
Is Your Business Protected From Cyber Threats?
Many small business owners mistakenly believe that they are too small to be targets for cybercriminals. However, the National Cybersecurity Alliance says otherwise. Their experts say that cybercriminals are opportunistic and often see small and medium-sized businesses as prime targets due to a perception that they will have weaker cybersecurity defenses. Even if you’re not all that concerned, the people you do business with are—your clients, vendors and employees.
As a small business owner, you may not think that your cybersecurity matters to anyone other than you. However, the increase in attempted breaches, the likelihood of human error and the increasing risk of third-party vulnerabilities means that we’re all at risk more than ever before. Moreover, it only underscores the need for comprehensive cyber protection for businesses—even small ones.
Cyber Protection for Business
The consequences of a cyberattack can be devastating for small businesses because even a seemingly minor compromise can entail significant financial losses, reputational damage, legal liabilities and operational disruptions. Small firms can find recovery after a major attack challenging because the costs of restoring data, compensating customers and resolving legal issues may exceed their financial capabilities.
According to “Cost of a Data Breach Report 2024,” an annual report by IBM, 70% of organizations experienced a significant or very significant disruption to business resulting from a breach. In fact, only 1% described their level of disruption as low.
To mitigate these risks, small business owners really do need to invest in proactive cybersecurity measures. While cybersecurity experts recommend a number of actions, the real goal is to foster a culture of cybersecurity that overlays every part of an organization—from its people and software to its operating systems, equipment and physical perimeter.
1. Foster a Culture of Cybersecurity
Ensuring that every member of the organization—from leadership to entry-level staff—understands their roles and responsibilities in safeguarding all digital assets is vital to constructing a company culture of cybersecurity. Owners and managers set the tone of any organization, and they can actively promote and model safe cybersecurity practices.
This can be as simple as emphasizing the importance of security in meetings and communications or as advanced as making cybersecurity a priority in budgeting and hiring. Creating a culture of cybersecurity isn’t doing just one thing. It’s doing all of the things and strengthening what might otherwise prove a weak link.
2. Educate and Update Employees and Leadership Regularly
Secure practices are worthless if only a portion of the workforce in an organization is aware of them. If leadership is security-conscious but entry-level employees, for example, aren’t cognizant of the risks, that leaves an open avenue of attack. Likewise, if employees are security-conscious yet leadership or upper-level management engages in risky practices, that too leaves an open avenue of attack.
Consistent, engaging training can educate all members of an organization on threats. Findings from the Verizon 2024 Data Breach Investigations Report demonstrate just how important it is that people recognize a threat. For example, “68% of breaches involved a human element,” and “The median time for users to fall for phishing emails is less than 60 seconds.” Meanwhile, core social engineering tactics are constantly present and evolving.
- Pretexting—using a fabricated story or scenario—accounted for more than 40% of incidents.
- Phishing—using deceptive communications to elicit a click on a malicious link—accounted for 31% of incidents.
- Attacks via email, text and websites continue to be a threat. However, artificial intelligence has brought new threats with deepfake-like technology.
Ultimately, all techniques are looking to initiate an interaction that will allow a malicious actor to gain access to systems. One particular statement within the Verizon 2024 study stands out: “This is probably cliché at this point, but we’re believers that the first line of defense for any organization isn’t the castrametation of their systems but the education of their key staff, including end users.”
3. Maintain Clear, Enforceable Cybersecurity Policies and Procedures
The policies need to be not only written but also easy to access for clarity and consistency throughout an organization. At a minimum, documents should outline key working guidelines that will get business done yet maintain the integrity of a business’s systems and data.
- Acceptable use guidelines should specify how company devices, software and networks should and should not be used. Having guidelines in place not only keeps employees vigilant about their online actions but also ensures that an organization takes reasonable steps to protect information by outlining expected security behaviors.
- Password standards should mandate strong, fresh passwords and periodic updates. Some systems require monthly password changes and completely new passwords to counter attack strategies like credential stuffing—replaying combinations of usernames and passwords harvested from previous breaches against other accounts and services to gain access.
- Reporting and response procedures should define how employees are to respond to suspected threats or breaches. Immediate reporting can ensure that threats are detected and allow for effective response measures that can mitigate damage and improve the chances of a quick recovery. Established reporting and response procedures are also critical for assessing valuable lessons learned, identifying vulnerabilities and making improvements to prevent future attacks.
