Companies from all sectors of the economy should protect their business from cyber threats. Small and medium-sized businesses are often more vulnerable to cyberattacks. This is because it is easier for large companies to invest in information security, while small businesses may not be able to afford serious protection costs. In addition, many small business executives still believe that cybercriminals are not interested in their companies, so it is not worth spending money on security. However, this is not true. Information is the most valuable asset of modern business, regardless of its size, and protecting that information should be a priority for every organization.
According to the report, the number of data leaks increased by 424% last year, which was caused by hackers targeting small businesses. SMBs definitely should not hope that cybercriminals will ignore them. Cybercriminals know that small businesses are less well protected and therefore easier to attack. Attacking small businesses is not a trend of the future; it is a reality that we are already living in today.
There is also no hope that a cyber-incident will be cheaper than organizing protective measures. Moreover, money is not the only thing a company will lose in the event of a successful cyber-attack. The consequences include loss of productivity or even downtime during recovery, loss of customers, and the resulting loss of revenue. The damage will be significant. For some companies, it can even be fatal.
Meanwhile, it is not so difficult for a small business to provide protection against cyber threats. It is enough to follow simple guidelines.
Types of threats
In more than 90% of cases, the victims of hackers are companies attacked by chance, as a result of impersonal automated attacks known as opportunistic attacks. For example, an opportunistic attack on a website is an attempt to gain unauthorized access to a web resource in which the attacker does not aim to hack into a particular website, but attacks hundreds or thousands of resources selected by some criterion.
The attacker’s goal is to make as much money as possible; they do not even make an effort to hide their actions from security monitoring systems.
In a targeted attack (10% of cases), an attacker selects a specific target and a specific goal, for example, stealing or damaging valuable data. The process involves careful planning: the hackers know whom to attack and what protection is installed in a particular organization. Often such attacks are carried out through suppliers: the hackers first penetrate the supplier’s software and then infect the company’s systems. Such attacks are increasingly important now, as it is difficult to verify all downloaded software. And this is another key feature of B2B cyber protection: you need to protect not only your perimeter, but also everything that comes from outside.
How to protect companies from cyber threats
A basic level of protection in the form of antivirus on the end nodes is only suitable against the first type of attack. The quality of protection against such attacks can be easily examined with tests.
Targeted attacks, in which attackers try to bypass each layer of protection, require more serious security measures. The purpose of the defense solution is to make bypassing the protection resource-intensive, so that the price of the attack is higher than the potential benefit from it. For example, if the company has several layers of protection, a hacker needs to break through all of them. This is expensive, requires a lot of resources and may be unprofitable.
Best practices for cybersecurity defense
Conduct cybersecurity awareness training. The management of the company needs to keep in mind that the biggest danger is hidden inside the enterprise. Most cyber attacks are somehow related to the company’s employees. Cybercriminals often use an individual’s carelessness or ignorance to penetrate the system. Therefore, with proper training, your employees will be a powerful protection against cyber threats. One-time training is not enough, as attackers’ techniques change. For this reason, the first training should be conducted at hiring and then every twelve months. After the training, employees should be tested.
Establish a detailed security policy. Every employee should know how and whom to contact immediately if they suspect an emergency or a cyber-incident. The longer the response time to an incident, the more severe its consequences. If attention is drawn to what is happening at an early stage, the damage can be avoided altogether.
Build a secure infrastructure. The need for protection must be considered even in activities not related to information security, for example, when choosing office equipment. Today, when we are actively using the Internet of Things, this is especially important. When documents with sensitive data are shared and delivered to an organization’s information environment through multifunction printers (MFPs), the device can become a source of information leaks.
Tighten password policy. The need for complex passwords has long been talked about, but users still use weak ones. So let us repeat: the password must be unique, generated specifically for the service or device. Use robust software to manage your passwords. Require that employees never share their passwords or store them in easily accessible places.
Choose safe cloud technologies. Use cloud storage and applications from reliable providers, those that provide secure management of your data and protect it from unauthorized copying. Control access to your documents, use content encryption and set up automatic data archiving and deletion.
Use two-factor authentication to provide access to sensitive accounts or information. Attackers can craft messages on behalf of a company asking employees to share confidential data or make a financial transaction. Ask employees in such cases to call their colleagues to make sure that the request did not come from a fraudster.
Keep your software up to date. Many software updates not only extend functionality, but also address security vulnerabilities. Do not forget that updates are needed not only for computers, but also for other office equipment, such as scanners, printers and MFPs.
Do not use public Wi-Fi. If you cannot do without it, do not enter sensitive information, because everything you enter can be captured and read on the attacker’s laptop. Access to corporate resources from public networks must be arranged through a VPN to avoid interception of information.
Regularly test your employees’ compliance with security policies and their response to cyber threats. If there are no incidents for a long time, the vigilance of even the most attentive employees weakens. Therefore, you should test them occasionally. Effective tools include sending test phishing emails and making anonymous calls to corporate phones asking for personal or corporate information. Based on the results of the testing, you should do additional work with employees and update the information security policy and infrastructure.