Regardless of what size your business is, you shouldn’t ignore cybercrime. Everyone is a target. Too many small businesses believe they are too small for cybercriminals to bother with, thinking their data has no value. According to the Ponemon Institute’s 2016 State of Cybersecurity in Small and Medium-Sized Business study, about 55% of small and medium businesses said they had suffered a cyberattack and 50% reported data breaches involving customer and employee information in the past 12 months. Yet only 14% rated their ability to mitigate cyber risks as “highly effective”.
While it’s true that cybercriminals aren’t necessarily interested in the small company’s data, they often use small businesses as unwitting pawns to breach larger organizations. In the 2013 Target cyberattack, it is believed the breach began with a phishing email sent to an HVAC company that had a data connection with Target for electronic billing, contract submission and project management.
What You Should Know About Phishing
There are three types of email phishing approaches. The first and most common casts a wide net, with cybercriminals sending the same email to large groups in order to ensnare as many victims as possible. The second, spear phishing, is a more refined approach that targets specific groups or individuals. Spear phishing emails often appear to come from a familiar sender and include requests for sensitive information such as Social Security numbers, credit card numbers and financial account details. It is by far the most successful phishing technique in use today, accounting for more than 90% of attacks by some estimates. Spear phishers gather personal information about victims from social media and other sources and work it into the bait email to increase the chance that the recipient believes it.
The third phishing technique is known as whaling. These are highly customized and personalized emails that often include the target’s name, title and other personal details, and they are aimed at C-level executives and other high-value targets.
Knowing that the biggest security vulnerability within any organization is its employees, businesses need to train users to identify and avoid phishing emails. In addition, enable sender authentication on inbound mail (SPF, DKIM and DMARC checks) so each message is verified as coming from a host authorized to send for the domain it claims, and keep the spam filter, including any automatic allowlisting of known-good senders, regularly updated so it identifies and quarantines likely phishing emails.
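Sender-authentication results are only useful if something acts on them. The script below is an added example, not code from the original article or from Vipre: it reads the Authentication-Results header that a receiving mail server stamps on each message (RFC 8601) and combines the SPF/DKIM/DMARC verdicts with the header-level tells that spear-phishing emails tend to share (a display name that looks like an address at a different domain, a Reply-To or Return-Path pointing somewhere else). The two sample messages are constructed; the domains in them are not real.

```python
"""Flag phishing indicators in the headers of an incoming email.

Added example, not part of the original article. Assumes the receiving
mail server adds an Authentication-Results header with spf/dkim/dmarc
verdicts. Both sample messages below are constructed, not real traffic.
"""
import email
import re
from email.utils import parseaddr

# Matches "spf=pass", "dkim=none", "dmarc=fail" inside Authentication-Results
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample: legitimate invoice, all checks pass, headers aligned
LEGIT_MESSAGE = """\
Return-Path: <billing@acme.example>
Authentication-Results: mx.smb.example; spf=pass smtp.mailfrom=acme.example;
 dkim=pass header.d=acme.example; dmarc=pass header.from=acme.example
From: Acme Billing <billing@acme.example>
To: ap@smb.example
Subject: Invoice 1042

Attached is the invoice for March.
"""

# Constructed sample: CEO-impersonation wire request sent through a relay
PHISHING_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.smb.example; spf=pass smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail header.from=acme.example
From: "ceo@acme.example" <ceo@acme-secure-login.example.net>
Reply-To: <ceo.acme@webmail.example.org>
To: ap@smb.example
Subject: Urgent wire transfer

Please process the attached wire today. I am in meetings, reply here.
"""


def _domain(addr):
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(header):
            verdicts[method.lower()] = result.lower()
    return verdicts


def phishing_indicators(raw_message):
    """Return a list of findings for one message; an empty list means no red flags."""
    msg = email.message_from_string(raw_message)
    findings = []

    # 1. Authentication verdicts: anything other than "pass" is worth a flag
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method} did not pass ({verdicts.get(method, 'missing')})")

    from_display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 2. A display name written like an address hides the real sender in most mail clients
    if "@" in from_display and from_display.rpartition("@")[2].lower() != from_domain:
        findings.append(f"display name {from_display!r} names a different domain than sender {from_addr}")

    # 3. Replies quietly redirected to another domain are a classic spear-phishing tell
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Envelope sender (Return-Path) elsewhere: bounces and SPF apply to a third party
    rp_domain = _domain(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("phish", PHISHING_MESSAGE)):
        print(label, phishing_indicators(raw) or "no indicators")
```

A mail filter would quarantine or tag the second message on the DMARC failure alone; the alignment checks catch the case where the attacker's own domain authenticates cleanly but the headers are dressed up to look like someone else.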
Cybercriminals use web-based attacks to deliver malicious code designed to alter files, disrupt network operations and steal sensitive information. Web-based threats include clickjacking, in which an attacker layers a legitimate-looking page or button over a hidden frame of another site, so a click the user intends for one thing actually submits a form, shares confidential information or triggers an action on the other site. Another example is the drive-by download: when a user visits an infected website, malware is downloaded without any prompt and often hides in the background until it activates to steal sensitive information or turn the workstation into a bot controlled remotely by the attackers. Other commonly used web-based threats are watering hole attacks, browser plug-in vulnerabilities, social engineering data theft and malvertising.
To protect against web-based threats, employees should be educated on safe web browsing practices that help prevent downloading malware. Security tools including a good anti-virus, firewalls and web filters should be deployed, backed by up-to-date patch management.
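A web filter is, at its core, a set of rules applied to every URL before the browser fetches it. The following is an added example, not code from the original article or from Vipre, showing the hostname-level rules that catch the lookalike and obfuscated links used in drive-by and phishing campaigns: a brand name appearing in a hostname whose registrable domain is not the brand's, a user-info prefix that makes the URL read as one site while connecting to another, a bare IP address, punycode labels and very deep subdomain nesting. The protected-brand list and the URLs are constructed, and the two-label "registrable domain" shortcut is a simplification (it does not handle suffixes such as co.uk; real filters use a public-suffix list and reputation feeds).

```python
"""Rule-based URL screening in the spirit of a web filter.

Added example, not part of the original article. TRUSTED_BRANDS and the
sample URLs are constructed. registrable_domain() uses a two-label
shortcut instead of a public-suffix list, which is good enough here but
not for production.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: domains this business wants protected against impersonation
TRUSTED_BRANDS = {
    "smb-bank.example": "our bank",
    "acme.example": "our payroll provider",
}


def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    """True if the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def url_findings(url):
    """Return reasons a URL should be blocked or warned about; [] means clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        findings.append("no hostname")
        return findings

    # https://smb-bank.example@evil.example/ reads as the bank, connects to evil.example
    if parts.username is not None:
        findings.append(f"userinfo {parts.username!r} in URL masks real host {host}")

    # Malware droppers are often served from raw addresses with no DNS name at all
    if _is_ip(host):
        findings.append("bare IP address instead of a hostname")

    # Internationalized labels can render as visually identical lookalikes
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homograph domain)")

    # Brand name present, but the part that actually matters (registrable domain) differs
    reg = registrable_domain(host)
    for brand, description in TRUSTED_BRANDS.items():
        brand_name = brand.split(".")[0]
        if brand_name in host and reg != brand:
            findings.append(
                f"'{brand_name}' appears in {host} but the registrable domain is {reg}, "
                f"not {brand} ({description})"
            )

    # login.secure.account.verify.example.net style nesting is a phishing habit
    if host.count(".") >= 4:
        findings.append("unusually deep subdomain nesting")

    return findings


if __name__ == "__main__":
    for sample in (
        "https://www.smb-bank.example/login",
        "https://smb-bank.example.login-verify.example.net/",
        "http://203.0.113.7/update.exe",
        "https://smb-bank.example@evil.example/",
    ):
        print(sample, "->", url_findings(sample) or "clean")
```

The point of the brand rule is that only the registrable domain is under the owner's control; everything to the left of it is free for an attacker to choose, which is exactly what the second sample URL exploits.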
Too many small and medium businesses spend their limited funds on security products only to see their investment – and best intentions – wasted when they fail to implement the most basic security practices. Here are 10 security practices to protect your SMB from cyberattacks:
1. Install Antivirus
Your best defense against the vast majority of malware is your antivirus solution. Look for advanced features that protect against prevalent threats like ransomware, and choose an endpoint security solution that offers protection at multiple attack points to defend against bad websites, phishing and spam, malicious URLs, zero-days and other online threats.
2. Restrict Administrator Rights
Only authorized, knowledgeable IT admins should have administrator rights on your PCs; everyday user accounts should run with standard privileges so that malware a user launches cannot install itself system-wide.
3. Install and Update a Firewall
Firewalls monitor and control traffic into and out of your network. To block downloads of malicious content and stop communication with known-harmful IP addresses, a firewall is a critical line of defense.
4. Implement Patches
Cybercriminals exploit vulnerabilities to open a backdoor onto your systems to drop malware and infect your network. Implement an automated patch management solution to fix newly discovered security vulnerabilities.
5. Enforce Password Policies
Require strong, unique passwords or passphrases, rotate them on a schedule and immediately whenever compromise is suspected, and instruct users never to share or reuse them.
6. Lock Screens
Enforce a short lock-screen timeout as added protection, especially in environments where users can walk away from workstations without logging
7. Secure Wi-Fi Routers
Wireless routers left on default settings are easy to break into, so take extra precautions in securing them: change the default administrator credentials, use strong WPA2 or WPA3 encryption and keep the firmware current. Use a separate Wi-Fi network for business guests.
8. Secure Your Browsers
Configure web browsers to avoid inadvertent malware downloads by users. Steps to take include disabling popup windows, which can contain malicious code, and using web filters that warn you of potential malware attacks and harmful sites.
9. Use encryption
Many machines come with built-in encryption, both at the disk and file levels. Take advantage of each device’s encryption capabilities to prevent data from getting into the wrong hands when laptops, external hard drives, USB drives and other mobile devices are lost or stolen.
10. Train and Recruit Your Users
Your users can be your biggest liability or your biggest asset. Engage your users and educate them on security best practices and why they are important.
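Of the ten practices above, the password policy (item 5) is the one most often written down but never actually enforced at the point where a user picks a password. The script below is an added example, not code from the original article or from Vipre: it implements the acceptance checks a small business can put behind its password-change form, weighting length over symbol gymnastics and rejecting the decorated dictionary words ("P@ssword2024!"), usernames, company names and keyboard runs that attackers try first. The 14-character minimum, the tiny deny list and the sample inputs are assumptions made for the example; a real deployment screens against a large breached-password list.

```python
"""Passphrase acceptance check for an SMB password policy.

Added example, not part of the original article. MIN_LENGTH, MAX_LENGTH,
DENY_LIST and the sample inputs are constructed assumptions; substitute a
full breached-password list for DENY_LIST in a real deployment.
"""
import re

MIN_LENGTH = 14   # assumption: passphrase-length floor for this example
MAX_LENGTH = 64   # assumption: long enough for any sentence-style passphrase

# Constructed: a handful of entries standing in for a breached-password list
DENY_LIST = {"password", "welcome", "letmein", "qwerty", "iloveyou", "changeme"}

# Keyboard rows and ordered alphabets; any 5-character window of these is rejected
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "abcdefghijklmnopqrstuvwxyz")

# Undo the usual symbol-for-letter substitutions so "P@ssw0rd" is judged as "password"
LEET = str.maketrans("@$013!", "asolei")


def _normalize(text):
    """Lower-case and reverse common leet substitutions."""
    return text.lower().translate(LEET)


def passphrase_problems(candidate, username="", org_words=()):
    """Return the policy violations for one candidate; [] means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    low = candidate.lower()
    norm = _normalize(candidate)

    # Strip trailing digits/punctuation first, then undo leet: "P@ssword2024!" -> "password"
    core = re.sub(r"[\W\d_]+$", "", low).translate(LEET)
    if core in DENY_LIST:
        problems.append("common password with decoration added")

    if username and username.lower() in norm:
        problems.append("contains the username")
    for word in org_words:
        if word.lower() in norm:
            problems.append(f"contains organisation word {word!r}")

    if any(seq[i:i + 5] in low for seq in SEQUENCES for i in range(len(seq) - 4)):
        problems.append("contains a keyboard or alphabet sequence")

    if re.search(r"(.)\1{3,}", low):
        problems.append("four or more repeated characters")

    return problems


if __name__ == "__main__":
    samples = [
        ("P@ssword2024!", "jsmith", ("Acme",)),
        ("correct horse battery staple", "jsmith", ("Acme",)),
        ("jsmith-AcmeCorp-2024", "jsmith", ("Acme",)),
        ("Qwertyuiop1234", "jsmith", ("Acme",)),
    ]
    for candidate, user, org in samples:
        print(repr(candidate), "->", passphrase_problems(candidate, user, org) or "accepted")
```

Note that the long all-lowercase passphrase is accepted while the short "complex" one is not: length and unpredictability, not character classes, are what make a password expensive to guess.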
This was originally posted by Vipre. Image credit Secure Thoughts