Small BusinessData Breach Risks for Small & Medium Sized Businesses

Data Breach Risks for Small & Medium Sized Businesses

Today, small and medium sized businesses (SMBs) are sometimes at a greater risk of cyber-attacks and security breaches than large enterprises and corporations. Seventy-one percent of cyber-attacks happen at businesses with less than one hundred employees due to less secure networks, lack of time, budget constraints, and limited resources for proper security. Other factors, such as not having an IT network specialist, being unaware of risks associated with cyber security, lack of employee training on cyber security practices and protocols, failure to update security programs, outsourcing security, and failure to secure endpoints may play a role in the increased cyber-attacks on SMBs.

Common Cyber Attacks on SMBs:

  1. Advanced Persistent Threats. These are passive cyberattacks in which a hacker gains access to a computer or network over a long period of time with the intent to gather information.
  • Phishing. Criminals utilize phishing, via email or other communication methods, to induce users to perform a certain task. Once the target user completes the task, such as opening a link or giving personal information, the hacker can gain access to private systems or information.
  • Denial of Service Attacks (DoS, DDoS). Hackers will deny service to a legitimate user through specially crafted data that causes an error within the system or flooding that involves overloading a system so that it no longer functions. The hacker forces the user to pay a fee in order to regain working order of the system.
  • Insider Attacks. An insider attack may occur when employees do not practice good cyber safety resulting in stolen and/or compromised data.
  • Malware. Malware may be downloaded to the computer without the user knowing, causing serious data or security breaches.
  • Password Attacks. Hackers may use automated systems to input various passwords in an attempt to access a network. If successful in gaining network access, hackers can easily move laterally, gaining access to even more systems.
  • Ransomware. Ransomware is a specific malware that gathers and encrypts data in a network, preventing user access. User access is only restored if the hacker’s demands are met.

To help ensure your business is protected, it is important to know and understand the different ways hackers can gain access to a network and pose a threat to the data security of the business.

Some Ways SMEs Can Help Avoid Being a Victim of Cyber-Attacks

  1. Understand Legal Requirements

Often, SMBs are unaware of cybersecurity best practices, so they rely on vendors without first determining what their legal obligation is to have certain cybersecurity and data privacy practices in place. Some laws dictate what steps an organization are required to take. Thus, it is prudent for a company to develop a plan with legal counsel and then identify the ideal vendors to help execute that plan.

  • Use a Firewall

Firewalls are used to prevent unauthorized access to or from a private network and prevent unauthorized users from accessing private networks connected to the internet, especially intranets. The Federal Communications Commission (FCC) recommends all SMBs set up a firewall, both externally and internally, to provide a barrier between your data and cybercriminals.

  • Document Cybersecurity Policies

It is critical as a business to document your cybersecurity protocols. As discussed above, there may even be legal obligations to do so. There are many sources available that provide information on how to document your cybersecurity. The Small Business Administration (SBA) Cybersecurity portal provides online training, checklists, and information specific to protecting small businesses. The FCC’s Cyberplanner 2.0 provides a starting point for security documents and the C3 Voluntary Program for Small Businesses contains a detailed toolkit for determining and documenting the cybersecurity practices and policies best suited for your business.

  • Plan for Mobile Devices

With technology advancing and companies allowing employees to bring their own devices to work, it is crucial for SMBs to have a documented written policy that focuses on security precautions and protocols surrounding smart devices, including fitness trackers and smart watches. Employees should be required to install automatic security updates and businesses should implement (and enforce) a company password policy to apply to all mobile devices accessing the network.

  • Educate Employees on Legal Obligations and Threats

One of the biggest threats to data security is a company’s employees, but they also can help be the best defense. It is important to train employees on the company’s cybersecurity best practices and security policies. Provide employees with regular updates on protocols and have each employee sign a document stating they have been informed of the business’ procedures and understand they will be held accountable if they do not follow the security policies. Also, employees must understand the legal obligations on companies to maintain certain practices, including how to respond to inquiries the business may receive from customers about their data.

  • Enforce Safe Password Practices

Lost, stolen, or weak passwords account for over half of all data breaches. It is essential that SMB password policies are enforced and that all employee devices accessing the company network are password protected. Passwords should meet certain requirements such as using upper and lower-case letters, numbers, and symbols. All passwords should be changed every sixty to ninety days.

