Best Cybersecurity Practices for Small Businesses
Digitalization revolutionized the way we do business. While digitalization improves efficiency and productivity, it also makes businesses more vulnerable to cyberattacks.
Cybersecurity threats are not just of great concern to large businesses. Large, medium and small businesses alike are at risk of cyberattacks.
A report from Better Business Bureau (BBB) – a nonprofit organization focused on advancing marketplace trust – found that only 35% of small businesses could remain profitable for more than three months if they permanently lost access to essential data as a result of a cyberattack, while more than half would be unprofitable in under a month.
“Profitability is the ultimate test of risk,” said Bill Fanelli, one of the authors of the BBB report entitled “2017 State of Cybersecurity Among Small Businesses in North America” and chief security officer for the Council of BBB. “It’s alarming to think that half of small businesses could be at that much risk just a short time after a cybersecurity incident.”
According to the BBB report, one out of five small businesses reported it has been the target of a cyberattack. The report also showed that larger small businesses – in terms of the number of full-time employees – are more likely to report having been a target of a cyberattack.
One possible reason offered by the BBB report why smaller businesses are less likely to report a cyberattack is that they may be unaware that they have been attacked. About 10% of the respondents of the BBB study could not tell if they had been a target of a cyberattack.
Here are some of the top cybersecurity best practices that your organization can implement in order to protect your organization’s valuable data:
1. Backup Your Data
According to a Google-led study, only 37% of users backup their data. Cybercriminals in recent months saw this failure of users to backup their data to launch cyberattacks via ransomware. The Google-led study found that from the first quarter of 2016 to second quarter of 2017, over $25 million was paid by ransomware victims to cybercriminals.
Ransomware is a malicious software that locks out users from their own computers. Attackers typically leave a ransom notice on the locked computer monitor, demanding that certain amount should be paid for the computer to be unlocked.
Paying the ransom does not guarantee that your locked computers can be unlocked by ransomware attackers as exemplified by WannaCry ransomware where criminals cannot unlock computers as they cannot determine who paid the ransom; while other ransomware like the NotPetya ransomware is in all likelihood is a “wiper” – a malicious software that is meant to wipe out all corporate data – and not a ransomware where profit is the main purpose.
By backing up your data ransomware attackers will have no leverage against your organization. Backing up your corporate data will help your organization survive data loss, not just as a result of cyberattack, but also data loss as a result of human error, hardware failure and natural disasters, including fire and flood. If your organization has more copies of your valuable data, losing one to cyberattack or other causes of data loss will have no catastrophic effect on your organization.
2. Keep Operating System and Software Up-to-Date
Another important cybersecurity practice is to keep your operating system and all software updated. Recent major worldwide cyberattacks are a result of the failure of organizations to update their operating system and software.
An operating system or software update, also known as patch, is a piece of code that is added to the system or software to fix one or more security vulnerabilities. Updates are released by the operating system or software creator once security vulnerabilities are discovered. Failure to apply the update or if the software creator stops providing an update will leave your organization’s operating system and software vulnerable to cyberattacks.
The massive cyberattack on Equifax affecting millions of Americans and a number of residents in Canada and the UK was attributed to the failure of the company to apply a software update. According to Equifax, the vulnerability in the “Apache Struts” in its US online dispute portal web application caused the massive data breach.
Apache Struts is an open-source software for developing web applications or apps. This software is used by a significant number of organizations for developing publicly-accessible web apps.
The Apache Software Foundation – a non-profit organization that creates and manages Apache open-source software projects, including Apache Struts – said that the update for the vulnerability in the Apache Struts referred to by Equifax was already made available to the public months before the massive hack.
“Our general advice to businesses and individuals utilizing Apache Struts as well as any other open or closed source supporting library in their software products and services is,” the Apache Software Foundation said, “establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons.”
“Best is to think in terms of hours or a few days, not weeks or months,” the foundation added. “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”
At GenX our security best practice services include:
- Careful and thorough threat analysis reports to determine the most pressing issues regarding your company’s I.T. security
- The centralization of company security systems, streamlining and tightening security operations
- Update of employee computers to more secure operating systems, and installation of antivirus software
- Destruction of unwanted or sensitive data, through physical means or software deletion
- Continued security services, including 24/7 monitoring services, and ongoing security assessments
Implementing these top cybersecurity best practices is even more important with the upcoming implementation of the Digital Privacy Act, a law that amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Under the Digital Privacy Act, cyberattacks cannot anymore be swept under the rug as all Canadian organizations are required to do the following in case of a data breach: notify the Privacy Commissioner of Canada, notify the affected individuals and maintain a record of the data breach. Failure to notify the Privacy Commissioner of Canada and affected individuals, under the new law, could result in a fine of up to $100,000.