Why 2020 could be a bad cybersecurity year for SME’s

SME’s are a prime target for cybercrime.

They have reduced expertise, minimal money, and an attitude, we are too small to be a target, that leaves them wide open to a cyber event.

Our industry, the people who know and think we understand the bad guys have been pushing for an attitude change for the last 10 years. In a large number of ways, we have failed, especially in the SME space.

In some, we have failed significantly.

By the time we get called in, after a cyber event, it is way too late.

To late to recover, too late to respond and definitely too late, in a number of organisations, to get back to business as normal.

Most SMEs, after a cyber event and especially after a ransomware attack, have but 3 choices,

  • pay the ransom,
  • recover from backup and hope you have a decent backup (a decent, tested backup is vital, no matter the situation)
  • or go out of business.

Here are 3 cybersecurity strategies that every SME should implement to be more secure and avoid that devastating cyber event.

Training users

Increased awareness of business security in a workplace is vital in today’s business world.

Not many businesses know where to go to get that training.

Training needs to be done as an ongoing process.

Once or twice a year is inadequate. But training and education has to be easy, bite-size pieces, easily digested, easily implemented and easily followed.

In addition to ongoing training, you also need to incorporate business security into your onboarding process to instill the required cultural elements into new people on staff.

Want some free cybersecurity training, here is something that will definitely help
https://wizer-training.com/partner/caremit

Risk management and gap analysis

SME’s have a limited understanding of the new risks delivered to the business via our digital components.

The game has changed significantly in the last 10 years and we, as small and medium businesses, are constantly playing catch-up.

We are significantly hampered and handicapped by the impact and scale of our digital usage.

It is everywhere, used in every component and used all of the time.

To understand the risks without understanding the systems you need some help.

Here is some help for you.
Https://CareMIT.scoreapp.com

With the report, you can now implement a gap analysis and work out what you need to do to increase security around your organisation.

The report also ties in well with:

Implemented a framework

If you are looking for a better way to manage security within your Organisation, you need to look no further than a framework.

A framework is a documented system that allows an organisation to follow the bouncing ball and tighten up the security in a regimented way.

The more the components of the framework are implemented the more secure and mature the organisation.

Frameworks are easy to follow and implement and the one I recommend is the National Institute of Standards and Technology (NIST) cybersecurity framework.
https://www.nist.gov/cyberframework

Answer the 98 questions, honestly, and you now have a road map to implement cybersecurity in a significant way.

The NIST cybersecurity framework also gives you a number.

Between 0 – 4, it can be used as a comparison between businesses, supply chain components, and government departments so you can do business with like-minded organisations.

What can SME’s do?

It is not too late to implement any of these strategies. The bad guys are getting more and more clever, so time is running out.

They are targeting everyone who is connected to the digital world, the internet, with more sophisticated systems, a number of them are now fully automated.

Some of those automated systems have minimal human involvement after the initial set up.

From initial social engineering attack, all the way through to payment of ransom everything is automated and driven by machine learning.

Every SME should be implementing a training and education process, doing a risk and gap analysis and implementing a cybersecurity and business security framework.

With that everything else will follow.

The business will be more stable, the culture of the organisation will change and getting back to business as normal after an attack can be significantly easier.

The impact of a cyber event for an organisation implementing these 3 components or not is significant.

If you haven’t implemented these 3 strategies in the last 12 months, 2 years or 5 years then 2020 is going to be a bad year.

But it’s not too late.

Encryption and Backups are your fall back position

When it comes to business security there are 2 systems that will save you after the impact of a cyber event.   The first is a good backup and the second in encryption.

Neither of them is as foolproof as business owners think.

Understanding the importance of backups.

The whole point of a comprehensive back up regime is to be able to get back to business as normal as fast as possible.

A good backup will help you achieve that.   So will a good disaster recovery plan, a decent business continuity plan as well as building in as much resilience as possible into the organisation itself.

Like any plan or solution it has to be tested, it has to be stressed and more importantly, everyone in the organisation needs to know what to do, where information is and how to implement those plans.

Failing to test or improve from the experiences of real-time tests and war-games is usually where an organisation fails.

You cannot improve a system unless it is tested regularly.   Once tested you can rectify issues discovered during the testing.

