Arraya Insights | September 5, 2019
No entity, no matter the size, can afford cyber security blind spots. The recent string of ransomware attacks targeting local governments has underscored that point. Hackers have gone after major cities like Baltimore and they’ve hit places the average person is less familiar with, like Lake City, FL. Despite the risks, many small-to-midsized municipalities, businesses, etc. count on their size to keep them safe, leaving dangerous security gaps open in the process.
Work-from-home policies are one such gap. SMBs have been overwhelmingly open to this trend, with 83% of owners allowing employees to work remotely according to Nationwide’s fifth annual Business Owner Survey, released earlier this year. Popularity aside, remote work is a security hazard for many of the SMBs that have embraced it. Nationwide found only half of SMBs have updated their work-from-home security policies in the last year. Today’s threat landscape changes fast. Regular review and revision of these policies keeps a company from inviting in needless risk by allowing employees to work remotely.
Maintaining policies around remote workers isn’t the only facet of cyber security in which SMBs seem to be struggling. Nationwide found just 4% of SMBs have fully deployed the U.S. Small Business Administration’s (SBA) list of cyber security best practices and recommendations.
Cyber Security best practices for SMBs
What makes this so concerning? The SBA’s list isn’t a collection of cutting-edge solutions or complex strategies designed to push already-elite cyber security environments to the next level. Just the opposite. The items on it are fundamental. They’re the kinds of things businesses of all sizes need to do to stay safe. Let’s review some of what’s there and how SMBs can incorporate these recommendations into their cyber security strategy.
- Deploy endpoint protection solutions (and keep them updated). It isn’t enough to roll out technology to stop malware, spyware, or any other malicious code attackers dream up. These solutions (and all others) must be kept updated and patched to ensure devices don’t become a liability. If onsite IT doesn’t have the time or resources to keep up, an outside partner makes an excellent alternative.
- Build up network defenses. Solutions such as firewalls and encryption are only one part of what must be done to keep networks safe. To start, organizations must take stock of what exists on their network and be sure that current builds allow for easy, secure growth alongside of the company itself.
- Set policies protecting high-risk information. Hackers will often take whatever they can get their hands on, but they’re predominantly after big-ticket data pertaining to health or finance. SMBs must create (and enforce) policies governing how staffers, contractors, vendors, etc. handle and store their most sought after, at-risk data.
- Educate employees about the threat landscape. Employees need to know what they’re up against. SMBs must allocate for proper security training around all aspects of the workday, including something as mundane as social media usage. Cyber criminals see employees either as a weak point or as a treasure trove of exploitable information. Proper training can turn them into a security strength.
- Implement password best practices. What defines a “password best practice” in 2019 is up for debate. Some swear by forcing end users to change their passwords regularly. Others point out that this breeds bad habits. Complex passwords that aren’t shared with others and are supported by multifactor authentication is an approach no one would question.
- Make regular backups a habit. A ransomware attack can force an SMB to close up shop for good. Regular backups to a separate server or to the cloud are an SMB’s best chance to survive such an attack. In its list, the SBA sets a low bar, urging backups “at least weekly.” Despite the “at least” qualifier, a week’s worth of data can be a devastating loss.
- Limit device and network access. Some of this pertains to physical access, like keeping data centers locked down. Another part ties back in to passwords. Administrator credentials should be issued selectively and their activity tracked to make for easier audits.
- Secure on-the-go employees. Back to the topic of remote work, SMBs need encryption to help protect data when it’s on the go. They must also retain control over that data even if the physical device belongs to the user. Anything less is could mean a data leak is just a lost phone away.
Next Steps: Empower a security-focused organizational culture
These pointers are things every SMB – and, really, every organization, should implement. The consequences of doing anything less are too great. If your organization is struggling with any of part of the above list – or some other piece of its cyber security environment – Arraya can help. Connect with our team of experts by visiting https://www.arrayasolutions.com/contact-us/.
Have some thoughts about this post? We want to hear from you! Leave us a comment on this or any of our blog posts through social media. Arraya can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay updated on our industry insights and unique IT events.