Just because you’re not a large enterprise or a household name, that doesn’t mean your business doesn’t need to worry about security breaches. Indeed, it might surprise you to discover the truth is actually quite the opposite: smaller businesses are the most likely to be vulnerable, and attackers know that. The government’s 2021 ‘Cyber Security Breaches Survey’ found only 31% of businesses surveyed had cybersecurity-related continuity plans, and less than 15% had carried out a cyber security vulnerability audit.
It’s understandable; small businesses “have less time and fewer resources to focus on cyber security, which often takes a back-seat to sales-related activity,” Hemant Kumar, CEO and co-founder at Enpass, says. Yet, they also “often have larger companies as customers, making the potential gain greater and the consequences of a breach more severe”. It’s not all that surprising that cyber security takes a backseat when you consider solutions are often seen as “expensive and overcomplicated” according to Pete Bowers, COO at NormCyber. “But whilst enterprise-level solutions can come with enterprise-level price tags,” Bowers continues, “there are some simple free and inexpensive measures that small business owners would be wise to implement.”
It’s important to remember there’s no such thing as ‘100% secure’, and in the real world of threat mitigation, there may be obstacles in the way. Even so, understanding where to focus your resources puts you in a better position to reduce your exposure. The trick is knowing what security holes you have, and which need to be plugged “stat.”
Identity is “probably the first issue that small businesses struggle with concerning security,” according to Tom Bridge, principal product manager at JumpCloud. This is the question of who’s using a device and how you can prove it, and for big enterprises “there’s a whole industry out there addressing identity and security using strong authentication and single sign-on (SSO).” For smaller businesses, however, there’s a catch: “These technologies often build on Microsoft Active Directory, and that is not aimed at small businesses.”
What you can do is employ the power of password management, multi-factor authentication (MFA) and the principle of least privilege to plug your identity and authentication security gaps. A simple password policy just won’t do, with password reuse rife and many people opting for one of the most common passwords out of convenience.
The simple fix is enforcing strong, unique passwords for all business-critical applications and accounts. “Random password generators are a great option for guaranteed one-time use, with password managers helping users to stay on top of these,” recommends John Goodacre, director of the UK Research and Innovation “digital security by design” challenge and professor of computer architectures at Manchester University.
Any identity management policy should also include a robust MFA process wherever that’s achievable. Lee Wrall, director at managed services provider (MSP) Everything Tech, says recent Microsoft research revealed 99.9% of the cyber attacks customers that approached them may have prevented attacks if MFA was activated. “If a vendor doesn’t support it,” Wrall says, “it’s time to look for another.” Truth be told, it’s not difficult to find vendors that appreciate the value of MFA as a selling point. “The technology of MFA has been used in the banking industry for a long time,” Adam Seamons, systems and security engineer at GRC International Group says, “and it’s now in many mainstream products such as Microsoft Office 365, Google Workspace and Apple iWork. Enabling MFA isn’t a silver bullet for account compromise, but it can go a long way to make things harder for attackers.”
That brings us to the final line of defense when it comes to identity security: the principle of least privilege, which simply means ensuring that access to data and systems are available only to those who need them. “If everyone in your company can make system changes and access important data, then all it takes is one account to become compromised by malware or a cyber criminal and it’s all over,” Seamons concludes. “Unavoidably, in the small business world, employees often have to wear multiple hats and work across a range of roles and systems, so you may need to weigh security against convenience, but putting your thumb on the security side of the scale is rarely a bad move.
For Jamie Akhtar, CEO and co-founder of CyberSmart, the security hole that most urgently needs addressing in most small businesses is patching.
“Over time, even the best software develops vulnerabilities, suffers a breach, or simply becomes outdated,” he says. “The trouble is, patching is only as effective as the number of customers who regularly update their operating systems and software.” And that can be hard to manage for the smaller business.
