We already used to hear about the big data breaches in the news every now and then. Nowadays, it looks like this things happening with every increasing frequency. The victims in those reports are always either government institutions or large enterprises. On the surface those companies take cyber security seriously and invest a lot of money in hiring personnel, employing security solutions and keeping their protection up to date. However, under closer examination you will often find many cyber security mistakes, such as understaffed security departments and widespread use of legacy software. There are only few large enterprises that have truly great security systems, while many more sitting on ticking bombs ready to go off.
But if large companies do not take cyber security seriously enough, what about smaller ones? Do cyber security mistakes in small business are as common as in the large ones, or do smaller companies have it all together? The truth is, not many small businesses realize their own security mistakes. This article describes the most common small business mistakes when it comes to cyber security. If you consider your company well protected, scroll down through the list and you may find that you have some vulnerabilities that you didn’t even thought about.
Mistake 1: Not realizing your own vulnerability
The first step to solving any problem is to realize that there is a problem. Sadly, small businesses tend to put cyber security on a backburner, because they don’t realize their own vulnerability. Cyber security is a continuous process – new threats are emerging constantly while perpetrators invent new ways to get your data. However, most small companies think that employing basic security measures such as antiviruses and firewalls makes them safe. Executives tend to justify such carefree approach to cyber security by the fact that the company has very little valuable data to steal. However, they often don’t realize that they undervalue their own data. While some internal documentation, such as instructions and corporate policy, may not be of any use to others, this documentation will take time to recreate in case it ever goes lost. At the same time, credit card information and customer personal data always carry a price. Most companies not only underestimate how valuable their data is to potential criminals, they underestimate how valuable it is to them. By not realizing the full extent of the damage a potential cybercrime can deal, companies are unable to provide sufficient protection for all the valuable data they have.
Mistake 2: Using the wrong approach
Small companies are often going into cyber security with compliance-based mindset. They think of business IT security as going through the list of compliance requirements and checking off entries with minimal effort and resources possible. Such an approach will leave your security full of holes and not ready to take on any real threat. In order to truly effectively protect your most valuable assets, you need to employ approach based on the risks you face. Adequately identify all the valuable data, analyze potential threats and vectors of attack and determine how vulnerable your company is to each particular scenario. Such thorough risk assessment should then be used to complement compliance requirements and cover the bases in a truly holistic process that will strengthen your security posture from all directions.
Mistake 3: Underfunding your security
It is no secret that cyber security is very expensive. Considering the fact that it doesn’t bring any profits, requiring costs can often be very hard to justify, especially when company hasn’t had any incidents for a while. Moreover, security budged is often one of the first thing to get cut when company needs to save money. However, such underfunding leads to dire consequences down the line when company will get attacked. Data leak may not only cost your company reputation, but also loss of clients and potential lawsuit. When finalizing security budged, it is important to take into account all the risks your company faces and understand how costly underfunding security can be down the line. Smart planning and robust security policies will allow you to create a reliable IT security for small business in an affordable manner. Shure, the enterprise solutions are expensive, but there are always alternatives, designed specifically with small businesses in mind, and by cutting costs on those, you’re not making yourself any favors.
Mistake 4: Neglecting insider threats
Another common mistake when it comes to cyber security for small businesses, is to disregard the threat of potential malicious insiders and completely focus your security efforts on protecting your digital perimeter. Small companies usually have tighter personal relationships between employees and much more trust between them. This however, leaves your data much more vulnerable for any potential malicious actions. Insiders have legitimate access to all valuable company information and can easily steal or misuse it without anybody noticing. Whether it is to sale data, commit fraudulent actions, or start their own competing business on the side and steal your clients, insiders are in the best position to do this successfully without ever being discovered. Besides, any malicious third-party who managed to get an insider credentials in some way, gets this access. It is paramount to took the necessary measures to be able to detect and respond to insider threats in your company. Such measures may consist of minimal background checks, smart access policy and user activity logging. While the trust between coworkers is important, educating them on the matters of insider threats and enlisting their help will allow you to both protect your company and establish a healthy atmosphere at the office.
