Hackers do not discriminate based on the size of a business. In fact, some of the smallest businesses contain the most sought after Personally Identifiable Information (PII) – treasure troves about their customers’ homes, cars, boats and financial investments. Even businesses like car washes and restaurants aren’t immune from hacking – after all they are using customer data for monthly mailers and store promotions to market their services, not to mention having transaction data from point-of-sale systems.
If any business, small or large, believes they are immune to cyber security attacks, data loss, and financial penalties due to insecure systems, they are wrong. Home-based business all the way up to enterprises need to take note of some very basic security practices to ensure they are not a victim of the next cyber security breach.
Cyber attacks are increasingly targeting small businesses
According to Small Business Trends, 43% of cyber security attacks target small businesses. Tactics range from phishing and drive-by browser attacks, to web application flaws. This means that hackers are not specifically targeting your business like a named bank or insurance company, but rather using opportunistic, automated techniques to trick individuals into allowing malware into your environment and informing them that a new compromised asset has been added to their manifest. After it is “0wned”, anything from surveillance, data extraction, or ransomware is possible based on the attacker’s motives. Considering most small to medium size businesses do not have full-time information technology staff (let alone part-time security staff), security gaps appear in assets that are not properly identified, documented and remediated in a timely fashion. This leaves them a high risk compared to enterprises simply based on a lack of resources and processes to mitigate evolving threats.
Basic Security Practices to Mitigate the Risks of Cyber Attacks
So what are small and medium businesses supposed to do? First, follow basic security best practices that can mitigate the bulk of the risks:
- Change all default or blank passwords. This stops automated threats that can log in and install malware. This is most common on infrastructure and IoT
- Remove administrative rights from all desktops and servers (when possible). This prevents the installation of malware and unauthorized applications.
- Rotate passwords when there is a transition of employees. This helps prevent insider threats and problems from former employees.
- Identify missing security patches and apply them on a regular basis. This helps prevent exploits that target easy, “low hanging fruit,” like Flash and Java.
- Provide basic security training on the handling of sensitive information. Teach users not to make simple mistakes like clicking on unknown links or opening strange files that may contain malware.
Second, realize that there are tools in the marketplace for small to medium size businesses to accomplish these recommendations with minimal additional resources. BeyondTrust recognizes that paper-based recommendations are great when a company has resources to implement them (large and enterprise) but when dealing with small to medium size businesses, they need some help and the solution needs to be simple, easy, and cost effective.
BeyondTrust’s PowerBroker Privileged Access Management (PAM) and Retina Vulnerability Management (VM) solutions are considered best-of-breed technology that can operate completely standalone for a small to medium size business, or integrate into the BeyondInsight IT Risk Management Platform (via software, cloud, virtual or physical appliance) to scale to the largest of enterprises worldwide. Clients can manage administrative rights to applications simply by having an Active Directory domain with PowerBroker for Windows or assess for missing security patches using the Retina Network Security Scanner. As the business grows, these solutions can be linked together to provide additional value and streamline use cases.
It is not often you find a company that can provide solutions for everything from a small business all the way up to an enterprise. It is not often you find a company that understands the challenges small and medium size businesses have. BeyondTrust can help with both and make the recommendations for security best practices a reality in your organization. For more information, contact a BeyondTrust representative for a one-on-one strategy session or demo.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.