5 steps to lower your risk of data breaches

One less-obvious legacy of the pandemic is the legion of new fraudsters it trained. Having extracted more than $163 billion in fraudulent payments for in pandemic-era benefits, they’ve moved onto the private sector – and small businesses are a chief target. No business is too small.

Cybercriminals are targeting small businesses with tech-enabled cyberattacks, and their motives are often financial. They’re looking to compromise valuable personally identifiable information to commit identity or business identity theft – or to access a business’s financial accounts directly.

Cybercriminals are equipping themselves with technology to make their jobs easier – but an equal or greater threat are employees and vendors that unintentionally present gateways to intrusion.

Cybercriminals look for weaknesses

As technology advances, so do cyberattack methods, where cybercriminals delight in taking advantage of new tools at their disposal. Even the tools specifically designed to improve security are being abused.

External vulnerability scanners look through a small businesses’ applications, endpoints, and infrastructure to identify ports that can be accessed via the internet. Cobalt Strike, a powerful tool created for security professionals to assess vulnerabilities and conduct penetration testing, is one of the most popular tools used by hackers and ransomware gangs. While Cobalt Strike is a premium product that criminals have gone to great lengths to get their hands on, there are open source and free external vulnerability scanners that can make a hackers’ job even easier, providing a form of intelligence for places small businesses may be weak.

These kinds of attacks sound scary and difficult to defend against, but a small business can remain aware of the threats and effectively concentrate on the most-needed areas. Though sophisticated Cobalt Strike and similar attacks capture headlines, it’s often the “human attack surface” that poses the greatest threats. The majority of data breaches (85%) can be traced back to the compromise of company and vendor employees, in which their already-compromised identities provide easy access points.

5 Steps to Lower Data Breach Risks

The reality is that given enough time and resources, a dedicated thief can get around most security shields. But what they’re really looking for is low-hanging fruit, hoping to exploit common mistakes many small businesses make.

You can make your organization far less inviting by adopting five practical best practices.

1. Implement security patches ASAP. Cybercriminals are constantly looking to exploit the software vulnerabilities in applications and operating systems, which is why it’s vital to apply security patches when they become available. Some of the most viral cyberattacks were spread because an available patch had not been applied. Most small businesses don’t have a formal patch management process in place.

Five years ago, the WannaCry ransomware attack began crippling systems around the globe, spreading through a weakness in computers running Microsoft Windows systems. Organizations are still falling victim to the attack today.

Hackers used a “back door” to gain access to users’ files and encrypt them, demanding ransom payments. It is estimated to have caused $4 billion in losses worldwide. Perhaps what’s most painful is that a patch for the vulnerability was made available by Microsoft months before the attack, and many failed to implement it.

2. Make stolen credentials harder to misuse. Access to business systems is a pivotal step in a criminal’s efforts to gain access to company, employee, and customer data. They often achieve this using stolen credentials.

To make it harder for criminals to succeed, implement best practices at your business such as strong, unique passwords that are never reused and enable multi-factor authentication. Consider using a virtual private network to hide your online data.

3. Make employees your first and last line of defense. Employees have a critical role to play when it comes to protecting valuable business data and personal information. Education is critical for raising awareness of best practices and learning how to spot trouble. With more employees working from home, cyber training can help them become vigilant about protecting their own information, as well as company and customer data. Specifically practicing what to do in potential scenarios will prepare them to respond appropriately if the real thing happens.
4. Spot warning signs. The sooner a security or fraud event can be detected, the lesser the potential impact on your business. Don’t wait until there’s a serious problem on your hands.

An organization can proactively monitor the dark web to see if any employee data has been exposed. You can then determine whether that information can be used to access your systems and take appropriate mitigation steps.

5. If a cyber incident happens, get help from a trusted partner. In a best-case scenario, fraud and security issues will cause significant business interruption. But the worst-case scenarios are far more alarming, with ample stories of serious financial and reputation damage — some even resulting in permanent business closure.

It helps to have a trusted provider that can quickly guide you to limit the potential impact. Ransom demands, malware or data theft are often uncharted territory for small businesses, and with today’s high stakes, knowing which steps to take can significantly reduce stress and disruption.

Amid inflation, labor shortages, ongoing supply chain issues and an uncertain economy, few small businesses place cybersecurity at the top of their concerns. But unlike these other concerns, there are many constructive things businesses can do to evade the crosshairs of cybercriminals. Simple, concrete actions can be some of the most meaningful.

Al Pascual is the senior vice president of enterprise solutions for intelligent identity firm Sontiq, a TransUnion company. Learn more at www.sontiq.com.

Join our LinkedIn group, ALM’s Small Business Adviser, a space where small business owners can gather to network, have discussions and keep up with the trends and issues affecting their industries.

Related:

The new era of digital risks for small businesses

Small businesses are misjudging cyber risks & coverage options

Cyberthreats remain the top business concern, Travelers reports