SMB low hanging fruit
By Eric Stump VP S3 Industry Corp
Small and medium-sized businesses are easy prey for attackers. In the past, large corporations were the focus of hackers backed by organized crime. Today those corporations spend millions of dollars protecting their IT infrastructure, which shifts the attackers' attention to small and medium-sized businesses. Like bank robbers, cyber criminals not only go where the money is; they also want to be sure they can get it.
Small and medium-sized businesses are an easy target. A common fallacy among them is that they are too small to be worth attacking. If an attacker can get into your systems, they can probably get money out of them one way or another. Customer and employee information such as social security numbers, dates of birth, addresses, e-mail addresses, bank account details and tax records are all profitable to cyber criminals.
Take a look at your own systems and evaluate how much personally identifiable information sits on a human resources computer, or better yet in the accounting department. Even systems that hold no valuable information do not put you in the clear: in our experience, nine times out of ten, once an attacker gains access to a system they are destructive. We have seen several cases where breached systems were completely destroyed, with unrecoverable data. We have also seen systems quietly used as a base for further cybercrime. Malware and bots can sit dormant for months waiting for the right moment to strike, and attackers can use your resources to attack other networks: launching denial-of-service attacks, running SQL injection attacks and harvesting data from your machines, slowing your network and systems to a crawl.
How can you start protecting your IT infrastructure?
Lock down your endpoints: That means securing every desktop, laptop, smart phone or tablet that accesses your network. If a device holds company data, that data needs to be encrypted at rest (full-disk encryption on laptops and phones), no exceptions.
Secure every connection: Remote access (VPN, remote desktop, web mail) is one of the most common ways attackers get into a network, so monitor every login to make sure it is legitimate: who logged in, from where, at what time, and whether it followed a run of failed attempts.
Check for compliance: If your business accepts credit cards, you need to follow the PCI DSS standard or face the consequences. Even in an unregulated industry, you may sell to a larger company whose contracts impose strict security rules you must follow. If you are a healthcare facility or doctor's office, or you process patient data on their behalf, you must be HIPAA and HITECH compliant; accountants and other firms that handle social security numbers or financial data fall under their own rules, such as state breach-notification laws, and should protect that data to the same standard. Encrypt employee information on human resources computers and servers, and encrypt stored credit card and banking information on accounting systems (PCI DSS also restricts which card data you may store at all).
Penetration testing: Hire an IT security company to perform penetration tests on your network and identify your weak spots, then fix what they find; a report you never act on buys you nothing.
System access: Limit employee access to data and information, and limit the authority to install software. Do not give any one employee access to all data systems. Employees should only be given access to the specific systems they need for their jobs, administrative accounts should be separate from the accounts used for daily work, and nobody should be able to install software without permission.
Passwords and authentication: Require employees to use a unique password for each account, and change a password immediately whenever it may have been exposed. The traditional advice to force a change every three months is now discouraged by NIST (SP 800-63B), because scheduled rotation pushes people toward predictable variations of the same password. Implement multifactor authentication, which requires something beyond the password to gain entry. Check with the vendors that handle your sensitive data, especially financial institutions, whether they offer multifactor authentication for your account, and turn it on.
Backups: Regularly back up the data on all computers and servers. Critical data includes word processing documents, spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up automatically if possible, or at least weekly, and keep copies off site or in the cloud. Keep at least one copy that cannot be written to from the network (an offline disk or an immutable cloud bucket), so ransomware that reaches your servers cannot encrypt the backups too, and test a restore periodically; a backup you have never restored is not a backup.
Secure your Wi-Fi networks: If you have a Wi-Fi network for your workplace, make sure it is encrypted with WPA2 or WPA3 and a strong passphrase, and keep any guest network separate from the company network. Hiding the network name (turning off the Service Set Identifier, or SSID, broadcast) is often recommended, but it adds little: the SSID is still visible in the traffic of connected clients, and it makes devices probe for the network wherever they go. Change the router's default administrator password and disable administration from the internet side.
Anti-virus: Install a robust business-class anti-virus product, or consider a SaaS (software as a service) offering such as AVG CloudCare that provides anti-virus, content filtering, anti-spam, anti-malware and anti-rootkit protection on a pay-as-you-go basis. Whatever you choose, keep it and the operating system patched; anti-virus is no substitute for fixing the unpatched software attackers exploit.
Train your employees: All of the above is useless if your employees are duped into opening the door for cyber crooks. Teach them to recognize phishing e-mails and phone calls, and make it easy for them to report anything suspicious.
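The "Secure every connection" item above says to check that every remote login is legitimate. The script below, added here as an example (not code from the author or from S3 Industry Corp), shows what that check looks like in practice on OpenSSH auth log lines: it flags a success that follows a burst of failures from the same address, a login from outside the office and VPN address ranges, and a login outside business hours. The log lines are constructed for the example; the trusted networks, the failure threshold and the business hours are assumptions to adjust for your own site.

```python
"""Flag suspicious remote logins in OpenSSH auth log lines.

Example code added to this article, not from the author or S3 Industry Corp.
The trusted networks, failure threshold, business hours and sample log
lines below are all assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real data), in OpenSSH's syslog format.
SAMPLE_LOG = """\
Mar 12 08:02:11 fileserver sshd[2011]: Accepted password for alice from 10.0.5.23 port 51022 ssh2
Mar 12 08:15:40 fileserver sshd[2044]: Failed password for bob from 203.0.113.77 port 40011 ssh2
Mar 12 08:15:42 fileserver sshd[2045]: Failed password for bob from 203.0.113.77 port 40012 ssh2
Mar 12 08:15:44 fileserver sshd[2046]: Failed password for bob from 203.0.113.77 port 40013 ssh2
Mar 12 08:15:45 fileserver sshd[2047]: Failed password for bob from 203.0.113.77 port 40014 ssh2
Mar 12 08:15:47 fileserver sshd[2048]: Failed password for bob from 203.0.113.77 port 40015 ssh2
Mar 12 08:15:49 fileserver sshd[2049]: Accepted password for bob from 203.0.113.77 port 40016 ssh2
Mar 12 23:41:03 fileserver sshd[2090]: Accepted publickey for carol from 10.0.5.40 port 52210 ssh2
Mar 12 23:58:30 fileserver sshd[2101]: Failed password for invalid user admin from 198.51.100.9 port 3301 ssh2
"""

# Assumed: the office LAN and the VPN pool are the only expected login sources.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24"),
                    ipaddress.ip_network("10.8.0.0/16")]
FAILURE_BURST = 5      # failures from one address before a success counts as brute force
OFF_HOURS = (22, 6)    # assumed business hours end at 22:00 and start at 06:00

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Return a dict for an sshd login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; only the hour is used here
    ev["hour"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").hour
    ev["ip"] = ipaddress.ip_address(ev["ip"])
    return ev


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def is_off_hours(hour):
    start, end = OFF_HOURS
    return hour >= start or hour < end


def analyze(log_text):
    """Return (reason, user, ip) alerts; a success can raise more than one."""
    alerts = []
    failures = defaultdict(int)   # address -> failures since its last success
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            continue
        # A success: decide whether it deserves a human look.
        if failures[ip] >= FAILURE_BURST:
            alerts.append(("success after %d failures" % failures[ip], ev["user"], str(ip)))
        if not is_trusted(ip):
            alerts.append(("login from untrusted network", ev["user"], str(ip)))
        if is_off_hours(ev["hour"]):
            alerts.append(("off-hours login", ev["user"], str(ip)))
        failures[ip] = 0
    return alerts


if __name__ == "__main__":
    for reason, user, ip in analyze(SAMPLE_LOG):
        print(f"ALERT: {reason}: user={user} ip={ip}")
```

On the sample data the script raises three alerts: bob's success from 203.0.113.77 after five failures (and from an untrusted network), and carol's late-night login from the office range. Failed attempts against non-existent users, like the "invalid user admin" line, are counted but only become an alert if a success follows them. In production you would feed it the real log, route the alerts to whoever reviews logins, and extend the same idea to VPN and remote desktop logs.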