National Small Business Week is underway, and the festivities didn't take long to address one of the most glaring and ever-present issues for small to midsize businesses (SMBs): cybersecurity. The Small Business Administration (SBA) is the US government agency dedicated to providing concrete help, training, and recommendations that small businesses can put into practice right away in their day-to-day operations. To that end, rather than just offer pie-in-the-sky security trends, today's SBA cybersecurity panel gave SMBs concrete tips, resources, and steps they can take to mitigate security vulnerabilities and put a comprehensive security strategy in place.
SBA Deputy Administrator Doug Kramer moderated the panel of security experts as they discussed the biggest security risks small businesses face, and the most important steps they can take to protect their infrastructure and data, cloud-based or physical. The panel included Bill O'Connell, Vice President of Global Trust Assurance at ADP; Stephen Cobb, Senior Security Researcher at ESET North America; Matt Littleton, East Regional Director of Cybersecurity and Azure Infrastructure Services at Microsoft; and Patricia (Pat) Toth, Supervisory Computer Scientist in the Computer Security Division of the National Institute of Standards and Technology (NIST).
The panelists talked about cybersecurity issues ranging from phishing, ransomware, and how to handle a breach to how small businesses should approach multifactor authentication (MFA), employee security training and policies, what to look for in a managed service provider (MSP) contract, and when to call in an IT security consultant.
It's not just about employee and customer credit card and banking info, according to Kramer, but the intellectual property data businesses harbor everywhere, from email to cloud storage, and the attack surfaces that could make a small business the weak link and an easy target in the supply chain. According to the SBA, Kramer said, almost half of all small businesses have been victimized to some degree by cybercrime, and the average cost of an attack is approximately $21,000.
"Anyone who's starting a small business is working as hard as they can, with no extra time or money to deal with a cybersecurity challenge that might cost more than expected and mean life or death for a small business," remarked SBA's Kramer as the panel began. "The threat of cyber intrusion and theft is very real. Small businesses measure assets and inventory in different ways, but they sit on a treasure trove of information."
1. Cloud Security: Do's and Don'ts
For cost and convenience reasons, all SMBs need to consider making a transition to the cloud, but the transition needs to happen carefully. The panelists discussed some of the most important considerations and hurdles.
- Do: Incremental Cloud Backup. "The cloud has a lot of benefits and risks, but one thing SMBs should all be doing is backup," said ESET's Cobb. "Current backup of all files is the best protection against ransomware and a critical part of your cybersecurity posture and defense. You should still back up to a hard drive and store a copy somewhere safe in a separate location, but the cloud lets you back up constantly."
- Do: Pay for Premium Cloud Security. "Small business owners are price-conscious, but other factors need to get the right amount of weight," said ADP's O'Connell. "Some things should cost more money for a higher level of service, and security is one of those things. Don't just make a decision based on price."
- Don't: Just Sign the MSP Contract. "Check that contract," said ESET's Cobb. "You can outsource storage or backup, but you can't outsource responsibility. If the SMB owner says the IT provider has all the customer and employee data—your data—you're still responsible."
  "When it comes to not just the contract but the data, do your research to see if there are any security issues," added ADP's O'Connell. "For an SMB, the contract is a good part of that line of defense. Check out the SLAs [service level agreements] and access tier data policies. How long do MSPs retain the data? What do they do with it?"
- Don't: Leave Unused MSP Infrastructure Features. "If you step into a cloud environment, you can shift some of that responsibility. We're no longer in a platform arena where you have to be worried about not having the staff to respond to an issue or patch a server," said Microsoft's Littleton. "That's where the service provider can step in and handle that on your behalf. You need to understand what you're getting into from a contract standpoint and what services the cloud provider is offering."
2. Multifactor Authentication: Just Do It
"From both a personal and a business perspective, MFA is something you can do immediately. Businesses have no excuse not to do this right away," said Microsoft's Littleton. "It's simple with the entire Microsoft product stack; same goes for Google, Yahoo, you name the email provider. Look at your security settings and require every employee to enter their cell phone number as a second factor. Then, even if I'm an attacker and I steal your password, I can't use it unless I steal your cell phone and know the PIN."
3. When to Call in an IT Security Consultant
"There are going to be things you can't do alone as a small business owner," said ADP's O'Connell. "For very important contracts, you get outside legal advice. For annual and quarterly financials, you have an accountant. Same goes for security expertise. When you need to test a site to make sure it's web-safe, or conduct a risk assessment, it's money well spent if you don't have the expertise to do it yourself. You're not doing the electric or the plumbing in the building yourself; it's about knowing when you need help."
4. Security is Part of Everyone's Job
"You can't just rely on one person in a 10-person company; everyone needs to have a good understanding of cybersecurity and what the risks are for the organization," said NIST's Toth. "If they don't, their job could be in jeopardy if there's a breach and the business can't recover."
"Make security a part of each person's job," added ADP's O'Connell. "The person who runs financials—what do they need to do every day? On the physical side, who's the one locking the door at night? Everyone needs to know the components and how their role fits into the business's overall security."
5. Don't Be the Weak Supply Chain Link
As SBA's Kramer explained, there's no division anymore between SMBs and enterprises. Small businesses either want to grow and scale, or they're plugging into an enterprise supply chain for software and services. The problem is, the SMB's security policies may not be up to par with those of the supply chain company with whom they're looking to partner. "When an SMB is getting their first big contract with a large company and they ask to see your security policies and awareness program, you shouldn't be scrambling to check everything off the checklist," said ESET's Cobb. "Supply chain risk up and down is a great concern. If an SMB is interacting digitally with a supplier, check them out. You need to have security policies and training in place so it doesn't become an obstacle."
"No business is too small to be targeted in the cyber arena, particularly from supply chain management," said Microsoft's Littleton. "Many breaches don't start at the top; they start somewhere in the supply chain and attackers work their way up to the ultimate target."
NIST's Toth said in the next two years, you'll see government agencies begin to publish rules for accessing supply chain systems. In the meantime, she said SMBs need to have a plan in place.
"Planning is invaluable to know what's really important; that one thing you need to protect, and how your business would operate if it wasn't accessible," said NIST's Toth. "SMBs need to have plans, policies, and procedures in place. Not a big governmental approach; it can be as simple as policies in your employee handbook saying what they can and can't do on the internet, how to spot a phishing attack, and when to open and not open links and attachments."
6. Treat Email like a Postcard, Not an Envelope
"The first thing to do as a small business with email is think about what's in it. If I'm going in to hack someone's company info, their email often has all the good stuff," said ESET's Cobb. "People often aren't thinking about what they're leaving in there. Look at the Sony hack; people were saying things over email they shouldn't have been. Email is a postcard, not a sealed envelope. Keep that in mind."
"It's also becoming more about the ability to control the data," said Microsoft's Littleton. "It may be worth the money to use an encrypted email service with inbound filtering that reduces your attack surface. If you left your credit card number in an email, the service would ask whether you really want to send that, and then automatically encrypt not only the number but the entire email. As the industry advances, these services are becoming more reasonable and commonplace."
7. Always Report Incidents
SBA's Kramer explained that, when a small business is breached or hit with a phishing scam or ransomware request, they need to know who to call. ESET's Cobb said if small businesses don't report this to police for fear of law enforcement not possessing the resources to investigate, the cycle will perpetuate.
"We have an unfortunate cycle where law enforcement gets funding based on crimes reported, but people aren't reporting crimes because they don't think the police have the resources," said ESET's Cobb. "If no one reports, the police will never have the evidence to equip themselves with the resources to address these cybercrime issues."
"Most municipalities have cybercrime units and will respond," added NIST's Toth.
8. Have an Incident Response Plan in Place
"You don't try to put your seatbelt on in the middle of an accident," said Microsoft's Littleton. "You need a plan laid out of how you will respond before a breach happens."
"You're not in this completely alone either," said ESET's Cobb. "Security services you buy off the shelf come with increased protection in the cloud or in accessing the supply chain. They may be providing detection and prevention services at a base level. When putting together your plan, make sure you're not leaving security services on the table offered by your MSP or security service."
9. Don't Leave Loose Ends
"One problem area we see—if and when an employee leaves or is fired—their system access isn't immediately terminated," said ESET's Cobb. "Small businesses work with people they trust, and a lot of people who come and go. Sometimes they don't go under the happiest circumstances. If a former employee with a grudge still has access or even still has their multifactor authentication enabled, that's a big insider security problem that's painfully easy to address."
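The "loose ends" Cobb describes are easy to catch with a routine check that compares the HR roster against the account directory. The script below is an added example, not code from the panel, the SBA, or any vendor mentioned on this page. The HR records, the account export, and the field names (`termination_date`, `enabled`, `mfa_devices`, `last_login`) are constructed for illustration; a real run would read the same fields from an HR export and a directory or identity-provider export. It flags departed employees whose accounts are still enabled, who still have a second-factor device registered, or who logged in after their termination date, and it also flags orphan accounts that have no HR record at all.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class HrRecord:
    user: str
    termination_date: Optional[date]  # None means still employed


@dataclass
class Account:
    user: str
    enabled: bool
    mfa_devices: int  # number of registered second-factor devices
    last_login: Optional[date]


def audit_leavers(hr: List[HrRecord], accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return sorted (user, issue) findings for offboarding gaps.

    A person counts as departed once their termination date is on or before
    `today`. Every account is checked against the roster: departed users
    must be disabled with no MFA devices and no post-termination logins,
    and accounts that match no HR record at all are reported as orphans.
    """
    departed = {
        r.user: r.termination_date
        for r in hr
        if r.termination_date is not None and r.termination_date <= today
    }
    employed = {r.user for r in hr if r.user not in departed}

    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if acct.user in departed:
            left_on = departed[acct.user]
            if acct.enabled:
                findings.append((acct.user, "account still enabled after termination"))
            if acct.mfa_devices > 0:
                findings.append((acct.user, "MFA device still registered after termination"))
            if acct.last_login is not None and acct.last_login > left_on:
                findings.append((acct.user, "login recorded after termination date"))
        elif acct.user not in employed:
            findings.append((acct.user, "orphan account with no HR record"))
    return sorted(findings)


# Constructed sample data (hypothetical users and dates, not from the page).
HR_ROSTER = [
    HrRecord("alice", None),
    HrRecord("bob", date(2016, 4, 15)),
    HrRecord("carol", date(2016, 4, 30)),
]
ACCOUNTS = [
    Account("alice", enabled=True, mfa_devices=1, last_login=date(2016, 5, 1)),
    Account("bob", enabled=True, mfa_devices=1, last_login=date(2016, 4, 20)),
    Account("carol", enabled=False, mfa_devices=1, last_login=date(2016, 4, 10)),
    Account("dave", enabled=True, mfa_devices=0, last_login=None),
]
TODAY = date(2016, 5, 2)


if __name__ == "__main__":
    for user, issue in audit_leavers(HR_ROSTER, ACCOUNTS, TODAY):
        print(f"{user}: {issue}")
```

In the constructed data, bob was let go but is still enabled, still has a phone registered for MFA, and logged in five days after leaving; carol was correctly disabled but her MFA device was never removed; dave has an account with no HR record behind it. Running this on a schedule, and on the day someone leaves, turns Cobb's "painfully easy to address" problem into a short list to act on.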
10. Government Resources and Training
The government is taking major steps to address cybersecurity. The White House released a cybersecurity framework earlier this year, and President Obama's 2017 budget proposal seeks a 35 percent increase in funding (to $19 billion) to deal with cybersecurity attacks. SBA's Kramer and NIST's Toth pointed to free government resources such as the SBA's entire page of cybersecurity resources for SMBs, including cybersecurity tips and tools and a collection of courses, trainings, and webinars. Some of the most useful resources are:
- SBA's Top 10 Cybersecurity Tips
- SBA Online Course: Cyber Security for Small Businesses
- Cyber Resilience Review (CRR) Assessment Tool
- The Small Biz Cyber Planner
- SBA, NIST, and the FBI's joint Small Business Workshops
- The SBA's YouTube channel
- NIST's Computer Security Resource Center
- COMPTIA's certifications and education programs to learn MSP security protocols