Did you know that small businesses are targeted by cyber attackers at least as often as large ones, and by some measures more so?
It sounds counter-intuitive, since bigger businesses hold more valuable data and offer richer rewards. But the numbers bear it out: the share of targeted attacks aimed at SMBs has risen sharply over the last decade or so.
Security firms noticed it as far back as 2012, when 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees. Attacks on businesses with fewer than 250 employees rose from 18 percent of the total in 2011 to 31 percent in 2012, according to an industry threat report published at the time.
And if you think about it, that makes sense: if attackers can breach big companies that spend millions of dollars on cybersecurity every year, how much easier is it to go after smaller organisations with smaller budgets and far less sophisticated defences? Attackers also have no need to pick on one SMB at a time: phishing kits, commodity malware and scanners for exposed services are run against the whole internet, and the businesses that patch least and defend least are simply the ones that fall first.
The answer, of course, is a resounding “YES!”.
What this means is that small businesses owe it to themselves to do as much as they can to shore up their cyber defences. If they don’t, they run the risk of losing their hard-earned profits to data breaches, ransomware, lost productivity, and the loss of reputation and customer confidence that accompanies any sort of successful attack.
With all that in mind, here are some top tips on what SMBs can do to protect themselves. Some are easy to implement, others less so, and some are so simple that you’ll probably slap your head and go “Dur!”, but all are vital for the long-term survival of any SMB.
Keep your devices up to date
This is the one that could have you facepalming, but it's also all too often overlooked: keeping your devices updated significantly lowers the risk of malware infection, because most real-world intrusions exploit vulnerabilities for which a patch already exists.
That's because operating system and software vendors are constantly patching their products as they learn of new vulnerabilities, trying to stay a step ahead of the bad guys.
There is always a window between a flaw being discovered and a fix being available, and attackers sometimes exploit bugs before any patch exists, so being up to date is necessary rather than sufficient. But it's still far better than ignoring updates that close known holes and leaving your business wide open. In practice that means turning on automatic updates for operating systems, browsers and office software, and remembering the things that don't update themselves: firmware on routers and firewalls, network-attached storage, printers, and any server or appliance sitting in a cupboard.
Get a security suite
That segues nicely into this tip: don't rely on software patches alone. Install some form of endpoint security on every one of your business's endpoints: workstations, laptops and servers alike.
Security suite vendors work hard behind the scenes to identify malware and stop it before it does damage.
They do this with a mix of techniques: signatures for known malware, behavioural analysis that flags suspicious actions (a Word document spawning PowerShell, a process encrypting hundreds of files in a minute), cloud reputation lookups, and machine-learning models trained on very large collections of malicious and benign files. The agent that lives on your endpoints is how that knowledge is applied locally to block harmful actions before they take effect and, in the better products, to record what happened so an incident can be investigated afterwards.
There are plenty of vendors in the cybersecurity game. Rather than taking their marketing at face value, look at independent test results (AV-TEST and AV-Comparatives publish them regularly) and make sure the product is centrally managed, so you can see which machines are missing protection or have alerts nobody has looked at. Adding this layer to your endpoint security is all but essential in 2020.
Enforce a strong password policy
We all know how annoying passwords can be, but they remain a necessary evil in 2020 for accessing all manner of business resources.
Keeping those resources safe from unauthorised access means enforcing a password policy that will inconvenience your employees a little, but is essential nonetheless.
The traditional advice is to demand a mix of uppercase and lowercase letters, numbers and special characters, and to force regular changes. Current guidance (NIST Special Publication 800-63B, since 2017) has moved away from that: composition rules push people towards predictable patterns like Summer2020! and forced rotation just produces Summer2020!2. The recommendation is now length over complexity (NIST's floor is 8 characters; 12 is a sensible minimum for a business, with long passphrases allowed), screening every new password against lists of common and previously breached passwords, rejecting anything containing the company name, the user's own name or the service name, and changing passwords only when there is reason to believe they have been compromised.
And because human nature means staff will forget some (if not all) of their passwords at some stage, the sensible compromise is to approve a password manager, such as LastPass, so that every account gets a long, random, unique password that nobody has to remember.
The concern is that the password manager then becomes the most valuable target: whoever knows the master password, or steals the encrypted vault and guesses the master password offline, gets every password it holds. That is why the master password should be long and unique (a passphrase of several random words is a good choice), why the manager account itself must be protected by two-factor authentication, and why only a manager the IT department has vetted should be used.
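To make the policy above concrete, here is an added example (not code from the original article) of a password check written the way NIST SP 800-63B suggests: a length floor instead of composition rules, a blocklist of breached and common passwords, a check for account and company details, and a check for repeated or sequential runs. The blocklist excerpt, the account details and the 12-character minimum are constructed assumptions; a real deployment would load a full breach list.

```python
"""Password policy check in the NIST SP 800-63B style: length, blocklist,
context words and runs, rather than character-class rules.

Added example, not the article's own code. BREACHED, CONTEXT and the
MIN_LENGTH value are constructed assumptions for illustration.
"""
from __future__ import annotations

import re
import unicodedata

# Constructed excerpt of a breached/common-password blocklist.
BREACHED = {
    "password", "123456", "qwerty", "letmein", "welcome1",
    "summer2020", "summer2020!", "p@ssw0rd", "iloveyou",
}

MIN_LENGTH = 12    # assumed policy value; NIST's floor is 8
MAX_LENGTH = 128   # allow long passphrases rather than capping at 16

# Assumed company and service names the password must not contain.
CONTEXT = ["Acme Widgets", "Office 365"]


def normalise(pw: str) -> str:
    """Unicode-normalise and case-fold before comparing against lists."""
    return unicodedata.normalize("NFKC", pw).casefold()


def _strip_substitutions(pw: str) -> str:
    """Undo common leetspeak swaps so 'P@ssw0rd' is compared as 'password'."""
    table = str.maketrans("@0134$5!7", "aoleassit")
    return pw.translate(table)


def _blocklist_hit(pw: str) -> bool:
    """Check the password, its de-leeted form, and both with trailing
    digits/punctuation removed ('password123!' -> 'password')."""
    n = normalise(pw)
    variants = {n, _strip_substitutions(n)}
    variants |= {re.sub(r"[\d\W_]+$", "", v) for v in list(variants)}
    return any(v in BREACHED for v in variants if v)


def _context_hits(pw: str, words: list[str]) -> list[str]:
    """Return the username/company/service fragments found in the password."""
    n = normalise(pw)
    hits = []
    for word in words:
        for part in re.split(r"[^a-z0-9]+", normalise(word)):
            if len(part) >= 3 and part in n:
                hits.append(part)
    return hits


def _has_run(pw: str, length: int = 4) -> bool:
    """True if any window of `length` characters is all the same, or a
    straight ascending/descending sequence such as 'abcd' or '4321'."""
    s = normalise(pw)
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        deltas = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if deltas in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, username: str, context: list[str] = CONTEXT) -> list[str]:
    """Return a list of policy failures; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if _blocklist_hit(pw):
        problems.append("appears in the breached/common password list")
    hits = _context_hits(pw, [username, *context])
    if hits:
        problems.append("contains account or company detail: " + ", ".join(hits))
    if _has_run(pw):
        problems.append("contains a repeated or sequential run")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2020!", "P@ssw0rd1234", "acme-jsmith-2020",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, 'jsmith') or 'OK'}")
```

Note that the check never rewards symbols or capitals: a four-word passphrase passes while a short, "complex" password with a dictionary core fails, which is the behaviour the policy is meant to produce.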
Buy devices that support Windows Hello
Another way around the annoyance of remembering a zillion passwords is Windows Hello, a sign-in feature built into Windows 10 that lets staff unlock their devices with their face, a fingerprint or a device-specific PIN instead of a password.
Facial recognition in Windows Hello is designed to resist being fooled by a photo or video of the real user: it requires a webcam with an infrared sensor, which captures depth and structural detail a normal webcam cannot, and it performs liveness checks against that image. No biometric system is impossible to fool, but it is a far higher bar than a password that can be phished or reused.
Once it's set up, the PC unlocks as soon as the authorised user sits down in front of it: the camera recognises them in a fraction of a second and signs them in. The face data never leaves the machine; it is used only to unlock a cryptographic key stored on the device (in the TPM, where the hardware has one), and it is that key, not the biometric, that proves the user's identity to Windows.
And because that key-based sign-in can be used elsewhere, Windows Hello for Business can authenticate staff to business resources (Active Directory, Azure AD and the services behind them) and to Microsoft Store purchases, too, without a password ever crossing the network.
As a business owner, you just need to make sure the devices in your organisation are compatible. When buying new notebooks, ask the salesperson to confirm they have a Windows Hello-capable infrared camera or fingerprint reader and a TPM 2.0 chip, since the TPM is what lets the credential be protected in hardware.
Use two-factor authentication
Requiring users to prove their identity a second way when accessing business resources is another fantastic way to keep those resources safe, because a stolen or guessed password on its own is no longer enough.
This is where two-factor authentication (2FA, also called multi-factor authentication or MFA) comes in: after entering the correct password, the user must also supply something only they should have, most commonly a six-digit code generated by an authenticator app on their phone, a code sent by SMS or email, a push notification they approve, or a hardware security key they plug in or tap.
The idea is that only the right user has both the correct password and the second factor, which dramatically improves the odds that whoever is logging in is the authorised party. Not all second factors are equal, though: codes sent by SMS or email can be intercepted or redirected, and any code a user types in can be phished by a fake login page that relays it to the real site in real time. So prefer an authenticator app over SMS, and a hardware key (FIDO2/WebAuthn) for administrators and anyone with access to money or customer data. Start with email, remote access and the administrator accounts for whatever runs the business.
Do not share too much business information on social media
Did you know that information posted to social media can give away details about your company or employees that are useful for guessing passwords, answering account-recovery questions, or making a phishing email convincing?
It sounds odd, but it's true: birth dates, pet and children's names, favourite teams and more end up on social media, and people being people, these are exactly the things that find their way into passwords and "secret" questions. A post about who has just started in accounts, or which supplier you have signed with, is just as useful to someone crafting a fake invoice.
The best approach here is to be very strict over what information is and isn’t shared over the business’s social media accounts.
You have no control over employees' personal use of those platforms, so also explain to staff why you limit what's shared on the business's accounts, in the hope that it filters into how they use their own.
Make staff use a VPN to access work resources remotely
This last one is very important as well: neither public WiFi nor your employees' home networks can be trusted (both can have infected or hostile devices connected to them without your staff knowing), so the smartest way to grant remote access to your business resources is over connections secured by a VPN.
A VPN encrypts everything between the employee's device and your network and ensures only authenticated users and devices can reach internal resources, so it no longer matters whether the underlying connection is a coffee-shop hotspot or a home router. It does not sanitise the traffic, though: an infected laptop that connects over the VPN is an infected laptop on your network, so the VPN sits alongside, not instead of, the endpoint protection and patching above. Protect the VPN login itself with two-factor authentication, keep the VPN appliance or server patched (they are a favourite target precisely because they face the internet), and give remote users access only to what they need rather than to the whole network.
A good start
These tips are by no means the only ones businesses should investigate in order to better secure their IT resources, but they are a good place to start.
Should you want more information on any of these methodologies, or you’d like to talk to one of our experts to discuss planning a better cybersecurity strategy for your business, you’re welcome to get in touch.