Why Small Businesses Need Enterprise-Grade Security Just As Much As Large Corporations

By ISBuzz Team | February 20, 2018 | Updated: July 4, 2024 | 5 Mins Read

In 2017, Verizon’s Data Breach Investigations Report revealed 61 percent of all cyberattacks target small businesses. And according to the U.S. Cyber Security Alliance, 60 percent of small businesses that suffer a cyberattack go out of business within six months.

Bad actors are using phishing and ransomware attacks to steal information to empty bank accounts via wire transfers, steal customers’ private information, commit health insurance fraud and file false tax refunds. All in all, the Ponemon Institute found the average price for small businesses to recover after being hacked stands at $690,000, and for middle market companies it’s over $1 million.

All too often, small business owners underestimate the need to invest in enterprise-grade authentication solutions, such as SSL certificates, believing their small operations are less attractive to hackers than their larger, highly-profitable competitors — when in reality, vulnerable systems make SMBs the more attractive targets.

Here are a few ways small businesses can amp up cybersecurity practices:

SSL/TLS certificates 

First impressions are important. That’s why business owners need to ensure there’s nothing affecting customers visiting their website. Browsers help protect Internet users by alerting them when a domain isn’t using encryption certificates to secure sensitive customer information like passwords, email addresses and credit card numbers. Small business owners need to make sure they’re using SSL/TLS certificates to avoid greeting customers with unsettling security alerts.

It is important to note that on March 1, 2018, new security protocols for SSL/TLS certificates are set to take effect. These new protocols mandate that DV, OV and EV validity periods be reduced from the previous 27-39 months maximum to a new maximum of 825 days. Moreover, in April 2018, Google Chrome will require all SSL/TLS certificates to be CT-logged in order to be trusted.

Failing to comply with these new protocols will prompt security warnings that may ultimately result in lost website traffic, reduced online sales and a diminished digital reputation.
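A small audit of the two certificate rules described above, as an added example that is not part of the original article. The host names and dates are constructed, applying the March 1, 2018 cutoff to each certificate's `notBefore` date is an assumption, and the CT check only looks for an SCT list embedded in the certificate.

```python
import socket
import ssl

_ts = ssl.cert_time_to_seconds
MAX_VALIDITY_DAYS = 825  # maximum stated in the article
RULE_START = _ts("Mar  1 00:00:00 2018 GMT")  # assumption: cutoff applies to notBefore
# DER encoding of OID 1.3.6.1.4.1.11129.2.4.2 (embedded SCT list extension)
SCT_LIST_OID = bytes.fromhex("060a2b06010401d679020402")


def validity_days(cert):
    """Validity period in days for a dict shaped like SSLSocket.getpeercert()."""
    return (_ts(cert["notAfter"]) - _ts(cert["notBefore"])) / 86400


def audit(cert, der=b""):
    """Return a list of findings for one certificate; empty means no issue found."""
    findings = []
    days = validity_days(cert)
    issued = _ts(cert["notBefore"])
    if issued >= RULE_START and days > MAX_VALIDITY_DAYS:
        findings.append(f"validity {days:.0f}d exceeds {MAX_VALIDITY_DAYS}d")
    # Heuristic byte search; SCTs delivered via TLS or OCSP stapling are not seen here.
    if der and SCT_LIST_OID not in der:
        findings.append("no embedded SCT list found")
    return findings


def fetch(host, port=443):
    """Fetch a live server's leaf certificate as (parsed dict, raw DER bytes)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample records, not real certificates.
SAMPLES = {
    "shop.example": {"notBefore": "Apr  2 00:00:00 2018 GMT",
                     "notAfter": "Apr  2 00:00:00 2021 GMT"},
    "mail.example": {"notBefore": "Apr  2 00:00:00 2018 GMT",
                     "notAfter": "Apr  1 00:00:00 2020 GMT"},
    "old.example": {"notBefore": "Jan 10 00:00:00 2017 GMT",
                    "notAfter": "Jan 10 00:00:00 2020 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, audit(cert) or "ok")
```

To check a site you operate, pass the result of `fetch("your-domain")` to `audit(cert, der)`.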

Employee education 

Cybersecurity is like oxygen: everyone needs it, but it’s something that’s hard to explain. Most employees don’t fully understand how cybersecurity works, but they want it and expect it to be there. So, while it’s top of mind for everyone, there’s minimal understanding of how it’s actually delivered. As a result, it’s often written off as an infrastructure issue. Organizations need to change this mindset through actual investment in cybersecurity infrastructure and by building programs that educate people on why this infrastructure is important. Cybersecurity education programs, for both employees and consumers, will transform the enterprise, as well as small-to-medium sized businesses. Companies of all sizes could benefit from formalized approaches to cybersecurity education, as well as additional investment to build network security alliances between industry players.

Securing a connected workplace

While the rise of connected things in the workplace presents new opportunities for growth, it also introduces a high level of risk for organizations if not executed correctly. Many business owners today are focused on digital strategies and are pushing this forward at a rapid pace. But cloud access and connected devices can lead to IT headaches and leave unsecure entry points exposed to malicious individuals. The first step for businesses is to understand the need for IoT security, as well as the actual number of connected devices hiding in plain sight. Every wireless sensor, laptop, alarm system and automated office device can be hacked to crash an organization’s servers and gain access to the network. Despite having impressive Internet access and connectivity, most of these devices were not built with security being top of mind. With this said, there are simple things business owners can do to help prevent an IoT breach. Update all software, back up your data, and physically secure your office so only authorized employees have access to these devices.

Remote workforces and B.Y.O.D. policies

According to FlexJobs and Global Workplace Analytics’ ‘2017 State of Telecommuting in the U.S. Employee Workforce’ report, the number of people telecommuting in the U.S. increased 115 percent between 2005 and 2015. This is not only changing how businesses operate and manage their employees, but also how they approach cybersecurity and the risks involved with having their networks accessed around the globe. Today, remote workers authenticate themselves through a VPN, which gets them behind the company’s firewall. Mobile access, however, does not sit behind the firewall and creates a world without boundaries, which presents a huge identity problem for IT given the rise in BYOD (bring your own device) policies. Employees are using unauthorized applications to access sensitive work and personal info on their mobile devices. Ultimately, businesses want to enable access for employees in order to increase productivity, so the challenge is to control and protect that access. The key is to implement security solutions that go beyond the traditional username/password combination to authenticate employees in a more advanced capacity. Examples include requiring two-factor authentication when logging into a secure network or installing mobile credentials on work phones.

As the number of cyberattacks continues to rise, it’s crucial that small business owners understand enterprise-grade security practices are necessary for more than just large corporations and take action to protect their companies, their customers and themselves.

About Jay Schiavo


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
