Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/13/2020
02:00 PM
Mike Puglia
Mike Puglia
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Small Business Security: 5 Tips on How and Where to Start

There is no one-size-fits-all strategy for security, but a robust plan and the implementation of new technologies will help you and your IT team sleep better.

With limited security budgets and overworked IT teams, small and midsize businesses (SMBs) are an obvious target for cyberattacks. As a business grows and its software systems scale, so do its vulnerabilities and attack surface. Nearly half of all cyberattacks target small businesses for this very reason, and 60% of those attacked go out of business within six months.

Most business leaders know their IT security systems are lacking, but overhauling and improving them is a daunting task, and many simply don't know where to start. Here are five tips for SMBs to establish a security strategy and protect their assets.

1. Be honest in your assessment.
The first step to addressing vulnerabilities is understanding them. A robust security assessment should encompass all IT systems and business processes, identifying the most vulnerable aspects to attack and the most critical assets for the business. Consider implementing security assessment software, which should not only identify vulnerabilities, but provide clear, concise benchmarks and offer recommendations to lower the risk of attack.

When weighing the options, effective security assessment tools should have the ability to identify the following:

  • External vulnerabilities that could allow malicious actors to gain access to the network
  • Flawed outbound protocols, which may leak sensitive data
  • Inadequate web browser controls
  • Wireless network vulnerabilities
  • Network sharing and user access permissions

2. Time is money: Automate patching to reduce risks quickly.
Most recent cyberattacks have been caused by inadequate or delayed patching. Establishing and maintaining patch management process is a key aspect of overall security, but with small, multifunction IT teams, often without dedicated security personnel, many small businesses struggle to manually patch vulnerabilities in a timely manner. Automated patching, on the other hand, is a cost-effective alternative to patching manually and greatly reduces the risk of prolonged patching processes, which allow hackers to take advantage of known vulnerabilities.

Kaseya's 2019 State of IT Operations Survey data showed that automated software patch management is a key area for improvement in most SMBs. Only 42% of respondents automate or plan to automate patch management and, similarly, just 42% monitor third-party software and apply critical patches within 30 days. Given that big security breaches are frequently a result of failure to patch in a timely manner, automated patching stands as a significant area for improvement for more than half of respondents.

3. Strength in numbers: Make multifactor authentication (MFA) a priority.
While it may seem comical, weak passwords — such as the painfully obvious "password" — are a major security risk and a leading cause of data breaches. WeWork, a shared workspace company, recently came under fire for using a "laughably weak" password in its national and international locations, which put thousands of customers and their sensitive data at risk. Old, weak passwords are ripe targets for brute-force attacks, where hackers use bots to systematically try to enter every possible password until they "guess" correctly.

MFA is a simple way to dramatically reduce the risk of unauthorized access by requiring an additional form of identification, typically in the form of smartphone app or token, which is commonly known as two-factor authentication (2FA). Over 80% of data breaches in 2017 were caused by hacked passwords, many of which could have been prevented by simply installing an identity and access management solution with 2FA.

4.  Be aware of threats from within.
Insider threats are another common source of security breaches that can be difficult to detect and are typically unaffected by traditional antivirus and antimalware tools. While many insider threats involve malicious attacks, employee negligence is also a contributor. Because the actors already have access to the system, it's critical for small businesses in particular to identify and respond to issues that may indicate an internal threat.

Specialized software is required to monitor and flag signs of insider threats, which include:

  • Suspicious, unnecessary, or unauthorized logins
  • Changes to user permissions or device access
  • New or unrecognized devices on restricted networks
  • New installations on locked or restricted systems

5. Back up your systems — all of your systems.
Ransomware, which denies users access to their systems until a ransom is paid, is a favored tool for hackers seeking financial gain. While large companies, states, and even local city governments recently have fallen victim to ransomware, small entities make ideal targets because they're less likely to have adequate security and backup systems in place, and more likely to fork over the money. Today's distributed software architectures offer hackers a multitude of critical systems and data lakes that can be held for ransom, making a business continuity and disaster recovery solution a crucial aspect of any security strategy. Look for a solution that's capable of securely backing up every system in the IT stack, from on-premises to cloud.

Evolved malware and hacker capabilities coupled with the sheer number of vulnerabilities and points of access make an entirely secure system next to impossible for giant corporations and small businesses alike. There is, unfortunately, no one-size-fits-all strategy for securing a small business, but a robust plan and the implementation of new technologies such as automation will help you and your IT team sleep better.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"

Mike Puglia brings over 20 years of technology, strategy, sales, and marketing experience to his role as Kaseya's chief strategy officer. He is responsible for overall customer marketing, management, and development across Kaseya's portfolio of solutions. Prior to joining ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Techgmyth
50%
50%
Techgmyth,
User Rank: Strategist
2/15/2020 | 12:16:55 PM
Regarding Business Security Tips by Professional Support
Thanks for sharing such a nice summary of content and ideas. It is really helpful for the startup business.
Ejew1973
50%
50%
Ejew1973,
User Rank: Apprentice
2/14/2020 | 4:12:37 AM
Opinion
Thanks to the author for raising 
Ejew1973
50%
50%
Ejew1973,
User Rank: Apprentice
2/14/2020 | 4:10:44 AM
Opinion
Thanks to the author for raising a really necessary topic. Given the fact that I devoted my whole life to the financial sector, I managed to see not so many business owners, and especially startups, who would realize the importance of budgeting and cash flow statements. The main goal for me and my entire team of financial experts at FinModelsLab was to automate the tables and help in maintaining the necessary budget documentation in the field of business planning and forecasting using Excel templates. It is worth remembering that the budget tables differ in their purpose for each business sector. For any kind of startups, either real estate or service stations, this is a must. For my part, I would like to ask entrepreneurs personally what would you like to add to the templates? I will be happy to answer!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13881
PUBLISHED: 2020-06-06
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
CVE-2020-13883
PUBLISHED: 2020-06-06
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
CVE-2020-13871
PUBLISHED: 2020-06-06
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.