For small businesses wanting to get serious about security, there are two attitudes that need to change.
‘I’m too small to hack.’
The first is the belief that your business has no information worth stealing. It isn’t true: even a small business holds information that is valuable to somebody. A payment processor that is a small player in its market, or a local bank, still holds plenty of sensitive data.
Plus, while your risk goes up when the data is important to somebody else, it is certainly important to you, so do what you can to protect your network. And not just from someone wanting to steal your data. The headlines may be full of groups that break into networks with a specific target in mind, but there are still plenty of attackers who want nothing more than to cause you problems or hold your network for ransom. They don’t necessarily care about your data; they just want your money.
And, honestly, you may not even be fighting a real person. You could become the victim of a machine that is part of a botnet, scanning address ranges and throwing exploits and malware at whatever answers, and that malware could end up installed on your workstations and servers.
In that case no individual singled out your network, but the damage is done all the same. The other computer saw nothing but an opening; how small you were, or how important your data looked, never entered into it.
‘Planning security is about keeping people out.’
OK, so the second one is a little counter intuitive, because, of course, you want to keep people out of your network. But planning for network security should start from the assumption you’re going to be breached, or that you already have. You start there, then prepare for the worst.
It’s called the “assume breach” mentality, and it’s one of the security mindsets we recommend every company adopt, big or small. Why? Because security moves too fast. Techniques for getting into your network change too quickly, and there’s no way to cover every possibility with new vulnerabilities emerging every day. You have to assume that someone will eventually get the better of even your best efforts.
So what do you do? You start by having reliable backups and a solid disaster recovery plan in place. That way, if somebody does get in and wipes a laptop, or you get hit with ransomware, you’re not spending three days getting someone back up and running. Also look for security tools that give you more visibility into your internal network: not necessarily ‘protection’ but ‘detection’, so you know what is actually happening on it.
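A backup only counts as reliable if you have proven you can restore from it. The script below is an added example, not something from the original post or any particular backup product: it records a SHA-256 manifest of a folder tree at backup time, then checks a restored copy against that manifest and reports what is missing, altered, or unexpectedly new (the pattern a ransomware incident leaves behind). The file names and contents in `demo()` are constructed for the example.

```python
"""Added example: prove a backup can be restored, and spot ransomware damage.

Build a SHA-256 manifest of a source tree, then compare a restored tree
against it. Sample files are constructed inside demo(); this is not code
from any backup product.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file's relative POSIX path to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    'missing'  : files in the manifest that are gone (deleted or renamed)
    'modified' : files still present but with different contents
    'extra'    : files that were never backed up (renamed .locked copies,
                 ransom notes, anything planted after the backup)
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(p for p in manifest if p not in current),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(p for p in current if p not in manifest),
    }


def restore_is_clean(result: Dict[str, List[str]]) -> bool:
    """True only when the restored tree matches the manifest exactly."""
    return not any(result.values())


def demo() -> tuple:
    """Constructed scenario: one good restore and one tree hit by ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        sample_files = {  # constructed sample data
            "invoices/2024-01.csv": b"id,amount\n1,42.00\n",
            "contracts/acme.docx": b"PK\x03\x04 fake docx bytes",
            "notes.txt": b"call the bank on monday\n",
        }
        for rel, data in sample_files.items():
            target = src / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(src)

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        # Simulate what ransomware leaves behind: contents overwritten in place,
        # a file encrypted and renamed, a file deleted, and a ransom note dropped.
        (bad / "invoices/2024-01.csv").write_bytes(b"\x00\x11\x22\x33")
        victim = bad / "contracts/acme.docx"
        victim.write_bytes(b"ciphertext")
        victim.rename(victim.parent / (victim.name + ".locked"))
        (bad / "notes.txt").unlink()
        (bad / "HOW_TO_DECRYPT.txt").write_bytes(b"pay us")

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("good restore clean:", restore_is_clean(good_result))
    print("bad restore:", bad_result)
```

Keep the manifest somewhere the backed-up machines cannot write to; a backup reachable as a mapped drive or writable share from an infected workstation will be encrypted along with everything else, and a manifest stored next to it proves nothing. Run the check against a real test restore on a schedule, not only after an incident.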
Also, train your users to recognize social engineering. Make sure they can tell when they are being targeted by a phishing email, and teach them proper password practices and how to keep their network credentials safe.
A poorly secured network with untrained users is an easy target for all kinds of threats, some more sophisticated than others. And for a small company with an IT staff of one, malware like CryptoLocker can be crippling.