Small businesses and sole proprietors do not need an IT department to keep their enterprises and clients secure and safe from cyber threats. However, what they do need, experts say, are good cyber habits.
Rick Dreger, president of WaveGard, Inc., and Richard White, a University of Maryland Global Campus adjunct professor, and senior vice president and chief information security officer at Flushing Bank, both shared that view at the Charles E. Smith Life Communities event for cybersecurity professionals on how to maximize data security and client protection. The event was held just prior to the novel coronavirus taking hold in the United States.
For businesses ever since, prioritizing security may be additionally challenging as they try to stay afloat and provide their employees and clients with great service, all while adhering to social distancing and other public health guidelines. Of course, the need to maximize security has always been an ever-present reality.
In 2019 alone, 15 percent of small businesses experienced some type of cybersecurity incident, according to The Manifest’s “Data Safety for Small Businesses: 2020 Cybersecurity Statistics” report. Of that number, 7% were hacked, 5% were infected by a virus and 3% suffered a data breach.
But even with today’s challenges, solo practitioners and the owners of small businesses can take command of their security needs by focusing on the basics. “[They] can set strategic goals for cybersecurity that are pragmatic and tactical,” White said.
A good place to start is with the things that any business owner can do at low or no cost. First, Dreger advises, business owners should take an inventory of what they have.
“Developing a comprehensive inventory of applications, hardware, software and other unique items within your enterprise is the foundation of security activities such as backup, patching and access management,” he said.
Also, small businesses can adopt an identity management tool such as 1Password Business, LastPass enterprise or similar products designed for teams, which “allow users to balance the need for access with the risk of exposure,” Dreger said.
With them, a business’s credentials can be selectively—and securely—shared with guests, associates and teams by using long, unique passwords. Identity management tools allow a business to limit and monitor access to data as well by providing only the information that its employees and contractors need to do their jobs.
“Limiting access and authorization helps to reduce exposure to partners’ risks,” he added.
A small business with several employees and a budget of less than $50 thousand per year for cybersecurity can broaden its support through constructive communication and cost-effective third-party tools, White said. For instance, scheduling cross-functional risk discussions with team members helps in taking a proactive posture against threats. Such meetings make it possible to develop and talk through real-world scenarios of how best to respond to attacks.
One topic might explore what employees would do if hit with a malware infection. Discussion points could include who within the organization should be notified, and how to respond to the infection.
A business can also consider adopting a security information and event management (SIEM) solution to monitor its egress points, critical systems, active directory and network traffic.
“This may sound costly, but there are many cost-effective and easily managed SIEM solutions for small businesses,” White said. One popular example is Alien Vault, acquired by AT&T in 2018, with a $7,500 initial cost and a small annual or monthly subscription thereafter.
Using tools such as Venminder and Security Scorecard to evaluate vendors and service providers for the risk they may pose, gives an organization insight into risk and helps manage unique risks that are presented by third-party vendors. For the small business, the costs associated with these services can be adjusted based on the number of vendors and organization size.
“The small cost associated with this type of risk reduction is well worth the small amount of funding required,” said White. If purchased as a cloud service, the per-month cost can be as low as $400.
For a low cost, small businesses also can adopt a third-party two-factor authentication solution, which makes it harder for “bad actors” using false credentials to steal data if a breach does occur. There are many such solutions to choose from, including Cisco Duo and AuthLite. Cost is determined by the number of users and the level of support a business requires.
Technology can help small businesses mitigate security risk in many ways. But keep in mind that low-tech approaches such as implementing sound policies and procedures and adopting a healthy dose of skepticism can be equally important.
Policies that prohibit accepting banking information by email and require multiple approvals for large transfers, and two-factor authentication for approving large payments, often are more effective than any technological solution.
The bottom line: if something feels wrong there is probably a reason. A healthy dose of skepticism will help limit what information a business gives away in an email or via social media.
“The more information an attacker has about us, the more plausible the spear-phishing or social engineering attack can be,” warned Dreger. “Think before clicking or providing information over the phone,” he said.