That tends to perpetuate the idea that cyber attacks are only aimed at big enterprises with lots of potential targets. For small and medium-sized businesses (SMBs), believing that to be true is a big mistake. Companies of all sizes and in every industry are vulnerable to cybersecurity threats, and they face many of the same risks as larger enterprises.
In fact, smaller companies might be even more at risk because many of them lack the necessary resources to effectively defend themselves.
Even the smallest organizations can possess valuable data such as trade secrets, customer transaction records, and intellectual property, and that data can be a potential target for cybercriminals and other bad actors. Some niche companies, particularly those working on innovative new technologies, might own precisely the type of information hackers are looking to steal.
It’s not just about data loss, though. Another risk is losing access to systems, networks, and data as a result of an attack. Such downtime, even for a few hours, can have a significant impact on a company. That’s especially true if the company does most of its business online.
In general, SMBs are subject to the same kinds of security threats that larger businesses face. They are also vulnerable to data loss from insufficient backups. And the potential damage extends beyond security and systems availability issues. Many SMBs need to be compliant with a number of data privacy regulations, and failure to do so can result in steep fines.
This white paper examines some of the key risks small and mid-sized businesses face today and why they need to address them. It also presents best practices for bolstering security and recovery capabilities.
“Even the smallest organizations can possess valuable data: trade secrets, customer transaction records, intellectual property…that data is a potential target for cyber- criminals and other bad actors.”
The Fallacy of Immunity
A lot of SMBs see themselves as flying under the radar as far as security threats are concerned. They view hacker attacks and other cyber-criminal activities as being designed for large enterprises that have enormous IT infrastructures, numerous entry points, and a treasure trove of valuable data to steal.
The fact is, that’s simply not the case. Small and mid-sized businesses have lots of data resources that attackers would like to get their hands-on, and they are aggressively going after these companies. No organization is too small to be a target.
A 2018 study by research firm The Ponemon Institute showed that small businesses increasingly face the same cybersecurity risks as larger ones, but only a minority rate their ability to mitigate threats, vulnerabilities, and attacks as “highly effective.”
The institute surveyed about 1,000 IT and IT security practitioners from companies in the United States and United Kingdom with headcounts ranging from 100 to 1,000, and found that 67% said they had experienced a cyber attack in the previous 12 months.
Despite this, nearly half of the respondents (47%) said they have no understanding of how to protect their companies against cyber attacks.
The Biggest Security Threats
SMBs are subject to the same security threats as their larger counterparts. Here is a brief summary of some of the most prominent types:
- Viruses and other malware. This is software designed to cause damage to networks, servers, desktop computers, mobile devices, and other client systems. The damage is inflicted once malware is introduced into a target’s environment. Common types of malware include viruses, worms, Trojan horses, spyware, and adware, and each can do significant damage to SMBs.
- Ransomware. This is a type of malware that deserves its own description because it has become so insidious. Ransomware might threaten to expose a victim company’s data, shut down systems, or block access to them, or encrypt files unless the company pays a ransom using Bitcoin or other difficult-to-trace cryptocurrencies. Ransomware attacks, which are aimed at all types of companies, are generally carried out via a Trojan disguised as a legitimate file downloaded by a user.
- Phishing. Using phishing tactics, attackers try to gain access to sensitive data such as credit card numbers, social security numbers, usernames, passwords, and other information. They do this by disguising themselves as trustworthy entities, often through emails or instant messages sent to employees in a company. Oftentimes users are instructed to enter personal information at a fake Web site that appears legitimate. Variants include spear phishing, which are attacks aimed at specific individuals or organizations; and whaling, which are spear-phishing attacks directed toward senior executives and other high-profile targets.
- Distributed denial-of-service (DDoS). These types of attacks can be among the most damaging because they can shut down vital servers. DoS typically involves an attacker overloading a target system with requests, rendering it unavailable to users. With DDoS, the incoming traffic flooding systems originate from multiple sources, making it far more difficult to stop.
- Botnets. These are any number of Internet-connected devices, each running one or more bots, which can be used to perform DDoS attacks, steal data, and allows attackers to access the devices and their connections. Attackers can control botnets using command and control software. Many recent botnets rely on existing peer-to-peer networks to communicate.
- Advanced persistent threat (APT). With an APT, an attacker quietly gains unauthorized access to a company’s network and remains undetected for an extended period. The goal might be to steal data, cause damage, disrupt systems or perform some other malicious act. Typically attackers have access to intelligence-gathering techniques and prioritize a specific task, such as data theft.
- Drive-by downloads. These incidents can happen when users visit Web sites or open email attachments and unknowingly download malware or other unwanted software. In some cases, malicious content on a site might be able to exploit vulnerabilities in a user’s browser to run malicious code.