You DO NOT want to have the cyber event as the first test of system failure and recovery.

What to do with backups.

When it comes to a backup it needs the following items in place.

  • A copy of all critical and non-critical data stored in another location.
  • A copy of that information only connected to the system when it is doing a backup
  • A process that has no human requirements except to check it has happened and fixing it when it fails (immediately)
  • A system that is regularly tested and improved.  In business everything changes, the systems and data need to be tested but the people involved as well.

Protecting your encryption keys

The second component is encryption.   Seen by many as the silver bullet of data security, it is just another deterrent.   If your data is stolen then encryption will ensure that the data is unreadable, unless the bad guys have the keys.

The most important component of encryption is the security of those keys, if the keys are stolen or get out the encryption is useless.

So protecting those keys is more important than protecting the data the keys are securing.

When it comes to SME’s, not for profit organisations and charities we often find the security keys, especially for securing websites, just lying around a system.   Usually, they are saved in a folder called certificates with no added security around those files.

Protecting your encryption

There are many ways of using encryption and all of them cannot be discussed here so here are a few ideas.

  • Make sure your encryption key is not hardcoded into the applications using it.
  • Make sure your encryption key is your property and not owned by a third party.
  • The encryption keys should never be stored on or in the same system using them.
  • Make sure there is an audit trail in their use.
  • Only use one administrative account to encrypt data, record that account and the password in an out of band location, only used for that specific role.
  • Your keys can be encrypted!
  • Cryptographic keys change regularly, create a policy, process and procedure around that requirement.
  • Back them up.   The keys can be stored on an encrypted thumb drive and stored in a secure location. IE – a safe (part of the policy?)

To stop a cyber event instead of just recovering from one you also need to implement other components.   To survive the onslaught of cybercrime, follow and implement the best practices documented all over the internet.

A plan B is important, just like insurance is important.   When everything else fails your recovery is critical.

The CareMIT Security Methodology will help you secure your systems, people and data.

Why you need an off-site backup

Off-site, secure, out of band backups are your only hope for recovery in a cyber event

Ransomware, the scourge of today’s business, is literally a click away from crippling your business and organisation.

Attackers can reportedly execute the malware and begin encrypting most file types and removing all local backups. It is still unclear how much the demanded ransom is, but researchers have found that TFlower doesn’t append the encrypted files’ extensions.” Connor Madsen webroot. https://www.webroot.com/blog/2019/09/20/cyber-news-rundown-tflower-ransomware-exploiting-rdp

A determined crypto-virus attack on your organisation can reduce the organisations chance to make money, it can impact your reputation and can cause problems for months if not years.

Even an accidental infection, most result from an accident, can cause similar effects.

In the event of a crypto-virus attack, especially for small and medium enterprises, you have 2 options.

  • You pay the ransom – you may get your data back, you may get some of it back or you may get none of it back, we are after all talking about a criminal organisation that is holding your data to ransom.
  • You recover from your backup.

Paying the ransom is up to you, most security and ICT companies will say not to pay.

If you have a security or ICT company, or someone in your organisation that does the job they would have told you to do a backup.

Your back up has to cover the following:

  • It should be regular – depending on your requirements for the data and access to the data a back up should be completed every 24 hours.   A better solution is to have an incremental backup every 15 minutes.
  • It should have no human intervention – the backup has to run no matter what.  If you are backing up to a hard drive, connected to your device and you require someone to change drives then human error comes into it.   The old adage that the backup will fail the same day you need it is true.
  • It should be off-site – As in totally away from the business but also not connected to the business except when it is doing a backup.
  • It should be secure – all the data, no matter where it is stored should have encryption wrapped around it.   It should be encrypted at rest (stored on the location), it should be encrypted in transport (getting there and back) and it should be encrypted if you are going to use it.  This stops the information being stolen but also being accidentally accessed by the provider.
  • It should be tested regularly – you have done a backup and that’s all I have to do.   No, you need to test it regularly.   Do a regular restore to test that it works and also to ensure that you are backing up ALL of your essential data.   You do not want to be in a situation where a failure is your first test.

Achieving all of these components is difficult.   Try talking to us or a reputable ICT and security provider concerning your options!

Click here for your free trial of a secure, out of band off-site backup solution.