[BreachExchange] Standing Your Cyber Ground: What SMBs Need to Know to Stay Secure

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 20 19:37:27 EDT 2016


http://www.information-management.com/news/security/standing-your-cyber-ground-what-smbs-need-to-know-to-stay-secure-10029821-1.html

It’s not surprising that small and medium businesses (SMBs) are becoming
more aware of cyber threats. High profile breaches make the headlines every
day and “small time” incidents are becoming more and more successful
against SMBs.

Even so, a recent survey shows that 60 percent of SMBs do not consider
cyber-attacks to be a big risk to their organizations and 44 percent don’t
consider strong security to be a priority. Yet, a recent study shows that
over 50 percent of SMBs surveyed (sized 100-1,000 employees) reported a
cyber-attack or data breach in the past year.

Cyber-attacks can cause considerable financial damage to a business, since
the average cost of a cyber-attack for an SMB was over $8,000 in 2015.
However, that cost does not include intangibles such as downtime, loss of
business, remediation and so forth, meaning that the actual cost to an SMB
is possibly far greater – some even estimate it at an additional $10,000.

With malware and ransomware services becoming more accessible to hackers,
businesses need to be aware of the risk they face. While SMBs are not
necessarily at any higher risk of attack than larger enterprises, the
concern lies in the availability of resources as well as employee
education.

SMBs must make themselves completely aware of risks at hand. With this
understanding, businesses can ensure that the correct focus is being placed
on the areas in which they are most at risk.

With limited IT budgets and a shortage of skilled resources, SMBs should
concentrate their spending on systems featuring as much automation as
possible, or move to systems managed by others. This decreases the need for
in-house human intervention and specialized training, allowing for higher
levels of security without spending the money on large, cumbersome systems.

The last thing an SMB needs is a complex security solution that draws
heavily on its limited manpower, which could still result in sub-par
security due to the vast majority of IT staffers lacking cybersecurity
knowledge.

But even with an automated and managed security system, a business is still
not risk free. To ensure the business has a lower risk level, education is
key. SMBs must educate their employees about the possible risks they will
face, an increasingly difficult task as hackers make their scams more and
more realistic.

The best place to start is email safety, since email is the place an
employee is most likely to receive an attack. Employees should be taught to
be wary of emails from unknown senders, as well as odd requests from known
senders.

Hackers are able to create increasingly realistic-looking email addresses
and messages, so if employees feel unsure about an email, they should not
be opening it at all. Next, employees should be careful about which links
and attachments they interact with. Hackers often take advantage of links
and attachments to spread their malware. One wrong click and the company is
infected.

In 2015, Microsoft Office documents were the most popular attachments to
leverage, accounting for over 70% of malicious file attachments in email
according to a Symantec report. This is not surprising given the
popularity of Office within the SMB and corporate world.

There are also several other popular entryways for attackers. Unsecured
websites are often used for attacks. These sites pose threats similar to
those of email attacks, especially through links or downloads.

Another popular attack comes through USB devices. Employees should be
taught to carefully monitor their own USB drives and to keep an eye out for
any new or unfamiliar USB drives. A less well-known way attackers operate is
through notification pop-ups disguised as updates. Updates should be
regulated through IT, and employees should be skeptical of update
notifications they receive on their computers, especially from
non-authorized applications.

If an employee believes that their computer or device is compromised, they
should immediately bring it to IT’s attention so they can evaluate the
situation. If an employee has any suspicion, even a small one, they should
immediately stop work on the computer and bring it to be evaluated. It is
better to have a false positive than an actual outbreak on the computer or
within the organization.

SMBs face many challenges that larger enterprises will not, especially with
regard to security, but that doesn’t mean that they deserve any less
protection. Following these steps will ensure that SMB employees are
educated and that SMBs are protected.