  • Regularly Back Up Data

It is recommended to regularly back up word processing documents, electronic spreadsheets, databases, financial files, human resource files, and accounts receivable/payable files, as well as all data stored on the cloud. Make sure backups are stored in a separate location not connected to your network and check regularly to help ensure that backup is functioning correctly.

  • Install Anti-Malware Software

It is vital to have anti-malware software installed on all devices and the networks. Anti-malware software can help protect your business from phishing attacks that install malware on an employee’s computer if a malicious link is clicked.

  • Use Multifactor Identification

Regardless of precautions and training, your employees will likely make security mistakes that may put data at risk. Using multifactor identification provides an extra layer of protection.

Both technology and cybercriminals are becoming more advanced every day. Cyber security should be a top priority for your SMB. The right technology experts can help identify and implement the necessary policies, procedures, and technology to protect your company data and networks.

Beckage is a law firm focused on technology, data security, and privacy. Beckage has an experienced team of attorneys, who are also technologists, who can help educate your company on the best practices for data security that will help protect you from any future cyber-attacks and data security threats.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

CybersecuritySome Proactive Measures to Improve Cybersecurity Preparedness

Some Proactive Measures to Improve Cybersecurity Preparedness

The impact of ongoing ransomware events in the healthcare and broader business communities compel us both professionally and personally to self-reflect and to ask tough questions like “how ready are we?” “can we really do anything to prevent it from happening to us?” and “what if it happens, then what?”.

There is no one-size-fits-all approach, but there are some relatively easy proactive measures that can help narrow an organization’s attack surface, despite their cyber-maturity. These measures can additionally mitigate the likelihood of falling subject to a ransomware event.

Resource Allocation

Organizations should focus on allocating resources to create robust incident response, disaster recovery, and business continuity plans and effective governance structures to support them. In addition, organizations should audit their existing network security as there are many opportunities for vulnerabilities. Luckily, these potential vulnerabilities can be prevented if your organization takes the proper steps. Some key points to consider regarding the security of your organization are:

• Proper segmentation or end point encryption

• Remote Desktop Protocol (one of the most dominant attack vectors)

• Explore running services on a non-default port for higher security

• Controls around change management and patching processes

• Data retention & data loss prevention

• Identifying access management and vendor management.

• Unsecure servers hosted by third parties.

Evaluate and Improve Patch Management Process

In addition to monitoring network security and keeping systems and applications up to date, organizations should address their “end of life” problem. If it is impractical or even impossible to update systems, it is critical to take additional steps to mitigate your risks. If your business has technology that is embedded in the fabric of your operations, segment end-of-life systems and software and develop a minimum-necessary access policy. This is particularly important with regard to medical devices, as many are still running outdated operating systems that simply cannot be updated. Remember, where preventative controls are not possible, develop detective controls and perform real-time monitoring to mitigate risks.

Backups and Testing are an Essential

Another measure your organization can take are restorable backups. Restorable backups may appear to be an easy process but there are many seemingly mature organizations that do not have a full backup of all critical data. Although restorable backups require data categorization or classification effort, it is equally important that an organization maintain an off-line, 100% off-network back-up instance. A good place for this is in an organization’s asset inventory. Organizations should also test the ability to restore their backups. In a worst-case scenario, a victim organization will have to rely on the availability of backed-up data.  Restorable backups are something every security framework requires. Do you align with an industry recognized framework? If you have not adopted a security framework, it is critical to do so as soon as possible.

Policies are Living Documents

Your organization should have well documented policies and procedures that meet legal requirements and provide a legally defensible posture. Every organization has different needs and different legal standards which they need to abide by, therefore it is bad security hygiene to copy and paste policies found online. You may be subjecting yourself to laws and standards that do not apply or leaving your company legally exposed. Every well-planned policy taxonomy will have both a sustainable governance framework that serves to keep your policies current and relevant, and a mechanism in place to enforce the policies.

Our Beckage team leverages their deep experience to assist organizations of various sizes and complexities in building efficient, longstanding and scalable IT due diligence programs. Our team of attorneys are seasoned technology professionals with backgrounds that include risk management, in-house counsel, governmental agencies, and information security and technology leadership.  We work with businesses across channels and industries to facilitate the design and implementation of enterprise-wide security programs and perform ongoing “health checks” to evaluate the appropriateness of controls and alignment with business requirements. As we continue through 2020, there has never been a better time to operationalize a risk-based methodology.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.