For most small to medium-sized businesses (SMBs), being successful, unsurprisingly, ranks as their number one goal. But success can be measured in a number of different ways. Unfortunately, most business owners would not say that implementing the appropriate level of cybersecurity controls to protect their technology is one of their key initiatives when it comes to achieving success. Understandably, business owners focus on improving the bottom line or achieving sales goals when they think of business success.
However, technology has become such an integral component of the success of SMBs that small business owners have to focus at least some of their attention on this often-neglected area if they want to ensure a successful enterprise. Simply put: ensuring your business is truly successful means ensuring that your data (and that of your customers) is protected and secure.
I. Dangers from Poor IT Security Protections Are Increasing
It seems like each year, the levels and risk of cyber crime continue to skyrocket above and beyond the levels of the previous year. This danger is a threat to governments, organizations, and businesses across all industries. However, for small businesses this threat is particularly daunting.
Inc. Magazine, citing research from the National Cybersecurity Alliance (NAC), estimates that more than 70% of cyber attacks target small businesses and that 60% — nearly two-thirds — of the SMBs that do fall prey end up closing their doors within six months of a cyber attack.
According to SonicWall’s Cyber Threat report, “cyber attacks are becoming the No. 1 risk to businesses, brands, operations and financials”.
Cyber attacks are an enormous threat to the bottom line of businesses and organizations worldwide. Research from IBM and the Ponemon Institute shows that last year the global average cost of a data breach totaled more than $3.6 million, with each lost or stolen record having an average price tag of $141.
While these breaches can result from a variety of attack methods, some of the most common include:
1. Phishing and Spear Phishing
Phishing and spear phishing are key areas of concern for businesses of any size, especially SMBs. According to Verizon’s Data Breach Investigations Report, “Phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common compromise vector (96%).”
One example of an increasingly common security danger to businesses is a phishing email attack known as “business email compromise” (BEC). This sophisticated scam typically targets businesses (or government organizations) that perform frequent wire transfers and work with foreign suppliers; the cybercriminal poses as one of the international companies they regularly work or partner with. According to the Federal Bureau of Investigation’s (FBI) Internet Crime Report, BEC accounted for more than $360 being reported as stolen in more than 12,000 complaints last year alone.
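The BEC pattern described above (a sender posing as a partner the business already pays) can be caught on the receiving side with a few mechanical checks on mail headers: a sender domain that visually imitates a known partner domain, a Reply-To that steers the conversation elsewhere, and a display name that claims a partner's identity from an unrelated address. The following is an added example written for this article, not code from the original post or from any vendor named on it; the partner domains, the sample messages and the list of confusable characters are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed register of the partner domains this hypothetical business pays invoices to.
TRUSTED_DOMAINS = {"acme-supply.com", "globalparts.co.uk"}


def normalize(domain: str) -> str:
    """Fold visually confusable sequences so 'acrne-supply.com' compares equal to 'acme-supply.com'."""
    d = domain.lower()
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits separating two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def check_message(raw: str) -> list:
    """Return human-readable findings for one raw message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    findings = []

    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain!r} resembles trusted partner {imitated!r}")

    # A Reply-To outside the sending domain silently redirects the whole conversation.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"Reply-To {reply_to!r} does not match sender domain {sender_domain!r}")

    # A display name that claims a partner's identity while the address is not the partner's.
    if sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            org_label = trusted.split(".")[0].replace("-", " ")  # 'acme-supply.com' -> 'acme supply'
            if org_label in display_name.lower():
                findings.append(f"display name {display_name!r} claims {trusted!r} but address is {sender!r}")
    return findings


# Constructed sample messages: one legitimate, two imitating the partner in different ways.
SAMPLE_MESSAGES = [
    "From: Acme Supply Accounts <ap@acme-supply.com>\nSubject: Invoice 1042\n\nPlease find attached.\n",
    "From: Acme Supply Accounts <ap@acrne-supply.com>\nReply-To: ap@mail-drop.example\n"
    "Subject: Updated bank details\n\nPlease wire to the new account.\n",
    "From: Acme Supply Accounts <acme.supply.billing@webmail.example>\nSubject: Overdue\n\nPay now.\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(raw.splitlines()[0], "->", check_message(raw) or "ok")
```

Checks like these are cheap to run in a mail filter, but they only flag messages for a human to look at; the actual control for wire fraud is an out-of-band callback to a known phone number before any change of payment details is honoured.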
2. Malware
Some of the most significant attacks were the result of malware (malicious software). As more varieties of this harmful software are created each year, that trend does not seem to be changing for the better anytime soon. And, unfortunately, they come at a high cost to SMBs.
According to Kaspersky, “a single crypto malware attack may cost up to $99,000 on average for small and medium businesses (SMBs) and more than half (67 percent) reported complete or partial loss of corporate data.”
3. Ignored or Unpatched Updates
A lot of people are guilty of this. They’re working on their computer and that pesky pop-up notification appears in the bottom or top right corner, telling them that their system or a particular software program is in need of an update. It’s common for people to simply hit the “Remind Me Later” button and continue whatever task is at hand.
In terms of the security of your computer and network, that’s a huge problem. If you were to build a fence around your home, would you intentionally leave random gaps along its borders? Of course not. However, that’s what many end users and owners of unmanaged networks are effectively doing with their small business IT security. By not implementing new patches and updates when they are released from major tech companies, they’re essentially leaving holes in their network defense for hackers to exploit.
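The “Remind Me Later” habit is easy to quantify once an inventory exists: compare what is installed against what has been released and measure how long each pending update has sat outside the patching window. The following is an added example, not code from the original article; the hosts, products, version numbers and the 14-day policy window are constructed assumptions, and the version comparison is deliberately numeric so that 2.10 is correctly treated as newer than 2.9.

```python
from datetime import date

# Policy assumption for this example: an update must be installed within 14 days of its release.
PATCH_WINDOW_DAYS = 14

# Constructed inventory snapshot (hypothetical hosts, products, versions and release dates).
INVENTORY = [
    {"host": "FRONTDESK-PC", "product": "Office Suite", "installed": "16.0.12",
     "available": "16.0.14", "released": "2023-03-01"},
    {"host": "FRONTDESK-PC", "product": "PDF Reader", "installed": "2.10",
     "available": "2.10", "released": "2023-02-15"},
    {"host": "OWNER-LAPTOP", "product": "Browser", "installed": "110.0.1",
     "available": "111.0.2", "released": "2023-03-25"},
    {"host": "FILESERVER", "product": "Backup Agent", "installed": "2.9",
     "available": "2.10", "released": "2023-01-20"},
]


def parse_version(version: str) -> tuple:
    """Turn '16.0.12' into (16, 0, 12) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed: str, available: str) -> bool:
    return parse_version(installed) < parse_version(available)


def overdue_updates(inventory: list, today: date) -> list:
    """List every pending update with how long it has been pending and how far past policy it is."""
    report = []
    for item in inventory:
        if not is_outdated(item["installed"], item["available"]):
            continue
        age = (today - date.fromisoformat(item["released"])).days
        report.append({
            "host": item["host"],
            "product": item["product"],
            "days_pending": age,
            "days_overdue": max(0, age - PATCH_WINDOW_DAYS),
        })
    # Worst offenders first, so the report reads as a to-do list.
    return sorted(report, key=lambda r: r["days_overdue"], reverse=True)


if __name__ == "__main__":
    for row in overdue_updates(INVENTORY, date.today()):
        print(f"{row['host']:14} {row['product']:14} pending {row['days_pending']:3}d, overdue {row['days_overdue']:3}d")
```

Run against a real inventory, the "days_overdue" column is the number that belongs in a monthly report to the business owner: zero across the board is the target, and anything else is the gap in the fence.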
4. Operational Technology and IoT Vulnerabilities
Some business leaders believe that Operational Technology (OT) and Internet of Things (IoT) devices are somehow safe from cyber attacks or somehow not related to their networks. However, this couldn’t be further from the truth. These technologies are becoming more and more common and this faulty mindset about their safety is nothing more than a false sense of security.
According to Cisco’s Security Capabilities Benchmark Study, 31% of security professionals have already seen Operational Technology (OT) cyber attacks taking place. Another 38% expect these attacks to soon extend into IoT, and 20% expect the same.
II. Implementing IT Security Solutions to Address These Concerns
Rather than focusing on one specific technology issue or IT concern, it’s important for any IT professional to look at the situation from a holistic approach. This means evaluating all technology inefficiencies and issues from a more strategic perspective because many of those granular issues tend to result from NOT looking at the broader issues.
1. Conduct a Technology Audit
Can you name all of the devices and other technologies that are connected to your network off the top of your head? This includes things like desktop computers, laptops, mobile devices and smartphones, printers, scanners, external storage units, wireless access points, smart TVs, Alexas — and the list goes on and on.
So, if you’re like most people, the answer is likely no. This is why having your IT staff know your complete inventory at any given time is critical to the success of your IT, and therefore to the success of your business. After all, if you don’t know what’s on your network, how can you possibly protect it? An audit can be performed by a member of your IT staff, or another option is to use the network management services of an experienced IT Service Provider.
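The audit question above has a concrete form: take what the network actually reports (a DHCP lease or ARP listing) and reconcile it against the register of devices the business believes it owns. Devices present but unregistered are the smart TVs and personal phones nobody wrote down; registered devices that never appear may be lost, stolen or simply off. The following is an added example written for this article, not the author's or any vendor's tooling; the asset register and the lease listing are constructed sample data in a generic "ip mac hostname" layout.

```python
import re

# Constructed asset register: what the business believes is on its network, keyed by MAC address.
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01": "FRONTDESK-PC (desktop)",
    "aa:bb:cc:00:00:02": "OWNER-LAPTOP (laptop)",
    "aa:bb:cc:00:00:03": "OFFICE-PRINTER (printer)",
    "aa:bb:cc:00:00:04": "FILESERVER (server)",
}

# Constructed snapshot in the style of a DHCP lease / ARP listing: ip, mac, optional hostname.
SAMPLE_LEASES = """\
192.168.1.10  aa:bb:cc:00:00:01  FRONTDESK-PC
192.168.1.20  aa:bb:cc:00:00:03  OFFICE-PRINTER
192.168.1.5   aa:bb:cc:00:00:04  FILESERVER
192.168.1.77  de:ad:be:ef:00:42  SmartTV-LivingRoom
192.168.1.78  DE:AD:BE:EF:00:99
# lines that do not look like leases are ignored
"""

LEASE_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*(?P<name>\S*)",
    re.IGNORECASE,
)


def parse_leases(text: str) -> dict:
    """Map each MAC address seen on the wire to its IP and reported hostname."""
    seen = {}
    for line in text.splitlines():
        match = LEASE_RE.match(line)
        if match:
            # MACs are normalised to lower case so register lookups are case-insensitive.
            seen[match["mac"].lower()] = {"ip": match["ip"], "name": match["name"] or "(no hostname)"}
    return seen


def reconcile(seen: dict, register: dict) -> tuple:
    """Split the picture into devices nobody registered and registered devices that did not show up."""
    unknown = {mac: info for mac, info in seen.items() if mac not in register}
    missing = {mac: label for mac, label in register.items() if mac not in seen}
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = reconcile(parse_leases(SAMPLE_LEASES), ASSET_REGISTER)
    for mac, info in unknown.items():
        print(f"UNREGISTERED {mac} {info['ip']:15} {info['name']}")
    for mac, label in missing.items():
        print(f"NOT SEEN     {mac} {label}")
```

Both halves of the output matter: the unregistered list drives the inventory update (or the removal of the device), and the not-seen list is a prompt to confirm that a laptop is still in the building rather than in a taxi.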
2. Implement a Layered Security Approach
While it’s true that there's no way to stop 100% of all attacks, a layered approach to IT security is the most effective way to protect your network and business from potential threats. Creating multiple layers of defense that automated cyber attacks must probe and break through gives your system time to respond to the threats and either stop them in their tracks or prevent them from causing further damage.
A layered security approach typically includes the use of all of the following:
- An effective firewall
- Quality antivirus and anti-malware software
- Network monitoring and managed services
- Automated alerts and responses
- Internet Threat Protection
- Software Encryption
- Dual-factor authentication
- Regular server, network, and device updates and patches; and
- Remediation recommendations and implementations.
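Of the layers listed above, dual-factor authentication is the one most often waved at without being understood, so here is what the second factor actually is under the hood: a one-time code derived from a shared secret and the current 30-second time window (the TOTP scheme of RFC 6238, built on the HOTP scheme of RFC 4226). The following is an added example written for this article, not code from the original post or from any product it names. It uses only the Python standard library and the RFC's own published test secret so the output can be checked against the RFC's tables; a real deployment generates a random secret per user and stores it server-side.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: the low nibble of the last byte picks a 4-byte window
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the number of `step`-second windows elapsed."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current window and `window` steps either side, tolerating clock drift.

    compare_digest keeps the comparison constant-time; the generator expression still evaluates
    every candidate so timing does not reveal which window matched.
    """
    counter = at_time // step
    candidates = [hotp(secret, counter + delta, len(code)) for delta in range(-window, window + 1)]
    return any(hmac.compare_digest(candidate, code) for candidate in candidates)


# Shared secret from RFC 6238's reference test vectors (the ASCII digits "12345678901234567890"),
# used here only so results can be checked against the published tables. Real secrets are random.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("code for the current 30 s window:", code)
    print("verifies right now:", verify_totp(RFC_TEST_SECRET, code, now))
    print("still verifies 30 s later:", verify_totp(RFC_TEST_SECRET, code, now + 30))
    print("rejected 60 s later:", verify_totp(RFC_TEST_SECRET, code, now + 60))
```

The drift window is the practical detail: without it, a phone whose clock is a few seconds behind the server fails every login; with a window of one step, a stolen code stays valid for at most about 90 seconds, which is why the server should also record and refuse any code it has already accepted.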
This holistic approach to your business’ defenses will help you position yourself as a trusted business owner who cares about the protection of your customers and their personally identifiable information (PII).
3. Make Employee Cybersecurity Awareness Training Mandatory
I can’t even begin to tell you the horror stories I’ve either heard from clients or have witnessed over the past 25 years regarding employee-related security issues. It’s truly terrifying how little the average end user actually knows about cybersecurity, yet they are often allowed to operate unchecked on company computers and networks. Without knowledge of cybersecurity best practices, they end up opening malicious emails, downloading infected software, and creating other data vulnerabilities in your network.
This underscores the necessity of effective cybersecurity awareness training for every small business (and businesses of ANY size, for that matter). An effective training program is one that informs end users of the dangers and helps them learn how to identify and respond to those threats quickly and efficiently.
But, what truly differentiates a mediocre program from a mature one? There is a model to help us define that. The Security Awareness Maturity Model, which was developed by a division of the SANS Institute, determines the “maturity” level of a business’s cybersecurity awareness training program by gauging whether it is:
- Promoting Awareness and Behavior Change
- Long-Term Sustainment and Culture Change
- Applying a Metrics Framework
Which leads me to one of my final questions: Do you know where YOUR small business stands in terms of protecting your invaluable data? If the answer is no, now is the perfect time to figure it out. Download our free Cybersecurity Report Card now to find out.
What are you doing to promote the success of your business through the use of technology? Share your thoughts and experiences in the comments section below or send me an email and we can chat about it more in-depth.