Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/13/2020
02:00 PM
Mike Puglia
Mike Puglia
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Small Business Security: 5 Tips on How and Where to Start

There is no one-size-fits-all strategy for security, but a robust plan and the implementation of new technologies will help you and your IT team sleep better.

With limited security budgets and overworked IT teams, small and midsize businesses (SMBs) are an obvious target for cyberattacks. As a business grows and its software systems scale, so do its vulnerabilities and attack surface. Nearly half of all cyberattacks target small businesses for this very reason, and 60% of those attacked go out of business within six months.

Most business leaders know their IT security systems are lacking, but overhauling and improving them is a daunting task, and many simply don't know where to start. Here are five tips for SMBs to establish a security strategy and protect their assets.

1. Be honest in your assessment.
The first step to addressing vulnerabilities is understanding them. A robust security assessment should encompass all IT systems and business processes, identifying the most vulnerable aspects to attack and the most critical assets for the business. Consider implementing security assessment software, which should not only identify vulnerabilities, but provide clear, concise benchmarks and offer recommendations to lower the risk of attack.

When weighing the options, effective security assessment tools should have the ability to identify the following:

  • External vulnerabilities that could allow malicious actors to gain access to the network
  • Flawed outbound protocols, which may leak sensitive data
  • Inadequate web browser controls
  • Wireless network vulnerabilities
  • Network sharing and user access permissions

2. Time is money: Automate patching to reduce risks quickly.
Most recent cyberattacks have been caused by inadequate or delayed patching. Establishing and maintaining patch management process is a key aspect of overall security, but with small, multifunction IT teams, often without dedicated security personnel, many small businesses struggle to manually patch vulnerabilities in a timely manner. Automated patching, on the other hand, is a cost-effective alternative to patching manually and greatly reduces the risk of prolonged patching processes, which allow hackers to take advantage of known vulnerabilities.

Kaseya's 2019 State of IT Operations Survey data showed that automated software patch management is a key area for improvement in most SMBs. Only 42% of respondents automate or plan to automate patch management and, similarly, just 42% monitor third-party software and apply critical patches within 30 days. Given that big security breaches are frequently a result of failure to patch in a timely manner, automated patching stands as a significant area for improvement for more than half of respondents.

3. Strength in numbers: Make multifactor authentication (MFA) a priority.
While it may seem comical, weak passwords — such as the painfully obvious "password" — are a major security risk and a leading cause of data breaches. WeWork, a shared workspace company, recently came under fire for using a "laughably weak" password in its national and international locations, which put thousands of customers and their sensitive data at risk. Old, weak passwords are ripe targets for brute-force attacks, where hackers use bots to systematically try to enter every possible password until they "guess" correctly.

MFA is a simple way to dramatically reduce the risk of unauthorized access by requiring an additional form of identification, typically in the form of smartphone app or token, which is commonly known as two-factor authentication (2FA). Over 80% of data breaches in 2017 were caused by hacked passwords, many of which could have been prevented by simply installing an identity and access management solution with 2FA.

4.  Be aware of threats from within.
Insider threats are another common source of security breaches that can be difficult to detect and are typically unaffected by traditional antivirus and antimalware tools. While many insider threats involve malicious attacks, employee negligence is also a contributor. Because the actors already have access to the system, it's critical for small businesses in particular to identify and respond to issues that may indicate an internal threat.

Specialized software is required to monitor and flag signs of insider threats, which include:

  • Suspicious, unnecessary, or unauthorized logins
  • Changes to user permissions or device access
  • New or unrecognized devices on restricted networks
  • New installations on locked or restricted systems

5. Back up your systems — all of your systems.
Ransomware, which denies users access to their systems until a ransom is paid, is a favored tool for hackers seeking financial gain. While large companies, states, and even local city governments recently have fallen victim to ransomware, small entities make ideal targets because they're less likely to have adequate security and backup systems in place, and more likely to fork over the money. Today's distributed software architectures offer hackers a multitude of critical systems and data lakes that can be held for ransom, making a business continuity and disaster recovery solution a crucial aspect of any security strategy. Look for a solution that's capable of securely backing up every system in the IT stack, from on-premises to cloud.

Evolved malware and hacker capabilities coupled with the sheer number of vulnerabilities and points of access make an entirely secure system next to impossible for giant corporations and small businesses alike. There is, unfortunately, no one-size-fits-all strategy for securing a small business, but a robust plan and the implementation of new technologies such as automation will help you and your IT team sleep better.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"

Mike Puglia brings over 20 years of technology, strategy, sales, and marketing experience to his role as Kaseya's chief strategy officer. He is responsible for overall customer marketing, management, and development across Kaseya's portfolio of solutions. Prior to joining ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Ejew1973
50%
50%
Ejew1973,
User Rank: Apprentice
2/14/2020 | 4:10:44 AM
Opinion
Thanks to the author for raising a really necessary topic. Given the fact that I devoted my whole life to the financial sector, I managed to see not so many business owners, and especially startups, who would realize the importance of budgeting and cash flow statements. The main goal for me and my entire team of financial experts at FinModelsLab was to automate the tables and help in maintaining the necessary budget documentation in the field of business planning and forecasting using Excel templates. It is worth remembering that the budget tables differ in their purpose for each business sector. For any kind of startups, either real estate or service stations, this is a must. For my part, I would like to ask entrepreneurs personally what would you like to add to the templates? I will be happy to answer!
Ejew1973
50%
50%
Ejew1973,
User Rank: Apprentice
2/14/2020 | 4:12:37 AM
Opinion
Thanks to the author for raising 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.