Small Business: Large Threat
by: Joe Ezell
Cybersecurity is an exciting concept, provoking thoughts of hackers and sometimes reminding people of their favorite movies such as WarGames (1983) and The Great Hack (2019). The reality is not as glamorous as movies depict. The internet and computing environments attract cybercriminals, with very real implications of lost time, money, data and privacy, all of which can equate to legal liability. Large businesses make the headlines with stories of ransomware incidents and demands for large sums of money, leading the public to believe they are more frequently targeted than small businesses (SMBs). In actuality, large businesses usually have more funding and, as a result, more robust security infrastructure to prevent criminal attempts. SMBs often cannot boast the technological security resources and processes necessary to thwart cyber-attacks, making them prime targets for cybercrimes.
So, what is cyber and why do I need cybersecurity?
According to Merriam-Webster, cyber is defined as “of, relating to, or involving computers or computer networks”, which makes it a very broad term. Cybersecurity encompasses the protections used to secure your computer systems and data from potential loss. These safeguards can involve hardware and software components ranging from simple, low-cost firewall devices to robust and costly tools, or even procedural efforts such as risk analysis, employee training and industry best practices. Cybersecurity’s simple goal is to protect your assets and reduce the risk to your company from known threats.
Attempting to list all of the threats could be overwhelming, but the top three are listed as follows:
• Social Engineering is probably the easiest and most common threat. It involves exploiting humans to convince them to divulge sensitive business information. Criminals pose as legitimate technical support members, or a vendor you often use in order to gather intelligence until they have enough to take action. The key to mitigating this is education: make your employees aware of social engineering, how to recognize it and how to avoid the threat.
• Phishing is an attempt at data gathering. A criminal will attempt to gather your personal information through electronic means, such as an email with a legitimate-looking link to a familiar website. Clicking the link will take you to a website that asks you to update your personal information and ultimately collects and uses what you enter. Again, education is key here, but so is backing up your data in case of loss.
• Ransomware is one of the leading cybercrimes to date. The object is to infiltrate your system, steal and encrypt your data and ransom it back to you, usually at a price lower than your insurance deductible. Keeping your data encrypted and having encrypted backups stored in a separate location from your network is one of the easiest ways to prevent catastrophic damage from a ransomware attack.
How do I determine my risks?
For even the most powerful corporations, risk analysis can be a costly venture, but the return on investment can outweigh that cost exponentially. Risk assessment is a critical process to identify where to spend precious capital on defending critical resources. Rather than attempting to prevent all potential threats, an impossible endeavor, your team should focus efforts on defending the assets most critical to the business.
As an example, if your business is primarily online, you will rely on a public-facing web page as a storefront. What impact would it have if that page were defaced? Public-facing web pages can usually have security settings applied quickly and easily. However, having your system infiltrated and your proprietary engineering drawings stolen or destroyed could cripple your business. Focus on backing up and restoring critical information and components, and protect them from cyber threats.
Prevention is the key!
There is no single answer regarding how you should protect your business interests from the criminals. Each business is unique, with distinctive goals and objectives. After identifying your risk areas, you should next consider the other preventive measures you can easily accomplish.
Below are some simple measures to help mitigate risks to your business:
• Educate your employees. The more they know, the more secure your business can be. Teach them how to identify phishing emails, and educate them on good internet browsing practices, strong passwords and protecting company data. These steps will help reduce the risk to your company. Some free training resources are listed at the end of this article.
• Keep your systems up to date. If you are running your own server and network equipment, regular updates can help prevent system infiltration. Older systems have well-known vulnerabilities hackers have already identified, making them a legitimate security risk to your systems. Eliminating these vulnerabilities will make it harder for a hacker to get in.
• Encrypt and back up your data to the best extent possible. Consider having a regular data backup plan. Encrypt your data backups and keep them in a separate location, unattached from your network.
• Having well-written policies can help mitigate risks. One policy cannot cover everything, so you should have several to cover a broader area. Data backup policies, acceptable use policies (for computer and device use), and maybe even a training policy covering required training for employees are a good start. Other policies should incorporate topics such as the use of social media, what makes an acceptable password and perhaps the appropriate use of personal devices in the workplace.
Cybersecurity seems a daunting concept but the necessity is real. Protecting your business from cybercrime by reducing risk can help prevent intrusions to your systems and support your business’ uninterrupted sustainment. Educating your employees is imperative in preventing or reducing damage from a cyberattack. A list of free, basic cybersecurity training is available on the National Institute of Standards and Technology website here: https://www.nist.gov/itl/appliedcybersecurity/nice/resources/online-learning-content.
Additionally, the Internet Information System Security Certification Consortium (ISC2) offers a FREE, accredited cybersecurity certification: https://www.isc2.org/landing/1mcc.
For any of your commercial printing or graphic communication needs, please contact Tim Cantrell at 803-587-2174 or tcantrell@proprinters.com.