Cybersecurity: What Is At Risk And Where Do We Start
There are a handful of key business tasks that are top of mind for many small business owners. Generating revenue, keeping customers satisfied, complying with regulations, making payroll, are just a few. One blind spot for many businesses, however, is the security of their business documents, equipment, and employee/customer data. “Is it working? Ok then let's worry about that another day.”
In reality the risk is growing, and it is significant. We are storing more information every year. The vectors to access our data grow daily and become more complicated. The value of our data also increases over time.
Business owners put more thought and time into physically securing their buildings and property than they do their software, business information, and key digital assets. Those digital assets, such as point of sale systems, servers, email, and more are typically mission critical for the business.
How bad can it be?
Getting hacked may shut your business down. There may be penalties to pay and legal exposure as well. Customer trust and loyalty may be lost. Your secrets may become public, and your funds may be transferred. In short, it can be devastating. The best case scenario is simply a big expense of time and money to fix the problem. Much like not maintaining your car will lead to much more expensive if not disastrous outcomes down the road, maintaining your systems, procedures, and training will save the typical business owner considerable time and money as well.
What Kind of Threats Are There?
While there are many types of threats, here are some of the most common threats featured by Mainstay Technologies:
- Social engineering: This is the most popular way for a business to be compromised. Your employees, team members, staff and users are your No. 1 attack surface. This happens through a phishing email, a phishing phone call (also called vishing), or through in-person manipulation. There is a 91% chance that if your information is compromised, it will have started as an email link that someone shouldn’t have clicked, or a document they shouldn’t have opened.
- Ransomware: This technique relies on an employee clicking on an email link or downloading a file that looks legitimate but is not (phishing). Once that link is clicked, or the file is downloaded, the hackers will render all data on the system useless (through encryption) and demand a payment to provide you the decryption key so that you can have your files and access back. If you choose not to pay, your system will need to be rebuilt and restored from a back-up in order for you to continue working.
- System compromise: This could manifest in a variety of ways, from compromising your email system and sending phishing emails through your account to taking control of your servers and most things in between. We have seen, firsthand, the compromise of email systems, exfiltration of data, the redirection of invoice payments, the interception of critical documents and the loss of servers, data and money that can occur when your system is impacted by unauthorized access.
What Can Be Done?
Identifying risk starts with understanding your environment: Where are the gaps in your security, what vulnerable data are you working with and who has access, how are your vendors protecting customer data, what are some physical, technical, and administrative security controls?
Identifying potential threats: Where to be vigilant, what to look for, and how to respond.
Increasing your team’s security and awareness: By utilizing email phishing tests, cybersecurity training, and ongoing education.
While you may identify someone in your business as responsible for cybersecurity, remember that it requires thoughtfulness and training of all employees to be successful.
Coming up: We will be focusing on identification of risks and threats on our upcoming webinar with Mainstay Technologies on May 17th, and managing threats using the Data Assured program and the Cybersecurity Workbook on May 6th. Register here.