The answer may surprise you
There’s an adage in IT circles that people — both you and your employees — tend to be the weakest link in the cybersecurity chain. But that’s not entirely true.
Attacks actually come from a variety of places, with 72 percent perpetrated by outsiders, 27 percent involving internal actors, 2 percent involved partners and 2 percent featuring multiple parties, according to the Verizon 2018 Data Breach Investigations Report (DBIR).*
So, does this mean small and medium business (SMB) owners can relax? That you don’t have to worry about your employees triggering a potentially serious data breach costing your business time, money and stature with customers? Not by a long shot.
The plain fact is that, while employees may not initiate attacks, they can still be a major contributor to them if their devices are not adequately fortified or if they don’t follow proper security protocols.
With U.S. SMBs losing an estimated $75 billion each year to ransomware and 1 in 5 businesses closing their doors within months of such attacks, small businesses simply can’t afford to ignore cybersecurity.
Every SMB needs to have an active and effective security strategy. Such strategies should not be limited to purchasing a piece of software or installing a firewall. Rather, businesses need a “multi-layered” approach blending security tools and policies — because cyberattacks never come from one direction.
Here are 5 measures businesses should evaluate as part of their security strategies:
1. Train the staff
The most important countermeasure against cyberattack is a smart and committed workforce. Few employees want to be the reason for a problem, but employee negligence is the leading cause of data breaches for small businesses across America.
As such, arming workers with the knowledge to help keep the business safe should be your first step toward countering potential problems.
Some businesses hang posters around the office encouraging employees to exercise basic precautions, such as regularly changing their passwords, locking down their machines while away, and not leaving confidential documents sitting on printer trays. Others establish mandatory annual training courses to indoctrinate employees (including executives) in current security policies and procedures. Implementing routine phishing email testing is another alternative to improving understanding and visibility.
Such efforts don’t have to cost anything. For example, the US Small Business Administration has a free online course that business owners and staff can take to learn more about safeguarding their networks.
2. Secure endpoint devices
For years, most cyberattacks targeted operating systems and software. As vendors became more adept at patching or eliminating security holes in code, hackers began shifting their attention to less secure endpoint devices, such as printers, smartphones and laptops.
Every time a business buys a PC or printer, it should be viewed as a security decision. It’s no longer enough to buy a device and then a software package, like antivirus. You won’t be adequately protected. Fortunately, manufacturers are starting to build security into the hardware. For instance, HP printers come with a variety of built-in security features to stop attackers from introducing malicious code. They protect data in transit and provide instant notifications of suspicious activity on a network. In addition, these advanced printers make it easier to have uniform security settings for each device and ensure they’re all updated regularly.
HP PCs are similarly equipped with stronger security and optional features like HP Sure View and HP Sure Click among others.
Before buying any connected device, read the fine print. Determine what kinds of embedded security features are included. All endpoint devices are not equally secure.
3. Protect those passwords
Passwords are easily the worst security measure ever invented. They are too easy to spoof. And most of us choose ridiculously weak passwords involving the names of someone we know and a few numbers. The trouble with this is that hackers have access to software with built-in directories of the most common names, which lets them crack these passwords in mere minutes. What’s more, many of us don’t want to be bothered with passwords, so we thoughtlessly plug in something like “123456,” a password so easy to guess that it accounted for 17 percent of 10 million compromised passwords in 2016, according to Keeper Security.
All of this said, it’s unlikely we’ll get rid of passwords anytime soon. We’re too accustomed to them, and most organizations haven’t found that killer apps to replace them. Indeed, password use is expected to increase threefold to around 300 billion instances by 2020.
So, it behooves every organization to have an effective password policy in place. This policy should require employees to change their password at least once every three months. It should also mandate the use of strong, lengthy passwords combining a series of characters, symbols, numbers and cases.
Also consider making password vaults or managers available to employees. They will make it easy to have a complex password that you do not share across web sites. Encourage employees to have unique passwords for each Web site or application they frequent.
4. Add fingerprint scanners
Passwords are all about granting people access to network resources. Since hackers don’t have much trouble cracking them, companies must reinforce what they have with other identity and access tools.
Consider fingerprint scanners, for example. They are more secure than passwords, and are widely available today in many endpoint devices, such as business laptops and smartphones. Yes, the feature might cost a bit more, but the added protection it offers is well worth the small investment.
5. Prioritize pull printing
Pull printing is a newer technology that allows organizations to make sure only authorized users have access to the print jobs that are meant for them, ensuring that no print job is accessed by any person other than the intended recipient.
Is this really a problem? Well, recent Quocirca research indicated 61 percent of large enterprises admitted suffering at least one data breach through insecure printing. Yet, there remains a misplaced level of complacency around print security compared to other IT endpoints. Any security strategy, therefore, should address the risk of documents being intercepted during transmission or forgotten in printer trays.
With cybersecurity incidents increasing in frequency and severity — and targeting both large and small businesses equally — it’s critical to be vigilant. By implementing some or all these best practices, you can help protect your business from a potentially devastating data breach.
* Not intended to add up to 100% due to multiple parties involved in incidents.
used with permission from HP Tech@Work