Working within a tight budget is part of what makes it hard for small business owners to stay cyber-safe. Budget constraints mean they are frequently forced to make decisions in areas where they lack expertise, and being the best plumber, consultant, or dentist in the world does not imply the skills needed to navigate shark-infested cyber waters. This handbook offers tips and tactics for protecting small businesses from the ever-growing list of cyber dangers: suggestions for estimating risk, understanding threats, closing vulnerabilities, and putting mitigation measures in place, followed by a list of useful resources.
Cybersecurity Guide for Small Business
Attractive Targets
Small business owners have a metaphorical target on their backs; that, at least, is how cyber-threat actors may see it. Cyber attacks are an increasing threat to small businesses, which are an important element of the US economy. Small businesses hold valuable information and frequently lack the security infrastructure of larger corporations, which makes them tempting targets. Attacking a small business may yield a smaller payoff than attacking a larger corporation, but bad actors often regard small firms as “easy pickings” because of their weaker security procedures. A small firm is also often a useful component of the attack path into a bigger enterprise. Large corporations of all kinds use small business vendors, and the Small Business Administration (SBA) encourages them to do so. Attacking a large company through its small business partners has proven to be a successful technique for cybercriminals.
How to Evaluate Cyber Risk
A small business owner must have a comprehensive view of their cyber risk before making any informed decision about improving their cybersecurity posture. Understanding this risk will help you adopt security policies, make process adjustments, and justify security expenditures. Any security decision made without a thorough awareness of risk is a stab in the dark. While risk can be defined in a variety of ways, every definition requires an understanding of threats, vulnerabilities, and criticality or impact. The basic formula is Risk = Threat x Vulnerability x Impact; each of the three factors is discussed in more depth below. By working out the product, risk, the small business owner can make informed judgements rather than emotional or fear-based ones. Although risk is written as a mathematical formula, it is a mental construct rather than a number. Consider a small business owner who wants to assess the risk of attackers planting ransomware (a likely threat) on a system containing critical data. If the network is highly vulnerable (for example, because it lacks a firewall and antivirus software) and the system is vital (its loss would severely impair the company’s ability to operate), the risk is high. If instead the business has effective perimeter defences, its vulnerability is low and, even though the system remains vital, the risk is medium. Security vendors saturate the market with often contradictory claims about how to stay safe online or secure critical data. To be fair, the credible vendors’ claims are not necessarily wrong, but their solutions are not necessarily appropriate for small enterprises.
Cyber Threats to Small Businesses
Social engineering and malware are the two most common types of threat to small enterprises. While social engineering attacks are frequently carried out without the use of malware, malware attacks nearly always contain a social engineering component; by the figure cited in this guide, social engineering features in about 97 percent of cyber threats. Social engineering is the use of deception to influence individuals into divulging sensitive information, clicking a link and downloading a file, or visiting a malicious web page. It is most often conducted through email phishing, but it can also be conducted by phone or text message. The most common goal of a social engineering campaign is to obtain the login credentials for a victim’s account, although it may instead entice the victim to click a link or visit a website from which the attacker can install ransomware or other malware. Mitigation measures are discussed later in this guide, but it is worth noting now that the most effective cybersecurity mitigations a small business can implement concern the knowledge and behaviour of the owner and their staff.
Malware Threats
Malware (malicious software) is a catch-all term for software intentionally designed to harm a computer, server, client, or network. Viruses and ransomware are examples of malware, and the goal of a social engineering attack is often to persuade someone at a small firm to unwittingly download it. Viruses are malicious programmes designed to propagate from one computer to another (and to other connected devices), typically by attaching themselves to legitimate files or programmes, and they commonly give attackers access to the victim’s system. Because of their tendency to spread from machine to machine, they are a favourite of criminal actors who target a small business in order to reach a larger one. Ransomware is a type of malware that locks a victim out of their computer or encrypts their data until a ransom is paid. It is frequently delivered through a malicious link in a phishing email and takes advantage of software flaws that have not been patched. Even after the ransom is paid, the data or system is frequently not released. Small firms are often heavily dependent on a small amount of essential data, and losing it can cripple the business; attackers exploit this dependence by using ransomware to extort money.
Email Threats
Phishing is a type of social engineering attack that uses email or a malicious website to infect a machine with malware or to collect sensitive information. Phishing emails appear to come from a reputable company or a well-known individual, and they typically entice the user to click a link or open an attachment containing malicious code; once that code runs, the computer may be infected. Many small businesses benefit from the cost savings offered by cloud-based email systems, which are suitable for businesses that do not require a full-featured mail service. According to the FBI, cybercriminals are targeting firms that use popular cloud-based email services to carry out Business Email Compromise (BEC) schemes. The frauds are carried out using specially crafted phishing kits that imitate cloud-based email services in order to compromise business email accounts and then request or redirect wire transfers. The Internet Crime Complaint Center (IC3) received complaints totalling more than $2.1 billion in actual losses from BEC schemes involving two prominent cloud-based email providers between January 2014 and October 2019. Most cloud-based email systems include security features that help prevent BEC, but many of them must be configured and enabled manually; users who take advantage of the full range of available protections are better defended against BEC.
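The tells described above (a sender who only looks like a known contact, a Reply-To that quietly redirects replies, a lookalike domain, a failed SPF or DKIM check, and an urgent request to move money) can be checked mechanically before a bookkeeper acts on a message. The script below is an added example, not code from the guide or from any vendor; the trusted domains, the three sample messages and the indicator names are constructed for illustration, and a real deployment would feed it messages from the mailbox rather than string constants.

```python
"""Score a raw email for phishing/BEC indicators (added example, not from the guide)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed: domains this business actually exchanges mail with.
TRUSTED_DOMAINS = {"example-plumbing.com", "bank-example.com"}

MONEY = r"(wire|transfer|invoice|payment|gift cards?)"
RUSH = r"(urgent|today|immediately|asap|right away)"
URGENT_PAYMENT = re.compile(rf"\b{MONEY}\b.*\b{RUSH}\b|\b{RUSH}\b.*\b{MONEY}\b",
                            re.IGNORECASE | re.DOTALL)
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w.-]+)")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.
    Catches glyph swaps (rn->m, 1->l, 0->o) and one inserted, dropped or changed character."""
    def fold(d: str) -> str:
        return d.replace("rn", "m").replace("1", "l").replace("0", "o")
    for t in trusted:
        if domain == t:
            return None  # genuinely the trusted domain
        if fold(domain) == fold(t) or edit_distance(domain, t) == 1:
            return t
    return None


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def bec_indicators(raw_message: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return the indicators found; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    found: List[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # 1. Display name carries an address whose domain differs from the real sender.
    m = ADDR_IN_NAME.search(from_name)
    if m and m.group(1).lower() != from_domain:
        found.append("display-name-spoof")
    # 2. Sender domain imitates one the business trusts.
    if lookalike(from_domain, trusted):
        found.append("lookalike-domain")
    # 3. Replies are redirected to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to-mismatch")
    # 4. The receiving server recorded an SPF or DKIM failure (only if the header exists).
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        found.append("auth-failure")
    # 5. Body pairs a money movement with urgency, the classic BEC lure.
    if URGENT_PAYMENT.search(body_text(msg)):
        found.append("urgent-payment-request")
    return found


# Constructed sample messages (not real mail).
PHISH = """From: "Dana Lee (CEO)" <dana.lee@exarnple-plumbing.com>
Reply-To: dana.lee.ceo@mail-example.net
To: bookkeeper@example-plumbing.com
Subject: Quick favour
Authentication-Results: mx.example-plumbing.com; spf=fail smtp.mailfrom=exarnple-plumbing.com

Hi, I am in a meeting and cannot talk. Please process the attached invoice
by wire transfer today, it is urgent.
"""
SPOOF = """From: "dana.lee@example-plumbing.com" <randomuser123@freemail-example.org>
To: bookkeeper@example-plumbing.com
Subject: Payment

Please send the payment immediately, I will explain later.
"""
LEGIT = """From: Dana Lee <dana.lee@example-plumbing.com>
To: bookkeeper@example-plumbing.com
Subject: Invoice for June
Authentication-Results: mx.example-plumbing.com; spf=pass smtp.mailfrom=example-plumbing.com; dkim=pass

Attached is the June invoice for the records. No action needed this week.
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("spoof", SPOOF), ("legit", LEGIT)]:
        print(label, bec_indicators(raw) or "clean")
```

None of these indicators proves fraud on its own (a genuine contact can use a personal Reply-To), which is why the function returns the list rather than a verdict; the practical rule is that any payment-related request carrying two or more of them is confirmed by phone on a known number before money moves.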
Video-Teleconferencing Threats
As the COVID-19 situation has pushed many individuals onto video-teleconferencing (VTC) platforms to stay connected, reports of VTC hijacking (also known as “Zoom-bombing”) are surfacing around the country. The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. While the pandemic has compelled many organisations and individuals to adopt video-teleconferencing as their principal communication medium, small firms have long used the same capabilities to support virtual offices and remote workers. The FBI’s guidance for avoiding hijacking is simple: do not make meetings public or post the link on social media, require a password or use a waiting room to admit participants, and restrict screen sharing to the host.
Common Cyber Vulnerabilities
A vulnerability is a flaw in a computer system or device that an attacker can exploit to gain unauthorised access or perform unauthorised actions. Attackers use vulnerabilities to execute code, read memory, install malware, and exfiltrate, destroy, or alter sensitive data. The categories below are interconnected, and most cyberattacks exploit two or more of them.
Behavioral vulnerabilities
As previously indicated, social engineering is used in 97 percent of cyber threats. While not all human-caused vulnerabilities are due to social engineering, this statistic emphasises that human behaviour is the most important component in cybersecurity. The following are examples of behavioural vulnerabilities (weaknesses):
- Using passwords incorrectly
- Clicking harmful links in phishing emails
- Browsing to potentially dangerous websites
- Downloading malicious files
- Failing to take the necessary precautions to protect sensitive data
- Failing to keep systems up to date and patched
Although industry experts have written extensively about end-user susceptibility to social engineering, it remains a serious challenge for businesses. According to the 2019 Verizon DBIR, end-user error is the top threat action in breaches, and many firms find that targeted social engineering, most commonly phishing, is the initial point of attack.
Sensitive Data Vulnerabilities
Security experts advise that PII and other valuable data be kept in encrypted form. While this precaution is beneficial, it does not guarantee that data is always protected, and there are further safeguards to consider. Data must be protected in transit as well as at rest. When encrypted data is transmitted, the recipient must be able to decrypt it, and that requirement brings its own dangers (a key that travels with the data protects nothing). People who fail to take the necessary steps to protect sensitive data add to the exposure; whether they save data in plain text or store it in an inappropriate place, humans are often the weakest link in data security. A ransomware attack can compromise even encrypted data, because ransomware can block access to crucial information at the file level or across the entire system on which the data is stored, regardless of whether the files were already encrypted by their owner.
Endpoint vulnerabilities
An endpoint is any device connected to the business network: a laptop, a desktop, a smartphone, or a tablet. Each one is a potential entry point for malware. A small business’s exposure to endpoint vulnerabilities depends on the number of applications installed on each device and on whether each application meets the business’s security requirements. A small organisation can have thousands of endpoint vulnerabilities arising from vulnerable applications and from missing or outdated operating system and application patches. Many security experts believe that signature-based antivirus is no longer adequate on its own, because sophisticated attackers can readily evade signatures; the best signal that an attacker has breached the defences is unusual activity at the endpoint.
Credential Management Vulnerabilities
Inadequate credential management is one of the most common causes of system or account compromise. One of the most exploited weaknesses in small businesses is users reusing the same password across accounts, including reusing personal-account passwords on business systems. Attackers value this because it enables credential stuffing: malicious actors use automated tools to attempt logins across a wide range of popular sites using username and password pairs stolen in earlier breaches. Because credential management flaws are behavioural, they can be fixed without deploying expensive security products, but avoiding them requires self-discipline on the part of small business owners and staff.
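Credential stuffing has a recognisable shape in an authentication log: one source tries many different usernames, usually once each, in a short burst, which is quite unlike a legitimate user mistyping their own password a few times. The detector below is an added example, not code from the guide or from any product; the log format, the IP addresses, the sample entries and the thresholds (five distinct usernames from one IP within sixty seconds) are constructed for illustration, and it also lists the accounts that were successfully logged into from a flagged source, which are the ones to reset first.

```python
"""Detect credential stuffing in authentication logs (added example, not from the guide)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Assumed log format: "<ISO-8601 UTC timestamp> ip=<addr> user=<name> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log in time order: one user retrying their own password,
# one source cycling through six different accounts, and two colleagues behind one NAT.
LOG = """\
2024-05-01T10:00:01Z ip=198.51.100.20 user=alice result=fail
2024-05-01T10:00:05Z ip=198.51.100.20 user=alice result=fail
2024-05-01T10:00:09Z ip=198.51.100.20 user=alice result=ok
2024-05-01T10:01:00Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:01:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:01:04Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:01:06Z ip=203.0.113.7 user=dave result=ok
2024-05-01T10:01:08Z ip=203.0.113.7 user=erin result=fail
2024-05-01T10:01:10Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:02:30Z ip=192.0.2.9 user=gina result=ok
2024-05-01T10:02:40Z ip=192.0.2.9 user=hank result=ok
""".strip().splitlines()


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["ip"], m["user"], m["result"]


def detect_credential_stuffing(lines: Iterable[str], window_seconds: int = 60,
                               distinct_user_threshold: int = 5) -> Dict[str, Tuple[str, List[str]]]:
    """Return {ip: (alert time, usernames seen in the window at that moment)}.

    Keeps a sliding window of (timestamp, user) per source IP; an IP is flagged the
    first time the number of distinct usernames inside its window reaches the threshold.
    Lines are assumed to arrive in time order. Outcome is ignored on purpose: stuffing
    produces mostly failures, but the occasional success is exactly the event that matters.
    """
    windows: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Tuple[str, List[str]]] = {}
    for ts, ip, user, _result in map(parse_line, lines):
        dq = windows[ip]
        dq.append((ts, user))
        while (ts - dq[0][0]).total_seconds() > window_seconds:
            dq.popleft()
        users = {u for _, u in dq}
        if len(users) >= distinct_user_threshold and ip not in alerts:
            alerts[ip] = (ts.isoformat(), sorted(users))
    return alerts


def compromised_accounts(lines: Iterable[str], alerts: Dict[str, Tuple[str, List[str]]]) -> Set[str]:
    """Accounts that authenticated successfully from a flagged IP: reset these first."""
    return {user for _ts, ip, user, result in map(parse_line, lines)
            if ip in alerts and result == "ok"}


if __name__ == "__main__":
    found = detect_credential_stuffing(LOG)
    for ip, (when, users) in found.items():
        print(f"{ip} flagged at {when}: tried {', '.join(users)}")
    print("reset first:", sorted(compromised_accounts(LOG, found)))
```

The threshold is deliberately a count of distinct usernames rather than of failures: a single account hammered with many passwords is brute force, not stuffing, and is better caught by per-account lockout. On a small network behind one NAT address, raise the threshold or whitelist the office IP so that colleagues logging in together are not flagged, as the two-user case in the sample shows.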
Cybersecurity Mitigation Strategies
In the basic risk equation, Risk = Threat x Vulnerability x Impact, risk can only be decreased by lowering the threat or vulnerability factors. The impact factor rarely changes, because it is the negative outcome of a successful attack. Mitigation strategies are the methods, rules, and tools a small business owner can implement to reduce the threat and close vulnerabilities. Risk is rarely reduced to zero, although it is possible when a vulnerability is completely eliminated.
Mitigating Behavioural Vulnerabilities
In a nutshell, training is the most effective way to counter behavioural weaknesses. This is true for organisations of all sizes, but the importance of cyber training for small business owners and staff cannot be overstated: for small firms without the resources to invest in advanced security systems, training delivers the best return. More businesses should run simulated phishing, pretexting, and other social engineering exercises on a regular basis. Many training programmes are available to reinforce security awareness principles; where possible, the training should be contextual and relevant to an employee’s job. Tracking each user’s success or failure rate in these tests, including “live fire” tests with phishing emails and other methods, is critical, and users who do not improve need remediation actions appropriate to the organisation.
Mitigating Injection Attacks
Monitoring computer systems for unusual input behaviour has proven to be a successful mitigation approach. Next-generation antivirus products look for activity that is inconsistent with human input and for behaviour patterns that have been linked to bad actors. These technologies offer a more in-depth look at malicious conduct, as well as more customisable prevention and detection options, and small firms should consider investing in security products that incorporate some behavioural inspection. Purely signature-based antivirus is increasingly obsolete as attackers find new ways to circumvent it. Some of the more advanced solutions also include real-time response capabilities.
Mitigating Attacks Against Sensitive Data
Encryption is inexpensive, and small firms should use it to protect their data in line with best practice. A common and practical approach is to use a VPN to encrypt data as it is transferred. Data at rest should remain encrypted even if access controls such as usernames and passwords fail; if a social engineering attempt to obtain login credentials succeeds, the data is still protected provided the key is not also exposed. Encryption should be applied at several levels: to the database itself and to the physical storage on which the database lives. Encryption keys should be rotated on a regular basis and stored separately from the data they protect. A security policy should include periodic audits of sensitive data. Encrypted flash drives are an approach many small organisations find sufficient for protecting data in transit; when encrypted data is needed at a remote location, physically transporting it on an encrypted drive may be the best option in some cases. To protect data from ransomware, small organisations benefit from a multi-pronged backup and recovery plan covering system snapshots and replication, database backups, and end-user storage (often cloud-based).
Mitigating Endpoint Vulnerabilities
The most effective and least expensive endpoint protection approach is to create and enforce policies that require all programmes and operating systems on any endpoint connected to the business network to be updated and patched. However, as the saying goes, it’s easier said than done. Small business owners and workers frequently use the same smartphone for personal and business purposes. It might be difficult to enforce security measures that affect or restrict the use of mixed-use devices. It’s critical to establish explicit endpoint security requirements from the start to minimise future misunderstandings and policy non-compliance. Vendors of antivirus and endpoint security software are constantly updating their products. Small business owners should make every attempt to keep up with the most up-to-date technologies that are within their budget.
Mitigating Credential Management Vulnerabilities
Implementing sound password management helps most firms. It can be achieved through longer passwords, more complex passwords, or a combination of the two; in practice, longer passwords, even when not changed frequently, are safer than shorter passwords that are changed frequently. In a team environment, password management solutions let small business owners manage the access credentials of individual employees. Users should use multi-factor authentication whenever they access sensitive data or systems, and multi-factor authentication software can help enforce this. While researchers frequently discover other serious cybersecurity flaws in the wild, the issues discussed here are among those most regularly encountered by small enterprises around the world. To decrease risk most effectively, look for ways to eliminate threats and weaknesses altogether rather than merely reduce them.
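Two of the points above can be turned into a concrete acceptance check: judge a password by the size of the guess space its length and character mix imply (which is why a long passphrase beats a short complex string), and refuse any password already exposed in a breach, since those are precisely what credential stuffing replays. The checker below is an added example, not code from the guide or from any password manager. The breach lookup follows the k-anonymity pattern (hash the password with SHA-1, look up only the first five hex characters, compare suffixes locally), but the “corpus” here is a small constructed map built from sample passwords; a real deployment would fetch the range for that prefix from a breach-notification service. The 14-character minimum is an assumed policy value.

```python
"""Password acceptance check favouring length and rejecting breached passwords
(added example, not from the guide)."""
import hashlib
import math
from typing import Dict, Iterable, List, Set

MIN_LENGTH = 14  # assumed policy: long, not rotated on a schedule, never breached


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(breached_passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Constructed stand-in for a breach corpus: 5-char hash prefix -> set of suffixes."""
    ranges: Dict[str, Set[str]] = {}
    for pw in breached_passwords:
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], set()).add(h[5:])
    return ranges


# Constructed: a few passwords that appear in essentially every breach list.
BREACHED_RANGES = build_ranges(["password", "P@ssw0rd1!", "Summer2024!", "letmein"])


def is_breached(password: str, ranges: Dict[str, Set[str]] = BREACHED_RANGES) -> bool:
    """k-anonymity lookup: only the 5-character prefix would ever leave the machine."""
    h = sha1_hex(password)
    return h[5:] in ranges.get(h[:5], set())


def guess_space_bits(password: str) -> float:
    """log2 of the guess space implied by length and the character classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if " " in password:
        size += 1
    if any(not c.isalnum() and c != " " for c in password):
        size += 32  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def evaluate_password(password: str) -> dict:
    """Accept only passwords that meet the length floor and are not known-breached."""
    reasons: List[str] = []
    breached = is_breached(password)
    if breached:
        reasons.append("appears in a known breach")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return {"bits": round(guess_space_bits(password), 1), "breached": breached,
            "accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "tr0ub4dor&3", "copper kettle whistles at dawn"]:
        print(f"{pw!r}: {evaluate_password(pw)}")
```

The guess-space figure is an upper bound (it assumes the attacker knows nothing about the password's structure), so it is useful for comparing candidates, not as a guarantee; the breach check is the stronger signal, because a breached password is defeated by a lookup rather than a search, however long it is.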
Cybersecurity Resources for Small Business
CyberSecure My Business™, a national initiative run by the National Cyber Security Alliance (NCSA), teaches small and medium-sized businesses (SMBs) how to be safer and more secure online: https://www.staysafeonline.org/business-cybersecurity/ The Federal Communications Commission provides a cybersecurity planning tool to help firms develop a strategy tailored to their specific needs. The Department of Homeland Security (DHS) Cyber Resilience Review (CRR) is a non-technical assessment that evaluates operational resilience and cybersecurity practices; a self-assessment is available, or you can request an on-site evaluation by DHS cybersecurity experts. Small businesses can also obtain a free cyber hygiene vulnerability scan from DHS, which helps protect internet-facing systems against known vulnerabilities and poor configuration.