Businesses of all shapes and sizes confront cybersecurity risk each and every day, and the COVID pandemic has added a few challenges to the equation. Let’s look at what owners of small businesses need to understand to properly manage their cybersecurity risk.

Every single business has some level of risk that its business owners need to understand and manage in order to be successful.  There are risks related to financing, office space, staffing, supply chain, inventory, and physical security – just to name a few.  Cybersecurity risk is a subset of overall business risk, and in 2021, it can represent a significant percentage of all the risk that a business owner will have to understand and manage.

Owners and proprietors of small businesses today are often at a disadvantage when the topic of cybersecurity risk arises, for three very important reasons:

  • They are often unaware of all the areas of risk involved.
  • Risk management failures are often more devastating for a smaller business.
  • The pandemic has added computing challenges that also add cybersecurity risk.

Glossary of Terms

Before we start to describe some of the areas of cybersecurity risk that we would like to address, let’s take some time to define a few key words and phrases:

  • Risk Management – The practice of identifying and analyzing all the potential risks to your business, and taking steps to reduce (or sometimes accept) those risks.
  • Cybersecurity Risk Management – Risk management related to network, application, device and data security; data privacy; and regulatory compliance.
  • Assets – The computing devices and applications and platforms used and owned by your organization and its employees, in order to make your business run successfully.
  • User Credentials – The combination of a username (often an email address) plus a password, used to log on to a device or into an application.
  • Multi-Factor Authentication (MFA) – Adding some sort of token to a user credential in order to make access to a system more secure.  Mobile applications like Google Authenticator, or a 6-digit code received via SMS, are commonly used as the additional factor.  This technology is sometimes referred to as Two-Factor Authentication (2FA).
  • Malware – Any bad/undesirable software that can allow an attacker to take control of a computing device and/or steal data and/or prevent the legitimate user from accessing or using the device.  Ransomware is a popular and particularly expensive and annoying type of malware.
  • Phishing – The act of tricking a person into taking an action in an email (or via SMS/text) that inadvertently allows or causes malware to run on their device, where it can steal data or take over the device.  Phishing is the primary means of getting ransomware into an environment.
  • Vulnerability – A weakness or defect in software that allows an attacker to take advantage of a computing device to steal data and/or prevent legitimate use of the computing device.  Any vulnerability that allows an attacker to take over a machine from a distance, and without having to first trick the user, is a very critical vulnerability.
  • Patching – Updating software on any type of technology asset, including mobile phones, in order to fix software defects or vulnerabilities in that device.
  • Breach – A security incident when an attacker is able to get past your network, systems or application defenses, and make it into your network, systems or applications; or is able to get data out from your technology assets.  If a computing device is stolen or lost, and someone is able to get access to the data stored on it, this is also considered a breach.
  • Insider Threat – Many of the cybersecurity problems that businesses face are caused by people inside their organizations, whether current staff or former staff.  Whether it happens on purpose or through carelessness, a breach initiated by someone from your organization is deemed an insider threat – unless they were tricked in some way, such as via a phishing email.

Who Has Cybersecurity Risk?

Many small business owners assume that they do not have the same concerns as larger organizations when it comes to cybersecurity risk, but the truth is that the internet levels the playing field in two key ways.  First, it allows a business of any size to obtain the same maximum reach for customers as any other business.  Second, it exposes every business to all the same attackers as every other business.  Yet larger businesses usually purchase bigger and better tools, and have more staff to look at security issues, than smaller organizations.

(Bigger tools and more staff don’t automatically make a business secure, but they can be helpful in identifying and reducing risk.)

Here are some of the most common areas of cybersecurity risk that small businesses face:

  • “Need to Know”
      o Limit each person's access to what they actually need
  • The Tech Side of Security
      o Inadequate or non-existent device inventory
      o Non-existent backups
      o Phishing and Malware (including Ransomware)
      o Inadequate network security
      o Inadequate device security
          § PCs and Laptops
          § Tablets and phones
  • Convenience over security
      o Connecting to any random wireless network to work
      o Allowing everyone to have access to almost everything for flexibility

Need To Know

A lot of cybersecurity risk is related to technology, but not all of it.  There are also personnel aspects to this issue.

“Need to Know” is one of the key principles, and it says that people should only have access to the accounts and systems that they actually need in order to do their jobs effectively.  For instance, if someone is responsible for managing Human Resources (HR) data, but not Payroll data, then they should not be given account credentials that would allow them to access Payroll data.  Their credentials should only grant them access to the systems/applications that they need to do their jobs (i.e. HR), and if their job changes, so should their access.

