(This column originally appeared in the Philadelphia Inquirer)
According to a recent survey of 6,700 private sector cybersecurity leaders across 27 markets from technology infrastructure firm Cisco, a mere 15% of organizations globally have the “mature” level of readiness needed to be resilient against today’s cybersecurity risks. Unfortunately, because they have fewer resources, small businesses are most at risk of suffering a data breach, and getting hacked can cause significant disruptions and additional costs or even cause a company to permanently go out of business.
“We’re seeing a constant threat of infiltration and attacks in particular among our smaller clients,” said Brian Pickell, the founder and CEO of IT services firm KP Interface, based in Royersford. “I think the hackers have been committed to the fact that despite the knowledge of this risk most businesses are still very weak in terms of properly responding to these threats so their exposure is very high.”
Here are five ways to protect your small business from security threats.
Change how people can access your network. Subscribe to a password management application like LastPass or Keeper which, although not impenetrable, will help you and your employees implement complex passwords using symbols and other irregular characters.
In addition to deploying complex passwords, it’s also critical to implement multi-factor authentication (MFA) so that anyone trying to get access receives a text message with a special code to use or has to use a special code generated elsewhere.
David Mulvey, the founder of ANP, a Plymouth Meeting IT services firm, said clients who add controls like multi-factor authentication have seen a “90% increase” in their protection.
“There are great authenticator tools from companies like Okta, Google, and Duo, which regenerate a code for use each time or even a hardware ‘key,’ which you connect to the USB port of your device for identification,” he said. “There’s also software like Microsoft Windows Hello which offers biometric security like eye or facial scans from your camera’s laptop.”
Mulvey also said “passwordless security,” where a unique link is created whenever an employee needs access to a system rather than requiring a password be entered, is also extremely effective.
Erik Gudmundson, a vice president at managed service firm Pegasus Technologies, which has locations throughout the Delaware Valley, agreed.
“I feel that app-based MFA is more secure than text message-based MFA because if a criminal can convince your mobile phone carrier that they’re you, they can intercept your text messages,” he said. “That said, any MFA is better than no MFA.”
Whether your employees are using Microsoft Windows, Apple iOS, or Google Android, make sure that everyone is upgrading their operating system when reminded. That way they’ll be running the most recent security patches. Combine this with local security software like Malwarebytes, Avast, and Norton to ensure that everyone’s device is protected with current defenses, and use an IT firm to help manage these changes, particularly for your remote workers.
“Remote workers can be a challenge,” says Pickell. “We ask those employees to sign a letter authorizing us to install security tools on their personal devices which is a challenge both for us and our clients. I realize it’s not easy for companies to force their employees to do this, but it’s important for us to do our job.”
Study after study has shown that the biggest security threat is ourselves: owners and employees of businesses who mistakenly click on “phishing” links or download and open unknown documents that release malware. The best way to minimize this risk is through regular training from an IT firm or using special software that tests employees on the latest threats.
Like many of my clients, you should seriously consider outsourcing all of your applications and data to a managed service provider. These firms provide round-the-clock access to your information but also have the resources to employ the latest security tools and software to protect your data. All of them offer backups, advanced access controls like multi-factor authentication, and training for their clients.
“When you outsource your IT to a managed service firm, you’re basically being handled by somebody with a lot more expertise and resource than if you were doing it on premise or with an ‘old school’ IT services provider,” said Gudmundson.
Many large insurance companies offer cyber insurance as part of their general property and liability coverages, and others have separate policies. Cyber insurance can help to cover the losses incurred by a prolonged business interruption and may be helpful in compensating customers or other parties whose data you were storing.
Please know that none of these steps will fully protect you against a data breach because there’s no such thing as a 100% guarantee against these kinds of threats. But taking them will cause many hackers to avoid spending too much time trying to get access to your data.
“Small businesses don’t necessarily need the strongest defenses, but they shouldn’t be the weakest target,” said Gudmundson. “Criminals are growing more sophisticated by the day, so organizations continue to increase their defense posture. Don’t be the lowest hanging fruit.”