Data breaches compromise thousands of people’s personal information, while ransomware attacks cripple businesses and organizations on a daily basis. Despite this, many small-to-medium-sized businesses still feel that due to their smaller size, they aren’t targets. The truth is, many SMBs handle the type of sensitive data which is attractive to cybercriminals. To make matters worse, many SMBs haven’t invested in the security infrastructure needed to protect themselves… something hackers count on.
The simple answer to why hackers target SMBs is that they are easy targets. Compared to a larger enterprise, many SMBs aren’t taking some of the most basic steps to lock down their network. Hackers are aware that many SMBs don’t have access to the type of security expertise needed to put up an effective defense against their attacks.
The payoff for a cybercriminal can be significant even if they breach a small organization. Typically a smaller business will be just as willing to pay off a ransomware attack, and can have a lot of valuable personal information for the hacker to profit off of.
Not only is a data breach embarrassing to a business, but it can also bring the attention of the State Attorney, whose goal is to ensure that your customers are informed of the breach. In fact, South Dakota has one of the strictest breach notification laws in the country. Running afoul of it could cost your company up to $10,000 per day, per instance, plus additional fines.
To put a finer point on it, a study from the National Cyber Security Alliance stated that 60% of SMBs will go out of business within six months of a data breach. When you think about how devastating the cost of the breach can be to a business, it makes sense. An enterprise-level business can ride out the storm of bad publicity, fines, and potential loss of customers, while an SMB may simply not have the resources to survive.
Everything is becoming more connected. We often speak of the IoT (Internet of Things) and the IIoT (Industrial Internet of Things) as examples of how technology (data and devices) is becoming more interconnected, and of the risks that come with it. Most large businesses aren’t an island; they are connected to other businesses and vendors that provide services and support. Many of these businesses have some form of access to the data of the sponsoring company. An example could be a large hospital partnering with a laundry company, or a manufacturer partnering with a shipping and logistics vendor.
If the third party inherently has access to sensitive data, or if they have hardware or software on the network, it opens up risk. Your defenses are only as strong as your weakest entry point.
If the vendor gets hacked, or a device or application on your network has a vulnerability, that is an entry point cybercriminals can use against you.
In a lot of cases like this, larger businesses might get breached due to a smaller third party’s vulnerability. Back to our hospital example, the headlines are all going to be about how the hospital was breached, even though the entry point was through a smaller business they partner with. The SMB’s role is withheld or underplayed. This omission reinforces the belief that only enterprise-level businesses are at risk. SMBs aren’t aware that the weak point in the system was an SMB’s lack of appropriate security measures, and so they don’t evaluate their own security measures. However, there are steps an SMB can take to protect itself.
Develop a Security Policy: Your team can’t know what your security policies are if you don't have them fleshed out. Take the time to create a document that covers what your security objectives are and how your team can help achieve them. You aren’t alone with this either; we help businesses establish and review security policies all the time.
Train Your Team: Your team is your first line of defense and the first place a hacker would test for vulnerabilities. Teach your team to recognize social engineering tactics such as phishing attempts using email, websites or even telephone calls whose goal is to obtain credentials. This is also something that KT Connections can assist you with.
Manage User Permissions: When it comes to security, the biggest vulnerability will always be human error. The simplest way to prevent this is by reducing the number of people who have access to your critical data: the fewer people who have access, the fewer opportunities there are for it to be compromised, even if a hack should occur. Identity management can help ensure that only authorized people have access to sensitive data.
Implement Multi-Factor Authentication: Sometimes, despite your best efforts, your organization’s data security may be compromised. Multi-factor authentication adds an additional layer of protection, which reduces the opportunity for compromised credentials to be used.
Backup Your Data: One of the biggest issues with data compromised by malware and ransomware is that once your data is held hostage, you have no choice but to either pay the ransom or allow your data to be destroyed. A viable backup and business continuity plan allows you to regain control of your data, regardless of the cause of the disaster.
Make Sure Your Technology is Current: Hackers are constantly probing for vulnerabilities to exploit. Out-of-date software and/or hardware can allow a hacker to gain access to your system. Ensure your technology is up-to-date and patch or replace at-risk technology as needed. An IT Support Service is a great resource for supporting an SMB’s goal of being compliant. Doing quarterly, or at the very least yearly, reviews with your IT provider and auditing everything on the network is a good call, and something we encourage our clients to do.
Pay Attention to Third-Party Vendors: When breaches from enterprise-level businesses make the news, what’s often lost in the reporting is that many of these breaches occur due to hackers targeting third-party vendors. Important credentials were shared, allowing hackers to use third-party vendors as a vector to attack the enterprise-level organization’s network. That doesn’t mean you should avoid working with any third party, but they need to be audited and checked to see if they meet the same compliance standards you need to meet.
SMB or not, you can’t be complacent; with such a large number of SMBs being attacked daily, the odds are that your business could become a statistic. However, if you’re prepared, a cyberattack isn’t guaranteed to be successful. In fact, if your business simply follows the 7 security tips we’ve provided, you will significantly increase your ability to repel a cyberattack.
Are you giving the security of information, systems, and networks the high priority they deserve, or are you assuming that because you’re an SMB, you’ll be ignored? It's critical to gain insight and understand how threats penetrate your organization's security and what you can do to manage the risk. KT Connections has a wide range of services and solutions to ensure your business is secure from cyberattacks, today and six months from now. Call today to schedule a FREE IT Assessment.