Small-to-medium-sized business (SMBs) owners are struggling with how to address IT security. On one hand, SMBs realize that IT security is an important topic for their business. Owners and executives are seeing daily breaches that generate fines, lose business opportunities, and hurt business reputations. On the other hand, there’s the reality that tight budgets and a lack of resources make it difficult to execute any formidable security strategy. More and more, SMB business owners are facing large bills to address IT security deficiencies.
SMBs are Primary Targets for Cyber Attacks
According to the 2018 Cyber Claims Study by NetDiligence , 85% of the cyber insurance claims made from 2013 to 2017 came from smaller business, and 80% were the result of criminal involvement. The top four sectors affected by cyber incidents were as follows:
- 17% Healthcare
- 20% Professional Services
- 12% Financial Services
- 10% Retail
- 41% All Others
TABLE
Just as there isn’t a silver bullet for growing a business, there isn’t a single turnkey, no-cost solution to security for SMBs. However, the good news is there are prudent steps available that SMBs can take quickly, easily, and cost-effectively to dramatically reduce the risk of an IT security event, and even to work towards compliance for those that are subject to statutes such as PCI, GDPR, HIPAA, and others.
Of course every organization is unique and faces different challenges, but SMBs should consider leveraging core best practices to address IT security. So, where does it start? By creating layers of defense—from protecting the network on the outside all the way into the core, made up of end user identities. It’s no secret that compromised user identities are the number one method for hackers to breach an organization.
Best Security Practices for SMBs by Core IT Area
Below you’ll find six core activities that SMBs can execute to dramatically step-up their IT security.
1. Network – Enforce Unique Access & Segment Resources
Most SMBs are leveraging WiFi networks to connect to the Internet, but the truth is that shared access to WiFi networks is an open invitation to be hacked. There are two steps to increased security here for your network: a) enforce unique access to the WiFi network through RADIUS integration, and b) segment the network to keep the most critical resources secure. Your IT admin or MSP will be able to walk you through how to do this without too much hassle or cost.
2. Systems – Lockdown Computers and Servers
Lock down all of your PCs and servers by ensuring that only the right people have access to each system, the systems are constantly patched, you have anti-virus/anti-malware software, and that you have strong policies in place (e.g. the computer screen locks after 2 minutes). Bonus points for those that are willing to enable multi-factor authentication (also called MFA or 2FA) to login to the PC or server. The right tools here can do virtually all of this without significant cost.
3. Applications – Enable MFA
MSPs have an obligation to protect their clients, and all MSPs take this responsibility incredibly seriously. A hacked client can be catastrophic for an MSP’s reputation, so implementing strong controls is critical. Identities are the number one attack vector within any organization, and MSPs know this firsthand. By leveraging a modern approach to identity management, MSPs can build a strong foundation of security within each client’s organization.
4. Data – Implement Full Disk Encryption (FDE)
Compromised data is at the heart of the most expensive breaches. If you have credit card data, user or customer data, or health care data, you are at risk. The number one step to take in this category is to enable data at rest encryption wherever possible and especially on your laptops and desktops that can access that confidential data. The software to do this (BitLocker on Windows and FileVault on macOS) is free, but is complicated to manage. A simple tool to manage FDE (full disk encryption), as it is called, will simplify the task and help ensure you won’t lose any data.
5. Identities – Enforce Password Complexity & MFA
At the center of what you are trying to protect is a user’s identity. If an identity is compromised, it can bypass virtually all of the safeguards you have just put in place. The two most important steps to take in this key section is to a) tightly control access to everything possible with long passwords and b) implement MFA to require a second factor to validate a user is who they say they are. Both of these are possible and inexpensive with a solution called a directory service.
6. Employees – Conduct Regular Security Awareness Training
Educating your employees with in-depth security training has been shown to be a powerful method to increase security at organizations of all sizes. Users have a tendency to act on curiosity and convenience without considering the underlying risks and negative consequences at hand. By teaching employees how to identify phishing emails and practice secure browsing and password management habits, you can significantly minimize the risk of experiencing a data breach.
Learn More About Security for SMBs
Implementing security for SMBs doesn’t need to be hard or expensive, but it does take some time, commitment, and resources. In order to follow through, SMB owners should consider asking their internal IT person or an external MSP to help support their efforts. With a little focus on these high impact items, an organization can quickly become significantly more secure.
If you’re interested in learning more about modern security risks and implementing best practices that can be used to build up your organization’s defenses, watch the webinar below detailing how to train your employees to be security conscious, or check out this in-depth report on identity security.If you’d like to talk with a JumpCloud support specialist, please feel free to drop us a note.