Small Business Cybersecurity Plan
In a 2019 study of 2,000+ small and medium-sized businesses (SMBs), 66% of respondents experienced a cyberattack in the past 12 months. Over the past three years, there has been a significant increase in SMBs experiencing a data breach.
Increased attacks have led to increased costs for businesses. On average, these companies spent $1.2 million remedying data breaches and lost an additional $1.9 million from disruptions to normal operations. These numbers are growing rapidly from year to year.
Accounting for the broader population, the FBI’s 2019 Internet Crime Report lists a $3.5 billion price tag for complaints filed to the Internet Crime Complaint Center. With these numbers, it’s no surprise cybercriminals continue to find ways to exploit small businesses for profit.
There’s a range of threats your small business cybersecurity plan has to prepare you for. The nature of the attack depends on the goal of the hacker. For example, if they’re selling private information online, they will target small businesses for:
- Medical records
- Social security numbers
- Proprietary information
- Intellectual property
Not only are your employees’ records at risk, but so are your customers’. If your client is a large, corporate company, the hacker will steal your data for a lead to the “bigger fish”.
Most often, the hacker is motivated by money. They will cause disruptions in your technology and demand a payment to restore it to working order.
Small businesses are a prime target for these attacks because they usually have very little cybersecurity to deter hackers. But before we get into defending against these threats, you should learn more about what you’re protecting against.
Types of Cyberattacks Threatening Small Businesses
Imagine a hacker locks you out of your entire system until you meet their demands. This was the case during the worldwide “WannaCry” ransomware attack in 2017. The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. It caused sweeping shutdowns for companies in manufacturing, healthcare, education, communications, and government agencies. FedEx, Honda, Nissan, and England’s National Health Service are just a few organizations confirmed to have been affected.
Ransomware is a malicious program that encrypts every file in your system. In order to reverse the encryption and regain access to your files, the victim is required to pay a sum to the attacker, hence the ‘ransom’.
A 2019 report by EMSISOFT lists disclosed ransom demands of:
- $5.3 million to decrypt 158 computers in Massachusetts
- $600,000 for a city council in Florida
- $176,000 for a school district in New York
In addition to the price of the ransom, there’s the cost of the downtime your business can’t operate. Coveware reports 15 days of downtime, on average, for a business hit by ransomware.
Ransomware attacks are most often deployed through email phishing, Remote Desktop Protocol (RDP) compromise, and software vulnerabilities.
Phishing is the practice of tricking a user into handing over their sensitive information. The “bait” is often an email created to look like a message from your bank, the government, or even a family member in an emergency.
Given the urgency of the message, an unsuspecting user will click a link to a fake (but convincing) website and provide information such as: username and password, credit card number, address and phone number, social security numbers, and so on. The hacker will keep records of everything they’re given and sell the data on the black market.
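The warning signs described above (urgency, a sender imitating a trusted organisation, and a link whose visible text hides a different destination) can be checked mechanically. This is an added example, not code from the original article or from Omnis Technologies; the trusted-domain list and the sample message are constructed placeholders.

```python
import re
from urllib.parse import urlparse
# Indicators from the description above: urgency, a sender imitating a trusted
# organisation, and a link whose visible text hides a different destination.
URGENCY_PHRASES = ("immediately", "urgent", "suspended", "verify your account", "within 24 hours")
TRUSTED_DOMAINS = {"examplebank.com"}   # constructed placeholder; list your real vendors' domains
def host_of(url):
    """Hostname of a URL, lowercased and without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host
def imitates(domain, trusted):
    """True when domain is not trusted (or a subdomain of it) yet contains its name,
    after undoing digit-for-letter swaps such as examp1ebank.com."""
    if domain == trusted or domain.endswith("." + trusted):
        return False
    return trusted.split(".")[0] in domain.replace("1", "l").replace("0", "o")

def phishing_indicators(sender, subject, body, links):
    """links is a list of (visible_text, href) pairs; returns human-readable indicators."""
    indicators = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    for trusted in TRUSTED_DOMAINS:
        if imitates(sender_domain, trusted):
            indicators.append(f"sender domain {sender_domain} imitates {trusted}")
    hits = [p for p in URGENCY_PHRASES if p in f"{subject} {body}".lower()]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    for visible, href in links:
        href_host = host_of(href)
        # Compare hosts only when the visible text itself looks like a domain or URL.
        shown = re.match(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", visible.strip(), re.I)
        shown_host = host_of("http://" + shown.group(1)) if shown else ""
        if shown_host and shown_host != href_host:
            indicators.append(f"link text shows {shown_host} but points to {href_host}")
        if urlparse(href).scheme != "https":
            indicators.append(f"link to {href_host} is not HTTPS")
    return indicators

# Constructed sample message; the domains are placeholders, not real senders.
SAMPLE_PHISH = dict(
    sender="alerts@examplebank-secure.com",
    subject="Urgent: your account will be suspended",
    body="Verify your account within 24 hours to avoid interruption.",
    links=[("https://www.examplebank.com/login", "http://examplebank-secure.com/login")],
)
if __name__ == "__main__":
    for line in phishing_indicators(**SAMPLE_PHISH):
        print("-", line)
```

The same checks are what a user should do by hand before clicking: hover over the link, read the sender's actual domain, and treat urgency as a reason to slow down.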
Wireless Network Exploits
Hackers can upload malicious files when your network security isn’t up to date. For example, you may be using an obsolete router for your business’s Wi-Fi. If your router is using the outdated WEP Wi-Fi security protocol, an attacker can more easily gain access to your network and steal information.
Even when your router meets security standards, you’re still at risk if the network isn’t password protected. Allowing unauthenticated connections means anyone nearby, even 100 yards away, can access your network.
Ransomware can be installed when Windows Remote Desktop Protocol (RDP) access is compromised. RDP is designed to control one computer from another computer over a network connection. Attackers are able to steal (or illegally purchase) a company’s credentials and access these connections. Once they can control a company’s machine remotely, they can execute an attack like ransomware.
Defending Your Business From Cyber Attacks
Antivirus software is designed to stop harmful programs from getting into your system and doing damage to your data. It detects malicious files like trojans, worms, and ransomware before they can poison your PC.
Our preferred business antivirus solution is VIPRE. We’re experienced in deploying their full suite of cybersecurity tools including endpoint security, email protection, and automated patch management.
While you might be familiar with Norton or McAfee antivirus, they specialize in consumer-grade software. They do not provide the resources needed for the robust cybersecurity solution your business needs.
These programs provide basic blanket protection. In the event of an attack, they might lengthen the disruption because you depend on customer support for resolutions.
If your systems are attacked, VIPRE takes corrective action and immediately alerts our IT technicians. VIPRE is built so IT professionals can rapidly assess threats and choose the best course of action based on your business’s infrastructure.
A firewall is a digital barrier around your network. It works by establishing rules that filter what goes in and out of your network. With these rules in place, the firewall inspects the traffic passing through the network for its source, destination, and content. It’s able to recognize files coming from malicious sources by cross-checking databases of reported harmful programs.
Firewalls give you the ability to monitor everything connected to your network and the internet. You can keep suspicious or unknown devices from connecting to your network. Likewise, you can see if a compromised app is streaming your data out to the web.
Windows includes a firewall but there are third-party options available. Your router may have a firewall built in, but you may have to activate it.
A guest network is separate from your business’s primary, internal network. It’s usually created using a virtual local area network (VLAN) which isolates it from the main network where your private data is. It sounds complex but it only takes a few clicks to set up in your router settings.
Strong passwords are the foundation of your cybersecurity plan. These are the minimum parameters we recommend.
10 Character Minimum
Use a mix of letters, numbers, capitals, and symbols. That said, you don’t need it to be so complex that you can’t remember it. The number of characters is more important than the mix of characters.
For just a touch of complexity, substitute a couple of letters with numbers and symbols. For example, use an @ for an “a”, a ! for an “i”, or a 3 for an “E” to create a phrase such as: @tL3astT3n!
Update Every 3-6 Months
Depending on the sensitivity of your data, you may need to update your passwords more often for security or even regulatory reasons.
No Repeating Passwords
Using a different password for each of your accounts creates layers in your security. If all your passwords are the same, one breach is actually one hundred. It only takes one domino tipping to knock down the rest.
Require Two-Factor Authentication
Two-factor authentication occurs when an application or service sends a verification code to your phone or email after you’ve entered your login credentials. Then, you simply enter the code (which is usually short, 10 characters or less) and you’re logged in.
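The four parameters above (10-character minimum, 3-6 month rotation, no reuse, two-factor on) can be audited as a checklist. This is an added example, not code from the original article or from Omnis Technologies; the account records are constructed, and the 180-day limit is our reading of the "6 months" outer bound.

```python
from datetime import date
# Policy parameters taken from the recommendations above.
MIN_LENGTH = 10
MAX_AGE_DAYS = 180   # "update every 3-6 months": 6 months is the outer bound
AUDIT_DATE = date(2020, 4, 1)   # constructed "today" for the sample run

def character_classes(password):
    """Count the character classes used: lowercase, uppercase, digits, symbols."""
    return sum((any(c.islower() for c in password), any(c.isupper() for c in password),
                any(c.isdigit() for c in password), any(not c.isalnum() for c in password)))

def audit_accounts(accounts, today):
    """Return {account_name: [findings]} for every account that breaks the policy.
    Accounts are dicts: name, password, last_changed (date), two_factor (bool).
    Plaintext is used only so the sample runs; real audits compare salted hashes."""
    holders = {}   # password -> names of accounts that share it
    for acct in accounts:
        holders.setdefault(acct["password"], []).append(acct["name"])
    findings = {}
    for acct in accounts:
        pw, problems = acct["password"], []
        if len(pw) < MIN_LENGTH:
            problems.append(f"only {len(pw)} characters (minimum {MIN_LENGTH})")
        if character_classes(pw) < 2:
            problems.append("uses a single character class")
        others = [n for n in holders[pw] if n != acct["name"]]
        if others:
            problems.append("password reused on: " + ", ".join(others))
        age = (today - acct["last_changed"]).days
        if age > MAX_AGE_DAYS:
            problems.append(f"last changed {age} days ago (limit {MAX_AGE_DAYS})")
        if not acct["two_factor"]:
            problems.append("two-factor authentication not enabled")
        if problems:
            findings[acct["name"]] = problems
    return findings

# Constructed sample records; none of these are real credentials.
SAMPLE_ACCOUNTS = [
    {"name": "email", "password": "@tL3astT3n!", "last_changed": date(2020, 3, 1), "two_factor": True},
    {"name": "bank", "password": "summer2019", "last_changed": date(2019, 6, 1), "two_factor": False},
    {"name": "crm", "password": "summer2019", "last_changed": date(2020, 2, 15), "two_factor": True},
    {"name": "wifi", "password": "omnis", "last_changed": date(2020, 3, 20), "two_factor": True},
]
if __name__ == "__main__":
    for name, problems in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{name}: " + "; ".join(problems))
```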
Updating Your Operating System (OS) and Applications
An outdated, unsupported operating system makes you an easy target for cyber attacks. To protect its users, Microsoft releases regular security updates to patch the bugs hackers could exploit. They go into the software’s source code, make the necessary changes, and deliver a new version to you via download.
There will come a point when Microsoft ends support for your OS and these updates will end. In early 2020, Microsoft officially ended support for Windows 7, so users will no longer receive updates of any kind.
Furthermore, Microsoft won’t offer technical assistance or customer service if you have issues with your Windows 7 machine. Issues are more likely to arise since bugs aren’t actively addressed.
If you’re using Windows Vista or XP, upgrading to Windows 10 should be a priority.
Ignoring or postponing updates leaves your security behind. We recommend configuring applications to update automatically.
Training Your Employees
As sophisticated as cybersecurity technology is, the human factor prevents it from achieving 100% security. Your employees are one innocent click away from compromising your business’s data. It’s vital to actively train your users to spot suspicious content and report it to IT support professionals.
Employees should be trained on:
- Password Policy
- Phishing and Email Safety
- Social Engineering Tactics
- VPNs and Safe Web Browsing
- Secure File Sharing
Omnis Technologies is available for cybersecurity workshops. Our technicians can teach your employees best practices and provide examples of malicious content.
Backups for Cyberattacks and Disaster Recovery
Should all else fail and your business falls victim to a cyberattack, a data backup is the fastest way to get up and running again. Backups are crucial if you’re subject to a ransomware attack, your device suffers an irreparable failure, or your hardware is damaged in a disastrous fire or flood.
If a server becomes unrecoverable due to fire, theft, data corruption, natural disaster, or any other unforeseen event, it will cost you dearly to get back up and running. There will be the cost of trying to recover the data, the cost of getting another server up and running, and the cost associated with lost productivity.
A comprehensive backup strategy includes local storage hardware and off-site cloud storage. The scope of your solution depends on the size of your business.
Backups for Small Businesses (10 PCs or Less)
For small businesses, we recommend Google Drive or Microsoft OneDrive, at minimum. Both of these services save your files to an off-site network called ‘the cloud’ that you access over the internet.
Storing files in the cloud gives you the ability to access them on all your devices. Using the cloud, you can still access your documents from another PC if yours is out of order.
Google Drive and Microsoft OneDrive both integrate natively with File Explorer on your Windows PC. If you’re hesitant to learn a new interface, OneDrive will feel more familiar to Windows users.
If you’re concerned about security risks, Google and Microsoft use state-of-the-art encryption to protect your files from outside threats and have significantly stronger defense mechanisms in place than any small business’s data storage.
Backups for Medium-Sized Businesses (10-20+ PCs)
When your business grows to beyond 10 PCs, it’s a good idea to have an on-site backup device that can replicate your data in the cloud. We recommend CTERA Global File System. They offer Hybrid Local and Direct-to-Cloud backups.
Upgrading to a dedicated cloud vendor gives you more control and flexibility for your data. They allow employees to share files across a whole range of devices while ensuring that everything – data, metadata, encryption keys, user authentication – is driven through your own firewalls and VPNs and not a third-party provider’s.
In the event of a data loss at your office, devices like the CTERA allow us to quickly recover data on-site rather than having to wait for data to transfer from the cloud.
The cloud component is an excellent insurance policy for instances where your on-premises device has a failure, or your office encounters a complete loss.
Large Enterprise Businesses (100+ PCs)
Due to the sheer volume of files amassed in an enterprise-level business, a specialized type of hardware called Network-attached Storage (or NAS) is required. NASs are computers built specifically to store files and share them on your network. Basically, they’re large-scale flash drives you can access on multiple PCs, with permission and access restriction capabilities.
NASs can be used as a dedicated storage server or function as a backup solution for a file server. In a scenario where the NAS is the primary storage device for a business, we recommend having another backup device on-site to cover the NAS unit.
Even with a NAS or file server in place, we highly recommend an off-site component to augment the local device. In the event of a network attack, or complete loss of your office, having an off-site (commonly cloud) copy is extremely important.