Mistake #1: Not training staff in cybersecurity
Related article: Top 4 reasons you need to train your employees on cybersecurity
Reckless employees are your biggest liability when it comes to cybersecurity. In a 2018 study by the Ponemon Institute, 61% of the respondents attributed the cause of a data breach to a negligent employee, an alarming 112.9% increase from 2017. Negligent behavior in this study includes interacting with unsolicited emails, visiting dangerous websites, and having poor password habits. To reduce the risk of employee-induced data breaches, security awareness training is essential, and here are several reasons why:
- Employees are the first and last line of defense: Training your employees on cybersecurity best practices creates a culture of accountability and ensures that your security policies protect you from human errors and vulnerable IT solutions.
- Compliance regulations demand it: To remain compliant with industry and government regulations like HIPAA, it’s imperative that you train your employees how to handle customer data.
- Clients will trust you more: When potential clients evaluate your business, one of their biggest concerns will be how you’ll look after their data. A major part of building trust among potential and existing clients is being able to prove that you, along with everyone on your team, take cybersecurity seriously.
- You’ll reduce downtime: Network outages and crashed servers are telltale signs of impending problems, but if employees are trained to recognize red flags early, your IT support team can be notified immediately to prevent outages entirely.
Fix this mistake by: Creating an engaging cybersecurity training program
Related article: Best practices for a successful security awareness training program
A properly researched and well-executed security awareness training program can help lower the risks of data breaches caused by internal factors. But there are several things you must take into consideration to ensure the training is effective and meaningful.
- Gamify your training: Set up a reward system where people who display positive cybersecurity behavior are incentivized. People like it when they are recognized for their efforts, and the positive experience will encourage them to be vigilant.
- Make it natural: If you do cybersecurity training once or twice a year, it becomes an event, and might get perceived as a standalone matter that begins and ends within the training period. It’s better to build a culture of security in your business instead: include cybersecurity training in your onboarding process and encourage employees to incorporate the habit of reading modules about spam, phishing, and social engineering before they begin their daily work.
- Do it often: Continuously review and revise your training materials and objectives to make sure that they are still up to date and accurate. It's a good idea to vary your content by focusing on the latest tactics cybercriminals are using.
- Encourage employee engagement: Make people feel integral to the process of keeping your data secure. Let their knowledge and limitations help you identify the weakest links in your security and guide you on how to fortify them.
- Make it real: Simulate cyberattacks to get everyone prepared for the real thing. This involves conducting “live fire” training, where you deliberately try to phish people in your company and test password strength. Providers specializing in security training can help you achieve this goal.
Related article: Creating an engaging cybersecurity training program
Mistake #2: Weak BYOD policies
Related article: BYOD security risks every business owner should know about
While bring your own device (BYOD) policies have given employees more flexible working options and remote work possibilities, they have also brought about security risks, such as:
- Increased exposure to external attacks: Personal devices are vulnerable because they do not have the same firewalls and sophisticated security systems as company-owned devices. Moreover, employees bring their devices with them when they leave the office premises, and they may connect to unsecured Wi-Fi networks.
- Data leaks from lost devices: When mobile devices are misplaced or lost, they risk falling into the hands of criminals capable of breaking their rather flimsy security and accessing critical and sensitive business data, like customer information and payroll details.
Fix this mistake by: Implementing a BYOD policy that works
Related article: 5 Tips for implementing a secure BYOD policy
When allowing employees to use their own devices for work, make sure you:
- Establish security policies for all devices: Build your security policies around the guidelines and compliance requirements for your industry. For example, healthcare or finance companies that store sensitive data will have far more restrictions than a small startup. Decide on things like the minimum required security controls for devices, data encryption and password requirements, and what gets stored on employee-owned devices versus local storage facilities.
Related article: Password policy requirements to help companies avert attacks
- Define guidelines for acceptable use: Acceptable use policies define what sites and company-owned assets (emails, calendars, documents, contacts, etc.) users can access on their device. They also outline what policies will be implemented to ban employees from storing or transmitting illicit materials or engaging in outside business activities on their personal devices. This restriction prevents malware from entering your system through unsecured websites and apps.
- Use mobile device management (MDM) software: MDM makes it easy to contain threats and minimize damage quickly in the event of a breach or attack. MDM software lets you monitor, manage, and configure all BYOD devices from a central location. It allows you to roll out security updates across all company-registered devices, perform vulnerability scans, block devices with potentially compromising apps from the network, and wipe lost or stolen devices remotely.
- Communicate BYOD policies to all parties: BYOD policies are only successful if they are communicated to all parties involved. This way, participants understand their responsibilities and the consequences of their actions. Make sure all users sign an agreement acknowledging that they have read and understand your BYOD policy. This will protect you from liabilities associated with employees who engage in illegal or inappropriate behavior on their BYOD devices.
