Recently, I had the pleasure of being a guest on the Adirondack Regional Chambers of Commerce (ARCC) Weekly Radio Show, “I’m in with the ARCC,” hosted by ARCC’s Marketing & Communications Manager Amanda Blanton. The theme of the August 23rd show was cybersecurity for small to midsized businesses in the Albany Capital Region. If you follow our blog and my posts, you know that protecting our clients and our local communities is really important to me, so I was excited to be part of the discussion.
The State of Cybersecurity for Small to Midsized Businesses
Amanda began our talk by reminding the audience that cybersecurity is constantly evolving and asking me what the state of cybersecurity is right now for small to medium sized businesses (SMBs). While I don’t like to use fear when I talk about what we do, I had to tell her that the one word that encompasses the reality of cybersecurity as it affects SMBs today is “scary.” You might still hear more about data breaches at big enterprise companies, but the truth is SMBs have never been a bigger target than they are today. For every massive breach involving thousands of records that you hear about, there are hundreds of breaches of smaller businesses that don’t ever make the news. Professional services, including accounting and legal services, education and municipalities are especially attractive to hackers right now.
“We’re Too Small to be a Target”
The risk increases for small and midsized businesses in part due to a cultural mindset many SMBs have in common, in which their size leads them to a false sense of security. The two biggest fallacies we deal with in our day to day work are:
- “Nobody would be interested in me/us – we don’t have anything worth stealing,” and
- “We’re adequately protected.”
Let’s take these one at a time. Number one, no one is immune and everyone is a target. You don’t have to be a major credit organization or an enterprise healthcare provider – you have data that a hacker could make money off of. Pick one production system, take an inventory of the kinds of data you store in it and think of what someone with malicious intent could do with that information or how much you’d be willing to pay to get access to that system if it were locked up with ransomware. Number two, if you think you’re adequately protected because you have a firewall and an anti-virus solution, sorry – that’s a good start, but it’s just not enough anymore.
“I’ve Never Had to Spend Money on This in the Past”
One of the big challenges SMBs face in dealing with cybersecurity is getting security investments in the budget. I frequently hear the objection “but we’ve never had to spend money on this before” and as someone who spent two decades in IT leadership, I can empathize with that. When you’re looking at the risk level of an organization, it becomes more of a business decision than technical.
You may hear from leadership “we haven’t had a security event/ data breach yet,” and maybe you haven’t – that you know of. But here’s the thing – how can you be certain? In the absence of security monitoring solutions, hackers can be in your system for months, even years, before ever doing something that alerts you to their presence. Check out this post on dwell time to learn just how much damage they can do in that time. The reality is, you have critical data and you have an obligation to protect it.
4 Ways to Protect Yourself and Your Small to Midsized Business
The good news is, there are things you can do to protect yourself and your company from today’s evolving cybersecurity threats, and all of them involve making yourself a more difficult target. Remember that for hackers, cybercrime is a business. The longer it takes to compromise your systems, the more money they lose. Just like installing a security system at home, the goal is to motivate a casual attacker to move on.
Keep your systems up to date.
- Vulnerabilities are coming out every single day. Keep your Windows machines updated with the latest patches. Keep your Apple devices (MacBooks, iPhones, iPads) up to date along with other systems.
Use strong passwords.
- And DON’T use the same password for everything. PLEASE.
Interestingly enough, the conversation about passwords is changing in the security industry but stay tuned for a future post on that. For right now, the longer you can make the password the better. No password should be under 8 characters; in fact I would recommend 12 – 16. You can make it even easier by using passphrases.
- And DON’T use the same password for everything. PLEASE.
Use multi-factor authentication (MFA).
- This should be a requirement at this point. You may not know what the term is but you’ve probably been exposed to it. That’s where you go to log into something and they text you a code to log in with. Passwords on their own just don’t do it anymore.
Train your users and train them on a regular basis.
- In a layered security strategy, the most important layer is a human layer. One of the biggest things we advocate is to make sure that you’re training your people. If everything else fails – and sometimes it does – you need someone in your organization to say “something doesn’t look right.” Some of the regulations now dictate a specific cadence but you should really be shooting for a minimum of annual training. We offer options for both in-person or online delivery.
We may be tired of hearing about security breaches, but the reality is they’re not going away. In security, there is no one-and-done answer. As I told Amanda at the end of our discussion, you’re not going to get to a point where you can say “okay, everything is done and now I’m secure.”
Follow this link to listen to the podcast of my talk with the ARCC.
ADNET has made this a core focus of our business, with a dedicated and certified security team because these threats are so pervasive. We hold our responsibility that seriously to protect our clients and our communities. Once you understand the risk you know what you’re up against and can make solid, educated decisions. The bottom line is, take cybersecurity seriously. Don’t wait until something has happened, because something WILL happen. If you have questions about cybersecurity for small businesses and your risk, reach out to us – we’re here to help.