It seems like every week we hear about another major data breach: large companies are having data stolen, and in some cases posted publicly online in large volumes. Because the majority of stories that make the rounds in the media involve failures at large enterprises, some small businesses conclude that they are too small to be targets of hackers and malicious actors.
Unfortunately, small businesses are targeted just as much as the big guys. Small businesses don’t typically have the technical and security resources of large organisations, making the risk that much bigger.
According to a report published in 2017 by the Ponemon Institute, 61% of SMBs experienced a cyber attack and 54% of SMBs had these attacks result in actual data breaches.
Being compromised by hackers or other malicious parties can happen in many ways. Let’s discuss some of them and what can be done to reduce these risks.
1. The Basics
SplashData recently released an updated list for 2018 of the most commonly used passwords. The top 3 of which are:
If you or someone in your company is using a password that appears on the full list, change it now. You can come back and continue reading after.
Passphrases vs. Passwords
A new trend in recommendations from security professionals is that we should start using passphrases instead of passwords. When discussing this topic I typically like to direct people to a couple of sources, the first of which is an entertaining interview between John Oliver and Edward Snowden from 2015.
Or if you don’t have time to watch a video, or can’t due to audio restrictions, the following xkcd comic sums it up as well.
Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
Even the most secure passwords are only as secure as the platforms you use them on. If you use the same password across multiple platforms or services and one of them is compromised, hackers or malicious actors can take that password and try it against your accounts elsewhere. For example, if the password you use to log in to your company email is the same as the password you used to log in to LinkedIn back in 2012, then your password was compromised.
One solution to this beyond simply using a different password for every service (which can be difficult without a password manager, which we’ll get into later), is enabling multi-factor authentication.
Many platforms and services offer multi-factor authentication options. This means that in addition to your password (something you know), you’ll also have to prove you are who you say you are when logging in to a service by demonstrating something you have (common) or something you are (less common).
Commonly when enabling multi-factor authentication, you have at least one of these options for proving something you have:
- SMS OTP (One Time Password), which proves you have the cell phone associated with the mobile number you registered with the service or platform you’re logging in to. It’s worth noting that, depending on your threat profile, this can be a very poor choice for additional protection, as SMS messages can be intercepted relatively easily by certain people with privileged access to mobile networks.
- TOTP (Time-based One-Time Password), which a number of mobile apps implement, for example Google Authenticator.
- Security Tokens have been around for a long time and are physical devices that display codes to be entered into a service’s login system; they are often used by consumers to log in to certain online banking applications. More recently, U2F tokens like the YubiKey have become popular as a modern security token and are used by the likes of Facebook and Google employees.
Using multi-factor authentication prevents people from getting into your accounts even if they have your password, by adding a second layer of authentication that verifies who you are based on something you have.
Reducing the impact of someone gaining access to your passwords can be achieved through the use of a password manager, for two reasons.
- Not all platforms and services offer multi-factor authentication.
- Using a password manager you can limit yourself to remembering one password, but still ensure that all the services you use have a different password.
With a password manager you log in with a single password, or rather a secure passphrase, that you can remember. You then record the passwords for all the different platforms and services you use securely in one place. Since you no longer have to remember these passwords, you can make them very long and completely random (32+ characters, mixing upper- and lowercase letters, numbers and special characters). Best of all, for services that don’t let you enable multi-factor authentication directly, you can use the multi-factor authentication on your password manager login as a pseudo work-around.
2. Website Security
The first attack vector a hacker would typically take is to try to find simple (but common) vulnerabilities in your publicly facing infrastructure, and this usually means your website.
Depending on who manages your company’s website, you’ll want to be mindful of some of the items on the OWASP (Open Web Application Security Project) Top 10.
- Injection: if you have these vulnerabilities on your website, hackers or malicious actors could exploit them to gain complete access to your website’s database or any databases integrated with your website. If your website provides an interface into the underlying server file system and input is not properly sanitised, a hacker could use it to steal private files from your website or its server.
- Sensitive Data Exposure: web developers commonly place sensitive files (or website backups) in publicly accessible areas of your website. Even though nothing may link to these files, a hacker can guess the filename and easily retrieve them directly from your website.
- Known Vulnerabilities: popular website CMS (content management systems) and blogging software (for example WordPress) have new vulnerabilities released very frequently. Often these vulnerabilities aren’t the fault of the software’s development team but rather due to poorly written third-party plugins or add-ons that you may have installed on your site. It is extremely important to keep up to date with security updates and new releases of the software you use to host your website. You can’t hire a web developer to build your site once and then let your site sit dormant for years.
3. BYOD (Bring your own device)
Do employees at your company connect their personal cell phones, iPads, and other devices to your company’s WiFi? Do employees at your company access their company email account from these devices?
If so, you also have to concern yourself with the security of these devices, which you don’t have control of. BYOD requires a fine balance between convenience and security, and there are a few common solutions to this problem.
- Guest WiFi: companies often set up two wireless networks, one for guests or visitors and one for company devices. Your employees should also be connecting their personal devices to this guest network. Guest wireless networks should be completely isolated at the network level from your company network, thus preventing any devices or malicious actors on that network from gaining inside access to your company’s networked resources (such as a file server, printers, or intranet sites).
- Mobile Device Management: typically reserved for larger companies or enterprises, MDM allows companies to have fine-grained control over how company data is accessed from personal devices, as well as enforcing minimum security requirements on those personal devices (for instance forcing a user to type a password to unlock their phone, instead of simply swiping up).
As a small business, Guest WiFi can be a simple thing to set up depending on the wireless router you use; however, Mobile Device Management can be overly complicated and overkill.
If you reduce the amount of sensitive data that is contained within emails (which is a good practice in general), then you’ll automatically reduce the risk exposure of employees using their company email accounts on their personal devices. When dealing with sensitive documents, it’s best not to attach them to emails but rather use a secure document sharing platform instead (for instance Lockdrop, shameless plug).
4. Email Phishing
One of the most successful ways of gaining internal access to an organisation is by sending phishing emails in a targeted or en masse attack. Often these emails look very legitimate and prey on people’s fears to make them do something they wouldn’t normally do in a clear frame of mind.
- Emails appearing to come from management asking for sensitive company information; in reality, replies to these emails go to a hacker or malicious actor outside the company.
- Banking phishing emails commonly involve you clicking a link to log in to your account to check or agree to some changes to your account or terms of service; in reality the link takes you to a phishing site that looks similar to your bank’s website but is meant to steal your credentials.
- Malicious Email Attachments: often you’ll receive an email that doesn’t look quite right with an attachment of some sort. It’s best not to open attachments if you weren’t expecting them in the first place and/or if they look out of place. By opening these attachments you’ll potentially end up with malware on your computer, or in really awful situations with ransomware.
Unfortunately, phishing attacks prey on the most vulnerable part of your company: its people. People are not perfect, and they fall victim to these attacks more than anyone would like to admit. 76% of businesses report being victims of phishing attacks, and 12% of users click on malicious links or open phishing email attachments.
When an employee falls victim to an attack like this, all of their emails and access to internal resources can be compromised and available to the hacker or malicious actor. This happens all the time, and often businesses don’t report the incident or let their customers know about the potential compromise.
There are a few things you can do to reduce your risk of being the victim of a phishing attack. For forged emails appearing to come from management or other internal employees, you can have your IT administrators set up DMARC to block spoofed emails from your domain. Awareness is key across your company: everyone needs to know to take great caution when handling emails that appear suspicious or are unexpected.
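As an added example, not part of the original article, the following Python checks the DMARC TXT record your IT administrators publish for settings that leave spoofing unblocked: a record with p=none only reports on spoofed mail, so it must reach p=quarantine or p=reject (applied to 100% of mail) before receivers actually drop forged messages from your domain. The sample records are constructed, and the finding texts are this example's own.

```python
"""Check a DMARC DNS TXT record for settings that leave spoofing unblocked."""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into {tag: value} (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings for the record; an empty list means it blocks spoofed
    mail for the whole domain (p=reject, fully applied, reports collected)."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return ["not a DMARC record: the first tag must be v=DMARC1"]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    pct = tags.get("pct", "100")  # percentage of failing mail the policy applies to
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address; you will not receive aggregate reports")
    return findings


# Constructed sample records (not any real domain's DNS data).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ENFORCING, PARTIAL):
        print(rec)
        for finding in assess_dmarc(rec) or ["OK: spoofed mail from this domain is rejected"]:
            print("  -", finding)
```

To check a real domain, fetch the TXT record at `_dmarc.<yourdomain>` (for example with `dig TXT _dmarc.example.com`) and pass it to `assess_dmarc`.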
5. Your People
As was mentioned under #4, people are going to be the weakest link in your security fence. Here are common ways employees are knowingly or unknowingly compromising your company’s sensitive data.
- Not validating callers: as awkward as it may seem to ask your clients to verify their identity when they call you, it’s extremely important, and many clients will appreciate the effort you’re taking to protect their information. It is often too easy for a hacker or malicious actor to simply call up a company, claim to be one of their clients and ask for information from their file.
- Falling for phishing schemes or other scams: as mentioned in #4, this is one of the most successful ways of getting into your company’s systems, and perhaps one of the most underreported and underappreciated.
- Data leaks: how your employees handle sensitive data is extremely important. Are they sending sensitive data in email attachments that could be exposed if their or their recipient’s email is compromised or intercepted? Are they sending documents unencrypted on USB sticks or CDs in the mail? Are they throwing paper documents in the recycling or trash without shredding them? Are their mobile devices encrypted in case they are stolen or lost?
It’s important to make sure your employees are trained and aware of the security implications of their actions every day. Stressing the importance and the risks related to the actions they take is key to eliminating the mindset of “it won’t happen to us” or “who cares?”
If your client data is compromised, the repercussions that follow can literally put you out of business, which means employees can lose their jobs, and that’s the level of seriousness that people need to take when handling sensitive data.
The point of this article is not to scare anyone; hopefully it has made you more aware of the realistic risks facing small businesses and some of the things you can do to reduce that risk. As with any threat, you can’t necessarily eliminate them all, but you can try to reduce the risks as much as possible, and to fill in the gap you can look into something like Cyber Liability Insurance.
If you take an informed approach to handling your sensitive information and data assets instead of remaining ignorant of or ignoring the risks, you’ll be in a much better position to feel confident in your security posture, and sleep well at night.
Hopefully this has been informative, and I’d encourage you to Like, Share and/or Comment if you have something you’d like to add!
Originally published at https://www.linkedin.com.