Small organizations often assume they can fly under the radar and avoid cyber threats. We typically hear, “We are too small to be a target for cybercriminals,” which is not necessarily true.
For example, Withum serviced a small non-profit organization that shared this sentiment and became a victim of ransomware. The attack shut down their agency for a month while they worked to recover systems and files. Eventually, they recovered 90% of what was lost and did not have to pay the ransom because they had cyber insurance. It covered the cost of legal counsel who appropriately advised them on the event and a forensics team to help them get back on their feet. Those fees, combined with the equipment that needed replacement and required tools to increase their security, were well over the actual ransom demand.
So, what does a small business with limited resources (e.g., finances and human capital) do to protect itself? You start with the basics – and you do them well. Here are 10 effective ways a small organization like yours can become cyber-secure:
- Use a business-class firewall. A solid firewall will cost around $1,000 plus an annual subscription cost for updates. You need to ensure this is properly configured to protect your organization.
- Keep your systems updated. What does this mean? Hackers are constantly looking for ways to break in through your operating system (Windows or Mac) or through the software that runs on it (e.g., Google Chrome, Adobe Acrobat, Microsoft Word, Excel and QuickBooks are examples of software that runs on your workstations). With hackers discovering new holes daily, operating system and software vendors develop patches that plug those holes. Therefore, it is critical to install those updates or patches in a timely manner. Over 60% of breaches are the result of unpatched systems. This is not just turning on Windows updates; you must ensure that every application and system you use is regularly updated. This includes your firewall, printers, wireless access points, workstations and mobile devices (and servers if you use them).
- Use multifactor authentication everywhere that you can. This is especially critical for your online banking and cloud accounts (including Office 365, Google Workspace, QuickBooks Online, Box and any others used in your organization). It increases cybersecurity with third parties and helps meet regulatory requirements.
- Change the default system or application password. Many systems come with a default password to use as you set them up. Passwords are one of the most important security features used today, so take a minute to change yours for maximum security.
- Limit user permissions to what is needed to perform the job. System administrators should use a regular non-admin account for daily work. Just because you own the company does not mean that you should be using an admin-level account to do your daily work. Keep admin accounts separate and only use those for admin tasks.
- Encrypt workstations, servers, and mobile devices. Encryption is the process of making the contents of your hard drive unreadable without the key to decrypt them. It sounds complicated, but the good news is there are built-in tools to enable this feature on your workstations. This makes it a simple, streamlined process for users.
- Train everyone on cybersecurity. Training should be a top-down priority for leaders. This may sound like a no-brainer, but if they do not think that cybersecurity is important, their teams will not either.
- Use a next-generation endpoint protection product that is properly configured. We previously relied on antivirus software to protect our workstations, but threats have become more complex and extend well beyond just viruses. Next-generation endpoint protection uses artificial intelligence (AI) to monitor, analyze, and respond to threats or potential threats. These products often have the ability to restore a workstation to a specific point in time before a potential attack impacted the system.
- Back up your data and store it offline. These measures protect against hardware failures, virus attacks, human errors, natural disasters and ransomware attacks.
- Practice good password hygiene. Password hygiene is an industry term for strong password creation, ongoing maintenance of those passwords, and keeping the passwords safe and protected. Here are some common password hygiene practices:
  - Use long passwords of random characters or passphrases of at least 16 characters.
  - Do not use the same password on more than one account or application.
  - Do not use a password if it is on a compromised password list.
  - Change your passwords frequently and never reuse an old password on anything.
  - Do not let your web browser remember your passwords.
  - To make the actions above easier, use a password manager to keep track of your passwords, since every application you use should have a unique password. Most password managers will even generate strong, unique passwords.
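The three password hygiene rules that can be checked mechanically (minimum length, no reuse across accounts, not on a compromised list) as a small audit script. This is an added example, not code from the article or from Withum; the breach list and account inventory are constructed sample data, and the compromised-list lookup uses a local SHA-1 hash set in place of a real breach-check service so it runs offline.

```python
import hashlib
from typing import Dict, List

# Constructed sample "compromised password list": SHA-1 hashes of passwords
# assumed to have appeared in breaches. Real breach-check services expose the
# same kind of hash set; no network call is made here so this runs offline.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123", "correct horse battery staple", "Winter2024!")
}

MIN_LENGTH = 16  # the article's minimum for passwords and passphrases


def is_compromised(password: str) -> bool:
    """Prefix-style lookup: only the first 5 hex characters of the SHA-1 hash
    would need to leave the machine; the remaining suffix is compared locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Simulate the 'range' response: every stored hash sharing the prefix.
    candidates = {h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


def audit_passwords(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per account name, the hygiene rules its password violates."""
    findings: Dict[str, List[str]] = {name: [] for name in accounts}
    # Group accounts by password so reuse can be reported on every account.
    by_password: Dict[str, List[str]] = {}
    for name, pw in accounts.items():
        by_password.setdefault(pw, []).append(name)
    for name, pw in accounts.items():
        if len(pw) < MIN_LENGTH:
            findings[name].append(f"shorter than {MIN_LENGTH} characters")
        if len(by_password[pw]) > 1:
            others = [n for n in by_password[pw] if n != name]
            findings[name].append("reused on: " + ", ".join(others))
        if is_compromised(pw):
            findings[name].append("appears on compromised password list")
    return findings


# Constructed sample account inventory (not real credentials).
SAMPLE_ACCOUNTS = {
    "office365": "Winter2024!",
    "quickbooks": "Winter2024!",
    "bank": "granite-lantern-violet-orbit-77",
}
```

Running `audit_passwords(SAMPLE_ACCOUNTS)` flags the two accounts sharing a short, compromised password and reports the bank passphrase as clean.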
Only two of these ten recommendations will require any financial investment. These tangible, practical tips only begin to scratch the surface. Withum can assist you in understanding where you currently are and how to quickly improve your small organization’s cybersecurity. Our Cyber and Information Security Services team is here to help you explore potential risks and build a customized approach to your cybersecurity needs.
Author: Julie Tracy, Executive Cybersecurity Advisor | [email protected]