Here’s what we’re going to cover:
- Advanced persistent threats
- IoT security
- Penetration testing
- Wi-Fi security
- Password security
- Employee training
- Data backups
- The need for data backup
- The pros and cons of onsite backup
- The pros and cons of offsite backup
- Why compliance shouldn’t drive cybersecurity
- Auditing for compliance vs cybersecurity
- In-house vs outsourced compliance and cybersecurity
How to protect your business against common cyberattacks
Imagine that the technology you depend on to run your business every day was suddenly unavailable. What would you do?
A number of different cyberattacks could put you in that position. The way to protect your business is to stay current on the latest types of attacks, and then find out how to protect yourself.
SMEs aren’t immune to cyberattacks
SMEs sometimes believe that cyberattacks are only targeted at large corporations.
However, according to Verizon’s 2018 Data Breach Investigations Report, small businesses were the target of attacks 58 percent of the time. It’s critical that all businesses address the common cyber threats discussed below.
Advanced persistent threats (APTs)
An APT attack begins with a breach of your network. The attackers then aim to maintain access over an extended period. They are also very good at hiding the breach, allowing it to go undetected. For as long as it is active, the attackers can reach the sensitive information on your systems.
Once a hacker has gained knowledge about your business operations, they’re ready to harm your business by doing things like spoofing emails.
How to protect yourself from APTs
You need to use sophisticated cybersecurity solutions to protect the health of your network.
These types of systems can identify weak spots in your security and provide protection at the end-user and network level. In addition, if you use cloud services, make sure that your cloud provider knows how to keep your IT systems safe and secure.
Ransomware
During a ransomware attack, hackers manage to load a ransomware file onto your servers. When a user opens the file, the malicious code automatically encrypts and locks key files on your system. The code also displays a message to anyone who attempts to open one of the locked files. The message explains that the systems have been “kidnapped,” and demands a payment. If the business makes the payment, the hacker provides the decryption key.
These types of attacks have been growing rapidly. Research has shown a 2,502 percent growth in ransomware attacks in 2017. Part of this growth is because “ransomware kits” are being sold on the dark web. In the past, hackers needed advanced technical skills to carry out any type of cyberattack. Now, the tools sold on the dark web allow anyone, regardless of their technical knowledge, to join the ranks of the hackers.
How to protect yourself from ransomware
Ransomware often gets onto your systems as an email attachment. When the person receiving the email opens the file, the attack is on. One way to combat this problem is to educate your employees about the threat and the potential consequences of a cyberattack.
Train your employees to spot suspicious emails.
For example, assume an employee receives an email from a customer with a message similar to, “Here’s that file you need.” If the employee hasn’t spoken to that customer recently and isn’t aware of any file they should be sending, it should raise a red flag. The employee should do some investigation to determine the validity of the email before opening any files.
From a technical perspective, you can use a multi-layered email-filtering monitor to help catch suspicious emails before they ever reach an inbox.
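As an added example (not part of the original article), here is a small multi-layered filter in Python of the kind described above: each layer adds a reason to hold the message, and the “here’s that file you need” wording is one of them. The sender allowlist, risky extension list, lure phrases and the sample message are constructed assumptions.

```python
# Added example, not from the original article: a small multi-layered filter that
# holds a message before delivery. Allowlist, extensions, phrases, sample: constructed.
import email
from email import policy

KNOWN_SENDER_DOMAINS = {"example-customer.com", "ourcompany.example"}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".zip")
LURE_PHRASES = ("here's that file", "here is the file", "please open", "invoice attached")

def sender_domain(msg):
    addr = msg.get("From", "")
    return addr.split("@")[-1].strip("> ").lower() if "@" in addr else ""

def check_message(raw):
    """Run each layer and return the reasons to hold the message (empty = deliver)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    # Layer 1: sender outside the domains the business already corresponds with.
    domain = sender_domain(msg)
    if domain not in KNOWN_SENDER_DOMAINS:
        reasons.append("unknown sender domain: " + domain)
    # Layer 2: attachment types that can run code or conceal it (archives, disk images).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append("risky attachment: " + name)
    # Layer 3: the vague "here's that file you need" wording the article warns about.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(phrase in text for phrase in LURE_PHRASES):
        reasons.append("lure phrasing in body")
    return reasons

# Constructed sample: an unexpected "file you need" with an executable attached.
SAMPLE = (
    "From: Pat <pat@unknown-vendor.example>\r\n"
    "To: staff@ourcompany.example\r\n"
    "Subject: Here's that file you need\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\n"
    "Hi, here's that file you need. Please open it today.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="report.exe"\r\n'
    'Content-Disposition: attachment; filename="report.exe"\r\n\r\nMZ\r\n--b1--\r\n'
)

if __name__ == "__main__":
    for reason in check_message(SAMPLE):
        print("HOLD:", reason)
```

Each layer is deliberately simple; the point is that a message which passes one layer (a plausible sender, say) is still caught by another.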
IoT security
Smart, connected devices (the Internet of Things, or IoT) have given businesses capabilities they never had before. For example, organizations in the healthcare industry often use medical devices that can communicate over the network. In other businesses, network endpoints may include conferencing systems, printers, and more.
Unfortunately, those devices also give hackers another way to attack your company.
How to protect yourself from IoT attacks
Awareness is the key here. You can’t think of medical devices or conferencing systems as just tools. You need to think of them as access points into your systems.
Document your IT infrastructure. Include IoT devices in your documentation and in your cybersecurity strategy.
Get started today
If you don’t think you’ve covered all the bases to protect yourself against cyberattacks, you need to improve your cybersecurity now. Too many people have thought it would never happen to them – right up until the attack happens.
The non-negotiable ingredients for basic network security protection
SMBs are putting a high priority on network security and for good reason. Studies show that 58 percent of cyberattacks are against small businesses. If you don’t have the basic ingredients in place to protect your network, you may be the next target of a cybercriminal.
Install firewalls
Firewalls are among the most basic network security tools.
At a minimum, set up an external firewall to separate your systems from the hackers. You can also consider installing internal firewalls for even better protection. If your employees connect to your network from their home computers, establish policies requiring that they run a firewall on those computers.
For better compliance, consider providing the firewall software and support to help employees set up their home systems properly.
Install antivirus software
Many of the cyberattacks that are plaguing SMBs come from employees providing inadvertent access when using the internet and email.
Installing antivirus software for small businesses will help to identify malware before it can infect your entire network. Software packages for small business offer a central dashboard where you can protect from two to 100 endpoints all in one place.
Perform penetration testing regularly
Some people call penetration testing “ethical hacking.” That nickname came about because penetration testing is a process of trying to break into your network to find weaknesses. Once a weakness is found, you can decide how to eliminate it.
Testing uses tools that probe for the various ways in which a hacker could penetrate your network.
Unfortunately, the majority of the free hacking or testing tools you may find on the internet are contaminated with malware. Anyone using those tools will end up with bigger problems. Always ensure that people doing the testing use tools that you know are untainted.
Secure Wi-Fi networks
Wi-Fi networks can be beneficial, but they’re also an excellent entry point for cyberattacks. Your Wi-Fi should be encrypted and hidden, meaning that the software doesn’t broadcast the network name.
In addition, protect access to your router’s administration interface with a complex password. It’s also a good idea to change that password regularly.
Enforce employee password policies
Human error leads to many unplanned problems related to security. Enforce a password policy requiring that employees use strong passwords and change them every three months.
Multi-factor authentication is another way to make access more difficult. With that type of authentication, the employee must provide additional proof of identity before accessing the system, such as answers to security questions.
Educate your employees
Successful network security consists of technology, and the people using the technology, working in concert. Your employees probably don’t know how to spot a suspicious email. They may ignore a warning from their browser telling them that a website they want to visit isn’t secure.
You need to provide the leadership that will set the stage for your employees to become vigilant about security. You also need to provide the training on the specific things they can do to help keep your network safe from cyberattacks.
Back up your data
The best network security strategy can’t guarantee that you will never experience a security breach. One way to make sure you can recover from an attack is to back up all of your critical systems.
Many small businesses are backing up in the cloud, which provides a high level of security against cyberattacks. It’s also your lifeline if you ever experience a natural disaster or other event that destroys your onsite systems.
Don’t let lack of time or expertise leave your network unprotected
One thing SMBs share is a need to keep their workforce lean. If you don’t have the expertise among your employees to ensure that your network is secure, obtain the help you need.
You may think that your staff needs to stay focused on core systems. The problem with that thinking is that without adequate network security, you won’t have any core systems to worry about.
If you’re not comfortable with the status of your network, arrange to get an assessment of your systems to give yourself peace of mind.
Pros and cons of onsite vs offsite backup and disaster recovery
You probably have a backup and disaster recovery plan. But, imagine you were in the middle of a large 150-person project, and as you were looking for a file, you began to see all the project files being deleted one at a time.
What would you do?
It happened to Oren Jacob, former Chief Technical Officer of Pixar, when he watched the files for the movie Toy Story 2 disappearing for seemingly no reason. Here’s what he did. First, he called the IT department and told them to unplug the server. No shutdown protocol, just pull the plug out of the wall.
He discovered that a DOS command entered into the wrong place had deleted a large portion of the files for the movie. However, his troubles weren’t over. He then discovered that his data backup plan wasn’t as effective as he thought.
No one had tested the backups. The staff did restore them, but the backup files were corrupted.
An employee who had recently gone on maternity leave saved the day. She had copied the entire project to her home computer to work on while she was away, and Pixar was able to recover her copies.
There’s no doubt that similar situations arise on a regular basis—Pixar’s is just the famous one that got media coverage. It did give many companies the incentive to review their own backup and disaster recovery plans.
Today, the decision isn’t whether or not to back up. The decision is whether onsite or offsite is the best approach. There are pros and cons to each alternative.
The pros and cons of onsite backup and disaster recovery
Onsite backup consists of doing regular backups to a storage device in your company’s offices. Employees use a secure network to back up files to storage such as hard disks and servers.
Pros:
- You maintain physical control over your backup
- Critical data is stored in-house where no third party has access
- No internet connection is required
- You may be able to back up and restore files more quickly due to a direct connection
Cons:
- Cost—you must make an investment in hardware and infrastructure
- You need a physical space designed to host the hardware
- You need technical employees to maintain the system
- You have no protection after a disaster that makes your office and everything in it inaccessible or unusable
- You can’t increase or decrease your capacity quickly and cost-effectively
- You work to minimize IT downtime, but there are no guarantees
The pros and cons of offsite backup and disaster recovery
Offsite backup consists of doing regular backups to a storage device that isn’t located in your office. In today’s environment, most companies are backing up to cloud storage.
Pros:
- Cost—there is no need to acquire hardware or assign dedicated support
- You can access your data from any device that uses the internet, such as laptops, smartphones, tablets or desktops
- You only pay for what you need, and you can add or remove capacity on demand
- You are protected if an onsite disaster destroys your local storage
- You have the advantage of guaranteed uptime
Cons:
- If you have a large amount of data, uploading or downloading it could be slower than with a local backup device, because the speed depends on your internet connection
- You don’t have as much control, since your data is stored elsewhere
- Security concerns some people, but it is less of an issue than it was: cloud service providers have upgraded their network security to the point where some cloud storage is even more secure than local storage
Making the choice
Your backup and disaster recovery plan will depend on your specific requirements. Some companies choose a hybrid solution, with some onsite and some offsite backups depending on the content.
The important point is to make sure you have a backup and disaster recovery plan that you can prove will protect you in any situation—from disasters to cyberattacks.
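One way to “prove” a backup before you need it, and to avoid the untested, corrupted backups of the Pixar story above, is to keep a hash manifest and restore-verify the archive against it. This Python example is added here and is not from the original article; the directory layout, file contents and the junk “bad backup” it uses are constructed.

```python
# Added example, not from the original article: back up a directory with a SHA-256
# manifest, then prove the backup restores before relying on it. The directory
# layout, file contents and the junk "bad backup" below are constructed.
import hashlib, os, tarfile, tempfile, zlib

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def create_backup(src_dir, archive_path):
    """Archive src_dir; return {relative path: sha256} to store apart from the archive."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    manifest[rel] = sha256_bytes(fh.read())
                tar.add(full, arcname=rel)
    return manifest

def verify_backup(archive_path, manifest):
    """Read each manifest entry back from the archive and compare hashes; [] means restorable."""
    problems = []
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            names = set(tar.getnames())
            for rel, digest in manifest.items():
                if rel not in names:
                    problems.append("missing: " + rel)
                elif sha256_bytes(tar.extractfile(rel).read()) != digest:
                    problems.append("corrupted: " + rel)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append("archive unreadable: " + str(exc))
    return problems

def demo():
    """Verify a fresh backup, then again after the archive is silently overwritten."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "project")
        os.makedirs(os.path.join(src, "scenes"))
        for rel, data in (("scenes/01.txt", b"scene one"), ("notes.txt", b"todo")):
            with open(os.path.join(src, rel), "wb") as fh:
                fh.write(data)
        archive = os.path.join(work, "project.tar.gz")
        manifest = create_backup(src, archive)
        good = verify_backup(archive, manifest)
        with open(archive, "wb") as fh:
            fh.write(b"not really an archive")  # the untested, bad backup of the story
        return good, verify_backup(archive, manifest)
```

Calling `demo()` returns an empty problem list for the fresh backup and an “archive unreadable” problem for the overwritten one; run the verification on a schedule, not only when the original is already gone.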
How to achieve regulatory compliance and cybersecurity at the same time
Virtually every company needs to meet some type of regulatory compliance requirements. At the same time, those companies need to implement viable cybersecurity programs to protect themselves from the possibility of debilitating cyberattacks. It can be a difficult juggling act, and often requires a strategic shift within your organization.
Consider these questions to determine if your company is both compliant and secure.
Are we relying on regulatory compliance to drive cybersecurity?
Many regulations, such as HIPAA, include cybersecurity requirements. With the sheer volume of regulatory requirements, it can be easy to focus on meeting compliance regulations, putting cybersecurity on the back burner.
There are a number of problems with this approach.
Laws can’t keep up with the changes in technology.
It can take two years or more for regulators to identify weaknesses in their guidelines, update and distribute changes to the guidelines, and set a reasonable timeframe for compliance. During that time, companies that are using compliance to drive cybersecurity are vulnerable to cyberattacks.
Compliance is easier than cybersecurity.
Compliance is difficult. However, it does have its charms.
- You may think that if you pass a compliance review, you have cybersecurity covered
- It’s easy to measure your level of compliance with a straightforward checklist
- Companies don’t always manage compliance efforts well, but if they pass their compliance audits, they declare success
As a result, achieving compliance can give you a false sense of security. Passing a compliance audit indicates that you have implemented generic and possibly outdated standards for security in a very narrow part of your business.
Achieving complete protection against cyberattacks is more difficult because the requirements change rapidly and there’s no simple checklist to tell you when you’re safe.
Are we auditing for cybersecurity?
In order to ensure that your systems are as secure as possible, you need to implement the cybersecurity requirements from regulators, and then do tests to identify the additional layers of security you need for total protection from cyberattacks.
Security evaluations like penetration testing and user awareness testing should be followed with a root cause analysis to identify weaknesses and updates that will address them. Securing your networks against all types of cyberattacks is critical.
Have we established an ongoing employee-training program?
You train your employees on what they need to do for regulatory compliance. Do you also train them about cybersecurity? In one study, respondents attributed 54 percent of cyberattacks to employee error.
Often, these actions aren’t intended to open the door to a cyberattack. The person involved just had no idea what the outcome of their actions would be. It’s important to make security part of your culture. In addition, teach employees how to do things like identify and handle a questionable email. Educate them on the importance of strong passwords, protecting sensitive data, and more.
Do we have the talent internally to do both regulatory compliance and cybersecurity?
The staff that has been responsible for regulatory compliance may not have the skill set to address the more advanced cybersecurity issues. And recruiting employees with that skill set is getting more difficult.
Every year, U.S. businesses can’t fill 40,000 cybersecurity jobs. That’s a frightening statistic considering the rise in cyberattacks. If you don’t have the expertise you need in-house, you may want to work with a managed IT services company that does cybersecurity every day for a variety of clients.
The Next Step
If you think you’re falling behind on maintaining regulatory compliance and cybersecurity at the same time, an assessment of your systems would be your best next step.