The Five Most Critical Cyber Security Best Practices
The statistics are alarming. According to the Better Business Bureau, almost half of all Canadian SMBs have been victimized by a cyberattack and 71% have experienced a data breach.
The increase in such attacks on SMBs is deliberate. Cyber criminals target small and medium-sized organizations for two reasons. Hackers know that these organizations’ IT systems are less likely to be adequately protected against the theft of what they want: personally identifiable information, passwords, credit card data, intellectual property, etc. They also know that gaining access through an SMB’s value chain is an effective way to reach prime targets (banks, government, larger corporations, etc.).
With fewer financial and human resources, SMBs are vulnerable. Some make the mistake of believing that an attack won’t happen at their company. Others decide to avoid the topic and face the consequences if something happens.
It’s not a case of if, it’s a case of when, and when it does happen, cyberattacks can cause devastating financial losses and liabilities. Only through greater awareness and cyber security best practices can SMBs take steps to mitigate most threats. Here are the five most critical.
1. Train and Educate Staff
Human error is the leading cause of data breaches, so companies, regardless of size, need to equip staff with the knowledge of what constitutes a potential threat, and how to protect the company.
Training and education in security (which starts at onboarding) should be in place to help staff apply best practices to real-world situations. Topics should include:
- How to recognize a potential attack – This reduces the chances of falling prey to attacks such as phishing, malware and ransomware.
- Controlling physical access to company and personal devices – Staff should learn how to secure their personal and company devices, such as workstations, phones, and laptops, when they aren’t in use.
In addition, there should be clearly stated rules on the appropriate use of the Internet, social media and email, with penalties in place for violating such rules. For example, no one should connect a personal device (even a storage device) to the business network. Training should be followed by regular security vulnerability assessments to keep everyone on their toes.
2. Enable Cyber Security Software and Keep it Updated
Infection by malware, which includes annoying (and scary) ransomware attacks, accounts for 53% of all cyberattacks on SMBs. Malware showing up on mobile phones has become a particular concern over the past year.
Existing anti-virus tools (such as ones that come with a company’s hardware) are not very effective against attacks because of the ubiquitous nature of most malware these days. Malware has an astonishing ability to change almost as quickly as new anti-virus tools are developed. Malware is also able to do its damage by lurking in the background, and by the time it is detected by an anti-virus program, it is too late to save a company’s data.
The trick is to prevent malware from entering a company’s IT system in the first place. Choose antivirus software and a strong firewall designed to stop more than 95 percent of malware. Make sure the program or device is constantly updating and scanning automatically for malware. This includes screening email attachments before they are opened, and checking websites before they load.
Updates are designed to block any new viruses or malware immediately. Never ignore an update! As soon as someone clicks “Remind me later”, company data becomes vulnerable. Policies can be put in place to ensure only up-to-date systems have access to the company network.
3. Password Management
Weak or stolen passwords are still one of the major causes of security breaches. Despite this, over 80% of Americans still admit to using what are considered weak passwords, and over half have reused the same password in more than one system!
Every password-protected account connected to a company is a doorway into the business. Implementing a strong password management policy with multi-factor authentication is one of the easiest (and least expensive) steps a business can take.
4. Website and Network Security
Websites play an increasingly critical role in the operation of a business and its customer relationships. Unfortunately, this means that web application vulnerabilities are a common point of intrusion for cyber criminals. Automated bots from hackers are constantly searching the Internet for websites with security weaknesses. When a site is hacked or infected, customer data and payment information could be at risk. A company website might be completely re-written, or just disappear (along with the data!).
Proactive maintenance is key. SMBs should ensure that the person responsible for website maintenance (in house or outsourced) runs routine maintenance and security checks. This includes measures to keep the site patched and updated, and making regular backups, so if there is an issue, the website can be restored quickly.
The same applies to network security. With the rise of the virtual office and co-working spaces, many SMBs depend on employees and associates that work offsite. Data and systems being accessed remotely are vulnerable to security threats and need to be proactively secured. Server logs, for instance, should be reviewed to monitor remote access for any unusual activity. The schedule depends on the business activity.
SMBs should restrict access to authorized users and require at least two-step authentication in order to enter the system. It’s also advised that a company limit remote access to the minimum functions required. For example, does the bookkeeper need access to the company’s customer data? Such practices may slow down access for a few seconds, but they are well worth it.
Geographic restrictions are another means to reduce the attack surface area for business networks. Often attackers are overseas, and if the business has no legitimate reason for staff to access the network remotely from specific countries, those countries can be blocked. Alternatively, if a business only operates in Canada, the firewall can be restricted to limit remote access accordingly, regardless of credentials.
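The log review described above, as an added example that is not part of the original article: it parses constructed OpenSSH-style login lines and flags successful remote logins that come from outside an approved network list, fall outside business hours, or follow repeated failures. The network list (a stand-in for a firewall's geographic allow-list), the business hours and the failure threshold are assumed values.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH sshd syslog format (not from a real system).
SAMPLE_LOG = """\
Mar  3 09:12:01 gw sshd[101]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Mar  3 02:40:11 gw sshd[102]: Failed password for bob from 203.0.113.7 port 40100 ssh2
Mar  3 02:40:14 gw sshd[102]: Failed password for bob from 203.0.113.7 port 40101 ssh2
Mar  3 02:40:19 gw sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 40102 ssh2
Mar  3 02:41:02 gw sshd[103]: Accepted password for bob from 203.0.113.7 port 40103 ssh2
Mar  3 23:05:44 gw sshd[104]: Accepted publickey for carol from 192.0.2.25 port 50111 ssh2
"""

# Assumed policy values: approved source networks, business hours, failure threshold.
APPROVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time
FAILURE_THRESHOLD = 3

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[0-9A-Fa-f:.]+)\s+port\s+\d+"
)

def review(log_text):
    """Return a sorted list of (user, ip, reason) findings for remote logins."""
    failures = Counter()   # failed attempts seen so far, per source address
    findings = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue       # not an sshd authentication line
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in APPROVED_NETS):
            findings.add((m["user"], m["ip"], "source outside approved networks"))
        if int(m["hour"]) not in BUSINESS_HOURS:
            findings.add((m["user"], m["ip"], "login outside business hours"))
        if failures[m["ip"]] >= FAILURE_THRESHOLD:
            findings.add((m["user"], m["ip"], "success after repeated failures"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A successful login that trips more than one check, such as the constructed `bob` session, is the kind of entry to escalate first.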
5. Leadership and Culture
Keeping a company safe from cyber threats, including what to do when a threat occurs, doesn’t just depend on security software or strong passwords. It’s a combination of people, processes and technology. All three make up what is considered a security culture. Leadership for such a culture comes from the top. There needs to be a stated commitment that cyber security is a growing priority for the business. It is part of day-to-day operations like finances and human resources. Everyone is responsible, not just the IT department.
SMBs with strong security cultures actively promote their cyber security rules, not just to staff, but to stakeholders and the company’s clients. This emphasizes the value of data assets, and the importance the organization places on protecting the personal information of its staff and clients from cyberattacks.
Secure Your Business
The risk of data breaches and loss is a huge burden for SMBs. Outsource IT can help alleviate this burden. We offer around-the-clock network monitoring and proactive protection to identify and block potential threats. We use IT security best practices to ensure your organization’s devices, network, and data stay safe and secure.
Contact an Outsource IT account manager to learn about our IT Security Best Practices, or to arrange a security audit to identify any vulnerabilities and areas at risk in your organization’s network environment.