Guest post by Matt Bunker from ARX Risk.
Developments in technology continually change the way business is conducted. Improvements in bandwidth, connectivity, remote devices and mobile access have transformed how information is transferred and managed, and with it how small to medium businesses (SMB) interact with their markets, both in the delivery of services and in operational agility.
While these improvements have enabled SMB, they have also become a significant source of risk. Australian SMB owners have long assumed they are immune to cyber breaches, either because they are too small or because they are a less attractive target. The statistics say otherwise: the 2019 Verizon Data Breach Investigations Report found that 43% of breaches involved small business victims. In 2017, Norton reported that 516,380 Australian small businesses were victims of cybercrime, and that figure has continued to rise. A widely cited figure is that 60% of SMB that suffer a breach go out of business within six months. Doing nothing about protecting the business and the information it holds is no longer an option, whatever the size of the organisation.
While most of the statistics paint a grim picture, some are distinctly positive. The Economist Intelligence Unit reports that a sound cyber security strategy can reduce the likelihood of a breach by up to 53%. Other figures show that 71% of SMB that use technology effectively have a clear competitive advantage, and that consumers spend up to 20% more with businesses that have strong cyber security measures. Without actionable intelligence, or the skills and experience to interpret it, knowing where to start is often left to guesswork.
A cost-effective solution
Implementing the latest technical controls is time-consuming and expensive, and it requires a clear strategy and in-house subject matter expertise to get right. Without a strategy, and without an understanding of why a given control is being deployed, the control becomes an isolated measure with gaps around it that an attacker can walk through. Organisations must take a proactive approach to protecting their critical assets, but proactive does not mean spending on expensive controls in a scattered "catch-all" fashion. By following some simple, cost-effective steps, SMB can significantly improve their resilience to cyber threats. Here are ARX Risk's top ten tips for SMB.
- Benchmarking: Many security and risk management companies offer this as an affordable service. It identifies existing vulnerabilities and the current state of cyber security maturity within the organisation. Without a benchmark there is nothing to measure improvement against.
- Understanding: Run a working group to determine which information is most critical to the organisation. Then identify where that data is located, who has access to it, and how it is accessed. This list drives every other control below.
- Culture: The executive team must set a security strategy, communicate it, and then empower the workforce to own and drive it.
- Encryption: All critical data should be encrypted, at rest and in transit, and sensitive and personal information in particular. Organisations that cannot show they took reasonable steps to protect such information can face large fines and significant reputational damage. Free encryption tools are readily available; the practical points are to turn on full-disk encryption on every laptop and phone, and to keep encryption keys and recovery codes separate from the data and backed up, because a lost key means lost data.
- Multi-factor authentication (MFA): A large share of breaches begin with weak, reused or stolen passwords. MFA is an absolute must, starting with email, remote access and administrator accounts; an authenticator app or hardware token is preferable to SMS codes.
- Device hardening: Build an inventory of every device that connects to the internet, then harden each one: application whitelisting, secure browsing, virtual private networks for remote access, a password manager, and restrictions on Wi-Fi and Bluetooth where they are not needed. A device that is not on the inventory is a device nobody is protecting.
- Privileged access management: Not everyone needs privileged access. Grant it tightly, keep administrator accounts separate from the accounts staff use day to day, and actively monitor and log who accessed what data and when, so that misuse of a privileged account is noticed rather than discovered after the fact.
- You are only as secure as your weakest link: Third parties such as managed service providers (MSP) need to be held accountable. The Australian Cyber Security Centre publishes a list of questions on its website that organisations can put to their MSP. If they can't or won't answer them, it is time to find a new provider.
- Staff awareness training: A breach is more likely to be caused by human error than by a technical failure. A comprehensive, ongoing training program reduces both the likelihood and the impact of a breach.
- Rehearse, rehearse, rehearse: A regularly tested incident response plan is critical to limiting the consequences of a breach, including regulatory fines, reputational damage and financial loss. A plan that has never been exercised will not work the first time it is needed.
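As an added illustration of the monitoring half of the privileged access tip (and of putting the critical-data list from the "Understanding" tip to work), the script below reviews an access log against an allowlist of privileged users and a per-resource access list, and flags privileged use by unapproved accounts, access to critical data by accounts not on its list, and critical-data access outside business hours. This is example code written for this article, not ARX Risk's tooling; the log format, user names, file names and business hours are all constructed assumptions, and a real deployment would feed it the logs of whatever file server, database or cloud service actually holds the data.

```python
"""Audit an access log against a privileged-user allowlist and a data-access list.

Added example, not ARX Risk's code. Log format, users, resources and hours
are constructed for illustration; standard library only.
"""
import re
from datetime import datetime

# Assumed inputs from tips 2 and 7: who may hold admin rights, which data is
# critical, and which accounts may touch each critical resource.
PRIVILEGED_USERS = {"alice"}
DATA_ACCESS = {
    "payroll.xlsx": {"alice"},
    "customer-db": {"alice", "bob"},
}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59, assumed; timestamps carry a local offset

# Constructed sample log: one access event per line, key=value fields.
SAMPLE_LOG = """\
2019-06-03T09:12:44+10:00 user=alice role=admin action=read resource=payroll.xlsx
2019-06-03T09:40:02+10:00 user=bob role=user action=read resource=brochure.pdf
2019-06-03T23:05:19+10:00 user=bob role=admin action=read resource=customer-db
2019-06-04T02:31:07+10:00 user=alice role=admin action=export resource=customer-db
2019-06-04T10:00:00+10:00 user=carol role=user action=read resource=payroll.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])  # keeps the local offset
    return ev


def audit(log_text):
    """Return findings as dicts with line, user, resource and reason.

    Unparseable lines are themselves findings: a log you cannot read is a
    gap in monitoring, not something to silently skip.
    """
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            findings.append({"line": n, "user": None, "resource": None,
                             "reason": "unparseable log line"})
            continue

        def flag(reason):
            findings.append({"line": n, "user": ev["user"],
                             "resource": ev["resource"], "reason": reason})

        # Privileged role held by an account that is not meant to have one.
        if ev["role"] == "admin" and ev["user"] not in PRIVILEGED_USERS:
            flag("privileged role used by an account not on the privileged-user list")

        # Critical data: check the access list and the time of access.
        if ev["resource"] in DATA_ACCESS:
            if ev["user"] not in DATA_ACCESS[ev["resource"]]:
                flag("critical data accessed by an account not on its access list")
            if ev["ts"].hour not in BUSINESS_HOURS:
                flag("critical data accessed outside business hours")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f['line']}: {f['user']} -> {f['resource']}: {f['reason']}")
```

Run against the constructed log, the script flags bob's admin-role read of the customer database (he is on the data's access list, but not on the privileged-user list, and it happened at 23:05), alice's 02:31 export, and carol's read of the payroll file. The first case is the one that matters most in practice: the access itself was permitted, so only the combination of role and time reveals that something is wrong, which is exactly why the tip insists on logging and actively reviewing, not just restricting.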
SMB are under constant attack from criminals and insiders looking to exploit valuable, sensitive information. More often than not they offer easy wins, or serve as a stepping stone into a larger enterprise they supply or service. It is not a matter of IF a breach will occur, but WHEN. All SMB therefore need more robust measures that proactively secure critical data and mitigate identified risks under a clear strategy, supported by an educated workforce and by security controls applied where they matter most to the organisation.
This article was written by our friend Matt Bunker who is the managing director over at ARX Risk. For more information on how you can secure your business and the valuable information you hold, why not drop them a line?