By Hossein Dadkhah
Cybersecurity risk translates directly into business risk. According to Inc. magazine, 60 percent of small businesses fold within six months of a cyberattack. Fortune 500 businesses are no longer the only ones that need to worry about cyberattacks. In fact, small and midsize businesses (SMBs) made up over half of last year’s breach victims. It doesn’t necessarily matter how small the company is, how little sensitive data it holds, or how unattractive its stakeholders believe its products or services are to hackers.
Cybercriminals can have many different motivations for attacking a business. For some, the motivation is money. Some go after the business’s data or intellectual property. And then there are those who simply love the challenge of breaking in.
The truth is, all businesses can mitigate most cybersecurity risks through employee awareness and cybersecurity best practices. Italian economist Vilfredo Pareto was the first to officially note the 80/20 connection: in most cases, we can achieve 80 percent of the benefit from 20 percent of the effort. SMBs can successfully apply the 80/20 rule in securing their businesses and make the most of their cybersecurity investment.
While no guidelines or services can guarantee against security breaches, here are seven pieces of advice that CPAs can recommend to reduce their clients’ data breach risks:
1. User Security Awareness Training
Security attacks are becoming more advanced, while phishing emails and potential threats are getting harder to recognize. Businesses should therefore provide an ongoing cybersecurity training program, as well as basic security practices, for employees, since negligent employees, third-party vendors and contractors are responsible for over half of data breaches. After all, humans are the weakest link in security.
2. Apply Strong User Authentication
Businesses should balance security and usability when it comes to user authentication. They should put two-factor authentication in place, wherever possible. These methods combine the use of something the user knows (e.g., a password) with something that the user has (e.g., a physical token, an app-generated code, an automated phone call to a telephone number on file). Moreover, businesses should implement policies on password length, recycling passwords and use of password managers.
3. Implement Security Software
The word “malware” is applied to computer viruses and spyware. It is one of the leading causes of data being stolen or breached. It is critical to have centrally managed anti-malware software installed on all systems, including servers and workstations. The anti-malware software should also be automatically updated with new definition files.
4. Automatically Patch Operating Systems and Applications
Malware and cybercriminals exploit vulnerabilities in operating systems like Windows and Mac OS. Applications such as Adobe Acrobat and Microsoft Office also have vulnerabilities. It is important to keep all operating systems and applications up to date with automatic security patches. If a piece of software or hardware is not capable of automatic patching, then a risk assessment should be conducted to determine whether to keep or replace it.
5. Securely Configure Devices
Default administrator passwords and insecure default settings on devices are a major security concern in companies’ networks and infrastructure. We often see devices such as routers and firewalls configured with default administrative passwords, which could become accessible to the public.
SMBs should deploy secure configurations for all their network connected devices and change all the default passwords. They should also turn off unnecessary features and enable all relevant security features on those devices.
6. Backup and Encrypt Data
SMBs should have a defined and documented data backup plan that ensures all critical data is properly backed up. The 3-2-1 backup rule indicates that one copy of data should be stored off-site (either physically or via cloud services) in addition to two on-site copies in the event data on servers need to be restored. A standard backup plan for company data should address a list of systems needing to be backed up, what data needs to be backed up and how often the data will be backed up.
SMBs should periodically test the backups to ensure that all data is being properly backed up, is recoverable and can be restored. Backups should be stored in an encrypted state, and access to them should be restricted to those who need it for testing or restoring.
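The periodic restore test described above can be automated by hashing every file in a test restore and comparing it with the data it is supposed to reproduce. The following is an added example, not part of the original article; the function names, directory layout and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def verify_restore(source, restored):
    """Compare a test restore against the data it should reproduce."""
    src, dst = manifest(source), manifest(restored)
    return {
        "missing": sorted(set(src) - set(dst)),  # never made it into the backup
        "corrupted": sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p]),
        "unexpected": sorted(set(dst) - set(src)),  # stale or foreign files
    }


def demo():
    """Constructed sample: a live share and a flawed test restore of it."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for d in (live / "clients", restored / "clients"):
            d.mkdir(parents=True)
        (live / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "clients" / "acme.txt").write_text("ACME tax file\n")
        (live / "clients" / "zenith.txt").write_text("Zenith tax file\n")
        (restored / "ledger.csv").write_text("id,amount\n1,100\n")
        (restored / "clients" / "acme.txt").write_text("ACME tax f")  # truncated
        return verify_restore(live, restored)


if __name__ == "__main__":
    for finding, paths in demo().items():
        print(f"{finding}: {paths or 'none'}")
```

Files edited after the backup ran will also show up as mismatches, so compare against a snapshot or a manifest saved at backup time rather than against live data that keeps changing.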
7. Securing Mobile Devices
Mobile devices include cell phones, laptops and tablets. They are widely popular tools for conducting business these days. Businesses need to decide on the ownership model that they wish to have for these devices. They typically should either provide company-owned devices or allow employees to bring their own devices (BYOD). In both cases, businesses need to take steps to secure sensitive information on such devices.
Whether business- or employee-owned, data separation between work and personal data is critical on mobile devices. This will apply to apps, email accounts, contacts, etc. Businesses should determine how to enforce this separation in a way to balance business needs and security needs. All mobile devices should store all sensitive information in a secure, encrypted state. Businesses could also choose to implement an enterprise mobility management (EMM) solution that enables them to apply more security controls as well as provide better device administration. EMM solutions typically include functions to manage, audit and support mobile devices. EMMs will typically have the option to remotely wipe a mobile device as well.
Hossein Dadkhah is the founder and COO of Utah-based cybersecurity consulting firm Data Driven CIOs that offers cybersecurity planning and solutions.