Small to mid-size businesses around the country are considering how to maintain data security in the aftermath of one of the largest data breaches in history at Equifax. How can you ensure that your business has critical patches covered while still staying focused on operational effectiveness?
Recent national news regarding big data breaches in organizations such as Equifax has small business owners scrambling to understand what went wrong — and how it can be prevented at their organization. The reality is that the potential of a data breach can’t be eliminated completely from your organization, but there are plenty of ways you can minimize the threat and make plans to come back up to full speed quickly after a breach. Possibly the worst thing that you can do is start looking around in all directions in the hopes of shoring up your defenses. See how data security can become part of your ongoing strategic technology planning so you can skip the scramble.
Small Business Impact
Small businesses are every bit as vulnerable as enterprise-scale businesses to hacks or data breaches, and sometimes even more vulnerable. The thought of having the personal and financial data of 143 million Americans stolen is enough to cause any business owner to get a bad case of the hives. Equifax’s security was breached because a software patch was not correctly applied, something that many small business owners can relate to as their internal IT departments are increasingly stretched in a variety of different directions. Installing patches and keeping software up-to-date is one of the first lines of defense for organizations attempting to reduce the possibility of a cybersecurity attack.
Dealing with Long-Delayed Issues
Many business owners find that there are hidden pockets of issues that could be exploited by cybercriminals, such as that one workstation that never got updated from Windows XP, or a proprietary platform that kept system administrators from applying a Windows patch. These risks may not seem significant by themselves, but allowing them to continue simply compounds the issues facing security professionals. Small businesses rarely have access to the same level of technical support as a larger enterprise, leading them to lag behind in both learning and applying ever-changing security principles. Unfortunately, this doesn’t stop cybercriminals from targeting small businesses — a recent Verizon survey indicated that more than 60 percent of the breaches that occurred in 2016 happened in organizations with fewer than 1,000 employees.
Staying focused on patching potential security holes is challenging with IT departments in a constant state of damage control due to user needs and other ongoing, operational issues. This split priority provides the ideal breeding ground for security problems in businesses of any size. When there are not enough staff hours available to focus on creating a truly secure infrastructure and data privacy policies — along with ongoing training for business users and technology teams alike — businesses can find themselves in trouble. When IT teams shift their focus to security for the near term, they are often able to catch up on critical patches but will take heat from internal business units and leaders who feel that the technology team isn’t pushing forward critical business initiatives. It’s a lose-lose situation for understaffed mid-size business technology teams.
Nearly everything today is an endpoint for your network: cell phones, laptops, tablets and WiFi hotspots are all crucial parts of your network as well as being at risk of infiltration by nefarious parties. While security concerns around these items are nothing new, the complexity of ensuring that you grant appropriate access to individual devices is growing as BYOD (Bring Your Own Device) becomes a more widely accepted practice. Endpoint security solutions continue to morph and grow, with a great deal of misconceptions and misunderstandings surrounding best practices. Any smartphone that can attach to your corporate network is essentially an endpoint, and must be secured — and that is true for VPN access from unsecured devices as well. The true danger of endpoints is not necessarily the technology; instead, the problem often lies in the lack of training, policies, and procedures being followed by business users. Simple antivirus and anti-malware protection are no longer enough.
Training around endpoints isn’t the only required training for business users. Every employee in the organization needs to be explicitly shown the dangers of clicking on links in questionable emails or online and how these actions can open the organization up to malicious activity. This proactive security training has been shown to reduce the risk of malware and ransomware being introduced by employees or contractors — which is important as phishing attacks are often aimed at internal staff in an effort to get business people to click on a link or provide personal information. Simulated phishing attacks run within the organization may not get your technical team any popular votes, but they are incredibly effective in demonstrating how legitimate real attacks can look in today’s world.
Backup and Disaster Recovery
Proactive training and patching plans are solid first steps, but a truly holistic strategy includes backup and disaster recovery plans that you can trigger instantly in the event of an attack or physical harm to your location such as fire or flood. As Equifax has shown us, even the largest enterprise organizations can be caught off-guard and make decisions during an emergency that later come into question. Having a backup and disaster recovery plan in place can allow your business to react quickly to a negative situation, minimizing the impact to customers and employees alike.
Ready to learn more about protecting your Nashville organization from cyber attacks? Contact Kraft Technology Group today at (615) 600-4411 or via email to firstname.lastname@example.org. Our cybersecurity team will walk through your current data security plans and see where we can make adjustments to shore up your overall security strategies.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.