Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/13/2020
02:00 PM
Mike Puglia
Mike Puglia
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Small Business Security: 5 Tips on How and Where to Start

There is no one-size-fits-all strategy for security, but a robust plan and the implementation of new technologies will help you and your IT team sleep better.

With limited security budgets and overworked IT teams, small and midsize businesses (SMBs) are an obvious target for cyberattacks. As a business grows and its software systems scale, so do its vulnerabilities and attack surface. Nearly half of all cyberattacks target small businesses for this very reason, and 60% of those attacked go out of business within six months.

Most business leaders know their IT security systems are lacking, but overhauling and improving them is a daunting task, and many simply don't know where to start. Here are five tips for SMBs to establish a security strategy and protect their assets.

1. Be honest in your assessment.
The first step to addressing vulnerabilities is understanding them. A robust security assessment should encompass all IT systems and business processes, identifying the most vulnerable aspects to attack and the most critical assets for the business. Consider implementing security assessment software, which should not only identify vulnerabilities, but provide clear, concise benchmarks and offer recommendations to lower the risk of attack.

When weighing the options, effective security assessment tools should have the ability to identify the following:

  • External vulnerabilities that could allow malicious actors to gain access to the network
  • Flawed outbound protocols, which may leak sensitive data
  • Inadequate web browser controls
  • Wireless network vulnerabilities
  • Network sharing and user access permissions

2. Time is money: Automate patching to reduce risks quickly.
Most recent cyberattacks have been caused by inadequate or delayed patching. Establishing and maintaining patch management process is a key aspect of overall security, but with small, multifunction IT teams, often without dedicated security personnel, many small businesses struggle to manually patch vulnerabilities in a timely manner. Automated patching, on the other hand, is a cost-effective alternative to patching manually and greatly reduces the risk of prolonged patching processes, which allow hackers to take advantage of known vulnerabilities.

Kaseya's 2019 State of IT Operations Survey data showed that automated software patch management is a key area for improvement in most SMBs. Only 42% of respondents automate or plan to automate patch management and, similarly, just 42% monitor third-party software and apply critical patches within 30 days. Given that big security breaches are frequently a result of failure to patch in a timely manner, automated patching stands as a significant area for improvement for more than half of respondents.

3. Strength in numbers: Make multifactor authentication (MFA) a priority.
While it may seem comical, weak passwords — such as the painfully obvious "password" — are a major security risk and a leading cause of data breaches. WeWork, a shared workspace company, recently came under fire for using a "laughably weak" password in its national and international locations, which put thousands of customers and their sensitive data at risk. Old, weak passwords are ripe targets for brute-force attacks, where hackers use bots to systematically try to enter every possible password until they "guess" correctly.

MFA is a simple way to dramatically reduce the risk of unauthorized access by requiring an additional form of identification, typically in the form of smartphone app or token, which is commonly known as two-factor authentication (2FA). Over 80% of data breaches in 2017 were caused by hacked passwords, many of which could have been prevented by simply installing an identity and access management solution with 2FA.

4.  Be aware of threats from within.
Insider threats are another common source of security breaches that can be difficult to detect and are typically unaffected by traditional antivirus and antimalware tools. While many insider threats involve malicious attacks, employee negligence is also a contributor. Because the actors already have access to the system, it's critical for small businesses in particular to identify and respond to issues that may indicate an internal threat.

Specialized software is required to monitor and flag signs of insider threats, which include:

  • Suspicious, unnecessary, or unauthorized logins
  • Changes to user permissions or device access
  • New or unrecognized devices on restricted networks
  • New installations on locked or restricted systems

5. Back up your systems — all of your systems.
Ransomware, which denies users access to their systems until a ransom is paid, is a favored tool for hackers seeking financial gain. While large companies, states, and even local city governments recently have fallen victim to ransomware, small entities make ideal targets because they're less likely to have adequate security and backup systems in place, and more likely to fork over the money. Today's distributed software architectures offer hackers a multitude of critical systems and data lakes that can be held for ransom, making a business continuity and disaster recovery solution a crucial aspect of any security strategy. Look for a solution that's capable of securely backing up every system in the IT stack, from on-premises to cloud.

Evolved malware and hacker capabilities coupled with the sheer number of vulnerabilities and points of access make an entirely secure system next to impossible for giant corporations and small businesses alike. There is, unfortunately, no one-size-fits-all strategy for securing a small business, but a robust plan and the implementation of new technologies such as automation will help you and your IT team sleep better.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"

Mike Puglia brings over 20 years of technology, strategy, sales, and marketing experience to his role as Kaseya's chief strategy officer. He is responsible for overall customer marketing, management, and development across Kaseya's portfolio of solutions. Prior to joining ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Ejew1973
50%
50%
Ejew1973,
User Rank: Apprentice
2/14/2020 | 4:10:44 AM
Opinion
Thanks to the author for raising a really necessary topic. Given the fact that I devoted my whole life to the financial sector, I managed to see not so many business owners, and especially startups, who would realize the importance of budgeting and cash flow statements. The main goal for me and my entire team of financial experts at FinModelsLab was to automate the tables and help in maintaining the necessary budget documentation in the field of business planning and forecasting using Excel templates. It is worth remembering that the budget tables differ in their purpose for each business sector. For any kind of startups, either real estate or service stations, this is a must. For my part, I would like to ask entrepreneurs personally what would you like to add to the templates? I will be happy to answer!
Ejew1973
50%
50%
Ejew1973,
User Rank: Apprentice
2/14/2020 | 4:12:37 AM
Opinion
Thanks to the author for raising 
Techgmyth
50%
50%
Techgmyth,
User Rank: Strategist
2/15/2020 | 12:16:55 PM
Regarding Business Security Tips by Professional Support
Thanks for sharing such a nice summary of content and ideas. It is really helpful for the startup business.
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7050
PUBLISHED: 2020-02-15
Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies ...
CVE-2019-13965
PUBLISHED: 2020-02-14
Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed...
CVE-2019-13966
PUBLISHED: 2020-02-14
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
CVE-2019-13967
PUBLISHED: 2020-02-14
iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only a...
CVE-2019-15592
PUBLISHED: 2020-02-14
GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline.