The biggest cyber security problems for small businesses – and how to fix them

It’s easy for small businesses to ignore cyber security – after all, it’s only an issue if something goes wrong. But leave it until the worst happens and you will wish you’d addressed it sooner.

Cyber security is a big topic and this can make it feel overwhelming for business owners to know where to start making their systems more robust and secure.

But with 43% of all data breaches involving SMEs, and 40% of the small businesses that faced a severe cyber attack experiencing at least eight hours of downtime, this isn't something to ignore.

"Many SMBs are under the misconception that they are less of a target for cybercriminals just because they are small, 'security by obscurity'. In fact, SMBs have been a growth market for cybercrime for the past decade," said Paul Morse, senior sales engineer at Avast Business.

What are the most common security problems in small businesses, and how can you mitigate against them happening or causing too much damage? And, how can small business owners educate staff about security measures?

Problem one: You haven’t put a password policy in place

Why is this a problem?

It might sound obvious, but weak passwords are still one of the biggest reasons that businesses let cyber criminals in. Common problems include reusing the same password across multiple accounts, or choosing something easy to guess such as "password", the user's own name, or the name of the site the password is for.

Using the same password for private and work accounts is a particular problem for businesses as it makes your company’s sensitive data vulnerable to attack.

What can be done?

There are a couple of different approaches that you can easily implement to reduce the risk of being hacked through weak passwords.

The first is introducing password management software. This works by generating strong passwords that are unique to every account. They’re stored in encrypted form so they can’t be read by an attacker, and they are entered automatically when you log on to the corresponding site, for ease of use.

The second is multi-factor authentication. This adds an extra verification step to access business accounts, often a passcode sent to a mobile device or an email address. It works well alongside password management software, and it stops an attacker accessing the account even if they have guessed the password.

"Use the principle of least privilege," added Paul Morse. "There are lots of free auditing tools that will tell you who has permissions where. Prune out old or dead user accounts. There really is no argument for giving users Local Admin permissions these days."

Problem two: Employees want to save time

Why is this a problem?

If your security apps are outdated, competing with other security software or installed on older computers, it can lead to slower loading times. Employees will soon disable them if they’re slowing down other tasks, like video calls.

Then there’s the issue of delaying software updates, which can be time consuming. For staff who like to have multiple tabs open, being forced to restart is frustrating, so updates often get ignored.

What can be done?

The best approach here is to ramp up education. Running a staff workshop on common cyber security traps like this will help them understand the consequences if they don’t keep software up to date.

Make sure your IT policy supports this too. If the security software is creating a lag in performance, find out why and optimise the computer, or try out alternative software.

"People are and always will be the weakest link; humans are only human and lean more towards trust than don't trust. Great for society, not so great for digital security. Prepare for that. Train and re-train your users on good cyber hygiene; sensible password practices, how to spot a phishing scam, a fake or insecure website, a fake phone call, how to be secure online, including on social media," advised Paul Fenwick, senior sales engineer at Avast Business.

Problem three: Many of your employees are working remotely

Why is this a problem?

With more and more of us working remotely at least some of the time, businesses have a more difficult job than ever of keeping tabs on computer security.

The problem arises when employees use public WiFi points to log into company laptops, or personal devices to log into work accounts at home.

This can put your data at risk as many public WiFi networks are unencrypted, making the information sent between the device and the wireless router easier to access.

Attackers can place themselves between the device and the access point, giving them the ability to "eavesdrop" on your information and even push malware onto the device.

The other potential issue with public WiFi is accidentally connecting to rogue hotspots that appear to belong to the public place you’re visiting. Once you’ve logged in, it’s easy for whoever runs the hotspot to access your information.

What can be done?

If your company is flexible about home working, it’s worth introducing a device management policy across the whole company.

Provide a Virtual Private Network (VPN) for home workers and install endpoint security software on all personal devices used for work.

It’s also worth providing a separate WiFi network for people using their personal devices in the workplace.

Problem four: Employees having access to sensitive information

Why is this a problem?

No matter how trustworthy your staff are, there are always instances when human error can play a part in cyber security.

Reading sensitive information in a public place where it can be seen by someone at the neighbouring table might sound far-fetched, but it isn’t unheard of. Similarly, talking about work or sensitive information in a public place can be a big risk.

It’s also worth asking yourself:
  • Do any employees have access to data, files and systems that they don’t need?
  • Have past employees still got access to sensitive information, like confidential log-in details?

What can be done?

This can be a tricky one, and these situations are impossible to mitigate against completely.

Start by establishing a baseline of normal IT activity so you’re able to notice any unusual behaviour and investigate straight away when things don’t seem right.

Auditing staff permissions and privileges is another worthwhile task, as it lets you remove any permissions that aren't needed. Make this a routine part of your employee exit process too: disable their access and make sure any saved passwords have been deactivated when they leave the company.
I was managing editor of UKBF back in 2016. I'm proud to be back as a staff writer supporting Richard and the team as they relaunch the site and build the community.

My business specialises in creating educational content for entrepreneurs. We also run startup competition The Pitch.