To minimize this risk, make sure that every employee is using separate, unique credentials.  Also make sure that the credentials needed to access different types of applications are different.  If the same credential is used for Payroll, HR, Accounts Payable, and Sales, then it is very likely that a breach of one system or application will result in the breach of all the other systems.

Asset Management

Many organizations – especially smaller ones – ignore two important items.

  • Systems and Application Inventory
  • Systems, Application and Data backups

If you don’t know what assets you have or use, it will be difficult to track them, secure them, patch them, or back them up.  If you’re not backing them up regularly, then ransomware attacks or other malware attacks can be especially damaging to your business.

The task of tracking asset inventory has been made much harder by the pandemic.  Even company-issued laptops or tablets might be used by staff at home for non-company purposes. Alternatively, your staff might be using their own computing devices to connect to company resources.  Both of these scenarios can expose your company data to inadvertent risk, by making it easier to pick up malware or suffer data loss if the computing devices are not kept secure and up to date.

If you are issuing company assets to your staff, then make sure you are running inventory software and security software, and have communicated policies for how the assets can be used. And make sure you have a plan for backing up your critical data.

Network Security & Asset Security

Your network needs to have good security and configuration. 

This includes your WiFi. If your WiFi is not secure, then other people nearby might be able to connect to your network and gain access to your critical data that way.

If your network gateway is not configured securely, then other people might be able to access your network from across the internet (from anywhere in the world), and probe your network for vulnerabilities.  Billions of networks are scanned each and every day, as attackers search for vulnerabilities in software or configurations that they can exploit to steal data and run malware.

Your assets need to have good security software installed. 

In addition to the protection provided by your network security device, you need to ensure that every computing asset also has good security software installed on it, to protect against various forms of malware.  Every layer of defense is important, especially when you have mobile assets which might not always be behind the protection of the network security gateway.

This is important enough to repeat: Make sure that any assets that connect to your network or applications in any way are kept up to date, properly inventoried, and patched.

Lastly, your staff need to be trained to recognize security threats. 

Security Awareness training is vital for helping your employees understand how security attacks occur, and teaching them to adjust their behavior to minimize their risk of falling for an email phishing attack or a social engineering attack over the phone.

Good defenses on each asset can prevent breaches or limit their scope from all your assets to just a single asset.

According to a report by the Cybersecurity and Infrastructure Security Agency (CISA), there has been a significant increase in reported ransomware incidents through July 2021, as compared to the same period in 2020.   

Understanding Cybersecurity Risk -- Small Business Edition

The risk of being infected by ransomware is not limited to large organizations.  Any company that is connected to the internet could be hit by a malware attack, especially if its staff fall for phishing emails first.

Be Careful with Convenience

We all want things to be more convenient for us, especially if we have to perform the same action many times a day.  But convenience can be a double-edged sword.  What is easier for you is also easier for an attacker.

Using the same credential everywhere makes it easier for you to log on to multiple systems.  But it makes attacks easier, too.

Using default passwords and configurations makes it easier to get set up and running – both for you and for your attacker.

Connecting to any random WiFi network in an airport or coffee shop makes it easy for you to get your work done wherever you are.  But all of these things make it easier for your attacker, too.

To reduce your cybersecurity risk, you are going to have to do things the slightly harder way, in order to make it a whole lot harder for any attackers that come your way.

  • Limit yourself to using only known, secure WiFi connections and hotspots.
  • If you choose to use strange WiFi connections, be sure to also use a Virtual Private Network (VPN) to secure your access.
  • Use multifactor access, especially for sensitive systems and applications.
  • Don’t give everyone in your organization access to everything just because it is easier in an emergency.  Plan to have a limited number of people with access to the specific systems they need to run your business successfully.
  • When people leave your business, make sure you change the passwords and credentials for everything they had access to.
  • Be careful where you download your software from, and what you install on your assets.
  • Remember: if it is too easy for you to access, it is even easier for your attacker to do so.

In Summary

Cybersecurity risk is not just technology-based.  Inventory, backups, patching, network device configuration, account credentials, multi-factor authentication, and anti-malware software are all important parts of managing cybersecurity risk.

But there is a people side to cybersecurity risk as well.  It is important to address security awareness training, policies for what is acceptable to do on your network, and strategies for how your staff will access and manage applications and data.  Most important is understanding the “need to know” standard for your organization.

Small business owners can begin to get a better handle on their cybersecurity risk by getting themselves acquainted with the items outlined above, and beginning to evaluate and implement the recommendations provided.

Andrew S. Baker is the president and founder of BrainWave Consulting Company, LLC where he provides consulting services for the SMB/SME market in the areas of Cybersecurity, Compliance and Information Technology Operations.