Patch management tools can help to centralise the process, but the real key is getting into a routine of patching. As Ken Galvin, senior product manager at Quest, says: “Misconfigured, outdated and unpatched software are three primary vulnerabilities that hackers attempt to exploit.” Being able to automate the process is particularly beneficial for smaller businesses without an IT team. “Look for tools with built-in vulnerability scanning which can find susceptible devices and tell you how to remediate issues,” he recommends.
It might seem odd to think of email, something so central to most every business, as a security hole, but it is. “A business email system is an open front door that accepts virtually any message sent to a valid email address,” Galvin explains. Even once you sweep out dangerous attachments, phishing attacks are as prevalent as ever – and they’re a threat that it’s almost impossible for you to manage.
“Much of your success in thwarting these attempts will be controlled by your employees,” notes Galvin. Sure, security training and email filtering, plus antivirus software, all help mitigate the fundamentals. But for better protection, he recommends “gaining better visibility and control of the devices that access your network, through tools such as unified endpoint management software”. That can be a big ask, and a big spend, for a small business. However, these points of entry to your platforms and services present a huge opportunity for attackers, so investing into their protection is of utmost value.
If your staff do fall victim to a phishing attack, remember that how you respond after the fact can still have an impact on the overall threat environment. “If a small business does fall victim to a phishing attack, it’s always important to report it to Action Fraud,” advises Goodacre – “and remember not to punish staff, as it discourages them from reporting future incidents.”
Use of the Remote Desktop Protocol (RDP) and other remote-access tools has skyrocketed in the past few years, as businesses have increasingly adopted a hybrid model. It can be a risk, though: “With this window into your business environment,” Galvin says, “if hackers manage to find open ports by using penetration testing software like Cobalt Strike, a brute force password hack on those open ports to gain access to could be implemented, resulting in a complete IT system control takeover.”
Ioan Peters, co-practice leader for EMEA cyber risk with Kroll, recommends your remote desktop should only be accessible via a virtual private network (VPN) or a virtual desktop solution, to minimise the chances of an attacker finding a way in – and, so far as possible, to establish distance between business-critical resources and employee’s personal systems.
“In 2022, your small business is only as secure as your weakest cloud service provider,” says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre. In fact, protecting sensitive data from being pulled out of the infrastructure by unauthorised users is one of the most critical challenges for a business of any size. With companies increasingly reliant on cloud-based platforms like Google Workspace and Microsoft Office 365 to enable their employees, this is a cyber crack threatening to turn into a full-blown security sinkhole.
“A small business might not have an in-house security team,” says Burak Agca, a security engineer at Lookout, “but data protection can be aligned with secure IT practices concerning how users access the infrastructure and the data within it.” Lee Wrall recommends you seriously consider investing in a managed service provider: “The longer you ‘wing’ your IT on your own, the more you’ll be at risk,” he warns. “Small businesses should get used to paying someone to allow them to sleep at night from the very early days in their business; most providers have a scaling price model to bring them within your budgetary reach.”
Small businesses often don’t have the resources to put everything through a deep security review, and that can lead to dangerous software being let loose on your company network. “This primarily applies to mobile apps,” Agca says, “especially since users could unknowingly download apps laced with malicious loaders that pull malware down to the device after installation.”
Although it may be hard to enforce in the age of bring your own device (BYOD), security software is a must for every smartphone and tablet that’s used in a small business setting. “Proactive malware protection is critical to ensuring your employees and data are protected from threat actors,” Agca says.
The advice is especially pertinent since many small businesses have very little, if any, visibility into what vulnerable assets actually exist in their infrastructure. Satya Gupta, founder and chief technology officer (CTO) at Virsec, reminds us that supply chain attacks, which can result in compromised or malware-laden software getting deployed, are also to be considered here. “These attacks are increasing in volume lately and allow the attacker to inject malicious code in the business without having to exploit a vulnerability or leverage stolen credentials,” Gupta says. A good application control solution can help mitigate this.