Cyber Risk Management Tips for Small to Medium Size Businesses
In today’s fast-paced Information Technology (IT) environments it is difficult to keep pace with the ever-evolving changes, updates, and new products. Organizations struggle to keep their IT systems running, with cybersecurity often being a second thought or a side project. According to Computer Weekly, 71% of C-suite executives admit to having gaps in their cyber threat knowledge. When senior leaders are unaware, or unsure, of what risks exist, the probability of risk mitigation decreases significantly.
Could this be why we seem to be hearing more about cybercrime in the news over the past few months, with stories of large organizations being attacked? Examples include the Colonial Pipeline ransomware breach, in which the company paid $4.4 million to the cybercriminals and the availability of gasoline was greatly reduced, and the JBS U.S. beef plants that were forcibly closed by cyber-attacks, causing a widespread change to futures within the U.S. market.
Cybercrime, specifically ransomware, has garnered more media attention in recent months; however, the coverage tends to focus on the larger, more “dramatic” attacks. This does not mean that small to medium-size businesses (SMBs) are not also facing a greater threat landscape. SMBs are now attacked at close to the same rate as their larger counterparts. The major difference is the time it takes to discover the breach. Large businesses find breaches within “days or less” in over half of the cases, while small and medium businesses discover breaches in “days and beyond” in most cases.
The Increasing Need for Cybersecurity
It is becoming increasingly clear that cybersecurity is more important than ever. How does an SMB become “cyber secure”? Large businesses typically have budgets specifically for cybersecurity and yet they are still breached. If that is the case, what can an SMB do with limited funding for IT, let alone cybersecurity? To start, let us move away from the idea of simply achieving “cybersecurity”: in today’s environment the cybercriminals keep pace with technology faster than defenders do, and are therefore constantly finding new ways to breach IT systems. The focus should instead be on Cyber Risk Management (CRM), where an organization clearly defines each risk and works towards one of the only four actions available against that risk:
- Acceptance: Business understands the risk and takes no action, most often for minor risks
- Avoidance: Business avoids the activities that carry the risk, most often when the risk would have a major impact
- Mitigation: Business takes action to reduce how often the risk occurs and how much damage it does; the most common approach
- Transfer: Business moves the risk away from the organization through insurance; used as a last option
When SMBs realize that the goal is not to remove all risk, which is a daunting and expensive task, but to consider all of their risks and make informed decisions on what actions to take, the burden is lessened and they can provide proper due diligence towards cybersecurity.
Conduct a Cyber Inventory
The first thing an SMB should accomplish to develop its CRM program is a complete cyber inventory of the organization. This is not just a physical inventory of equipment but also software, data types (PII, PHI, etc.), storage locations, connections to other organizations, cloud environments in use (Office 365, Dropbox, etc.), ownership of devices (including any personal devices such as cell phones), cyber training levels of employees, Internet connections, and any other item that may introduce risk within the organization. Collecting this information builds the cyber footprint against which risk is determined.
With the cyber inventory in hand, it is time to begin the cyber risk analysis to calculate the SMB’s current risk. Risk is calculated by taking the impact the attack would have and multiplying it by the likelihood of the attack occurring (Risk = Impact × Likelihood), as demonstrated below.
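The following is an added example, not part of the original article, showing how the inventory, the Risk = Impact × Likelihood calculation, and the four risk actions above fit together in a small risk register. The 1–5 scales, the treatment thresholds and the sample inventory items are assumptions constructed for illustration.

```python
"""Minimal SMB cyber risk register (added example, not from the article).

Each inventory item carries an impact and a likelihood on an assumed 1-5
scale; risk is impact * likelihood as the article states. The thresholds
that map a score to one of the four actions are an assumed policy.
"""
from dataclasses import dataclass

ACCEPT_MAX = 4     # assumed: a score of 4 or less is minor enough to accept
MITIGATE_MAX = 15  # assumed: scores 5..15 get a mitigation action
# Above MITIGATE_MAX: avoid the activity if the business can drop it,
# otherwise transfer the risk (insurance) as the last option.


@dataclass
class InventoryItem:
    name: str
    impact: int            # 1 (negligible) .. 5 (business-ending)
    likelihood: int        # 1 (rare) .. 5 (expected)
    avoidable: bool = False  # can the business stop the activity entirely?


def risk_score(item: InventoryItem) -> int:
    """Risk = Impact x Likelihood, with the scale range enforced."""
    for value in (item.impact, item.likelihood):
        if not 1 <= value <= 5:
            raise ValueError("impact and likelihood must be between 1 and 5")
    return item.impact * item.likelihood


def treatment(item: InventoryItem) -> str:
    """Map a score to accept / mitigate / avoid / transfer (assumed policy)."""
    score = risk_score(item)
    if score <= ACCEPT_MAX:
        return "accept"
    if score <= MITIGATE_MAX:
        return "mitigate"
    return "avoid" if item.avoidable else "transfer"


def build_register(items):
    """Return (name, score, action) tuples, highest risk first."""
    rows = [(i.name, risk_score(i), treatment(i)) for i in items]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample inventory, drawn from the categories the article lists.
SAMPLE_INVENTORY = [
    InventoryItem("Customer PII in a Dropbox shared folder", 5, 3),
    InventoryItem("Staff personal phones with company email", 3, 4),
    InventoryItem("Old point-of-sale PC on the guest Wi-Fi", 4, 5, avoidable=True),
    InventoryItem("Marketing laptop used on a home network", 2, 2),
]

if __name__ == "__main__":
    for name, score, action in build_register(SAMPLE_INVENTORY):
        print(f"{score:>2}  {action:<8}  {name}")
```

Running it prints the register ranked by score, so the highest-risk item (the point-of-sale PC on guest Wi-Fi) appears first with the action the policy assigns to it.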
Consider All Actual Risks
Once the SMB has completed the inventory and understands how to calculate cyber risk, the next stage is to consider the actual risks to the organization. One of the biggest threats facing any organization today is social engineering. Social engineering exploits weaknesses in decision making and human behavior, using authority, time pressure, tone (persuasive or polite), and fear to get an individual within the organization to act on the attacker’s behalf. The number one social engineering attack vector is known as “phishing”: an email that requires some action from the person receiving it, be that clicking a link or opening an attachment. Cybercriminals create realistic-looking emails in the hope of “fooling” the recipient into acting. A ransomware attack is most often delivered in this manner.
Defense Against Phishing
Defending against “phishing” starts with user education. Giving employees a once-a-year, death-by-PowerPoint slide presentation is not the most effective way to train. Instead, create a customized training solution that provides awareness education throughout the year in shorter, more easily digested training materials that can adjust to current threat trends and provide real-world examples and testing of employees.
Strengthen Your Passwords
Another weakness that organizations face is the use of poor or improper passwords. The most recent and infamous attack that started with a poor password was the SolarWinds malware attack, where a simple password in use, “solarwinds123”, allowed outside criminals to inject malicious code into a SolarWinds product. Cybercriminals also find that many individuals reuse the same login/password combination across many sites and services. Once they can break into one site, they have the information to gain access to the user’s other sites.
Take Precautions When Connecting to Your Home Network
The events of the past year and the COVID-19 pandemic have forced many people within organizations to work from home, adding another level of cyber risk to the business. When you connect to a home network, you expose the business IT device (laptop, tablet, etc.) to an array of devices that may not have been considered during a risk assessment. Today’s typical home contains many Internet of Things (IoT) devices that are a threat. Does your home use a wireless security camera or a thermostat, or is perhaps even your refrigerator connected? These devices all become attack vectors into your organizational device. We love our family, but can we trust their Internet habits, and that they are not going to infect the network by clicking a link or opening an attachment? SMBs need to consider these factors when they are looking at their CRM program.
Use a Password Management Program
It is becoming clearer that everyone needs to consider cybersecurity and develop a CRM program. We also know that SMBs work with limited budgets and cannot afford to jump “all in” on technology to mitigate their cybersecurity risks. We recommend some simple “fixes” to some of the most common problems faced by SMBs. To start, use a password management program such as LastPass or Avira (there are many to choose from) to maintain your assortment of passwords. These programs securely store your passwords within their cloud-based management system, with you, the user, needing to remember only the “Master” password for access. The benefit is that you can have a unique password per site, generated randomly by the software. Gone are the days of writing passwords down, storing them on your device, or having passwords that are too easy to break.
Utilize a Virtual Private Network (VPN)
Another valuable and inexpensive tool is virtual private network (VPN) software for connecting to the Internet when you are not within the physical office. A VPN provides a secure “tunnel” that encrypts your network traffic until it reaches the other side of the connection. This offers a layer of privacy when you are on unprotected networks such as coffee shops, hotels, and home offices. SMBs that have internal networks can create VPNs that connect from the user’s device directly into the organizational network, as if the person were physically at the office location.
Attend Cyber Awareness Training
Lastly, and often the most important tool, is user cyber awareness training. Organizations such as Digital Beachhead offer customizable training at less than $10 a user. Training can be slide-based, interactive quizzes, or even built on a game methodology. The training could include a “phishing” test sent to organizational users that, if failed, directs the user immediately to a training program. All of this data is tracked via a web portal so leadership can see who is taking the training and how many users are failing the “phishing” tests, and take action to change, update, or increase the amount and types of training. Spending the entire cybersecurity budget on technology and none of it on training misses the point that it only takes one click to bring an organization down. If the email makes it through the technology to the user and they are unaware of the potential risks, the result could be catastrophic.
Cyber Risk Management Is Imperative
Cyber risk management is vital in today’s climate to maintain a successful organization. Taking the time to develop a full and meaningful CRM plan does not require a great expense. It takes time, planning, and a dedication to protecting your organization. Only once you have identified risks can you make informed decisions on how best to cope with them. A small “mom and pop” coffee shop does not need a multi-thousand-dollar firewall, as it is cost-prohibitive. It can, however, ensure its passwords are strong and secure, use a separate network for business than for guest Wi-Fi, and train its employees on cyber awareness. Doing nothing no longer meets the standard, so be educated and do what can be done. The biggest defense, if and when you are breached, is that you exercised due diligence appropriate to your size and company scope to protect sensitive data and had a CRM plan in place.