Small and medium business have as much if not more risk than large enterprises in today's threat landscape. Last year, more than 60% of cyberattacks targeted small and medium business - if you don't invest in the right level of defense, your business could be at risk and the cost of recovery may be much higher than you expect. You might have a plan for what to do in the event of a flood or a hurricane. Do you have a plan for what to do if you can't access your data? What happens if all of your email is gone? Your contact information and customer data deleted?
It's not uncommon for the small or medium business owner to skip spending on Information Security measures due to the perceived high cost and low risk, but when something bad happens it becomes clear that earlier investment, or at least some professional assistance, could have prevented disastrous business expense later on. Many businesses simply believe that they don't need it, or it loses priority in the list of 'to-do' items that never get done.
The unfortunate reality is that smaller businesses are seen as an easy target often making them a higher risk for CyberAttack. To stay protected small businesses, just like large enterprises, need to consider developing effective Cybersecurity to protect their most valuable asset - their data. This can be overwhelming for many small/medium business owners with concerns about limited budget, IT expertise and how to select a partner or solution that will balance cost with value....the good news is that there are a multitude of affordable solutions that will significantly lower the risk. Some tips to consider:
TRAIN YOUR EMPLOYEES
Often it's the employees of a company that are the biggest risk to your systems and data. An untrained user frequenting sketchy websites from a company device or clicking on a malicious link can introduce more risk than most other typical attack vectors. It's ultimately important to ensure that your team is trained to behave appropriately in today's threat landscape. Information Security awareness training doesn't need to be complicated, but it does need to be consistently applied. Do your team know how to watch out for Phishing attempts that are getting more and more sophisticated?
ALWAYS PROTECT AGAINST RANSOMWARE
One of today's biggest threats is ransomware, typically caught through a malicious email link and infecting a network, taking control of files, encrypting them and demanding a ransom to have them restored. Many typical anti-virus tools in use today offer zero protection against ransomware, but there are some great tools available that will provide this protection at a low cost.
USE MULTI-FACTOR AUTHENTICATION WHEREVER POSSIBLE
So many threats that continue to harm businesses can been completely avoided if some simple tools are implemented and some simple changes made to the tools you already use. Too many users today continue to rely on a single password to authenticate to critical systems. Deploying multi-factor authentication across all platforms, including email and social media accounts, is highly recommended to reduce risk. Simply by adding the additional step to authenticate through a text message or phone app can prevent serious breaches.
CONSIDER YOUR MOBILE DEVICE SECURITY
If your employees access your network through devices that you don't control, your risk automatically increases. The larger your network, the more vulnerable you might be. If you're a small business without an IT team or infrastructure, BYOD (bring-your-own-device) can be disastrous without some basic tools in place. If you don't have the skills or resource internally, this is where it can be valuable to engage with a business partner or advisor to assist. Just because you don't have a datacenter or IT team doesn't mean you don't have the same issues or risks - it's critically important to make sure that mobile devices and users don't put your data at risk by implementing and enforcing policies that control how your data is accessed.
KEEP SECURITY LOGS
Whether you're managing your own data or paying someone to do it for you, make sure you're retaining your security and access logs so you can be detecting events when they're happening. So many IT service providers today aren't proactive in monitoring security logs (and some don't even keep them or provide that service). While it's helpful to have the data to go back to when something has already happened, it's much more useful to employ active monitoring to detect intrusions and stop them in process. Using the right SIEM tool (Security Information and Event Management) is key, whether you do it yourself or outsource it to a third party. Just like some other areas of risk management, this can be more complicated and often involves some outside expertise to get it right.
PROTECT YOUR DATA
The most important asset of any business today is data. Protect it. You need to know who's accessing it, when they're accessing it and what they're doing with it. You need to know when sensitive data moves, how it's used, and ensure that it's not leaving without you knowing where it's going and why. You need to make sure it's backed up. And those backups need to work. It's not good enough to think you have a backup. It's not good enough for your 'IT Guy' to tell you that everything is fine. YOU need to know when your data backup and restore was last tested successfully. Having the right tools to manage access to your data and protect it is critical in today's world. This can also be complicated. But it doesn't have to be. There are many affordable solutions that scale according to the size of your business.
These are all relatively simple concepts. Some of them are easy. Some of them are harder. It's always a good idea to have a third-party conduct a Cybersecurity assessment to make sure your affairs are in order. And it's much more cost effective to do it before you've had an incident.
principia/RAID can help in all of these areas. Our team is standing by to answer your questions and discuss your issues.