Avatar

With their traditionally less-sophisticated security infrastructures and limited personnel training, small and midsize businesses are more frequently becoming the focus for attacks.1 According to the Cisco 2018 Security Capabilities Benchmark Study, 54 percent of all cyberattacks result in financial damages of more than U.S. $500,000 including, but not limited to, lost revenue, customers, and opportunities, and significant out-of-pocket costs. That’s half a million dollars few businesses, small or otherwise, can afford to swallow.

Yet, even without dedicated cybersecurity teams, there are dozens of strategies and best practices small businesses can adopt to protect their data. A confident cybersecurity strategy takes these individual resources and creates an ongoing process committed to securing the business today and in the future. Ultimately, the best data protection strategies are a coordinated effort between the organization’s technology, people, and processes. We’ve gathered five of the most accessible, tech-agnostic solutions for any small businesses hoping to improve their cybersecurity strategy.

Protect your People

Few employees aim to create a cybersecurity risk, yet workers often serve as the easiest point-of-entry for cybercriminals. Unknowing employees can regularly put their own data and that of the entire organization at risk. As one cybersecurity expert recently wrote, “Cyberattack methods are evolving rapidly, but human beings really aren’t evolving that much. This is why nearly all new cyberattacks are basing their execution on exploiting human nature.”2

Nearly all new cyberattacks are basing their execution on exploiting human nature.

In the world of the cybercriminal, targeting people can be faster, easier, and more profitable than targeting the system itself. The primary method to compromise a system via human interaction is still malware delivered in malicious emails, but things like malvertising and credential compromises may also lead to a successful cyberattack or data breach. Using repetitive passwords on multiple public sites, personal (free) email solutions, and social media are all contributors to the safety of our people.

Knowledge is power and education is key. Security awareness training is a great place to start. It should be a common, repetitive program that not only focuses on what has happened but also what may happen. A good example of what’s to come is deep-fake audio attacks. How would your employees respond to a phone call from a key government leader or even your CEO asking for password data or other information?

1. Articulate the risk

Employees must understand the impact cyber threats can have on their organizations, and how their actions directly shape the stability of the company’s security efforts. Protecting business data relies on building an organizational culture of security, and that starts by ensuring employees are practicing basic cybersecurity hygiene and maintaining their own awareness in the face of potential threats.

2. Help them manage passwords safely

Even in the Digital Age, password protection is still an ongoing necessity for any organization. Password management tools provide an easy way for employees to randomly generate and store a variety of complex passwords. These services remove the challenge of remembering, logging, or worse, repeating, passwords and often scale across devices—even mobile phones. This helps prevent your employees from using the same password on multiple sites—where if one is compromised, the rest will follow.

3. Be mindful of mobile

Mobile phones are an easily overlooked access point for a growing number of cyber threats, and employees ought to be mindful of how these devices can impact company data. Keep phones locked when not in use, avoid public charging stations and unsecured networks, use device encryption, and enable multi-factor authentication to improve device security.

Improve Your Processes

Data security is the responsibility of the entire organization. The right tools and a vigilant team are a critical foundation for ensuring data protection, but even the most security-aware organizations can open themselves up to vulnerabilities if their operational processes fail to support their teams.

4. Have a response plan and perform regular “check-ins”

Only 38 percent of organizations have an active cyber-risk strategy in place.3 Having a strategy in place before a breach occurs equips organizations to take an active response to a cyber threat. Train end-users on how to react and communicate in the event of an attack, and build response and crisis communication plans to enable faster recovery and mitigate potential damage. Data security is not a one and done procedure; it’s an ongoing ecosystem that must adapt to the world around it. Regular security check-ins, internally and with managed service providers, help identify gaps in an organization, ensure new threats are accounted for, and keep tools and tactics up to date.

5. Consolidate tools and vendors

Adopting a more complex product and vendor environment creates more alerts, more invoices, and more to monitor. This swell of resources results in 46 percent of alerts going uninvestigated.4 Consolidate these assets from as few vendors as possible for a more efficient and manageable security system. Integrations that include common UI, common logging formats, and API-driven interaction with operational tools make the most sense. The goal of consolidation is to end up seeing everything that matters from all of your security controls in less time, with higher accuracy and with actual evidence to confirm what is being seen. Actionable threat intelligence drives this, and when integrations are done correctly, you should have 360-degree visibility of your business in a single window. This simplified operation allows you, or your managed service partner, to detect, investigate and take immediate action against threats large and small.

While security may be urgent, it’s not a race. Adapting to new mindsets takes considerable time and effort from owners and employees alike.

Data protection works best when multiple elements across a business’s technology, people, and processes unite to support a more secure organization. While security may be urgent, it’s not a race. Adapting to new mindsets takes considerable time and effort from owners and employees alike. But don’t let that be a discouragement because incremental change is still progress. The goal ought not to be locking down the ideal cybersecurity environment on day one, but rather in implementing solutions one step at a time. Identify what seems most accessible and build from there.

Want to learn more about how small and midsized businesses can protect their data? Read Small and Mighty: How Small and Midmarket Businesses Can Fortify Their Defenses Against Today’s Threats or visit our Small Business Security Resources page.

_______________

1 Cyberthreats and Solutions for Small and Midsize Businesses, Vistage Research Center, 2018. Developed in collaboration with Cisco and The National Center for the Middle Market. Available at: https://www.vistage.com/research-center/business-operations/risk-management/20180503-22912/.

2 Mike Elgan, “Why Humans Are a Growing Target for Cyberattacks — And What to Do About It,” https://securityintelligence.com/articles/why-humans-are-a-growing-target-for-cyberattacks-and-what-to-do-about-it/, (October 2, 2019).

3 Cyberthreats and Solutions for Small and Midsize Businesses, Vistage Research Center, 2018. Developed in collaboration with Cisco and The National Center for the Middle Market. Available at: https://www. vistage.com/research-center/business-operations/risk-management/20180503-22912/.

4 Cisco 2018 Security Capabilities Benchmark Study, https://www.cisco.com/c/en/us/products/security/security-reports.html.



Authors

Mike Storm

Distinguished Engineer

Security Business Group