Don't Open That Attachment: 4 Common Data Protection Mistakes for SMBs
Wake up and smell the breaches. In an era where it appears nothing is private and cyber crime happens daily (actually, every 39 seconds on average), data security is of utmost importance. There is no getting around it anymore. So, please, stop using that same old password already.
Here are four common data protection mistakes that small and midsize businesses (SMBs) make and how to rectify them:
1. Not having a contingency plan.
So the thinkable, yet undesirable, happens -- you get hacked. What you do next, and how quickly you can fall back to a failsafe or execute a response plan, can mean everything.
In 2016, Barclays reported in the results of its cybercrime survey that at least half of the UK SMBs surveyed had experienced a cyber attack in the past year, mirroring much of the internet-connected world. And with ransomware consistently on the rise (reported incidents were up 195% in the first quarter of 2019 alone), it is unfortunately "safe" to say that the number of SMBs experiencing other types of attack is holding steady or increasing as well. The same survey found that fewer than 20% of the companies that experienced an attack reported that the breach was what finally prompted them to review their cybersecurity protocols.
Some attacks, ransomware in particular, can lock you out of your own systems or crash them, so extended downtime is a real possibility. Maintaining backups and standby systems limits the impact of a breach by letting you restore and keep operating. Those backups must be tested regularly and kept isolated from the production network; otherwise the same ransomware that encrypts your servers will encrypt your backups too. Restoring is also only half the job: proper barriers and monitoring need to be running already so the attack is contained rather than simply replayed against the restored system.
If you don't have a full contingency plan in place, you may not only experience downtime; data that a few simple failsafe protocols would have protected will be exposed to prying eyes. Good first steps are working with your IT team to make sure they have the budget for extra layers of protection, such as virtual data rooms for sharing sensitive documents, and for monitoring attacks against your own systems (public threat maps show the general picture, but it is logging and alerting on your own network that actually detects a breach). If your company's data is particularly sensitive, having a cyber security specialist, or a whole team of them, on board is even better. Even if your data does not contain state secrets, a consultation with a security specialist can at least help you identify weaknesses and give you a good jumping-off point.
2. Not using a password manager or 2-factor authentication.
Nothing is more annoying than being forced to create a 20-character password with no recognisable words, to change it every month, or to wait for a text-message code on your phone. But what if that extra security step were the difference between protecting your clients' vital information and losing hundreds of thousands of dollars in damages? Verizon's 2017 Data Breach Investigations Report found that 81% of hacking-related breaches involved weak or stolen passwords, and 25% of the employees in OpenVPN's 2018 survey of SMBs admitted to regularly reusing the same password across multiple accounts. The real figure is most likely much higher.
It is easy to slack on password security, but it is equally easy to find a solution: a password manager. These tools, LastPass for example, generate long random passwords for you and keep them in an encrypted vault that is unlocked by a single master password, so you only have to remember one strong secret. Working with multiple clients and juggling their passwords as well? A manager keeps those credentials in one place and prevents them from getting lost, even when you change computers.
It is also important to note that most password managers are third-party services, which once again exposes you to "out of our hands" breaches. Favour one with a zero-knowledge design, where the vault is encrypted on your own device before it is synced and the vendor never holds your master password, so a breach at the vendor yields only ciphertext. Two-factor authentication adds a second layer over the password and is increasingly recommended by security experts as the default way to log in. Not all second factors are equal, though: codes from an authenticator app are not exposed to SIM-swapping the way SMS codes are, and hardware security keys resist phishing as well.
3. Not having your remote team using a VPN.
Public Wi-Fi can be a dangerous place for businesses. Unless their traffic is protected by something like a VPN, these hotspots make your remote team easy targets for anyone on the same network or in control of the access point: attackers running rogue hotspots, traffic sniffers and other lurkers, and even governments and third-party data miners.
Encryption is often the first step businesses take towards security, particularly for email. However, encryption is only as good as the algorithms and implementation behind it; a weak or home-grown scheme offers little more protection than plain text, so look for products built on well-reviewed ciphers, for example cryptographic modules validated against FIPS 140-2. Also, TLS between mail servers is not enough on its own: it protects a message only hop by hop, and the message sits unencrypted on every server along the way and on both endpoints. Sensitive data should be encrypted end to end, not just in transit between servers.
For remote workers, one practical way to get there is a VPN that terminates on a server you control, so that everything a laptop sends over untrusted Wi-Fi travels through an encrypted tunnel to your network. A VPN is not end-to-end encryption of the email itself (the message is still readable once it reaches the mail server), but it does take the hotspot and everyone on it out of the picture.
Some VPN setups can also give remote staff access to secure data portals that mirror your company's local servers. With this, remote employees need not keep sensitive files on their own personal computers, which are much more vulnerable, and a lost or stolen laptop then exposes far less.
4. Failure to train employees and enforce security protocols.
Security protocols are best explained by two axioms: 1) an ounce of prevention is worth a pound of cure, and 2) you're only as strong as your weakest link. Your employees may be capable, well-educated people, but their knowledge of data security might not be at the level needed today. According to reports by the identity-theft protection company Identity Guard, 1 in 8 workers accidentally installs some form of malware or virus each year. If your team's working knowledge of security, of current cyber-crime methods and of the company's contingency plan is low, you are opening your business up to a world of trouble. In an increasingly busy and technology-oriented world, online communication has quickly become the preferred channel for B2B and B2C contact. That contact, and email in particular, is extremely exposed to attack: 92% of malware arrives by email, and many of the campaigns are carefully targeted rather than crude.
Scenario: you receive a nearly blank email with an attachment from a client. You correspond regularly with this client and think nothing of it, but decide to check anyway. You reply to the email and they respond saying it is fine to open. You are in the clear, right? Wrong. Attackers routinely work from a client mailbox they have already compromised, or from a look-alike address with a Reply-To they control, so the reassuring reply comes from the attacker and not your contact; malware families that hijack email threads send such replies automatically from infected mailboxes. The only reliable check is out of band: phone the client on a number you already have, or use any channel other than the email thread itself.
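The following is an added Python example (not from the original article) of the kind of triage a mail gateway or a cautious recipient can apply to a message like the one in the scenario. It builds a constructed sample message that mimics the reply described above, plus a benign one for comparison, and runs a few heuristics over them: a Reply-To address on a look-alike domain, non-passing SPF/DKIM/DMARC results in the receiving server's Authentication-Results header, an almost empty body carrying an attachment, a double extension, and a file that is really a Windows executable whatever its name says. The domains, header values, 40-character body threshold and extension list are assumptions for the illustration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Extensions commonly used for first-stage malware delivery: .docm/.xlsm carry
# macros, .iso/.img mount as drives, .lnk/.js/.vbs/.hta execute directly.
# Assumed list for the illustration, not exhaustive.
RISKY_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".lnk", ".iso", ".img",
             ".docm", ".xlsm", ".pptm", ".bat", ".cmd", ".ps1", ".jar", ".wsf"}
# "invoice.pdf.exe": a short extension immediately followed by another one.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$")


def _domain(addr: str) -> str:
    """'Dana <dana@client-example.com>' -> 'client-example.com'."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message (empty list if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. A Reply-To outside the sender's domain means your "is this OK to open?"
    #    question is answered by whoever controls that address, not by the client.
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. Results your own receiving server recorded (constructed header in the sample).
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech.upper()} result is {m.group(1)}")

    # 3. Thread-hijacking lures are typically a one-liner plus an attachment.
    attachments = list(msg.iter_attachments())
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    if attachments and len(text) < 40:
        findings.append("near-empty body with attachment")

    # 4. Judge the attachment by its bytes, not by its name or declared type.
    for part in attachments:
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXT:
            findings.append(f"attachment {name!r} has risky extension {ext}")
        if DOUBLE_EXT.search(name):
            findings.append(f"attachment {name!r} uses a double extension")
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":  # PE header: a Windows executable regardless of the name
            findings.append(f"attachment {name!r} is a Windows executable (MZ header)")
    return findings


def build_sample(hijacked: bool = True) -> bytes:
    """Constructed sample messages, not real mail. hijacked=True mimics the scenario."""
    m = EmailMessage()
    m["From"] = "Dana Client <dana@client-example.com>"
    m["To"] = "you@yourcompany.example"
    m["Subject"] = "RE: invoice"
    if hijacked:
        m["Reply-To"] = "dana@client-examp1e.com"  # look-alike domain, digit 1 for letter l
        m["Authentication-Results"] = "mx.yourcompany.example; spf=pass; dkim=none; dmarc=fail"
        m.set_content("see attached")
        # First bytes of a PE file, labelled as a PDF and given a double extension.
        m.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,
                         maintype="application", subtype="pdf", filename="invoice.pdf.exe")
    else:
        m["Authentication-Results"] = "mx.yourcompany.example; spf=pass; dkim=pass; dmarc=pass"
        m.set_content("Hi, attached is the signed invoice we discussed on the call yesterday. Thanks!")
        m.add_attachment(b"%PDF-1.4\n%constructed placeholder\n",
                         maintype="application", subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("suspicious", build_sample(True)), ("benign", build_sample(False))):
        print(label, "->", triage(raw) or ["no findings"])
```

None of these checks proves malice on its own, and an attacker replying from a genuinely compromised client mailbox will pass the Reply-To and authentication checks entirely, which is why the content checks on the attachment, and the out-of-band phone call, remain necessary.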
Also, remember the password issue? Barclays' survey also showed that 65% of businesses don't enforce their password policies, and simple lack of enforcement could be the reason your company suffers a devastating breach. Proper training and instruction not only limit employee mistakes and raise awareness of situations like the one above, but also encourage staff to report breaches caused by human error. In their paper on correcting and managing employee mistakes, the management researchers Bin Zhao, Todd Doyle and Brenda Lautsch recommend talking openly about the different ways genuine human error can occur and spelling out the benefits of reporting for employees. Promoting these qualities increases the likelihood that an employee will report a breach they may have caused. It needs to be coupled with a company culture that does not normalise mistakes but does minimise the fear of reporting them. No one likes to admit a mistake, particularly one that could cost the company money and clients, not to mention their own job. Employees report a security-compromising error sooner when the company has built a culture of openness and responsibility, and every hour gained in reporting is an hour the attacker no longer has.