While 86% of SMBs see cybersecurity as one of their top five priorities for their organisation, more than half recognise they lack the in-house skills to address this evolving issue and are looking to cybersecurity vendors and service providers for advice.
Any small business owner knows that the range of options available can be vast and overwhelming. What many don’t realise is that simply having a cybersecurity solution in place does not necessarily mean the business is protected from all potential threats. This is not only because of the broad range of threats now entering our workplaces and personal devices, but also because most small business employees lack basic cybersecurity knowledge.
Even the largest and most sophisticated technology companies, including Facebook and LinkedIn, have been recent victims of data leaks, leading to personal information and data being posted online for sale. A cybercriminal who leverages these kinds of personal details, or simply someone’s vulnerability during the pandemic, can prompt one wrong click or download by an employee, opening the door wide to cyber attacks. Running small businesses with a cybersafe mindset is critical to surviving, particularly as Australia’s SMBs prepare to emerge from the pandemic with a more digitally-driven hybrid workforce than ever.
Ensure employees know what is and isn’t a reasonable online request
Phishing emails, a tactic used by cybercriminals whereby they pretend to be someone asking for personal information, passwords, or credit card details, increased by 62% in 2020 in comparison to 2019. Although a single phishing attack could involve hundreds or thousands of fake emails, these are highly targeted activities, designed to catch that needle in the haystack – i.e. all they need is one employee to fall for the scam, and they have a way into the entire business.
Commonly, a cybercriminal will pretend to be a manager, business owner, or colleague casually asking for login details or some ID-related information so they can access a commonly used tool. A simple way to keep the business from falling victim to these attacks, while also making it clear to employees how they can help counter them, is to draw up a comprehensive set of rules on what information is and is not reasonable to ask for over email, text, or online messaging tools.
For example, if all staff are aware that credit card information will never be requested over email, it becomes easier for staff to avoid these scams, as well as report them as soon as they appear. A simple list of ‘do’s and don’ts’ for internal staff could save the business tens of thousands of dollars. This is the kind of basic knowledge that should be shared and updated through internal cybersecurity awareness training on a regular basis.
Leave the front door closed – get passwords and authentication right
If a cybercriminal does gain access to a critical piece of information, such as a password, it can be easy for them to then access a particular tool or system that could damage the business, as well as guess the passwords of other systems used by the business. This is where having multi-factor authentication and basic password hygiene can have a significant impact on mitigating cyber risks.
Multi-factor authentication (MFA) requires several pieces of information or data to grant access, rather than solely relying on a PIN, card, or fingerprint. Two-factor authentication (2FA) is the most common type of MFA, where two pieces of the puzzle are required, such as a PIN as well as proof of identity.
Furthermore, passwords that can take less than a second to crack – such as 123456 – are still being regularly used. It may seem like a hassle for people to use passphrases and keep their passwords regularly updated, but in comparison to having this ‘hassle’ lead to a targeted company-wide cyber attack, the time required is an easily justifiable drop in the ocean.
Having the right cybersecurity technology in place, one that is regularly and automatically updated and also provides automated backups, is a critical piece of the small business cybersecurity challenge that ties everything together. But it would be naïve for small business owners to think that the software is anything more than step one. Collaborating with cybersecurity experts to ensure your business has enterprise-grade cybersecurity software defences that don’t cost exorbitant amounts, coupled with an ongoing and proactive approach to building a cybersecurity-minded workforce, will be critical to keeping cybercriminals out and your business running.