DALLAS, TX – Did you know that the average cost of a data breach for a U.S. company in 2020 was $8.84 million? This year alone, the largest ransom paid to cyber extortionists was $40 million.
As we have changed how and where we work, bad actors have widened their attention to target small businesses with ransomware attempts. For little to no capital investment, you can initiate several steps to protect your company from this growing threat. Here are ten common pitfalls to avoid.
- Thinking “we are too small” or “it won’t happen to us”
Ransomware doesn’t just affect deep pocket companies. On the contrary, small businesses make up over half of the victims of cyber incidents. Cyber actors can attack more victims because criminals no longer need to create proprietary ransomware and can instead license a ransomware-as-a-service (RaaS). Along with these purchased ransom tools, the FBI’s Internet Crime Complaint Center found a 20% increase in reported ransomware incidents and a 225% increase in ransom amounts. The actual damages can be compounded if your company is subject to regulatory fines for breach of personal information.
- You don’t know what you don’t know
Many small businesses are unaware of what lives on their networks. Free port scanning tools can review your network for all connected devices in your environment. It’s a good practice to run these tools monthly to verify there are no unknown devices with access to your sensitive data. Similarly, it’s a good idea to review all the software on your systems to understand their business purpose. If your company doesn’t have a business need for the software, remove it. Additionally, having a separate public Wi-Fi isolated from your business network helps keep unwanted devices at bay.
- Not updating your computer’s defenses
Each device you use daily is vulnerable if you don’t update it. The bad actors are constantly moving the target by finding new exploits. Your best defense is to keep your devices (including phones) updated. Consider encrypting the data on all systems as an added layer of protection. Many small businesses have old or legacy systems that can no longer be updated. In these cases, isolate these systems from your business environment and minimize internet exposure.
- Using too simple of passwords
We all must balance a memorable password versus a secure password. Weak passwords can be easily guessed or cracked. Similarly, using the same password for all your accounts opens you and your company up to a possible breach if a password combination is hacked elsewhere. One possible solution is to create long (12+ character) passphrases that are easy to remember but very hard to crack. Stay away from easy to guess phrases such as family names or birthdates. Try something like a favorite vacation and year or even a movie quote: “WereGonnaNeedaBiggerBoat!” or “MarthasVinyard1975.” Administrators in your systems hold “the keys to the kingdom” and should be required to use multifactor authentication (MFA) to protect these privileged accounts. MFA can be something you know (PIN), something you have (token or smartphone), or something you are (fingerprint, voice, or iris scan). Lastly, 34% of phones do not have a passcode. Ensure all mobile devices have either a password, pin, or biometric (face or thumbprint).
- Needing fences to make good neighbors
Security in layers is the best defense. Protect your environment with a firewall that limits your internet traffic to what’s necessary to conduct business successfully. This “fence” will protect your company from unwanted activity both outside and inside your network. Firewalls are a minimum cost for the enhanced security they provide. Each device on your network should have its own endpoint protection with an antivirus antimalware program; there are many free or value-priced options. Keep these programs updated regularly. Lastly, as a small business owner, one of the most significant attack risks will be incoming phishing attempts. Protect your email by using an email protection service to scan your emails for spam and phishing attempts to reduce the likelihood of a malicious email making it to your inbox.
- Everyone has access to everything
How many people in your company have access to every file and every system? Small business is a team sport, and it’s not unusual for everyone to wear multiple hats. As your company grows and matures, each user should only have access to files and systems they need to get their job done, also known as the principle of least privilege. Even the smallest of companies need to be aware of the access each employee maintains. Regular reviews will ensure that a team member doesn’t inadvertently bring your business to a halt due to unauthorized access.
- Out of date backups or no redundancies
An often-unnoticed component of cybersecurity is reliable data backup. Being cyber smart isn’t just about stopping threats. It’s also about returning to normal after a cyber event, better known as “disaster recovery.” A reliable backup system could literally mean the difference between business- as-usual and bankruptcy. Small businesses should, at a minimum, be backing up their critical data to an offline device or the cloud. Check these systems regularly to ensure that backups are working properly, and your data can be restored if needed. More sophisticated systems come at a cost but can reduce your return to operation time to hours, not days.
- Not having a disaster recovery plan
It’s not if… but when. Business-disrupting disasters happen all the time. Fires, cyber events, floods, earthquakes, pandemics, or power outages are part of everyday life. A business often cannot foresee or prevent all of them, but they can at least prepare for them. Every business should create a disaster recovery plan to handle these events. It would be best to outline how decisions will be made if you do not have all your company resources. Computer systems should be a central part of the process as well. Plan how you will conduct everyday activities through alternate means or secondary locations until your systems can be restored. Finally, check your insurance policy to verify you have coverage in case of a natural, physical, or cyber event.
- Lack of cyber risk training
91% of cyber-attacks start with phishing emails. Even more concerning is that around 30% of
company employees are likely to click on a link in a phishing email without proper training. Educate your employees on how to spot and avoid phishing emails and who to notify of suspicious communications or concerns regarding previously clicked links. Consistent training over time will empower your employees to be vigilant in preventing and reporting phishing attempts. You should also cover other cyber topics, such as understanding your digital footprint regarding social media and how bad actors can use social data to target your employees and your business. Lastly, review your disaster recovery plan and procedures just as you might discuss your fire escape plan, so that everyone is on the same page in the event of an incident.
- Making assumptions and not testing your defenses
You have done the hard work and fortified your small business to potential cyber threats. Now it is time to test your defenses. Testing of this scale usually involves a significant amount of work and time to do correctly. It would be difficult without in-house cybersecurity professionals. Luckily, the Cybersecurity and Infrastructure Security Agency (CISA) offers several FREE scanning and testing tools to assess your exposure including these cyber hygiene services:
- Vulnerability Scanning: This service provides weekly vulnerability reports and ad-hoc alerts.
- Web Application Scanning: Evaluates known and discovered publicly accessible websites for potential bugs and weak configuration.
- Phishing Campaign Assessment: This is a practical exercise intended to support and measure the effectiveness of security awareness training by sending out phishing tests to your company.
- Remote Penetration Test: Simulates the tactics and techniques of real-world adversaries to identify and validate exploitable pathways.
Email CISA vulnerability_info@cisa.dhs.gov with the subject line “Requesting Cyber Hygiene Services” to get started.
