Investing in cybersecurity isn’t something a small or medium-sized business does when they can afford it. It’s an essential step the moment you’ve got devices connected to the internet. Security risks start from day one and only increase as you build your business, accumulate more sensitive information and grow your online customer base.
Even worse, small to midsize businesses can be more prone to cyber-attacks because they typically have limited resources and partially staffed IT departments that can’t provide 24/7 vigilance.
An active approach to cybersecurity strengthens your business’s reputation, customer service satisfaction and privacy.
Today, we are synthesizing all the fantastic advice offered by our cybersecurity subject matter experts in Zeifmans’ most recent virtual live event, Cybersecurity – Where to Start. Zeifmans’ Partner Ahmad Aslam hosted the first part of our Entrepreneurship In Focus, Digital Transition Webinar Series on cybersecurity together with special guests Steve Rainville, CEO of CYDEF, a cybersecurity protection firm, and Michael Noory, Senior Cyber Threat Hunter. Here, the experts at CYDEF help break down what’s at stake and recommend some preliminary actions you can take to address common security threats.
Common types of cybersecurity attacks
Phishing
One of the most common attacks businesses face is called a phishing attack. In this scenario, an employee receives an email they mistakenly believe is from someone they know and trust. Their device is compromised after they open the email or link, giving the hacker a foot in the door so they can attempt to infiltrate the rest of the network.
Misconfigurations
Another way hackers can bypass protections is through misconfigurations introduced by staff setting up internet-facing software incorrectly.
Business email comprises
Business email comprises are a common email-based attack. Hackers will compromise an email system and start sending doctored emails or invoices to the business, posing as a supplier and demanding payment. The hackers employ social engineering, slowly building pressure and urgency in the hopes that staff will bypass the company’s accounting procedures. The fraudsters may request that funds be sent to their “new” bank account, or even impersonate a senior executive and pretend to approve a rush payment of an invoice. But in reality, the money is being delivered straight into the criminals’ coffers.
What you want is a security onion
Relying on one security measure means you have no backup protection if that measure fails, causing your system to be compromised. The best defense is multiple layers of protection – a literal security onion.
One of the simplest/most effective ways to improve your security posture should be two-factor authentication. In the past, accessing a system required just a username and password. If the hacker cracked your password, they were in. But two-factor authentication requires an additional log-in credential, acquired by accessing something that belongs to you like a phone or app. Microsoft says this simple step can reduce the risk of being compromised by 99% in the case of automated attacks.
Draft an incident response plan
Human error is unavoidable. It’s best to expect a cyber incident and plan accordingly, by having an incident response plan in place so you don’t respond haphazardly in the heat of the moment. Your response plan should outline what you are going to do in the event of a hack, who will manage triage and when you need to notify affected parties. In CYDEF’s experience, groups with incident response plans were much more successful in responding to cyber events and remediating issues.
Don’t blame your users
In cybersecurity circles, the phrase “people are the weakest link” tends to be thrown around a lot. But that’s not a fair assessment of the situation. Security controls like antivirus and firewalls are the first line of defense to scan and block suspicious attacks, and user guidelines act as a secondary set of guardrails. But if a phishing email reaches a user, that means the automated systems failed first and it’s unfair to assign blame solely to the person in the event they fall prey to the scam.
Instead, focus on training your employees on the processes they need to follow so that they can identify anomalies and work safely.
Change your mentality on cybersecurity spending
CYDEF wants to shift management’s perception of cybersecurity from reactionary to proactive. Cybersecurity contributes to the overall quality of your IT services and is worth the investment before an attack happens. A solid security plan means
- Your systems are always available and provide confidentiality,
- Employees know how to protect themselves, and by the same measure, protect your customers, data and investors,
- The people who need access have it, and all others are kept away from your data,
- Stored information is reliable and trustworthy.
Successful cybersecurity aligns with good business practices.
Despite this, CYDEF says companies are still not thinking proactively about cybersecurity and are only engaging with a security vendor after experiencing an incident. Too often, a solid security plan is seen as an expense instead of an investment that could prevent a data breach or ransomware attack, ultimately saving millions of dollars.
Worth the investment
Having formalized and well-documented accounting, customer care and cybersecurity processes offers a host of benefits including less downtime, lower customer churn, fewer helpdesk tickets and improved employee productivity.
Explore more educational articles from our Entrepreneurship in Focus series or watch the full recording of Cybersecurity – Where to Start for more detailed cybersecurity advice from CYDEF.
Cybersecurity and business planning go hand-in-hand, especially when building your defences against financial fraud and ensuring adequate IT spend. Let Zeifmans help you improve your business planning today.