Small businesses underestimate the need for cyber-attack protection, believing the false idea that cyber criminals only target large enterprises. In fact, the opposite is true.
Attention Small Business - Plan to Be Attacked
It is not a matter of if you will be attacked, but when you will suffer a cyber attack, and whether you will be able to prevent it and/or recover from it.
Research from the University of Maryland highlights that hackers launch attacks approximately every 39 seconds. With the proliferation of recent global attacks, it's evident that attackers are now more persistent, skilled, and better equipped than ever before. Warnings issued around the close of 2017 pointed to an impending rise in cyber attacks, with damages amounting to $5 billion, a fifteen-fold increase compared to just two years prior. Projections also pointed toward cybercrime-related losses reaching $6 trillion annually by 2021, accompanied by an estimated $1 trillion surge in cybersecurity spending over the ensuing four years.
Cyber Attacks Target Small Businesses
Why are small businesses caught off guard? Because often they think, “We are a small business. Hackers only go after big businesses who can pay big dollars.” Not true!
The truth is that hackers don’t discriminate when it comes to their targets. They simply go after the easiest, most unsuspecting targets. Big businesses invest in expensive firewalls with professionally monitored intrusion protection systems. When they are attacked, they have both the IT expertise and the manpower on board to find, prevent and/or mitigate attacks.
Conversely, small businesses are often caught off guard. Recent statistics indicate that 61% of small and medium-sized businesses (SMBs) encountered cyber attacks within the past year. Alarmingly, 54% of these breaches involved compromising customer and employee data.
So what? Now what?
Cyber-attacks can compromise an organization, no matter the size, at any given time. Traditional lines of defense such as firewalls and endpoint anti-virus won’t cut it against intelligent malware attacks. Advanced security measures today must go beyond traditional defenses. Many small companies follow the same basic design for their security needs – a pair of firewalls, arranged to create a DMZ, set around the perimeter of the organization. While this configuration can withstand casual attacks, dedicated ransomware and phishing attempts could circumvent these types of security measures entirely for two specific reasons:
- People are involved. People can be tricked into giving up passwords or (accidentally) taking some action that harms the security of your data.
- Irregular hacking patterns often go unnoticed. Securing your data is a two-part process of software and human monitoring that can detect and remediate advanced attacks.
In this blog, we will lay out what a layered security approach looks like specifically for small business, and what steps to take to ensure your employees are part of the security solution and not part of a security hack. Read on, this is a blog small business cannot afford to miss.
Why Good People Get Tricked
Many security hacks and breaches are in fact non-technical. Phishing works by fooling a well-intentioned employee into clicking on a link, providing information, resetting a password or even sending money to a source that they 'think' they know. Such an employee can be tricked into handing over vital information without realizing that they are actually giving access to cybercriminals. Criminals use phishing tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack into a well-protected system.
If you are in business and use email to do your job, chances are you receive phishing requests like the one shown in the next example. We had an employee who received an email from (what looked like) the Microsoft 365 team, asking her to confirm her account.
Thanks to extensive employee security awareness training, the link was investigated further, and it turned out to redirect to a non-Microsoft site that would likely have added malware to the network or attempted to access sensitive network files.
Employee Awareness & Security Training
Getting employees on-board with security prevention is the first and best way to protect your data. Here are some basic steps we recommend you consider:
- Employee security awareness and training can help non-technical employees identify and flag unusual requests for password changes and link verification, so they get additional due diligence.
- Establish policies and procedures for password changes and data sharing (especially over the phone) to help your team spot the most common types of employee-targeted cyber attacks.
- Requests for "additional information" or verification links for things like invoices, client/employee information, passwords, accounts and/or money transfers should always follow a double-authentication process, so that these procedures are documented and verified.
Creating a culture of security awareness starts with training each and every employee to recognize the importance of security by being able to identify the signs of an impending threat.
Monitoring for Threats, Patterns & Irregularities
Once you’ve created a culture of security awareness, the next step is to take proactive and preventive measures to secure your network. And while firewalls, anti-virus, and anti-malware software are basics in security protection, they don’t have the ability to proactively monitor, detect and decide how to remediate or recover stolen data or infected systems.
Here’s why it matters: Modern malware can hide deep in your computer without raising red flags. It will just quietly go about its business. In fact, there are even “sneaky” viruses that will remove other viruses so you don't get suspicious! Just because a virus isn't disruptive doesn't mean it isn't dangerous. It could be snagging your passwords, sensitive files or other vital information. And while endpoint detection and malware protection are table stakes for any business wanting to protect its business and customer data, antivirus monitored by a Managed IT expert is the only way to stay ahead of attacks.
A Managed IT expert is able to monitor the network for irregularities that the non-expert would have no reason to suspect. Examples of this might include:
- Detecting geographical login changes and patterns that might mean your system is being probed or accessed by a remote attacker.
- Detecting multiple logins to an account within a short period of time from different IP addresses or locations (which are probably not being made by your staff).
- Checking event logs for warnings and errors to identify system failures that show your server is under attack or about to fail.
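As an added example (not code from the original post), the following Python sketch runs the first two checks above over a constructed login log: it flags an account that appears from a country it has not been seen in before, and an account that logs in from more than one IP address within a ten-minute window. The log format (timestamp, user, source IP, country, result), the GeoIP lookup already having happened, and the ten-minute window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data). Fields: ISO timestamp, user,
# source IP, country (assumed to come from a prior GeoIP lookup), result.
SAMPLE_LOG = """\
2024-03-04T08:01:10 alice 203.0.113.5 US success
2024-03-04T08:03:42 alice 203.0.113.5 US success
2024-03-04T08:05:07 alice 198.51.100.23 DE success
2024-03-04T08:06:30 bob 192.0.2.44 US success
2024-03-04T09:15:00 bob 192.0.2.44 US success
2024-03-04T11:20:15 alice 203.0.113.5 US success
"""

WINDOW = timedelta(minutes=10)  # assumed "short period of time"


def parse_log(text):
    """Turn the whitespace-separated log into (ts, user, ip, country, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, country, result))
    return events


def find_anomalies(events, window=WINDOW):
    """Return (user, rule, detail) alerts for the two login checks."""
    alerts = []
    recent_by_user = defaultdict(list)   # user -> [(ts, ip)] inside the window
    seen_countries = defaultdict(set)    # user -> countries seen so far
    for ts, user, ip, country, result in sorted(events):
        if result != "success":          # only successful logins matter here
            continue
        # Rule 1: geographical change, i.e. a country this account has never used
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append((user, "new-country", f"{country} at {ts.isoformat()}"))
        seen_countries[user].add(country)
        # Rule 2: more than one distinct IP for the account inside the window
        recent = [e for e in recent_by_user[user] if ts - e[0] <= window]
        recent.append((ts, ip))
        recent_by_user[user] = recent
        ips = {e[1] for e in recent}
        if len(ips) > 1:
            alerts.append((user, "multi-ip", ",".join(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log both rules fire for alice at 08:05, while bob's two logins from the same address an hour apart stay quiet.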
These reasons (and many more) call for a double layer of security expertise that a small business typically cannot employ in-house. IT experts know which alerts to pay close attention to and how to spot unusual patterns. Continuous, around-the-clock monitoring and “spot checking” by an outside expert provide the “eyes and ears” on the network that both prevent data breaches and ensure your system is working at peak performance.
Small businesses need the same amount of help and protection against security threats as a medium or larger sized organization.
Final Take Away
- No business is above attack. Small businesses are ideal targets for expert hackers who are looking to steal records and/or hold your data for ransom.
- Employees can be tricked. Being hacked or having your data held for ransom can cost you dearly. Creating a culture of security awareness is your first and most important defense against further attacks.
- Firewalls and anti-virus protection are only the beginning of the story. Your network data and operations should be proactively monitored and maintained by IT experts who can detect when you are being attacked and help you remediate and recover quickly. Managed IT is as simple as working with an outside IT expert.
Small Business Security Best Practice
The long and short of the story is this: you need technology to innovate and be productive. Small businesses need it even more, to “do more with less.” Technology has to be maintained for it to work the way you want it to work. Technology is constantly evolving, and keeping up with hardware changes, software updates, patches and security protection can be a full-time job. Getting a handle on soaring IT costs can impact how you leverage that technology to be productive, service your clients and compete with bigger businesses who can afford what a small business cannot. Managed IT is the means by which a small business pays a flat monthly price for all IT services, upgrades, security, monitoring, and equipment updates. What costs other businesses thousands to maintain is available to small business under a “managed IT” plan.
We’re not here to sell you anything. We are happy to talk you through your options.
Start a conversation on how we might be able to help you consolidate all IT costs, secure your data, train your team and monitor your network and data around the clock.