10 Things Small Business Leaders Should Confirm their IT Team does—to Avoid Being a Cyber Security Statistic
Small Business Trends recently reported that 43% of cyber attacks are targeted at small businesses. The reason for this high percentage of attacks on small businesses is simple; most small businesses have made minimal investments in their security infrastructure, making them easy prey for cyber attacks. As a small business leader, there are actions you can take to protect your company.
Firewalls and Antivirus Are Not Enough
Small businesses need more than a firewall and some antivirus software to truly be secure. If you haven’t experienced it yet, it won’t be long before your supply chain partners (including customers) start to ask for proof that the information they are sharing with you is properly secured on your networks and servers. You will likely need the help of a cyber security consultant or Managed Security Services Provider (MSSP) that specializes in compliance to prepare for that certification or attestation.
“The cost due to malicious insiders increased by 15% in 2018.”
The insider threat (e.g. employees, temporary staff, and others who have access to your network) is still the largest threat to an organization. While this statistic from Accenture and Ponemon Institute refers specifically to malicious insiders, not all insider attacks are done maliciously. Some employees may unknowingly put your company at risk of a security breach, simply by using shared logins, leaving their desk without locking their computer or having a weak password. As a business leader, it is important to monitor the activities of your employees and set information security policies to avoid malicious actions and prevent attacks caused by insiders.
DAVE’S BEST PRACTICES:
PROTECT YOUR ORGANIZATION FROM INSIDER THREATS
1. Limit the number of Privileged Accounts you have for administrative purposes
Privileged Accounts should be limited to “need to know” personnel or system admins only.
2. Use a Central User Repository or Directory Service (Active Directory) to manage identity information and credentials
Maintaining a Central User Repository simplifies employee onboarding and offboarding processes. The Central User Repository allows you to control employee access to multiple accounts and provides an easy way to view all identities within an organization.
3. Enforce your Password Policy
Users should change their password every 90 days. We recommend 30 days for Privileged Accounts.
4. Avoid shared logins
Every employee should have their own login, and a privileged user should have two accounts: a Privileged Account and a standard User Account. The Privileged Account should be used for system and network administration, and the standard User Account should be used for everything else (email, network file sharing, intranet, etc.).
5. Automate screensaver locking
Organizations should put controls in place to automate locking of screens and initiate the password-protected screensaver. This can be configured in Active Directory as a group policy, making a standard lock out time for everyone in your organization. There should also be a limit to the number of password attempts allowed per login.
6. Use a Change Control process to monitor and approve changes in your environment
Change Control is a process used to review changes to systems and infrastructures. This is a great way for companies to review new users added to security groups, new permanent network devices, or new cybersecurity applications. All additions to a domain administrator group should undergo change control to lower the risk of malicious insider attacks.
“Approximately 1 million cyber-attacks are attempted per day.”
Today, all cyber-attacks are automated. It doesn’t matter how large or small your company is. If you are the weakest link, then you are the most vulnerable for a cyber-attack. However, you can protect your business by keeping your systems patched and maintained.
DAVE’S BEST PRACTICES:
CHECK THE VULNERABILITY OF YOUR ORGANIZATION
7. Conduct continuous vulnerability scanning to identify the devices on your network that need attention.
One network device that we find is often overlooked by companies is their Uninterruptible Power Supply (UPS). Companies often don’t typically change the UPS’s default username and password for some reason, which is a security issue for any device on the network. Make sure to change usernames and passwords, and update passwords regularly.
8. If you use multiple software products, ensure that regular vulnerability scans are conducted on your devices.
Use of third party software and applications adds additional risk and may make you more vulnerable because these third party software products do not always offer automated updates. If your company uses Microsoft products only, you are less vulnerable because Microsoft auto-updates and patches their products to help keep your devices protected.
“The most popular day for phishing events in 2018 was Tuesdays.”
Humans tend to be the weakest link in any kind of cyber security. Without proper training and awareness of potential phishing events, your employees could fall prey to phishing scams. The phish-prone rate for companies without any awareness training is about 30%. That means that in a company of 100 people there are about 30 people that could inadvertently trigger a firestorm of malware. It only takes one bad click to compromise your company’s information.
DAVE’S BEST PRACTICES:
PREVENT PHISHING EVENTS
9. Providing security awareness training for your employees helps minimize the risk of phishing events.
With proper security awareness training you could decrease your phish-prone rate from 30% to 2% (the industry average) in 6 months to a year.
“IoT botnet activity represented 78% of malware detection events…in 2018.”
Some of the security devices you use to protect your business may actually be a point of entry for a cyberthreat. The Internet of Things (IoT) includes devices such as: indoor and outdoor video surveillance cameras, intrusion detection sensors, access control panels and card readers, smart door locks, or environmental sensors for monitoring heat or water in your server rooms. Other common non-security IoT devices on your network can include copy machines, smart thermostats (Nest), vending machines that accept credit cards, unified communication telephones, smart televisions, digital signage, and other cloud-based devices you use in your business. These devices are part of your company’s network and need to be secured (and patched) too.
DAVE’S BEST PRACTICES:
DECREASE IOT BOTNET ACTIVITY
10. Conduct a WiFi or Network Assessment to check for security issues within your network.
Malware, viruses, and worms can sit dormant and undetected on your network for a very long time—often “calling home” every few weeks. This inactivity makes the infection hard to identify. A thorough WiFi or Network Assessment will look for known vulnerabilities and malicious files on all your workstations, servers, storage, network, and IoT devices. A packet-level assessment may identify additional potentially malicious activities on your network.
These statistics can be scary. If you do the basic blocking and tackling listed above, you should be able to get your organization in better shape. If you need assistance or a deeper understanding of where your organization’s information security risk lies, Ezentria Risk Advisory Services can help you manage the risk within your organization and answer your questions about cybersecurity.
Download (.pdf) a summary of the 10 Best Practices [no registration required]
Share this Post with Your Social Media Followers (use the icons on the left or the “Share This” bar on mobile).
Recent Blog Posts
BlogRobust FTC ResourcesThe Federal Trade Commission (FTC) offers a great “Cybersecurity for Small Business” website that helps small business leaders learn about cybersecurity basics. Developed in cooperation with the National Institute of Standards and Technology...
BlogCISA Cyber EssentialsThe United States Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) recommends that small business leaders develop an actionable understanding of cybersecurity basics and best practices. They have...