Small Business Cybersecurity
Posted on 06.27.16
By Chris Moschella, CPA CISA, Risk Advisory Services Manager
Hard Times Cafe, a Washington Metro area restaurant chain with 11 locations, was forced to shut down its Rockville restaurant for nearly two weeks after a ransomware cyber attack crippled its computer systems. Hard Times had the choice to either pay a $10,000 ransom to recover its data, or rebuild its systems from the ground up.
Despite having an unrivaled Chilimac, Hard Times is not incredibly unique. Large companies obviously make great targets for cyber attacks because they frequently have huge caches of data that can be sold to identity thieves and other criminals. But Hard Times is perfect, if unfortunate, evidence that no business, regardless of size, is immune to these threats. Worse yet, the pain for small businesses that suffer cyber attacks is frequently more acute than that felt by large companies. Over 30 people went without pay while Hard Times' doors were shut as the company worked to recover from the attack.
Small Businesses are Underserved and Frequently Improperly Served in Cybersecurity
Cybersecurity encompasses a lot of topics and expertise, and the technical jargon intimidates many small businesses from doing much of anything to protect themselves. Other small business owners are duped into buying expensive technology and services that they simply don't need.
But, there is good news. Just as you can do a lot to secure your home without an expensive security system, there is a lot you can do to improve your cybersecurity posture without breaking the bank. And even better, taking these steps will help to inform your future cybersecurity spending decisions.
1. Good Cybersecurity Starts with Governance
It might seem counterintuitive to think that cybersecurity starts with what is essentially paperwork and ceremony, without actually doing anything concrete to protect systems. But governance is critical to an organization's cybersecurity. It demonstrates to the workforce that cybersecurity is important to leadership, which creates a more security-conscious workforce. It also provides authority to the IT and business managers to ensure that systems are hardened and staff are properly trained and educated.
Governance is the combination of the corporate tone and leadership with the policies and procedures that assign responsibilities and require compliance. A company with a more mature governance framework might also mandate internal assessments to verify controls and procedures are being executed in accordance with policies.
For example, suppose your business uses self-hosted, web-based scheduling and payment software, and the vendor issues an update to the software to address a critical security flaw. Without policies that assign responsibility to specific IT staff to patch vulnerabilities, the flaw could go unpatched, and an attacker could exploit it to gain access to your website and do all sorts of terrible things, like installing viruses on your customers' computers or stealing their information.
This begs the question: how do I get started? One of the best resources to learn about the most common cybersecurity controls that should be formalized into policy is promulgated by the Center for Internet Security, called Controls for Effective Cyber Defense.
2. Identify Your Cybersecurity Footprint
Everyone reading this article knows where all the doors and windows in their homes are. And I'm sure that most of you keep your windows locked and check to make sure your doors are locked before you go to bed at night. And some of you may have security systems with automatic intrusion detection and emergency services built in.
When it comes to cybersecurity, the fundamental process is no different. First identify all the different “cyber doors and windows”, and then lock them. But identifying your cyber doors and windows can itself be intimidating. So what are some common examples of these access points, and how can you secure them?
- IT Inventory: Maintain an inventory of the hardware and software on your network. Applications installed on your computers should be kept up to date, especially when those applications are connected to the Internet and used to open files from it, such as Microsoft Office and Adobe Acrobat Reader. Hardware on your network, for example printers, should also be kept up to date. This is surprising to many, but most of the hardware in your office has updatable software called firmware. When patches are issued, they should be applied, since they usually contain important bug fixes and security updates. As you perform your inventory, it is also critical to identify hardware and software that ships with default login credentials and configurations. Those login credentials should be changed, and if the product is insecure by default to ease installation, it is a good idea to change the configuration to a secure mode.
- Company Internet Connection: Your Internet connection connects your company network to the rest of cyberspace. But your company has private data that you don't want others to see. So, it is important to have, at a minimum, a barrier to protect that data. A properly configured and updated firewall to insulate your network from the outside world is the first step. If you have a wireless network, the traffic should be encrypted using the latest encryption capability offered by your router.
- E-Mail: Arguably, the most porous part of any company network is E-Mail, for a couple of reasons. First, attackers are constantly finding new ways to defeat virus scanners and spam filters. For example, the anti-virus industry has lagged behind the ransomware attacks and is still struggling to catch up. Second, many attacks rely on social engineering, that is, using the helpful nature of a company employee to accidentally release information or perform an action that gives a hacker access to your systems. Regular education of staff about email threats, and implementing spam filters and virus protection, are the minimum most companies should do to mitigate E-Mail-borne threats.
There are plenty of other cyber doors into your business, e.g. employee mobile devices, internet-of-things devices, and others. But before you can lock these doors, you need to know that they exist.
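The inventory step above is easy to describe and easy to let slide. The following script is an added illustration, not code from the article or from Keiter: it reads a small asset inventory (constructed sample rows, with column names of this example's own choosing) and flags the three problems the section calls out: default credentials still in use, an update the vendor has released but you have not applied, and an asset that has gone too long without any patch at all.

```python
"""Added example (not from the original article): review a small IT inventory
and flag assets that still use default credentials, lag behind the vendor's
current version, or have not been patched within an acceptable window."""
import csv
import io
from datetime import date

# Constructed sample inventory. The column names are this example's own
# convention; a real inventory would be exported from whatever you track it in.
SAMPLE_INVENTORY = """\
asset,type,installed_version,vendor_current_version,default_credentials_changed,last_patched
front-desk-pc,workstation,2016.05,2016.06,yes,2016-05-20
lobby-printer,printer,1.03,1.10,no,2015-11-01
office-router,network,3.2.1,3.2.1,no,2016-06-15
scheduling-app,software,7.1,7.1,yes,2016-06-10
"""

# Assumed policy value: anything unpatched for longer than this is flagged.
MAX_PATCH_AGE_DAYS = 60


def version_tuple(text):
    """Split a dotted version into integers so that 1.10 sorts after 1.3."""
    return tuple(int(part) for part in text.strip().split("."))


def review_inventory(csv_text, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return a list of (asset, finding) pairs for everything needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["asset"]
        # 1. Default credentials: the vendor's factory login must be changed.
        if row["default_credentials_changed"].strip().lower() != "yes":
            findings.append((name, "default credentials still in use"))
        # 2. Known update available: installed version is behind the vendor's.
        installed = version_tuple(row["installed_version"])
        current = version_tuple(row["vendor_current_version"])
        if installed < current:
            findings.append((name, "update available: %s -> %s"
                             % (row["installed_version"], row["vendor_current_version"])))
        # 3. Stale: no patch applied within the policy window.
        age_days = (today - date.fromisoformat(row["last_patched"])).days
        if age_days > max_age_days:
            findings.append((name, "not patched for %d days" % age_days))
    return findings


def assets_needing_attention(csv_text, today):
    """Sorted, de-duplicated asset names that have at least one finding."""
    return sorted({asset for asset, _ in review_inventory(csv_text, today)})


if __name__ == "__main__":
    review_date = date(2016, 6, 27)   # the article's publication date, used as "today"
    for asset, finding in review_inventory(SAMPLE_INVENTORY, review_date):
        print("%-16s %s" % (asset, finding))
```

Run against the sample rows with 27 June 2016 as the review date, the printer shows up three times (default login, firmware 1.03 behind 1.10, and 239 days since its last patch), the router once for its unchanged default login, and the front-desk PC once for the pending update; the scheduling application is clean. The point is the checklist, not the CSV: whatever you track inventory in, these three questions should be answerable for every row.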
3. Keep Extra-Important Data Extra Secure
Not all data is created equal. The cat pictures your coworkers email around are not nearly as important as your customer data, accounting records, and intellectual property. Critical data should receive commensurate protection. Just as with the cybersecurity footprint, step one is to inventory your critical data and determine where it is located. Step two is to protect it. The type of protection is going to depend on the type of data and where it is located. For example, if you use a web-based customer relationship management application to manage your customer data, your provider may provide most of the protections you need. But if you are self-hosting, then you will want to ensure the database is backed up. Personal information, such as social security numbers, might be saved in an encrypted file, so that even if the data were stolen, it would be useless to the thief, and you would have a much better story to tell your customers. If you store credit card data or health data, then there are specific requirements that you must follow, namely PCI and HIPAA, respectively.
4. Backup Backup Backup
Suppose that the worst case happens: you've been hacked, ransomware propagates across your network, or an ill-willed insider destroys critical records. You need to be able to recover, and quickly. After all, your customers are waiting, and you are in the business of providing your product or service, not spending days or weeks rebuilding your systems.
With a robust backup system in place, recovery from these attacks can be a relatively painless procedure. A good practice is to start creating backups of your most critical data and systems first, and periodically practice restoring those systems to make sure you are able to restore them when the day arrives that you need to. Backups should be segregated from your network. If your backup is compromised during a security event, it isn't going to do you much good.
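The advice to "periodically practice restoring" is the part most often skipped, so here is what a minimal restore drill looks like in code. This is an added example, not code from the article or from Keiter: it archives a directory, records a checksum of the archive, and then proves the backup is usable by restoring it into a scratch directory and comparing every file with the source. The sample files are constructed for the demonstration, and the final step deliberately damages the archive to show that the drill catches a backup that would have failed you on the day you needed it.

```python
"""Added example (not from the original article): create a backup archive,
then verify it by restoring to a scratch directory and comparing file by file."""
import filecmp
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Checksum of a file, read in chunks so large archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, backup_path):
    """Write a gzipped tar of source_dir and return the archive's SHA-256.

    Keep the digest somewhere other than next to the archive (a printed log,
    a separate store): it lets the restore drill detect a damaged copy."""
    with tarfile.open(backup_path, "w:gz") as archive:
        archive.add(source_dir, arcname="data")
    return sha256_of(backup_path)


def relative_files(root):
    """Set of file paths under root, relative to root."""
    root = Path(root)
    return {p.relative_to(root) for p in root.rglob("*") if p.is_file()}


def dirs_identical(a, b):
    """True when both trees hold the same files with byte-identical contents."""
    files_a, files_b = relative_files(a), relative_files(b)
    if files_a != files_b:
        return False
    return all(filecmp.cmp(Path(a) / rel, Path(b) / rel, shallow=False) for rel in files_a)


def verify_restore(backup_path, expected_digest, source_dir):
    """The restore drill: check the archive's checksum, restore it into a
    fresh scratch directory, and compare the result with the live data."""
    if sha256_of(backup_path) != expected_digest:
        return False
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(backup_path, "r:gz") as archive:
            try:
                archive.extractall(scratch, filter="data")  # refuses unsafe member paths
            except TypeError:
                archive.extractall(scratch)                 # older Python without filter=
        return dirs_identical(source_dir, os.path.join(scratch, "data"))


def run_demo():
    """Constructed data: back it up, drill the restore, then damage the archive
    and drill again. Returns (result_with_good_backup, result_with_damaged_backup)."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "critical"
        (source / "accounting").mkdir(parents=True)
        (source / "accounting" / "ledger.csv").write_text("2016-06-01,rent,2500\n")
        (source / "customers.txt").write_text("Alice\nBob\n")

        backup = Path(work) / "critical-backup.tar.gz"
        digest = make_backup(source, backup)
        good = verify_restore(backup, digest, source)

        # Simulate a damaged or tampered archive by overwriting its tail bytes.
        with open(backup, "r+b") as handle:
            handle.seek(-4, os.SEEK_END)
            handle.write(b"\0\0\0\0")
        damaged = verify_restore(backup, digest, source)
        return good, damaged


if __name__ == "__main__":
    good, damaged = run_demo()
    print("restore drill with intact backup:", "PASS" if good else "FAIL")
    print("restore drill with damaged backup:", "PASS" if damaged else "FAIL")
```

The drill restores into a scratch directory rather than over the live data, so it is safe to run on a schedule. Running it against a copy of the archive that lives off your network (a detached drive, a separate account with a cloud provider) is what turns "we have backups" into "we have backups that we know work".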
Two friends are out hiking, and a grizzly bear crosses their path. They freeze in their tracks and stare at the bear, and the bear stares right back at them. One says to the other, "Don't run, it's impossible for a human to outrun a bear." The other begins to run and says, "I don't need to outrun the bear, I just need to outrun you!"
Cybersecurity is an incredible challenge for small businesses. And it's true that you'll never have perfectly secure systems. Someone with enough talent and time will likely find a way into your systems. However, by starting to take the steps in this article, you'll have a much better chance of making yourself an unattractive target for an attacker, and of sending would-be attackers searching for easier prey.
Need assistance with cybersecurity for your small business? Contact your Keiter representative or 804.747.0000 | Email