Casey Crane is a tech lover and cybersecurity journalist for Hashed Out and Infosec Insights.
Verizon’s 2020 Data Breach Investigations Report indicates that cybercriminals don’t care how big or small your business is — they want your credentials and data regardless (and will do what they can to get them)
businesses across every industry — and small businesses are no different. Verizon’s 2020 Data Breach Investigations Report (DBIR) reports that 28% of data breaches were experienced by small businesses in 2019.
The U.S. economy rests on the backs of small businesses, which means that every business, no matter how large or small, needs to take steps to protect themselves from cyber threats. In this article, we’re going to cover some of the top data security mistakes that small and midsize businesses make that lead to data breaches.
Data Security: The Top Causes of Data Breaches for SMBs
When it comes to strengthening your cybersecurity and data security efforts, there are lots of things small businesses can do well and places where they tend to drop the ball.
1. Small Businesses Believing That They’re “Too Small” to Be Targets
The biggest data security mistake that SMBs make is thinking that their business is too small to be targeted by cybercriminals. Just because your business is categorized as a “small business” doesn’t mean that cybercriminals are going to just magically choose to ignore it.
Think that your business is too small to be worth the effort of cybercriminals? Think again. If your business has any type of data — customers’ personally identifiable information (PII), employee credentials, financial records, intellectual property, trade secrets — then they want it.
Like Smeagol and his ring, your data is Precious to cybercriminals.
Why? Because they can use it to commit fraud, steal money, or sell to your competitors or other cybercriminals. Yeah, cybercriminals are greedy that way.
Simply put, neither you nor your customers can afford for you to be complacent about cybersecurity.
2. Not Providing Cyber Awareness Training to Employees and Other Authorized Users
In many cases, the social engineering awareness and cybersecurity savviness of your employees may be the only things standing between a cybercriminal and your most valuable data. This is why cybersecurity awareness training is a critical part of your organization’s cyber defenses. Education is what helps your employees understand and recognize the different types of social engineering tactics and cyber threats that lurk on the web.
“GetApp’s recent data security survey found that 43% of respondents report that their company does not provide data security training on a regular basis; 8% reported never receiving training.”
But why is this training so important? Verizon’s 2020 DBIR states that cybercriminals are primarily concerned with getting access to credentials and personal data from any organization, regardless of its size. The reason they want to get their hands on your info is that it allows them to gain access to any accounts (and any systems those accounts have access to) that use those credentials. After all, it’s a lot easier for a cybercriminal to walk through the front door than it is to hack their way through a (fire)wall and into your network.
3. Not Controlling or Limiting Access to Networks and Databases
Make no mistake: Cybercriminals want access to your data no matter how big (or small) your organization is. If external threat actors can get their hands on legitimate user credentials, they’ll use it to access whatever systems the compromised user accounts have access to.
“The new #1 concern: detection of rogue insiders and insider attacks. A close second: user security awareness and education. Clearly, enterprises need to devote more attention to monitoring and educating their own people.”
Thankfully, there’s something that you can do to limit the reach of both internal and external cybercriminals and contain the damage they cause: implement access control. This process involves limiting access to your network, databases, and other critical systems to only those individuals whose jobs actually require it.
This means that no matter how much James in Human Resources complains or says otherwise, there’s no reason for him to have access to your customer data. There’s a big difference between someone wanting or needing access to data — it’s critical that you recognize the difference and take steps to limit access.
Don’t believe us? There are multiple glaring examples of insider threats and external hackers using compromised credentials that have made headlines:
4. Not Performing Timely Updates and Patching
Running a business that operates on outdated legacy equipment is like fighting a battle while wearing crappy armor. You’re going to take a lot of damage and likely will succumb in the end without timely intervention.
Not updating and patching your system regularly leaves gaping holes in your cyber defenses. I’m talking holes big enough that a Mack truck could plow through them. To combat these vulnerabilities, manufacturers release updates and patches with the hope that they can plug those holes before they get exploited by hackers and other cybercriminals. (Think of Microsoft’s Patch Tuesday releases.)
But what happens if you don’t apply one of these patches in time? One of the most obvious examples of a failure to apply updates and patches was the 2017 WannaCry fiasco. Despite Microsoft releasing a patch that would eliminate a vulnerability in their legacy Windows operating systems, organizations and businesses of all sizes globally found themselves the targets of a mass ransomware attack because of one simple fact: They didn’t apply the patch.
5. Not Adopting a Defense-in-Depth Approach to Cybersecurity
Cybersecurity isn’t about being 100% impervious to attack — it’s about making yourself a tougher target than the guy next to you. If a cybercriminal has the choice of trying to hack your highly fortified network or the vulnerable network of your competitor, which company do you think they’re more likely to set their sights on? I’ll give you a hint: It’s not the company with the virtual steel-reinforced barriers and bazookas.
Unless you know something that the rest of the cybersecurity world does not, it’s simply not possible to prevent every cyber attack. And there’s no single tool or method that can make you 100% resistant to cyber threats. But having a defense in depth strategy is key to making your small or midsize business a tougher target… and that’s all that anyone can hope for.
Defense in depth, a term that originated in military circles, is a holistic approach to shoring up vulnerabilities and protecting your data. It’s a combination of tools and strategies that aim to detect threats and mitigate them. The idea here is to manage risk with diverse strategies that can step in where another layer of defense fails.
“Layering security defenses in an application can reduce the chance of a successful attack. Incorporating redundant security mechanisms requires an attacker to circumvent each mechanism to gain access to a digital asset.
For example, a software system with authentication checks may prevent an attacker that has subverted a firewall. Defending an application with multiple layers can prevent a single point of failure that compromises the security of the application.”
What You Can Do to Protect Your Small Business
Okay, so you know some of the big ways that SMBs are dropping the ball. But what can you do to make sure you’re not fumbling as well? Some examples of defense in depth tools and approaches that you can put into action include:
- Making applying updates and patches a priority to keep your software applications, operating systems, servers, and other IT infrastructure up to date (and as secure as possible).
- Implementing network perimeter defense tools and processes (firewalls, antivirus and anti-malware software, network segmentation, etc.).
- Using automation tools and technologies to detect threats (IDS/IPS, SIEM tools, etc.).
- Filtering web and email traffic.
- Limiting access to only authorized individuals (maintain access lists, implement a policy of least privilege, use client authentication certificates and multi-factor authentication tools, etc.).
- Evaluating your vendors and their cybersecurity policies, processes, and procedures.
- Providing employee training and enforcing policies and procedures.
This includes all types of data — everything from website transactions and emails to mobile apps and software.
But what if you’re a small business (even by the SBA’s small business standards) that can’t afford a bunch of fancy tools and multiple IT employees to use them? You’re not alone. There are plenty of companies in your shoes.
Regardless of the approach you choose, doing something to protect your small business is better than doing nothing. Do everything within your power to make yourself a more challenging target than other SMBs.