How vulnerable is your business to cyber threats? And if you do have any vulnerabilities, how would you know?
You might have some safeguards in place, such as a firewall and anti-virus software, but today’s threat environment is much different than it was even a few years ago. Attacks such as ransomware and phishing target your company’s employees — effectively bypassing the firewall to gain access to your network.
Don’t assume your small business is safe
Many small business owners don’t concern themselves with cybersecurity because they believe hackers wouldn’t waste their time on a small fish when they could go after a much larger one. But that’s not the case. Small businesses are becoming more coveted targets, precisely because they often don’t have a sophisticated approach to security and therefore are easier to breach.
Symantec’s 2016 Internet Security Threat Report suggests that one in 40 small businesses is at risk of being the victim of a cybercrime (compared to one in two large businesses, which are targeted multiple times per year with a cyberattack). It also found that phishing campaigns targeted small businesses 43 per cent of the time in 2015, which is up nine per cent over 2014.
Your critical data is at risk
Hackers are looking for anything from customer records and contact lists to banking information and credit card numbers. Their methods include everything from malware to botnets, malicious insiders, denial of service attacks, phishing and social engineering attacks. In a four-week study, the Ponemon Institute found that 100 per cent of participating small businesses experienced viruses, worms or Trojans.
That means it’s not a matter of if, but when, for most small businesses. But there’s no need to panic…
Knowing what you’re up against is half the battle. By understanding the threat landscape, rather than burying your head in the sand, you can seal any cracks in your security infrastructure, better protect your organization against potential attacks and have the capabilities to swiftly respond if you are attacked.
Keep in mind that no security solution or risk reduction strategy is capable of preventing all security-related incidents. However, a properly designed, managed and monitored environment can provide the necessary tools to minimize the risk and maximize your visibility into any potential threats.
Do you need a security specialist?
If you don’t have a security specialist on staff — or IT staff that handles security — then this becomes another task on your to-do list. That’s why companies of all sizes (not just SMBs) are calling in the pros to help them beef up their security.
“We provide threat risk assessments, vulnerability assessments and penetration tests, and that gives us a holistic view of the enterprise — how it’s set up, what security controls they have in place, if any,” said James Morris, Senior Manager of Communications and Security Solutions with Epic, a division of MTS.
Usually, he finds that customers have the basics in place, such as a firewall and anti-virus software, but they don’t have anyone internally to take care of security. Likewise, they are often missing the necessary controls to provide full visibility into what is going on within the IT environment.
Guidelines for beefing up your security
Morris recommends starting with the federal government’s Public Safety Canada and Get Cyber Safe websites, which provide a number of tools and resources to help businesses of all sizes get a handle on cybersecurity.
“It’s not the be-all-end-all, but it’s a good place to start,” James says. “The guidelines themselves will provide you with information on what you should be doing.”
That includes educating employees on cyber threats, creating stronger cyber safety policies, promoting device security and putting mechanisms in place to protect your organization from an attack (such as backing up strategic data and changing passwords on a regular basis).
The biggest concern for small businesses right now, as James explained, is ransomware and phishing. Ransomware encrypts files on your network and demands a ransom payment to decrypt them (check out the enlightening video below from Cisco on the anatomy of a ransomware attack). Phishing emails masquerade as a known entity — a bank, or even someone in your organization — to trick users into giving away sensitive information such as passwords and credit card details.
Eliminate the threat
“We implement a combination of training, policy and technical controls. Between those three it can help to significantly reduce the problem,” James explains. That includes building out zoned environments that are classified and secured based on their value to the business. Sensitive data, such as customer records or financial information, would go into a high-security zone, for example.
But you also need procedures in place in case any of those are bypassed, such as backup and emergency response. “We know it’s going to happen — we need to contain the battle in order to win the war.”
To learn more about protecting your business or to schedule a cybersecurity assessment, visit Epic's Security Services page.