- Insider threats. Any malicious threat that comes from employees, former employees, contractors, or others working within a company is an insider threat. These people generally leverage inside information about security tools and systems to inflict damage or steal or delete data. These types of threats can come from malicious insiders, negligence, or external parties who gain access credentials without authorization.
In addition to these threats, SMBs are vulnerable to data loss from insufficient backups. If data is not backed up adequately and there’s an attack or other incident that renders data unavailable, users can be without access to the information or it might be lost or damaged permanently.
Finally, many SMBs need to be compliant with a variety of regulations that pertain to data privacy. Failure to safeguard systems and data effectively can lead to fines.
The number of data protection regulations is on the rise, adding to the complexity of the compliance challenge.
Unlike a lot of larger enterprises, SMBs have limited resources for protecting their networks, systems, applications, and data. Many lack a formal cybersecurity program or an executive dedicated to security. Given the ongoing shortage of security professionals, acquiring the needed skills is a big challenge.
Best Practices for Strong Security and Backup
What are the most important things small and mid-sized businesses can do to protect their networks, systems, and data from cybersecurity issues and/or data loss? Here are some key best practices.
Deploy the solutions needed to protect and backup data.
- SMBs need to be willing to invest in tools that can boost security and reduce risks. This includes platforms that automatically and continually monitor files across internal systems and the cloud.
- A small business backup and recovery solution should be designed to rapidly recover lost, deleted, and ransomed files. Administrators should be able to retrieve actual file contents so they can determine whether a file contains sensitive data during investigations; recover prior file versions and deleted files, and provide self-service so users can recover from everyday data loss events.
Practice good security maintenance.
- Cybersecurity is not a “set-it-and-forget-it” proposition. New threats and vulnerabilities are constantly emerging. Companies need to regularly update and patch operating systems and other software resources, and instruct users to change passwords on a regular basis.
- They also must maintain and update security tools such as firewalls, intrusion detection systems, and anti-virus software as needed. Good security maintenance also includes conducting periodic and comprehensive risk assessments, taking into account any situations that might have changed since the last assessment, such as the addition of new cloud services.
- One good way to stay on top of the latest threats and vulnerabilities is by subscribing to threat intelligence services and following experts on social media.
Establish and enforce security policies and procedures.
- Security is also not just about tools and services; management needs to create and enforce policies to ensure that employees, contractors, and partners are practicing good security hygiene.
- The policies should cover areas such as the need to create strong passwords and revise them on a regular basis; how, where and by whom sensitive data such as customer information and trade secrets can be used; when to remove sensitive data files from systems; the proper and safe use of mobile devices; how and when to use data encryption; and how social media and other online sites should be used.
- In addition, security policies should cover what steps IT staff, managers, and employees who are leaving the company should and should not do to ensure strong security and data protection. They should also provide detailed instructions on what should be done in the event of a cyber-attack or data breach.
Provide employee education and training.
- One of the most important things executives at SMBs need to do when it comes to cybersecurity is educating their employees—and themselves—about the potential risks and how to go about mitigating them.
- They should provide mandatory training programs for all new employees and refresher courses for the existing workforce. Among possible topics to cover are how to avoid phishing and spear-phishing scams, how to practice good password usage and management, how to spot potentially harmful links and downloads, best practices when using public wi-fi, the proper use of mobile devices in the workplace, and social media behavior.
- Many insider threats due to user negligence can be avoided with proper training and retraining. Senior executives can set a good example by promoting their importance to the organization and participating in these training programs themselves.
Evaluate the security posture of external partners.
- Today’s business environment is more complex than ever, with companies typically engaging multiple suppliers, service providers, equipment vendors, consultants, and others. Ensuring that those outside entities are working in a secure manner is vital to the overall security of the company.
- SMBs should not be afraid to inquire about the steps partners are taking to ensure strong security and data backup.
Hire outside experts for help.
- Many SMBs simply don’t have the internal resources or budgets to create and maintain a robust cybersecurity program. Even many larger companies struggle to do this. That’s why it’s a good idea to consider bringing in expert help from outside.
- Managed security services providers (MSSPs), consultants, “ethical hackers,” and others can provide help such as suggesting affordable tools, deploying products, updating them, and performing penetration tests to evaluate the strength of products such as firewalls.
“Security is not just about tools and services; management needs to create and enforce policies to ensure that everyone is practicing good security hygiene.”
To get a sense of how important data protection has become, consider that a growing number of boards of directors and C-suite executives are now weighing in on security issues. Furthermore, companies, in general, are investing more in security tools and services.
SMBs can’t afford to operate with lax security. In addition to data loss and systems downtime, they can experience a decline in brand reputation, a loss of customers, a rise in legal fees and regulatory fines, and other negative impacts.
For those companies that have not developed a strong security strategy and infrastructure, the time is now.