Mistake 5: Not keeping software up to date
Employees tend to stick to the software that they know and comfortable with. Even small UI change can take month to get used to and heavily disrupt regular working routine of your employees. Sometimes, features get removed or reworked, which may lead to changes in the workflow of your organization. This is why many companies, both large and small, are hesitant to upgrade or adapt new solutions. While the problem is huge for large companies, where whole departments tend to use legacy software, small companies tend to be more flexible with this. However, small companies also tend to not upgrade their software on time. This is not a big issue if you mostly employing cloud solutions, but many on-premises applications, especially security ones, may require manual update. However, from a security standpoint, it is paramount to keep all your software up to date. Most hacking attacks and malicious software will target known vulnerabilities and by simply updating all your software on time you will be able to cut the threats off significantly.
Mistake 6: Not restricting user privileges
Designating specific set of privileges to a specific user is a powerful way to set the scope of access that user should have. Privileges will allow the user to directly access any data and applications, required for them to perform their work, while blocking them from accessing everything else. Such a tool can be very useful in both preventing insider attacks and protecting your data in case of an account is breached, as this will limit what perpetrator could do with such an account. However, not many small companies use this tool, with majority opting to grant a full set of privileges by default to any new account without any restrictions. For effective data security the opposite approach should be employed. Each new user should be granted as little privileges as possible by default, and the scope of their access should be increased only when it is absolutely necessary. Users with elevated set of privileges should be put to special scrutiny when it comes to security and you should use a specialized privileged activity monitoring solution in order to control and audit their actions. Such an approach will yield great results when it comes to protecting your data, making it much harder for both malicious insiders and external attackers to get a full control over your system.
Mistake 7: Mismanaging passwords
Thoroughly securing access to data is the first thing you should do when establishing your protection. It means using passwords whenever possible and managing them accordingly. Sadly, many small companies tend to either not use passwords at all, or use very weak passwords that are easy to break. Many of them often stick to using default passwords, which are often public knowledge or very easy to guess, or use a single account shared between employees. In order for password protection to be truly effective, each of your employees needs to employ a unique complex password that they will not share between other applications. Sharing of such passwords should be strictly forbidden and they should be constantly changed after a set period of time. Proper password management can go a long way when it comes to securing accounts from both internal and external threats.
Mistake 8: Not terminating accounts properly
Many small companies do not have established procedure for terminating employees. When employee is terminated, their account rarely gets deleted. Some companies even hand such accounts to other employees without changing credentials. In case when account is not deleted or password changed, former employee may use their access to commit malicious actions – steal data, commit fraud or introduce malicious software to the system. In order to avoid it, it is necessary to establish the proper termination procedure and make sure that you track every account inside your company and know precisely how they are used.
Mistake 9: Not knowing what your users are doing
It is very hard to determine whether your employees have committed any malicious actions without having any insight into what they are doing. From the outside their actions can look completely legitimate and undistinguishable from their usual work, while in fact they copying your data to sell it or misusing it in order to commit fraud. The best way to detect such malicious actions is to have a full audit trail of user session. There are many ways to do that. You can use system logs and internal auditing tools built-in into various databases and applications that you employ. However, such tools will rarely give a full picture, and it is very easy for a tech savvy user with sufficient level of privileges to disable them or alter the log files. Much better solution is to employ a dedicated user monitoring solution, but such solutions more often than not are targeting large enterprises and are very expensive. The high price is one of the reasons why not many smaller companies consider using such security tools. However, as with many other solutions, there are always some affordable options on the market. Ekran System, for example, has a rich feature set and uses a flexible licensing scheme where the price is determined only based on the number of monitored endpoints without the need to pay a fixed price for any servers or infrastructure. Solutions, such as Ekran System will give you a full access into user actions, allowing you to control third party vendors, conduct employee internet monitoring and audit privileged users. By knowing what your employees are doing you will be able to detect malicious actions and take appropriate measures in a timely fashion.
Establishing great security is a very costly and labor-intensive continuous process, and it is easy to see how a small company on a tight budged with limited resources will struggle. However, it does not mean it is worth going in the opposite direction and neglecting security all together. You should realize the value that your company and your data holds and take the necessary steps to protect it. By employing affordable small business security software, using the right approach, establishing smart security policy and being mindful of your own vulnerabilities, you will be able to greatly strengthen your cyber security posture and protect your data from both outsider and insider attacks.
Read also about the best practices for cyber security maintenance.