Today’s blog is an excerpt from the article Understanding Cybersecurity Risk — Small Business Edition by Andrew S. Baker, president and CEO of Brainwave Consulting Company, LLC. This article can be read in its unedited entirety on the WV SBDC website, which can be found here.
A Subset of Overall Business Risk
Every single business has some level of risk that its business owners need to understand and manage in order to be successful. There are risks related to financing, office space, staffing, supply chain, inventory, and physical security – just to name a few. Cybersecurity risk is a subset of overall business risk, and in 2021 (and 2022!), it can represent a significant percentage of all the risk that a business owner will have to understand and manage.
Owners and proprietors of small businesses today are often at a disadvantage when the topic of cybersecurity risk arises, for three very important reasons:
- They are often unaware of all the areas of risk involved.
- Risk management failures are often more devastating for a smaller business.
- The pandemic has added computing challenges that also add cybersecurity risk.
Who Has Cybersecurity Risk?
Many small business owners assume that they do not share the cybersecurity concerns of larger organizations, but the truth is that the internet levels the playing field in two key ways. First, it allows a business of any size to reach the same maximum pool of customers as any other business. Second, it exposes every business to the same attackers as every other business. The difference is that larger businesses usually purchase bigger and better tools, and have more staff to look at security issues, than smaller organizations do.
(Bigger tools and more staff don’t automatically make a business secure, but they can be helpful in identifying and reducing risk.)
Here are some of the most common areas of cybersecurity risk that small businesses face:
“Need to Know”
- Limit access to each person to what they actually need
The Tech Side of Security
- Inadequate or non-existent device inventory
- Non-existent backups
- Phishing and Malware (including Ransomware)
- Inadequate network security
- Inadequate device security
  - PCs and laptops
  - Tablets and phones
Convenience over security
- Connecting to any random wireless network to work
- Allowing everyone to have access to almost everything for flexibility
Need To Know
“Need to Know” is a key principle: people should only have access to the accounts and systems that they actually need in order to do their jobs effectively. For instance, if someone is responsible for managing Human Resources (HR) data, but not Payroll data, then they should not be given account credentials that would allow them to access Payroll data. Their credentials should only grant them access to the systems and applications they need to do their jobs (i.e. HR), and if their job changes, so should their access.
To minimize this risk, make sure that every employee uses separate, unique credentials. Also make sure that the credentials used to access different types of applications are different. If the same credential is used for Payroll, HR, Accounts Payable, and Sales, then a breach of one system or application will very likely result in the breach of all the others.
Network Security & Asset Security
Your network needs to be configured securely.
This includes your WiFi. If your WiFi is not secure, then other people nearby might be able to connect to your network and gain access to your critical data that way.
If your network gateway is not configured securely, then other people might be able to reach your network from across the internet (from anywhere in the world) and probe it for vulnerabilities. The entire public internet address space is scanned many times every day, as attackers search for software or configuration weaknesses that they can exploit to steal data and run malware.
Your assets need to have good security software installed.
In addition to the protection provided by your network security device, you need to ensure that every computing asset also has good security software installed on it, to protect against various forms of malware. Every layer of defense is important, especially when you have mobile assets which might not always be behind the protection of the network security gateway.
This is important enough to repeat: make sure that any asset that connects to your network or applications in any way is properly inventoried, kept up to date, and patched.
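An inventory you never compare against reality is not much of an inventory. The following is an added example (not code from the article or from Brainwave Consulting) that reconciles a small device inventory against the devices actually seen on the network, and flags four things a small business owner should act on: devices on the network that are not in the inventory, inventoried devices that have not been seen, devices that have gone too long without patching, and devices with no endpoint protection. The inventory CSV, the DHCP lease lines, the 30-day patch window and the CSV column names are all constructed assumptions for the illustration.

```python
"""Reconcile a device inventory against devices actually seen on the network.

Added example, not the article's own code. INVENTORY_CSV and DHCP_LEASES are
constructed sample data; the column layout, the dnsmasq-style lease format,
the 30-day patch window and the "endpoint_protection" flag are assumptions.
"""
import csv
import io
import re
from datetime import date, datetime

# Constructed inventory: one row per asset the business believes it owns.
INVENTORY_CSV = """\
mac,hostname,owner,last_patched,endpoint_protection
aa:bb:cc:00:00:01,front-desk-pc,reception,2022-03-01,yes
aa:bb:cc:00:00:02,owner-laptop,owner,2021-11-15,yes
aa:bb:cc:00:00:03,shop-tablet,floor,2022-03-10,no
aa:bb:cc:00:00:04,old-printer,office,2020-06-01,no
"""

# Constructed DHCP lease lines (dnsmasq-style: expiry mac ip hostname).
DHCP_LEASES = """\
1647000000 aa:bb:cc:00:00:01 192.168.1.20 front-desk-pc
1647000000 aa:bb:cc:00:00:02 192.168.1.21 owner-laptop
1647000000 aa:bb:cc:00:00:03 192.168.1.22 shop-tablet
1647000000 de:ad:be:ef:00:09 192.168.1.57 android-7f3a2c
"""

LEASE_RE = re.compile(r"^\d+\s+([0-9a-f:]{17})\s+(\S+)\s+(\S*)", re.IGNORECASE)
MAX_PATCH_AGE_DAYS = 30  # assumption: older than this counts as unpatched


def parse_inventory(text):
    """Map MAC address -> inventory row."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def parse_leases(text):
    """Map MAC address -> {ip, hostname} for every device holding a lease."""
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            seen[m.group(1).lower()] = {"ip": m.group(2), "hostname": m.group(3)}
    return seen


def reconcile(inventory, seen, today):
    """Compare what we think we own with what is actually on the network."""
    findings = {"unknown_devices": [], "not_seen": [], "unpatched": [], "no_protection": []}
    # Devices on the network that nobody wrote down: rogue, personal, or forgotten.
    for mac, lease in seen.items():
        if mac not in inventory:
            findings["unknown_devices"].append((mac, lease["ip"], lease["hostname"]))
    for mac, asset in inventory.items():
        # Inventoried but absent: possibly lost, stolen, or quietly retired.
        if mac not in seen:
            findings["not_seen"].append(asset["hostname"])
        patched = datetime.strptime(asset["last_patched"], "%Y-%m-%d").date()
        if (today - patched).days > MAX_PATCH_AGE_DAYS:
            findings["unpatched"].append(asset["hostname"])
        if asset["endpoint_protection"].strip().lower() != "yes":
            findings["no_protection"].append(asset["hostname"])
    return findings


def run(today=date(2022, 3, 15)):
    """Run the reconciliation over the constructed data for a fixed 'today'."""
    return reconcile(parse_inventory(INVENTORY_CSV), parse_leases(DHCP_LEASES), today)


if __name__ == "__main__":
    for category, items in run().items():
        print(f"{category}: {items}")
```

On the sample data this reports one unknown Android device, the printer that is inventoried but no longer on the network, two machines past the patch window (including the owner's laptop, which is exactly the kind of mobile asset that leaves the network's protection), and two devices with no endpoint protection. In practice the lease file would be read from the router or DHCP server and the report run on a schedule; the value is in the comparison, not the data source.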
Lastly, your staff need to be trained to recognize security threats.
Security Awareness training is vital for helping your employees understand how security attacks occur, and teaching them to adjust their behavior to minimize their risk of falling for an email phishing attack or a social engineering attack over the phone.
Good defenses on each asset can prevent a breach outright, or limit its scope to a single asset instead of all of them.
Be Careful with Convenience
We all want things to be more convenient for us, especially if we have to perform specific acts several-to-many times a day. But convenience can be a two-edged sword. What is easier for you, is also easier for an attacker.
- Using the same credential everywhere makes it easier for you to logon to multiple systems. But it makes attacks easier, also.
- Using the default passwords and configurations make it easier to get setup and running – both for you, and for your attacker.
- Connecting to any random WiFi network in an airport or coffee shop makes it easy for you to get your work done wherever you are. But all of these things make it easier for your attacker, too.
To reduce your cybersecurity risk, you are going to have to do things a little bit harder, in order to make it a whole lot harder for any attackers that come your way.
- Limit yourself to using only known, secure WiFi connections and hotspots.
- If you choose to use an unfamiliar WiFi connection, be sure to also use a Virtual Private Network (VPN) to protect your traffic. Note that a VPN protects what you send across the network, not the device itself, so the device still needs its own security software and patches.
- Use multifactor authentication (MFA), especially for sensitive systems and applications.
- Don’t give everyone in your organization access to everything just because it is easier in an emergency. Plan for a limited number of people to hold access to the specific systems they need to run your business.
- When people leave your business, disable their accounts and change any shared passwords, keys, or codes they had access to.
- Be careful where you download your software from, and what you install on your assets.
- Remember: if it is too easy for you to access, it is even easier for your attacker to do so.
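The “need to know” section above and the last few items in this list describe one access model: each person gets a credential only for the applications their job requires, access changes when the job changes, everything is revoked when they leave, and credentials are never shared across applications. The following is an added example (not the article's or Brainwave Consulting's code) that puts that model into a small access registry and then shows the difference in blast radius between one stolen per-application credential and one stolen shared credential. The applications, job roles and employee names are constructed; the role-to-application mapping is an assumed policy for the illustration.

```python
"""Need-to-know access registry: deny by default, one credential per application,
access that follows the job, and offboarding that revokes everything.

Added example, not the article's own code. ROLE_APPS and the employees in
demo() are constructed for the illustration.
"""

# Assumed policy: which applications each job role legitimately needs.
ROLE_APPS = {
    "hr": {"hr"},
    "payroll": {"payroll"},
    "bookkeeper": {"accounts_payable"},
    "sales": {"sales"},
}


class AccessRegistry:
    """Tracks which employee holds a credential for which application."""

    def __init__(self, per_app_credentials=True):
        self.per_app = per_app_credentials
        self.credentials = {}  # (employee, app) -> credential identifier

    def grant(self, employee, roles):
        """Issue credentials only for the apps the employee's roles require."""
        unknown = set(roles) - set(ROLE_APPS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        for role in roles:
            for app in ROLE_APPS[role]:
                # One credential per application, or one shared credential for everything.
                cred = f"{employee}@{app}" if self.per_app else f"{employee}@shared"
                self.credentials[(employee, app)] = cred

    def can_access(self, employee, app):
        """Deny by default: access exists only if a credential was explicitly issued."""
        return (employee, app) in self.credentials

    def revoke_all(self, employee):
        """Offboarding: remove every credential the employee held and report them."""
        removed = sorted(app for (who, app) in self.credentials if who == employee)
        for app in removed:
            del self.credentials[(employee, app)]
        return removed

    def change_roles(self, employee, new_roles):
        """Access follows the job: old access is revoked before the new is granted."""
        self.revoke_all(employee)
        self.grant(employee, new_roles)

    def blast_radius(self, leaked_credential):
        """Applications an attacker reaches with one stolen credential."""
        return sorted(app for (_, app), cred in self.credentials.items()
                      if cred == leaked_credential)


def demo():
    """Walk through the scenarios described in the text and return the outcomes."""
    per_app = AccessRegistry(per_app_credentials=True)
    out = {}

    # An HR clerk gets HR, and nothing else.
    per_app.grant("dana", ["hr"])
    out["hr_clerk_reaches_hr"] = per_app.can_access("dana", "hr")
    out["hr_clerk_reaches_payroll"] = per_app.can_access("dana", "payroll")

    # She moves to sales: HR access goes away, sales access appears.
    per_app.change_roles("dana", ["sales"])
    out["after_move_hr"] = per_app.can_access("dana", "hr")
    out["after_move_sales"] = per_app.can_access("dana", "sales")

    # The owner wears several hats; compare one credential per app with one shared credential.
    shared = AccessRegistry(per_app_credentials=False)
    for registry in (per_app, shared):
        registry.grant("owner", ["hr", "payroll", "bookkeeper"])
    out["leak_per_app"] = per_app.blast_radius("owner@hr")
    out["leak_shared"] = shared.blast_radius("owner@shared")

    # Offboarding: everything the owner held is listed and removed.
    out["offboarded"] = per_app.revoke_all("owner")
    out["after_offboarding"] = per_app.can_access("owner", "payroll")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `revoke_all` returning the list it removed is the offboarding item above: you can only “change everything they had access to” if the registry can tell you what that was. The two `blast_radius` results show why credential reuse matters: with per-application credentials a leaked HR password exposes HR, while the shared credential exposes HR, Payroll and Accounts Payable at once.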
Much of cybersecurity risk is technology-based: inventory, backups, patching, network device configuration, account credentials, multifactor authentication, and anti-malware software are all important parts of managing it.
But there is a people side to cybersecurity risk as well. It is important to address security awareness training, policies for what is acceptable to do on your network, and strategies for how your staff will access and manage applications and data. Most important is understanding the “need to know” standard for your organization.
Small business owners can begin to get a better handle on their cybersecurity risk by getting themselves acquainted with the items outlined above, and beginning to evaluate and implement the recommendations provided.