The Biggest Security Threat to Small Business and How to Fix It
What is the biggest security threat to small businesses today. I will let you know right now that most business owners believe it is getting hacked. In a sense that is true. But often the idea of being hacked is misrepresented in our minds as some guy in a hoodie behind a laptop writing code and scripts to break into an enterprise network or government system. I will tell you right now that is not an accurate image for 90% of businesses, especially SMALL businesses.
For Small Businesses the biggest and most common threat never breaks through a firewall. It simply uses the front door.
That is right. Your businesses biggest threat just walks in. They unlock the frond door, turn on the lights. Some of them will make coffees, others will bring doughnuts for the office.
Its your employees.
Most business owners implicitly trust their employees and that is a good thing. They have to. And it our HUMAN nature.
As an employer, you need to be able to trust your employees. Not just because of the time and financial investment you have in hiring and grooming them, but to also create a cooperative and healthy work environment.
Why are they such a threat
So now you know what the biggest threat to your business security the question is why are they such a big threat. I know that getting past the trust issue is the biggest hurdle. Your employees would never do anything that would harm your business. Right?
For the most part that is true but we do have to consider that there are disgruntled employees. Fortunately those are not common and the ones that would have the ambition and knowledge to take action against your systems are even fewer.
Then why are the employees the biggest security threat.
The answer is not easy and so straight forward. It is usually a simple mistake of clicking on a link on a website or email or downloading a movie on their lunch break. Like i said earlier the problems do not present themselves in a malicious manner. It is generally innocent and often happens because of lack of training and ignorance. Other times however they are simply coerced by a threat or what is being presented to them as a legitimate authority figure in need of their assistance.
There is a way to fix it which is relatively simple and inexpensive but requires ongoing effort.
One of the biggest things you can do to turn your employees into the strongest first line of defense is effective training and monitoring. It is fairly easy to get buy in from employees when you take is seriously from the top. Be transparent and explain why you are doing this and where you are starting from. Be open about your own mistakes. If you have done these things let them know and also let them know you are promising to follow the rules that will be implemented. Some people will go so far at to sign a contract with their employees. Being the first one that signs is important because it shows you are leading the effort and take it seriously. Then get all the employees to commit as well by signing as well.
Other things we advise clients to do is implement a bonus program for cybersecurity. Depending on the size of your company you can incentivize your cybersecurity program with rewards for successful trainings like $100 per quarter for passing all the tests, a free lunch, gift certificate or even a day off.
Training programs will generally consist of a brief on-boarding session followed up with bi-weekly or monthly training sessions as well as randomized phishing simulations. The training sessions will generally consist o fa short, 3 to 5 minute video with a 2 or three question quiz. We suggest that the trainings and phishing simulations be randomized throughout the company so that they cause a minimum disruption of workflow.
I also mentioned that continuous monitoring. Obviously I am a proponent of continuous monitoring. So much so that it is part of every cybersecurity offering that we provide. I have heard IT professionals who do not think that dark web monitoring is necessary and believe you never need it. I equate that with not believing you need gauges on your car dash board. While most of the time you will never need to worry about what the gauges are telling you but i guarantee if something does go wrong you will be happy that the gauge warned you of an issue before your car actually dies. It is a lot easier and cheaper to add a quart of oil than it is to replace an engine.
The same theory applies with Dark Web Monitoring. On the initial scan we do, there will likely be a lot of compromise information with historical data that can go back as far as 10 years. As you can imagine this could be a lot of data. You may feel this is unnecessary because it is so far in the past. I feel it is valuable and here is why.
A colleague shared the following with me recently.
When this colleague went to a client with his initial compromise report, the CEO and HR VP were there and so was the Director of the Accounting division. It was fortunate that the new Accounting Director was there because as she scanned over the report she saw something that looked familiar. She paused a minute and then gasped. She saw a password that she recognized as the same password that was used to access several bank accounts. The HR VP then investigated a little more and discovered that the email address associated was that of a previous Financial Director who left the company 3 years ago. The additional PII that was in the compromise were usernames which were also still being used. The bank accounts that the username and passwords were connected to had access to over $5 million in cash.
There have been many times where user accounts are still active within the company. Often the people had access to credit cards, billing, Payments or even employee or client data.
Not addressing this issue is no longer an option
Now this is probably way too involved for you to take care of on your own or even to ask your in-house IT dept or IT provider but it can be done. The fact is those people usually have pretty full plates and is where I have seen the most push back from. I feel this push back is out of lack of knowledge, being over whelmed with what they are doing already or they are not trained in cybersecurity. All of these can be threatening to your current IT personnel.
Fortunately that is where we focus our efforts. We are not interested in replacing your current in-house IT or outsourced IT partner. Our vision is to enhance their abilities by taking a large analytical and administrative burden and providing you and them with a roadmap to a more secure business and the documentation required as proof for cyber insurance and compliance. In short we deliver Enterprise Calibre Cybersecurity Solutions to small businesses affordably.
If you have questions or need assistance please let us know. We will do everything we can to assist you.