By Richard Walters, SVP of Security Products at Intermedia
Today, most companies weather cyber-attacks on a frequent basis. According to Ponemon Institute’s Cost of Cyber Crime Study, in 2015 there was an average of 1.9 successful cyber-attacks on companies each week deriving from a variety of attack vectors, including malware, phishing, and stolen devices.
Cyber criminals are equal-opportunity offenders and will hit a company comprised of 50 people just as quickly as a multi-national corporation, typically using the same style of attack. The outcomes can be devastating resulting in crippling downtime, customer loss, compromised employee information, and IP theft among a number of other negative effects for small businesses in particular, which often lack the budget, personnel and resources to combat or recover as effectively as larger companies. Very few small businesses have dedicated security teams monitoring all inbound and outbound network traffic and rely solely on a few products to protect them. For this reason, they are easy targets for hackers looking for a quick payday, and it is only a matter of time before a hacker figures out where the vulnerabilities lie.
However, small businesses are by no means in a hopeless position. There are many steps they can take to increase their security posture and prevent the most common types of attacks, regardless of their size and limited budget. Below are three key strategies.
Email is the fastest way into an organization. Regardless of the security products in place to prevent spam or phishing emails, the users themselves are still the last line of defense — and therein lies the threat. Snapchat, for instance, publically apologized earlier this year when an employee fell for a phishing scam and disclosed payroll information to a hacker. Since then, companies of all sizes and industries, including Weight Watchers, Seagate Technology, PerkinElmer, and Sprouts Farmers Market, have become the latest victims of phishing attacks.
Stealing employee information isn’t the only way phishing and spam emails can wreak havoc. Once an email attachment is opened, malicious code can be deployed and do anything from stealing credentials to hiding within the network for months — or even years — doing reconnaissance or quietly infiltrating data. More recently, the volume of ransomware that encrypts files has increased exponentially.
For small businesses, awareness and technology can work in conjunction to stop this. Training employees of all levels on the red flags to watch for when reading emails can remove a huge layer of vulnerability within an organization. Hackers prey on employees by using social engineering, spoofed emails, and attachments. If employees know how to effectively evaluate emails for suspicious signs, phishers will find it more difficult to infiltrate a company.
However, no matter how well trained employees are, there are still those that will accidentally slip up. Implementing email security technology like click-time URL scanning can protect users that attempt to visit a webpage behind a malicious link.
Grant Access Without Compromising Security
For large companies with robust security and IT protocols, only a select few privileged users have administrative access to critical systems — and even then, most will be limited in what rights they have.
For small businesses, every employee may require access to critical web applications, and it doesn't make sense to have only a few dedicated gate keepers. Many operate under the false assumption that passwords to each individual application or system add a layer of security, but it is impossible for the average user to remember strong passwords for everything they use. Even tech-savvy users end up taking shortcuts: reusing passwords, creating weak passwords, storing passwords in a spread sheet or even writing them down backwards in a notebook that they carry with them. That’s where Single Sign-On (SSO) comes in.
An SSO solution can give employees a single portal with one-click access to all their web applications and services. Because they only have to remember one login, they can more easily comply with strong password policies. Passwords to the applications themselves can be frequently changed automatically and remain complex and secure. Administrators also hold the power to revoke access to a few or all web applications and services. For example, in the event that an employee leaves the company, his or her access to all web applications can be removed in one click.
Share, But Share Securely
Today, business doesn’t just happen in the office. Whether in sales meetings, working remotely or developing products from the other side of the world, it’s imperative that employees can collaborate in real time through file sharing. This collaboration doesn’t always happen on company-owned devices; oftentimes, employees need to access information on their personal phone or tablet.
Employees will always use tools like Dropbox because they’re convenient and easy. However, if they are not in a controlled environment, they are more likely to be compromised by attackers. Not only that, unprotected files can become the cyber weapons themselves. Malicious code can be added to a wide variety of file types which can then infect devices used by legitimate users accessing them.
Implementing a file sync-and-share solution alleviates this threat as it allows employees to sync files from work across multiple devices in a secure way. Additionally, it provides administrators with control over what is shared and with whom. This is a huge step in security for a small business because it gives administrators control over information sharing without prohibiting users from working in their desired way.
The reality of today’s threat landscape is that no business is safe from a cyber-attack. When hackers launch their assault on a small business, they are typically operating under a “spray and prey” mentality, launching simultaneous attacks on multiple companies they believe to be soft targets. They will go after the weakest link — employees — through phishing scams and insecure web applications or devices to catch a ride into a network. However, by taking simple steps like integrating SSO, sync-and-share, and email monitoring tools, IT teams can maintain control over their network and prevent cyber intrusions.
If the hacker isn’t able to gain access through the usual methods, it is rare that they would continue to attack through more advanced, time-consuming approaches. No small business can fully prevent a cyber-attack, but by taking control of common attack vectors, they can be almost as tough to crack as the big guys.
Richard Walters currently serves as Senior Vice President of Security Products at Intermedia.net, Inc. He has spent 20 plus years in IT, of which, over 15 years in C-level positions focused on information security. Richard has in-depth knowledge of operating system and database security, intrusion detection systems, identity and access management, and cloud and mobile security.
Dropbox is a trademark of Dropbox, Inc.