17 essential security steps for SMBs shared by 21 global experts
Essential Security for SMB shared by Global Experts
We have spoken with over 50 experts in IT security, law, insurance and business continuity, and directly with some small businesses themselves, to bring you the advice and insights of the top 21. Their advice shows a number of key themes that align with guidance from leading government organisations on cybersecurity such as NIST, the ASD and GCHQ, in particular about gaining visibility of your network through vulnerability scanning and security monitoring, as well as simple, free steps around processes and planning.
“Security isn’t just for big companies, just because you’re a smaller business doesn’t mean that you won’t be targeted. And with the global average cost of a data breach standing at $3.62 million, ignoring your security is a risk that you can’t afford to take,” said Job Brown, Web Team Leader at Wooden Blinds Direct.
This is true now more than ever, but many solutions are still beyond what a small business can afford. We asked our experts for the essential, and often free, steps small businesses can take to protect themselves from being hacked. A small business needs to become aware of its assets, threats and controls in order to manage the business risk of cybercrime effectively. It is a war, and SMEs need to be prepared by understanding what attackers are after and where their own weaknesses are.
“If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu
Currently many businesses have not considered security and have no visibility of the threats or of their own environment. We are trying to level the battlefield by bringing a number of these steps to businesses through our Cyber Safety Service.
1. BE PREPARED & AWARE
HAVING VISIBILITY OF THREATS TO YOUR NETWORK IS ESSENTIAL
Monitoring all of a business's online connections is often the last thing a small business gets around to, but it is a very valuable way to protect yourself. It matters even more now in Australia under the Notifiable Data Breaches scheme, because you need to work out what happened and who was affected. Monitoring has usually been out of the price range of most small businesses, since the standard answer is a Security Information and Event Management (SIEM) platform that can cost hundreds of thousands of dollars a year, and even then many deployments only do basic correlation and lack enhanced AI detection. We think this needs to change, and we are offering a service at a hundredth of that cost that uses AI-based detection to find security threats.
“While no single strategy ‘fits all’, practicing basic cyber hygiene would address or mitigate a vast majority of security breaches. Being prepared if an intrusion occurs is also critical, and having a communications method for a response, actively monitoring centralized hosts and networks, and including enhanced monitoring to detect known security events is a must,” states Braden Perry, litigation, regulatory and government investigations attorney.
2. LOCK ALL THE DOORS
UPDATING ALL SYSTEMS AND SOFTWARE CLOSES THE DOORS TO CRIMINALS
Have you enabled Windows Update, or automatic updating, on all employees' computers? Remember the applications in use as well, such as Adobe Reader, and turn on their automatic updates too. Tools like Secunia PSI could monitor third-party applications for missing patches (Flexera has since discontinued it, so check what your vendor currently offers for the same job). Another good step is to run a vulnerability scan regularly to see what has been missed and what needs updating; our Cyber Safety Service does this on your internal network regularly. Regular scanning is also commonly a requirement of a cyber insurance policy.
Bob Herman, Co-Founder and President of IT Tropolis, says: “Configure your Windows computers and servers to automatically install Microsoft updates as they become available. Occasionally an update from MS breaks a valid 3rd party software or their own software, but dealing with those occasional issues is a far better path than dealing with the results of security vulnerabilities, like the SMB vulnerability exploited by WannaCry and NotPetya last year.”
3. PREPARE FOR THE WORST
ADD ANOTHER LAYER OF AUTHENTICATION
“I have six locks on my door all in a row. When I go out, I lock every other one. I figure no matter how long somebody stands there picking the locks, they are always locking three.” Elayne Boosler.
Carl Mazzanti, Co-founder and Vice President of eMazzanti Technologies, says: “I am a raving fan of 2-factor authentication (2FA). It’s a mandatory tool for me and anyone I can educate about it! Not only can 2FA provide an extra layer of security for small business PCs and other devices, but it can store your passwords too.
In addition to your bank accounts, enable two-factor authentication for Facebook, LinkedIn, Twitter, Microsoft, Apple, and Google. Furthermore, use 2FA to protect any other accounts that contain personal or sensitive business information.”
4. I HAVE A VERY, VERY, VERY CUNNING PLAN
INCIDENT RESPONSE PLANS AND CYBER POLICY
It cannot be said often enough: have plans in place for a cybersecurity incident. They clarify steps and responsibilities, because in a crisis emotions run high and that affects people’s judgment. One key consideration is that a cyber incident is a business risk, not an IT risk, so the whole business needs to be considered and involved. Incidents have legal, privacy, reputational and business-operations impacts as well as IT ones, so the plan needs to be integrated into your crisis plans if you have them. These need not be onerous or complex; in fact, they need to be flexible and succinct. We will be looking to add a free template for these and a future blog post on writing your own.
Braden Perry of Kennyhertz Perry LLC, whose advice on cyber hygiene and monitoring is quoted in step 1, adds: “With a well-oiled cyber policy, you can mitigate outsiders significantly.”
5. GET THE A-TEAM TO HELP
PARTNERING WITH SECURITY EXPERTS GIVES YOU ADVANCED CAPABILITIES
Job Brown, Web Team Leader for Wooden Blinds Direct, has found that there are specialist companies that help SMBs with security capabilities on a subscription basis at a very affordable price. We are glad to say we are one of these companies; see our SMB Security AI Cyber Safety Service.
“Thankfully though, there are a number of affordable ways for small businesses to cover themselves. The first thing you should do is find yourself a partner who has your best interests in mind. There are many IT support companies out there who specialize in ensuring SMBs are protected from cyber-attacks, and most of these offer subscription schemes which don’t require any upfront cost. So, you can find one suitable for you, without having to pay out a large immediate sum.”
6. TRUST NO ONE
HOW TO VERIFY OFFLINE BEFORE MAKING A PAYMENT
Kyle White, Chief Executive of “VeryConnect” shared some insights to help small businesses avoid the ever-increasing scams people face every day.
“There are some easy practical tips you can follow to protect yourself against a range of frauds. An increasingly common threat is where people are sent the wrong bank details for a transaction that they may or may not be expecting to make to a new recipient for the first time. This could be a completely fraudulent invoice or fraudulent payment details to a new person who you are expecting to pay. To protect yourself, you should call the new recipient on a number you know is theirs (not necessarily the number on the invoice or email that was sent). Talk to someone you know and verify the amount and bank account details are correct. You can then rest assured for future transactions that they are the correct recipient.”
Justin Lavelle, Chief Communications Officer for BeenVerified.com, also gives great advice in this space. Verifying identity whenever a payment is involved is very important; it is also worth validating that any invoice matches the original purchase order number.
“Invoice scams are invoices for goods and services you never ordered or received. These invoices may look genuine but are actually phony. Take the time to make sure that any invoice paid matches up to a purchase order or packing slip before paying. Limit A/P management to one employee that is well trained in how to close the loop. Issue purchase order numbers for all purchases and check all invoices against the original orders. “
7. IT'S EASIER TO FOOL PEOPLE THAN TO CONVINCE THEM THAT THEY HAVE BEEN FOOLED
BE WARY OF URGENT REQUESTS FROM ONLINE MESSAGES
Nine of our 21 experts talked about security awareness and education as important for small businesses to stay secure online.
The US National Cyber Security Alliance runs a great website, https://staysafeonline.org/, which gives good strategies and current threats; the Australian Government’s Stay Smart Online program covers the same ground for local businesses.
Robert Siciliano, Identity Theft Expert with Hotspot Shield, gives his expert advice on this. One addition I would make: although phishing emails traditionally contained spelling mistakes (on purpose, to improve the conversion rate), more targeted attacks do not, and they include information about you or your organisation to instil trust.
“Small business should focus on increasing security awareness in the workplace, from the ground up and from the top down: We should teach workers how to handle data to minimize the potential of its falling into the wrong hands.
- After presenting information about security awareness, come up with a scheme to set up a situation where employees are given the opportunity to open a very alluring link in their email. This is called a “phishing simulation.” This link will actually take the worker to a safe page, but you must make the page have a message, such as “You Fell For It.” You should also make sure that these emails look like a phishing email, such as adding a misspelling.
- The people who fall for this trick should be tested again in a few days or weeks. This way, you will know if they got the message or not.
- Don’t make it predictable as to when you are giving out these tests. Offer them at different times of day and make sure that the email type changes.
- Consider hiring a professional who will attempt to get your staff to hand over sensitive business information over the phone, in person, and via email. This test could be invaluable, as it will clue you into who is falling for this.
- Quiz your staff throughout the year, to allow you to see who is paying attention.
- You want to focus on educating your staff, not disciplining them. They shouldn’t feel bad about themselves, but they should be made aware of these mistakes.
- Make sure your staff knows any data breach could result in legal, financial or criminal repercussions.
- Schedule workstation checks to see if employees are doing things that might compromise your business’ data, such as leaving sensitive information on the screen and walking away.
- Explain how important security is to your business and encourage staff to report any suspicious activity.
- After training your staff and testing your employees, make a full list of all of the important concepts that they should understand. Examine this list frequently and then re-evaluate the list to see if any revisions are required.”
Nick Santora of Curricula explains what a security awareness training program is. “You have employees interacting with online accounts all day. Emails, logins, passwords, you name it. A security awareness training program helps educate your employees on how to identify cyber threats. The education should teach them what the risks are and how to protect themselves from those risks. Simply putting together a few emails that say don’t click suspicious links is not enough to build a security culture among your employees. A true security awareness program is constantly ingraining security in your employees’ workday so that it becomes part of your company culture.”
8. ONE PASSWORD TO RULE THEM ALL
PASSWORD MANAGERS MAKE COMPLEX PASSWORDS EASY
Darren Guccione is the CEO and co-founder of KeeperSecurity, Inc. “Considering more than 80 percent of data breaches occur due to weak or poor password management, adopting a password manager is a cost-effective and powerful tool that substantially mitigates the risk of a cyber breach. We are in a cyberwar. More than 55% of businesses reported breaches last year. On average, 30,000 websites are hacked each day. The question is no longer what should I do IF I get attacked and breached. Instead, the question is how do I prepare myself WHEN I get attacked and breached?”
Nick Santora, CEO of Curricula, said: “Password managers are a great tool for your employees to manage multiple sets of difficult passwords for all the systems they log in to. Think about all of the passwords that your employees use every day. Most employees have access to over 30 different online accounts, some of which are your work accounts. Did you know that over 50% of employees reuse their personal account passwords with their work accounts? This is alarmingly high, and to think that a breach of one of your employee’s personal accounts will most likely impact your business. Having a policy on this is important, but discussing the risk with your employees is the more important factor for prevention.”
9. BREAK IN CASE OF EMERGENCY
USE A GOOD BACKUP SYSTEM AND HAVE A BUSINESS CONTINUITY PLAN
Another hot topic for our experts, and no surprise, because backups are a very good mitigation for one of the largest threats to small businesses: ransomware. Most antivirus is not effective against it (if that surprises you, see our blog post on antivirus failing SMBs), though some products lead in this space, such as Malwarebytes for Teams. So a good backup solution is key, and it needs to be one that ransomware running with a user’s credentials cannot reach and encrypt along with everything else, which means a copy that is offline or held by a separate service with its own credentials.
Bob Herman, Co-Founder and President of IT Tropolis, says: “Small businesses should ensure they’ve implemented a proper backup and disaster recovery system that is monitored and tested for recovery on a regular basis. Knowing you can recover your data after a breach, such as falling victim to ransomware, will allow you to sleep easier at night!”
Ian McClarty, CEO and President of PhoenixNAP Global IT Services, says:
“One of the first things we ask all of our clients is what their pain threshold is for catastrophic data loss. Many small business owners have never even considered the possibility of devastating data loss from phishing, malware, viruses, or even natural disasters. The reality is it happens every day. Hackers are targeting small businesses, as they are low hanging fruit, easier targets.
Small businesses should implement a data protection plan that includes offsite storage, ideally cloud storage. Cloud storage simply means that when you back up a file, the file goes to multiple locations around the world.
Your critical data should be kept in multiple physical locations separated by significant physical distance. The cloud provides this level of duplication and redundancy by distributing your stored data across multiple different data centers in multiple locations. The cost of such services has come down significantly in the past few years, and this service, once reserved for large companies, is very affordable for small business owners.”
We think that using a quality backup service provider is essential, and there are many excellent choices; we have found that Acronis has an excellent solution for small businesses to back up their computers. Whatever you choose, a backup you have never restored is an assumption, not a control: schedule a test restore and check the restored files against what was backed up.
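As an added example (not code from the article or from any backup product it mentions), the Python script below gives Bob Herman's "tested for recovery on a regular basis" a pass/fail answer. At backup time it records a SHA-256 manifest of the files; after a test restore it checks every file in the manifest against the restored copy and reports anything missing or changed. The sample data set, the temporary directories and the simulated tampering are constructed for the example; in real use the manifest would be kept somewhere the backup job's credentials cannot write to.

```python
"""Build a hash manifest of a backup set and verify a test restore against it.

Added example, not code from the original article. The data set written
below is constructed; the manifest should live where ransomware that
reaches the backup cannot also rewrite it.
"""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time.

    Returns {relative_path: 'missing' | 'changed'}; an empty dict means
    every backed-up file came back byte-for-byte identical."""
    restored = build_manifest(restored_root)
    problems = {}
    for rel, digest in manifest.items():
        if rel not in restored:
            problems[rel] = "missing"
        elif restored[rel] != digest:
            problems[rel] = "changed"
    return problems


def demo():
    """Run the full cycle on constructed data.

    Returns (clean_problems, tampered_problems): the first from a faithful
    restore, the second after simulating ransomware reaching the copy."""
    work = tempfile.mkdtemp(prefix="restore-test-")
    try:
        source = os.path.join(work, "source")
        os.makedirs(os.path.join(source, "invoices"))
        with open(os.path.join(source, "customers.csv"), "w") as fh:
            fh.write("id,name\n1,Jim's IT\n")            # constructed sample data
        with open(os.path.join(source, "invoices", "2018-01.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")

        manifest = build_manifest(source)   # taken when the backup is made
        backup = os.path.join(work, "backup")
        shutil.copytree(source, backup)     # stands in for the backup job

        clean = verify_restore(manifest, backup)

        # Simulate an encrypted file and a deleted file in the backup copy.
        with open(os.path.join(backup, "customers.csv"), "w") as fh:
            fh.write("ENCRYPTED\n")
        os.remove(os.path.join(backup, "invoices", "2018-01.pdf"))
        tampered = verify_restore(manifest, backup)
        return clean, tampered
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, tampered = demo()
    print("faithful restore:", clean or "all files verified")
    print("tampered restore:", tampered)
```

Run it on a real restore by calling `build_manifest()` against the live data before the backup job and `verify_restore()` against the restore target afterwards; a non-empty result is the signal that the backup cannot be relied on.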
10. A ROSE BY ANOTHER NAME
AVOID USING PREDICTABLE EMAIL ADDRESS NAMES
Cindy Murphy, a veteran expert in digital forensics and incident response and president and co-founder of Madison, Wisconsin-based Gillware Digital Forensics, gave some simple yet effective advice on choosing your staff and administrator email addresses.
“Contrary to what pop culture might have you believe, hackers do not have magic powers. What they do have is the same thing every con man and swindler has: a good grasp of peoples’ psychological weak points and common blind spots, including our tendency to trust authority figures.
One of the lesser-known, but most-powerful tools you can have to protect your business from ransomware and hacking rests in the Administrator account on your network. Is your Admin account named “Admin?” If so, you could have a security hole in your network.
Imagine a hacker wants to sneak some ransomware onto the network at a small business called “Jim’s IT.” They do this by guessing some of the employees’ emails (since, for example, John Doe at Jim’s IT probably uses “[email protected] or “[email protected]”). Then, they have to make it look like their dodgy link is coming from a trusted source.
Of course, who’s more trusted than the network administrator? The hacker makes their email look like it’s coming from “Admin,” and might even go so far as to set up a vanity address and send the email as “[email protected],” or something that looks similar at first glance.
But Jim was smart. He didn’t name his administrator account “Admin,” he named it “Elongated Muskrat,” or something else unintuitive, and the administrator email is “[email protected]” And he had the good sense to make sure all of his employees knew that. John Doe takes one look at the fraudulent email he’s received from “Admin” and tosses it in the trash, because he knows what a real email from the real admin account would have looked like, foiling the would-be hacker.”
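As an added example (not code from the article, from Gillware or from Hotspot Shield), the Python check below applies the advice from step 7 and from Cindy Murphy above to an inbound message: it flags a privileged display name such as “Admin” on an address outside your own domain, a sender domain that is a near-miss of yours, a Reply-To that steers replies elsewhere, and urgent wording. The company domain, the list of privileged names, the similarity threshold and the two sample messages are assumptions constructed for the example.

```python
"""Flag impersonation indicators in an inbound email.

Added example, not code from the original article. The company domain,
the privileged display names and the two sample messages are constructed
assumptions.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "jimsit.example"   # assumption: the business's own mail domain
PRIVILEGED_NAMES = {"admin", "administrator", "it support", "helpdesk", "ceo"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|within the hour|final notice)\b", re.I)


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_like(domain, target):
    """True when domain is a near-miss of target (jims-it vs jimsit) or a
    subdomain trick (jimsit.example.evil). Identical domains are not flagged."""
    if not domain or domain == target:
        return False
    left, right = domain.split(".")[0], target.split(".")[0]
    return difflib.SequenceMatcher(None, left, right).ratio() >= 0.8


def assess(raw_message):
    """Parse one raw RFC 5322 message; return the list of findings (empty = clean)."""
    msg = message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. A trusted-sounding display name on an address outside our domain.
    if display.strip().lower() in PRIVILEGED_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append("privileged display name '%s' from external domain" % display)

    # 2. Sender domain is a lookalike of our own.
    if looks_like(from_domain, COMPANY_DOMAIN):
        findings.append("lookalike sender domain %s" % from_domain)

    # 3. Replies are steered to a different domain than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # 4. Urgency language in the subject or body.
    body = msg.get_payload(decode=True) or b""
    if URGENCY.search(msg.get("Subject", "") + " " + body.decode("utf-8", "replace")):
        findings.append("urgent wording")
    return findings


# Constructed samples: the "Admin" lure from the article, and a genuine internal mail.
SUSPICIOUS = """\
From: Admin <admin@jims-it.example>
Reply-To: recovery@webmail-login.example
To: john.doe@jimsit.example
Subject: URGENT: password reset required

Your mailbox will be locked within the hour. Log in here to keep access.
"""

LEGITIMATE = """\
From: Elongated Muskrat <elongated.muskrat@jimsit.example>
To: john.doe@jimsit.example
Subject: Patch window on Saturday

Reminder that servers reboot Saturday 02:00. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, "->", assess(raw) or "no findings")
```

None of these indicators is proof on its own; the value is in the combination, and in the fact that staff who know what the real admin address looks like can apply check 1 by eye without any code.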
11. A DIAMOND IN THE ROUGH
DIGITAL ASSETS IN YOUR COMPANY ARE HIGHLY VALUABLE TO CYBER CRIMINALS
Often missing from security advice is the value of understanding your business’s key assets. These are often not what you think: it is not always money, but something criminals can monetise, like personal information they can sell or blackmail you with. Isaac Kohen, founder and CEO of Teramind, shares some insights on this.
“Here’s the best thing a small business owner can do to protect against a hacker: identify your ‘crown-jewel’ data and double-down on investments to protect this data. Data is gold to hackers – whether it’s your intellectual property, employee personal data, customer information, or bank account information. Every small business needs to take the time to identify its most valuable data, where the data resides on the network or in the cloud, and who has access to this data across both employees and partners/vendors. Then, take the following steps to protect the data: restrict access to those who need the data to do their jobs, use strong authentication methods to control access, and monitor activities (like downloading and printing) to catch a potential breach early.“
12. ACCESS DENIED
LIMITING YOUR USERS' ACCESS TO WHAT THEY NEED GREATLY REDUCES RISK
“Limit Access to Consumer Data — employees at an SMB should be able to access only those systems and data that they absolutely need to perform their jobs. So that all activity can be traced to a particular user, each employee should have a unique access ID and should be authenticated using a strong password or passphrase, biometrics, or a token device or smart card. Strong cryptography should be used to render all passwords unreadable during storage and transmission. Physical access to systems and consumer data should also be restricted to prevent employees and building visitors from accessing or removing devices, data, systems, or hard copies.” Mike Baker, Founder and Managing Partner, Mosaic451
13. KNOW YOUR ENEMY - SUN TZU
UNDERSTANDING THE THREATS AND MAPPING SECURITY CONTROLS TO THEM IS CRITICAL
“Constant vigilance and thoughtful, prudent, proactive security measures will keep users safe not just from ransomware attacks, but all cyber attacks. Users should keep their fingers on the pulse of cybersecurity and look for new exploits and threats to be aware of.” Adnan Raja, Vice President of Atlantic.Net.
Mapping your threats to your assets and understanding what security controls you have to protect yourself is key to being able to manage your cyber risks. This is something we offer as part of our “Cyber Safety Service” along with vulnerability scanning and security monitoring.
14. THE CLOUD - SOMEONE ELSE'S COMPUTER
PUTTING YOUR DATA AND APPLICATIONS IN THE CLOUD DOES NOT OUTSOURCE YOUR RESPONSIBILITIES AND SECURITY NEEDS
“Never assume public clouds, such as Azure or AWS, are safe because they’re owned by trusted brands. Cases abound online where sensitive private data was exposed due to misconfigured S3 buckets on AWS. At a minimum, your data should be encrypted at rest, whether on or off the cloud, on every endpoint which stores your data.” said Eric Schlissel, CEO of GeekTek. Encryption at rest is a baseline rather than a fix for the bucket problem: server-side encryption is transparent to anyone the bucket policy allows to read the object, so the access policy itself has to be reviewed.
Chris Byrne from Sensorpro gave us these 3 gems.
“Here are 3 things about internet security that every small firm should know:
- Get a security certificate for your website, it sends a message to customers that you care about their security. And Google is now penalising sites without it.
- Ensure that SPF is set on your domain so that bad actors can’t spoof your domain and trick employees into clicking links in phishing emails.
- For larger firms consider encrypting data at rest. For consumers, try and use services that have this as an option.”
15. HOPE FOR THE BEST - INSURE FOR THE WORST
NOT EVERYTHING CAN BE PREVENTED; INSURANCE IS ONE WAY TO MANAGE THE REMAINING RISK
“Invest in cyber liability insurance. Hacks aren’t 100% preventable, so it is best to be prepared. Very few businesses have cyber liability insurance, which is why so many go bankrupt and close after a hack. This insurance helps cover the steep legal and technical costs businesses may see after a hack.” Keri Lindenmuth from KDG, a tech solutions company.
16. TRUST BUT VERIFY
ALWAYS CHECK AND HAVE GOOD PROCEDURES
Justin Lavelle, Chief Communications Officer for BeenVerified.com, advises:
- “Be wary of any email requesting an urgent wire transfer. To verify its legitimacy, call the person who supposedly sent the email to verify whether it’s legitimate. The FBI says that companies should also carefully look at emails to see if they are authentic and use multi-level authentication.
- When it comes to making payments/wire transfers, hold customer requests for international wire transfers for an additional period of time to verify the legitimacy of the request, confirm requests for transfers of funds by phone verification as part of the two-factor authentication using previously known numbers (not the numbers provided in the e-mail request), know the habits of your customers, including the details of, reasons behind, and amount of payments, and carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
- Never assume a call requesting documentation or renewals are authentic. Some of these services are already offered for free, always check your certifications to see when renewals are due and realize many of these calls are not legitimate.
- If you think you or your business has been scammed, call your financial institution immediately and your local FBI agency.”
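As an added example (not code from the article, from VeryConnect or from BeenVerified.com), the Python script below turns the payment checks described by Kyle White in step 6 and by Justin Lavelle in this step into a single pre-payment review: match the invoice to a purchase order you raised, compare the amount, compare the bank details with the vendor record you already hold, and refuse to approve a changed account or an urgent request until someone has confirmed it by phone on the number already on file. The vendor record, purchase order and invoices are constructed assumptions.

```python
"""Pre-payment checks for supplier invoices and wire requests.

Added example, not code from the original article. The vendor record,
purchase order and invoices below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    known_phone: str      # number already on file, never the one printed on the invoice
    bank_account: str     # the account you have paid successfully before


@dataclass
class PurchaseOrder:
    po_number: str
    vendor: str
    amount: float


@dataclass
class Invoice:
    vendor: str
    po_number: str
    amount: float
    bank_account: str
    urgent: bool = False          # "pay today", "wire immediately", and so on
    phone_verified: bool = False  # set only after a call to Vendor.known_phone


def review_invoice(inv, vendors, orders):
    """Return (approved, reasons). Approve only when no check fails."""
    reasons = []
    vendor = vendors.get(inv.vendor)
    po = orders.get(inv.po_number)

    # Close the loop: every invoice must trace back to a PO we raised.
    if vendor is None:
        reasons.append("no vendor record for %r" % inv.vendor)
    if po is None:
        reasons.append("no purchase order %s on file" % inv.po_number)
    else:
        if po.vendor != inv.vendor:
            reasons.append("PO %s was raised for %s, not %s" % (po.po_number, po.vendor, inv.vendor))
        if abs(po.amount - inv.amount) > 0.005:
            reasons.append("amount %.2f does not match PO amount %.2f" % (inv.amount, po.amount))

    # New bank details are the classic invoice-fraud move: confirm out of band first.
    if vendor is not None and inv.bank_account != vendor.bank_account and not inv.phone_verified:
        reasons.append("bank account differs from record; confirm on %s before paying" % vendor.known_phone)

    # Urgency is pressure, not proof: same out-of-band rule.
    if inv.urgent and not inv.phone_verified:
        reasons.append("urgent request; confirm by phone on the number on file before paying")

    return (not reasons, reasons)


# Constructed records.
VENDORS = {"Acme Blinds Ltd": Vendor("Acme Blinds Ltd", "+61 2 5550 0100", "BSB 062-000 / 1234 5678")}
ORDERS = {"PO-1041": PurchaseOrder("PO-1041", "Acme Blinds Ltd", 4200.00)}

GOOD = Invoice("Acme Blinds Ltd", "PO-1041", 4200.00, "BSB 062-000 / 1234 5678")
NEW_BANK_URGENT = Invoice("Acme Blinds Ltd", "PO-1041", 4200.00, "BSB 062-000 / 9999 0001", urgent=True)
VERIFIED = Invoice("Acme Blinds Ltd", "PO-1041", 4200.00, "BSB 062-000 / 9999 0001",
                   urgent=True, phone_verified=True)
NO_PO = Invoice("Acme Blinds Ltd", "PO-9999", 150.00, "BSB 062-000 / 1234 5678")

if __name__ == "__main__":
    for label, inv in (("good", GOOD), ("new bank + urgent", NEW_BANK_URGENT),
                       ("verified", VERIFIED), ("no PO", NO_PO)):
        print(label, "->", review_invoice(inv, VENDORS, ORDERS))
```

The important design choice is that `phone_verified` can only be set by the person who made the call to the number on file; if the flag could be set from anything in the email or invoice itself, the check would be defeated by the same message it is meant to catch.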
17. IDENTITY CHECK ON EMAIL
USE TECHNOLOGY TO PREVENT CRIMINALS IMPERSONATING YOU OR YOUR STAFF
One way to prevent spoofing of your domain is to publish SPF, DKIM and finally DMARC records in DNS. DKIM adds a digital signature to outgoing messages: your mail server signs selected headers and a hash of the body with a private key, and the matching public key is published in a TXT record under your domain. Receiving servers fetch the public key and verify the signature, which shows the message was sent through your mail system and was not altered in transit (it is a signature, not encryption; nothing in the message is hidden). Not every system that sends mail for you will support DKIM, so set up SPF (Sender Policy Framework) as well: an SPF record lists the servers allowed to send mail for your domain, so a recipient can check that a message claiming to come from you arrived from one of them. DMARC ties the two together. It tells receivers what to do with mail that fails both checks (none, quarantine or reject), requires the domain that passed to match the From: address the user actually sees, and sends you reports on who is sending mail as your domain.
This may all seem difficult, but your email provider can help: Google and Microsoft both publish simple, clear instructions for all three.
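As an added example (not code from the article or from any mail provider it names), the Python script below lints SPF and DMARC records before you publish them, covering this step and Chris Byrne's SPF advice in step 14. It works on the TXT record text rather than querying DNS, so it runs offline; the records shown are constructed. It flags the settings that leave a domain spoofable: an SPF record ending in `+all` or `?all` (any host may send as you), no `all` term at all, more than the ten DNS lookups RFC 7208 allows (receivers then return a permanent error and your SPF is useless), the deprecated `ptr` mechanism, and a DMARC policy of `p=none`, which only reports and blocks nothing.

```python
"""Lint SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example, not code from the original article. Takes record text as
strings (no DNS queries); the sample records below are constructed.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 (limit: 10).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lint_spf(record):
    """Return a list of problems with an SPF record; an empty list means it is sound."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    problems = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                       # the default when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, 1)[0].lower()   # include:_spf.x -> include
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("ptr mechanism is deprecated and slow")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        problems.append("%d DNS lookups exceed the limit of 10; receivers will permerror" % lookups)
    if all_qualifier is None:
        problems.append("no 'all' term: unknown senders get a neutral result")
    elif all_qualifier in "+?":
        problems.append("'%sall' lets any host send as this domain" % all_qualifier)
    return problems


def lint_dmarc(record):
    """Return (policy, problems) for a _dmarc TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None, ["not a DMARC record (must start with v=DMARC1)"]
    problems = []
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy.lower() == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        problems.append("pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        problems.append("no rua= address: you get no aggregate reports")
    return policy, problems


# Constructed records: a weak and a sound version of each.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ?all"
GOOD_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@jimsit.example; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, rec in (("weak SPF", WEAK_SPF), ("good SPF", GOOD_SPF)):
        print(label, "->", lint_spf(rec) or "ok")
    for label, rec in (("weak DMARC", WEAK_DMARC), ("good DMARC", GOOD_DMARC)):
        print(label, "->", lint_dmarc(rec))
```

Start with `p=none` and the `rua=` reports to learn which legitimate systems send as your domain, fix their SPF and DKIM, then move to `p=quarantine` and `p=reject`; the linter is there to make sure you do not stop at the monitoring stage.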
“Small businesses can protect themselves against cyber attacks by investing in clean email services that work in conjunction with cloud email providers like Gmail or Microsoft. These companies front end your corporate cloud mail services and filter out SPAM, Phishing and malware before it enters your email system. The second step is to install strong endpoint protection software that can stop ransomware from being installed. This software not only protects against threats like viruses but can block suspicious behavior on your endpoints before it can cripple your business.
A DDoS appliance protecting the Internet connection is the first line of defense. Appliances from vendors such as Fortinet or Radware are placed on the customer premises as close to their Internet edge as possible. These devices can help identify and block most DDoS traffic. However, this solution falls short with a DDoS attack that attempts to flood Internet circuits. The only way to protect against this type of attack is to have a device at the service provider or in the cloud. Infrastructure Access Control Lists (IACLs) can also be installed in routers and switches to detect suspicious network traffic patterns. Many companies believe they can hide behind a firewall, which can be easily hacked. A firewall is important, but not a panacea. DDoS attacks will continue due to the ease of execution. Companies must be prepared, constantly monitoring the network, and have a game plan to deal with attacks. With foresight, it is possible to both thwart an attack and defend against future ones.” Mike Baker, Founder and Managing Partner, Mosaic451
Braden Perry is a regulatory and government investigations attorney with Kansas City-based Kennyhertz Perry, LLC. Mr. Perry has the unique tripartite experience of a white-collar criminal defense and government compliance, investigations attorney at a national law firm; a senior enforcement attorney at a federal regulatory agency; and the Chief Compliance Officer of a global financial institution.
Bob Herman is the Co-Founder and President of IT Tropolis. He is an engineer with over thirty years of professional working experience. His areas of expertise include managed IT services, data protection, cybersecurity, cloud computing, technology implementations, project management, IT operations, business continuity, network topology, and virtualization technologies.
Carl Mazzanti is the Co-founder and Vice President of eMazzanti Technologies, a premier IT security consulting firm throughout the NYC Metro area and internationally, and a frequent business conference speaker and technology talk show guest.
Job Brown is the Web Team Leader and backend engineer for Wooden Blinds Direct. He is responsible for maintaining the cyber-security of all nine sites under the Interior Goods Direct brand. He graduated with a first class degree in Software Engineering from the University of Huddersfield.
Kyle White is the CEO & Co-Founder of VeryConnect – Membership Management Software, and has a PhD in Computer Science from the University of Glasgow, Scotland. Kyle has worked in New Zealand, the East and West coasts of the USA and in mainland Europe in technical and project management roles.
Justin Lavelle is the Chief Communications Officer for BeenVerified.com, a leading source of online background checks and contact information. It allows individuals to find more information about people, phone numbers, and criminal records in a way that’s easy and affordable. BeenVerified.com helps people discover, understand, and use public data.
Keri Lindenmuth is the marketing manager at KDG, a tech solutions company that serves higher ed, nonprofits, and small businesses. The award-winning team at KDG has kept hundreds of clients safe from data breaches.
Nick Santora is the CEO of Curricula, a cyber security training company that teaches organizations how not to get hacked. Nick is a cybersecurity expert leading the Curricula team with their story-based cyber security awareness training program, helping organizations across the world change and improve their cybersecurity culture with engaging content and a simulated phishing training program.
Darren Guccione is the CEO and co-founder of KeeperSecurity, Inc., creator of Keeper, the world’s most popular password manager and secure digital vault. Keeper has more than 13 million customers, and the business solution protects more than 4,000 organisations worldwide.
Eric Schlissel is the CEO of GeekTek, an LA-based managed IT/cybersecurity firm. With clients in law, medicine, manufacturing and cannabis GeekTek designs and implements IT solutions for rapidly scaling businesses. Possessing 20 years of entrepreneurial and investment experience, Eric is also a travel addict, aspiring bourbon connoisseur, and foodie-wannabe.
Ian McClarty holds an MBA from Thunderbird School of Global Management. He has over 20 years executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of PhoenixNAP Global IT Services.
Cindy Murphy is a veteran expert in the field of digital forensics and incident response. As the president and co-founder of Madison, Wisconsin-based Gillware Digital Forensics, Murphy deals with ransomware intrusions, data theft, phishing, and hacking incidents affecting clients large and small on a regular basis.
Mike Baker is Founder and Managing Partner at Mosaic451, a managed cyber security service provider (MSSP) with expertise in building, operating and defending some of the most highly-secure networks in North America. Baker has decades of security monitoring and operations experience within the US government, utilities, and critical infrastructure. This year Mosaic451 was ranked No. 376 on Inc. Magazine’s annual Inc. 5000 list and No. 6 in the Security category.
Adnan Raja is the Vice President of Atlantic.Net, a trusted web hosting solution that offers HIPAA-Compliant, Dedicated, Managed and Cloud hosting. Atlantic.Net has been around since 1994 and its team are experts in cyber threats and how to handle them.
Chris Byrne is the Co-founder of Sensorpro: the customer messaging and feedback platform to grow your business.
ROBERT SICILIANO, CSP, the #1 Best Selling Amazon.com author and CEO of IDTheftSecurity.com, may get your attention with his fun engaging tone and approachable personality—but he is serious about teaching you and your audience fraud prevention and personal security. Robert is a security expert and private investigator fiercely committed to informing, educating and empowering people so they can protect themselves and their loved ones from violence and crime in their everyday lives, both in their physical and virtual interactions. Robert, a Certified Speaking Professional with a “tell it like it is” style, is a favorite source for dozens of major media outlets, leading corporations and organizations looking for the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Robert is accessible, professional, and ready to weigh in and comment with down-to-earth insights at a moment’s notice on breaking news that affects us all.
Demo Video https://goo.gl/PhF2L1