Cybersecurity: What businesses need to know

September 5, 2017 | Steve Hyde

Small businesses are often targeted for cyberattacks. Take these steps to protect your business from hackers.

Small businesses, large target for hackers

When speaking with clients about cybersecurity, I often hear small- to medium-sized businesses say, “We’re not that big—there’s no way we’d be a target.” The organization’s size doesn’t matter when it comes to hacking attempts. In fact, smaller organizations are less likely to have the cyber defenses that a larger, more sophisticated organization might have.

Here are a few projects you may want to consider if you don’t feel you’re quite ready to defend against a cyberattack. 

Classify your data

The types of data that your organization processes and stores play a large part in how big a target you are. Perform a data analysis to determine the types of data that you store. Is there…

  • Personal Identifiable Information (PII)?
  • Healthcare information protected by HIPAA regulations?
  • Credit card information protected by Payment Card Industry regulations?
  • Tax return information?

Determine the types of data you have, where it’s stored, how it’s protected, and ultimately how it’s deleted. If you find areas where data isn’t protected, this should immediately become a priority in the short-term plan of your technology strategy.
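One way to start the data analysis described above is to run a discovery scan over file shares and exports, flagging records that look like card numbers (Luhn-validated, as the Payment Card Industry expects), U.S. Social Security numbers, or e-mail addresses. The script below is an added illustration, not code from the original article; the file paths and record contents are constructed samples, and the card number is the well-known test pattern rather than a real account.

```python
import re

# Constructed sample records standing in for files or database rows.
# None of these values belong to a real person; 4111 1111 1111 1111 is a
# standard Luhn-valid test number.
SAMPLE_RECORDS = {
    "invoices/2017-08.txt": "Paid by card 4111 1111 1111 1111, contact jane@example.com",
    "hr/onboarding.csv": "name,ssn\nJohn Doe,123-45-6789",
    "marketing/plan.txt": "Q4 campaign budget and messaging notes",
}

# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# SSN in AAA-GG-SSSS form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of regulatory labels that apply to one record's text."""
    labels = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            labels.add("PCI")     # card data: Payment Card Industry rules apply
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        labels.add("PII")         # personal identifiable information
    return labels


def scan(records: dict) -> dict:
    """Map each record/file name to its sorted labels; empty list means nothing sensitive found."""
    return {name: sorted(classify(text)) for name, text in records.items()}


if __name__ == "__main__":
    for name, labels in scan(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(labels) or 'no sensitive data detected'}")
```

The output of `scan` is the starting point for the inventory the article asks for: every path with a non-empty label list needs an owner, a storage location, an access control and a retention rule. Pattern matching produces false positives, so treat hits as leads to review rather than a final classification.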

Backup data strategies

Be sure to review your backup data plans on a regular basis. Is the data encrypted? Has the data been restored in the past few months? And are you sure that the backup data is free from malware or viruses? One of the best ways to defeat ransomware is to know for certain that your backup data can be relied upon should your current environment become compromised.
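A test restore only answers the question above if you can compare what came back against what was backed up. The following is an added example, not the article's or any vendor's tooling: it records a SHA-256 manifest at backup time, then checks a restored tree for missing, modified or unexpected files and for any file whose hash appears in a denylist of known-bad hashes. The directory contents and the "known bad" hash are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every file under `root` at backup time (store it with the backup)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path, known_bad: set) -> dict:
    """Compare a test restore against the manifest and a hash denylist; return the problems found."""
    actual = {p.relative_to(restored).as_posix(): sha256_file(p)
              for p in restored.rglob("*") if p.is_file()}
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(r for r in manifest if r in actual and actual[r] != manifest[r]),
        "unexpected": sorted(set(actual) - set(manifest)),
        "malicious": sorted(r for r, h in actual.items() if h in known_bad),
    }


def restore_is_trustworthy(problems: dict) -> bool:
    return not any(problems.values())


def demo() -> dict:
    """Constructed scenario: one file restored intact, one modified, one missing, one planted."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp) / "source", Path(tmp) / "restored"
        (src / "finance").mkdir(parents=True)
        (restored / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("acct,amount\n100,25.00\n")
        (src / "finance" / "payroll.csv").write_text("emp,net\n1,2500\n")
        (src / "readme.txt").write_text("quarterly close procedures\n")
        manifest = build_manifest(src)

        # Simulate the test restore.
        (restored / "finance" / "ledger.csv").write_text("acct,amount\n100,25.00\n")      # intact
        (restored / "readme.txt").write_text("quarterly close procedures (edited)\n")      # modified
        # finance/payroll.csv deliberately not restored -> missing
        planted = b"constructed stand-in for a malicious file"
        (restored / "finance" / "dropper.exe").write_bytes(planted)                      # unexpected
        known_bad = {hashlib.sha256(planted).hexdigest()}   # constructed denylist entry
        return verify_restore(manifest, restored, known_bad)


if __name__ == "__main__":
    result = demo()
    for category, paths in result.items():
        print(f"{category}: {paths or 'none'}")
    print("trustworthy:", restore_is_trustworthy(result))
```

Run this as part of the periodic restore test: an empty report is the evidence that the backup can be relied upon, while a non-empty "malicious" or "unexpected" list means the backup captured an already-compromised environment and an older generation should be tested instead. The manifest must be stored where ransomware on the production network cannot rewrite it, otherwise the comparison proves nothing.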

Patch management planning

Another area to beef up defenses is to review your patch management plan. Or, more likely, create a patch management plan! It’s often overlooked, but software companies release patches regularly to combat newly discovered vulnerabilities. These patches are sometimes released within days (or even hours) of a major vulnerability being found. Is your software patched? Does your IT team regularly look at the available patch releases to determine which ones are critical?
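Deciding which patch releases are critical is easier when the comparison is automated: take the installed software inventory, compare each version against the fixed versions in vendor advisories, and rank the gaps by severity. The script below is an added example rather than anything from the article; the host inventory and the advisories (IDs, fixed versions and CVSS scores) are constructed placeholders, not real vulnerability records, and the severity bands follow the CVSS v3 qualitative scale.

```python
import re

# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "fileserver-01": {"samba": "4.5.2", "openssl": "1.0.2k"},
    "web-01": {"nginx": "1.10.3", "openssl": "1.0.2g"},
}

# Constructed advisories with placeholder IDs; in practice these come from the vendors' feeds.
ADVISORIES = [
    {"id": "ADV-0001", "package": "openssl", "fixed_in": "1.0.2k", "cvss": 7.5},
    {"id": "ADV-0002", "package": "samba", "fixed_in": "4.5.3", "cvss": 9.8},
    {"id": "ADV-0003", "package": "nginx", "fixed_in": "1.10.3", "cvss": 5.3},
]


def parse_version(version: str) -> tuple:
    """Turn '1.0.2k' into ((1,''),(0,''),(2,'k')) so versions compare numerically, letter suffix last."""
    parts = []
    for component in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", component)
        if not m:
            raise ValueError(f"unsupported version component: {component!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def severity_label(cvss: float) -> str:
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"


def outstanding_patches(inventory: dict, advisories: list) -> list:
    """List every host/package behind an advisory's fixed version, most severe first."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is not None and is_vulnerable(installed, adv["fixed_in"]):
                findings.append({
                    "host": host, "package": adv["package"], "installed": installed,
                    "fixed_in": adv["fixed_in"], "advisory": adv["id"],
                    "cvss": adv["cvss"], "severity": severity_label(adv["cvss"]),
                })
    findings.sort(key=lambda f: (-f["cvss"], f["host"], f["package"]))
    return findings


if __name__ == "__main__":
    for f in outstanding_patches(INVENTORY, ADVISORIES):
        print(f"[{f['severity']:8}] {f['host']}: {f['package']} {f['installed']} "
              f"-> {f['fixed_in']} ({f['advisory']}, CVSS {f['cvss']})")
```

The sorted list is the weekly worklist the article calls for: anything rated critical or high gets an emergency change window, the rest rides the regular patch cycle. Version schemes differ between vendors, so the parser rejects formats it does not understand instead of silently comparing them wrong.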

Segment sensitive areas

When it comes to technology, look for the best ways to segment sensitive areas so that malware cannot infect the entire network. Many security software vendors (from firewall to anti-malware/virus) offer tips for segmenting email boxes so that a user clicking on a malicious link only infects the single computer. This is typically done within a virtualized environment where the email boxes can be quarantined and “sandboxed” so as not to infect other users. Additional anti-malware software disallows the running of any executable file without an administrator’s authorization, making it harder for a user to unknowingly infect their computer.

Educate your users

The best policies, technologies and processes can all be thwarted by human error, so you need to educate the entire organization on the threats of ransomware and phishing. At Schenck, we used a tool called KnowBe4 to run internal phishing tests to see who would click on the links. The links (if clicked) take users to an educational page to learn more about how to detect malicious emails. I highly recommend performing internal scans like this on top of providing annual security education sessions.

Look for weak spots

While an internal phishing campaign may help point out problem end-users, an internal vulnerability scan and penetration test may help point out problem technology areas. The vulnerability scan looks for open doors within your network, and the penetration test determines just how far a hacker could go if they were to get in.

As you can see, there are many different areas you can strengthen to help thwart a cyberattack. The hackers are getting better and better at getting inside, and we have to remain vigilant to keep them from any sensitive data. A business’s sensitive data will always be a large target, but it doesn’t mean that it needs to be an easy one.

Should you have any questions on the projects mentioned above or cybersecurity in general, please feel free to reach out to our cybersecurity specialist, Steve Hyde, at 800-236-2246.

Steve Hyde, MS, MBA, chief information officer and director-information technology services, has more than 20 years of technology-related business experience including business process redesign, hardware/software assessment and implementation, PMO creation and project management methodologies, metrics/dashboard creation, and designing technology strategy and controls.