- Set up an employee exit plan: At some point, employees with devices on your BYOD platform will leave the company. Failure to remove their access to company networks and data can lead to security issues down the line. Make a BYOD exit checklist so you can be sure to have disabled company emails, wiped company-issued devices, and changed the passwords to all their company accounts.
Mistake #3: Relying on a single IT person
Related article: Managed IT vs. in-house technician: Which is best for your business?
By relying on a single IT person to manage security issues, businesses are creating a single point of failure. Below are some problems a business may run into if it keeps depending on one person alone:
- High costs: Having in-house IT personnel is expensive. According to Glassdoor, a website that allows employees to review companies they work or have worked for, the average cost of hiring a regular on-site IT employee in Chicago is $45,000 per annum. On top of this, you’ll have to pay for employee benefits and their training and development. And if they don’t fit your company, you will have to go through the rigorous process of hiring and training all over again, incurring more expenses. There are also costs associated with purchasing network security tools and software, which can be expensive if you run on a tight budget.
- Unreliability: Your data is safe while your IT person is there; but what if a cyberattack happens during their days off? What if they suddenly call in sick? You will be left with no cybersecurity support, leaving your data vulnerable. You need an IT support team that will watch over your system 24/7/365.
- Limited expertise: Technology is broad and evolves very quickly, and it’s impossible for one person to know everything about it. For example, he or she might be well-versed in common network security concerns but lack knowledge in dealing with the latest threats like ransomware and advanced persistent attacks. That’s why you need IT support that has both the depth of knowledge and breadth of experience to address all your security concerns.
Fix this mistake by: Partnering with a managed IT services provider (MSP)
Related article: 7 Signs of an exceptional managed services provider
Managed IT services providers function as outsourced IT departments. They have teams of security experts who can monitor your network for threats and keep your data safe and sound.
- MSPs are cost-effective: For starters, MSPs provide security experts and use their own equipment to reduce your exposure to risk, so there's no need to spend money on training in-house IT personnel and purchasing special security tools. Instead, you only pay a fixed monthly fee for robust cybersecurity services.
- MSPs give you round-the-clock protection and service: The managed services model gives you a team of dedicated professionals who will look after your data around the clock, seven days a week. This means they can address your most pressing security issues at any time. If necessary, your local MSP can provide remote support and even do an on-site visit to help you with your IT needs.
- MSPs are as knowledgeable as they are experienced: The best MSPs have served clients in various industries, and have dealt with a wide range of IT risks throughout the years. Be it network security, social engineering, or malware, MSPs have the knowledge to protect you from all manner of threats. When implementing new solutions, they will also test the technology on their own systems first to make sure that deployment goes without a hitch.
Mistake #4: Not having a reliable disaster recovery plan
Related article: Disaster recovery statistics business owners need to know
Failure to implement a solid disaster recovery plan (DRP) is another common issue among businesses. Its two key points, data backup and business continuity, minimize the impact of data breaches, ransomware, and unexpected downtimes. Unfortunately, the state of businesses when it comes to DRPs does not look good.
- Only 25% of small businesses have a DRP: The remaining 75% have none. This is alarming because if you're unable to recover your data and systems after a major cyberattack, your business is at risk of closing its doors for good.
- The cost of recovering from data loss can be staggering: Data loss can cost you a fortune in downtime, compliance penalties, and reputational damage. To break it down, the average cost of downtime across industries can be as high as $5,600 per minute, or $300,000 per hour. On the other hand, indirect costs don’t have an equivalent monetary value but can lead to your doors closing forever when clients lose faith and trust in your business.
Fix this mistake by: Making disaster recovery a priority
There are myriad things to attend to when running a business, but keeping the business running should be at the top of your priority list. Having a disaster recovery plan is simply non-negotiable, and here are some steps you can take to ensure that your business stays afloat when a crisis hits.
- Assess your cyber risks and identify your most crucial assets: When a cybersecurity attack hits your business, you have to be able to keep your organization functioning. Conduct an assessment of your facilities and processes to know which data, applications, and hardware need to be protected to keep the business operational. They should have the toughest security and would take priority during backup and recovery.
- Back up your data in multiple locations: Your data should have at least three copies, so backup and recovery doesn’t become a problem in the event of a data breach. For example, you can have a physical copy of a contract, its soft copy on your local hard drive, and another copy in the cloud. In the event that malware infects your device and corrupts the files on your hard drive, you still have access to the other copies.
- Develop a communication plan to warn customers and stakeholders about the breach: Apart from the fact that your customers and stakeholders have the right to know that their data might have been compromised, transparency can also lessen indirect costs by keeping the concerned parties’ trust in your company intact, since you are not keeping anything from them.
- Train employees and test your recovery procedures: Further damage can be mitigated if your employees know what to do during a cyberattack. If a device has been held ransom, for instance, your staff should know that they should not pay for it to be unlocked. It is a smart idea to do a dry run of your recovery procedures, and get your employees involved, so that they will have a clearer picture of what to expect and how to act in case your system suffers from a data breach.