botnets, they’ll depend on one of your employees to screw up.
There are a lot of vectors that a cybercriminal could use for this. The most common by a large margin would be via phishing attacks. Phishing has been a huge problem for both businesses and residential users alike, but businesses have a huge disadvantage here, because hackers have a bunch of tricks to get what they want.
They can spoof emails to make them look like they came from within the organization, from HR, a manager, or a CEO. They can spoof emails to look like an important document from a customer or an invoice from a vendor. They can make an email look urgent enough that an employee might not question its legitimacy. Here are three tips to spot phishing attempts.
Beyond email-based threats, cybercriminals could simply interface directly with your staff over SMS, social media, or via phone calls. It’s not as common, but it has been done. On top of that, users with poor security hygiene, even in their personal lives, can affect your business. If they are using the same passwords across their personal accounts, they are likely doing the same at work, and that means if one account gets compromised, they all are. One step you can take to help your team develop better password habits is to offer to audit their passwords.
Establishing strict network policies can help a lot, but ultimately, it’s down to educating and training employees, and testing the systems you have in place regularly.
As we said, cybersecurity isn’t a set-it-and-forget-it problem, but it is a problem that we all need to be prepared for. It takes consistency and diligence.
There is a lot that KT Connections can do to help. We offer a variety of security services to help ensure your data remains protected. We have security solutions to keep your employees from accessing unsafe or inappropriate online content. Everything from our web filtering and firewall services to our all-inclusive Unified Threat Management solution is designed to protect your business from cyberthreats. To take your first steps, give us a call at 605-341-3873.