Since both technology and cyber threats are constantly evolving, policies and procedures regarding them need to be revisited and updated regularly. Moreover, sharing information regarding emerging threats and changes to policies and procedures should be an ongoing part of educating organization members.
4. Create Layers of Security Across the Business
Layers create redundancy and more chances to catch a threat before it spreads throughout an organization’s operations. Each layer addresses a specific vulnerability so that even if an attacker is able to bypass a firewall, for example, encryption ensures that they can’t read your data. Or, even if an employee falls for a phishing attack, multi-factor authentication prevents the attacker from accessing the system with just a password. Layering helps to distribute security responsibilities while also making them real for all of an organization’s members.
- Physical security is an important step in blocking physical access to critical systems. Locks, cameras and keycards can limit physical access to offices, servers or other devices. Laptop and mobile device privileges may come with requirements that users store devices safely and maintain control of them at all times.
- Network security keeps sensitive systems safe from unauthorized access. Measures like firewalls, intrusion detection and prevention systems, access controls, network segmentation, security information and event management, encryption and regular vulnerability scanning are all elements of network security that work together to monitor, detect and prevent unauthorized access to sensitive data and systems.
- Endpoint security focuses on preventing devices like laptops, desktops and mobile phones from being entry points for attacks. Antivirus and antimalware software is key for detecting and removing malicious programs, but so are device management tools to ensure all devices are updated and compliant with current company policies. Zero trust principles ensure users have access to only the resources and data that they need and are continuously authenticated and monitored to prevent unauthorized access.
- Application security addresses practices to minimize software vulnerabilities. Applying updates and patches promptly closes known vulnerabilities in operating systems and applications. If you develop custom software, ensure security is a priority during coding. Not all employees need access to every app for their job. Restrict which software employees can download and run.
- Data security protects sensitive information through tools like data encryption, access control and regular backups, for example—measures that dovetail neatly with network, endpoint and application security measures.
- Identity and access management uses strong identity verification to ensure that only authorized users access systems. Multifactor authentication, password management tools and role-based access control are key elements.
- Third-party risk management addresses other vendors and contractors who may have access to your systems. Limit third-party access to only what is needed to perform duties, and include cybersecurity requirements in contracts.
Layered security is also known as a defense-in-depth approach, since each layer complements the others. The idea is to use interconnected measures to form a comprehensive safety net.
5. Conduct Regular Cybersecurity Audits
With threats constantly evolving, regular audits to evaluate compliance and reveal weak points will help to keep your business and all of its systems up to date. Audits are a good time to recheck employee training and education and solicit input about where improvements might be needed. It’s also a good time to partner with an information technology provider to identify gaps in defenses. Time passes quickly, and without regular updates and scheduled replacements, obsolescence can become an avenue for threats.
Work Smarter with Coburn’s
At Coburn’s, we want to make the best of our business partnerships. If you’re looking for quality commercial and residential plumbing, electrical, waterworks and HVAC products, visit your local Coburn’s today for support you can depend on.
References:
- National Cybersecurity Alliance, About Us: https://www.staysafeonline.org/aboutus
- National Cybersecurity Alliance, “8 Biggest Small Business Cybersecurity Misconceptions”: https://www.staysafeonline.org/articles/8-biggest-small-business-cybersecurity-misconceptions
- Verizon 2024 Data Breach Investigations Report (direct quotes from pages 7 and 8): http://verizon.com/dbir and https://www.verizon.com/business/resources/reports/dbir/
- Positive Technologies, “Cybercriminals can penetrate 93% of local company networks and trigger 71% of events deemed unacceptable for their businesses”: https://global.ptsecurity.com/about/news/positive-technologies-cybercriminals-can-penetrate-93-of-local-company-networks-and-trigger-71-of-events-deemed-unacceptable-for-their-businesses
- U.S. Small Business Administration, “Entrepreneurs need to stay aware of cybersecurity threats that may directly impact the bottom line” (October 3, 2024): https://www.sba.gov/article/2024/10/03/entrepreneurs-need-stay-aware-cybersecurity-threats-may-directly-impact-bottom-line
- National Cyber Security Alliance, statement regarding an incorrect small business statistic: https://www.staysafeonline.org/press/national-cyber-security-alliance-statement-regarding-incorrect-small-business-statistic
- IBM, Cost of a Data Breach Report 2024, page 24: https://www.ibm.com/downloads/documents/us-en/107a02e94948f4ec