10 Essential Cyber Security Tips for Small Businesses.

By Evan Lipford

Defining an Attack.

Whether it is malware, ransomware, phishing, or any of the other plethora of techniques, a cyber attack is defined as the attempt to maliciously and illegally access a computer, electronic device, or network. Most cyber-attacks are monetarily motivated, with the end goal most often being achieved through selling the stolen data or holding systems hostage until a ransom is paid.

Although money is the most common motivator, it isn’t the only one, which leads to cyber attacks happening even more often than they otherwise would. On the economic level, we also see cyber attacks that are motivated by competition (attempts to steal intellectual property), and occasionally by disgruntled employees. In 2022, an angry employee of Lianjia, a gigantic real-estate firm in China, was convicted for taking down 4 of the company’s essential databases after becoming angry due to being ignored by management when raising security concerns. Lianjia had to foot a $30,000 data restoration bill, which doesn’t sound terribly steep until you learn about the $6 billion in capital that was lost as a result of the hack. In fact, the attack was so effective that it left Lianjia without the ability to pay tens of thousands of employees their earned salary for an extended period of time. $30,000 of lost data caused $6 billion in damages.

On the international level, the motivation for cyber attacks often crosses over into attempts to gain political leverage, and although most small to medium-sized businesses aren’t targeted this way, government contractors are always at risk. Cyber attacks can be defined in a variety of ways, which places the responsibility on the business owner to prepare. Now that we know how to define a cyber attack, let’s look at a few of the most common methodologies used by hackers when attacking businesses.

3 Common Cyber Threats for Small Businesses.

There are various ways that hackers can gain unauthorized access to a network and relevant devices, but most of these methods fall into one of the following three categories.

1. Phishing.

Phishing is by far the most common, dangerous, and elegant way that a hacker can compromise a target. The process often circumvents hefty security measures taken by the business by targeting its weakest link: employees that use company resources but may not have the best background or training in OPSEC tactics (operational security).

Phishing is achieved by the hacker disguising themselves as a trustworthy contact and providing confidence to the employee, creating an environment where the employee simply hands over their personal data, which is then used to access business devices and networks.

An example of a phishing attempt could be a hacker posing as a company’s IT department and requesting that an employee hand over their credentials so the hacker can fix a supposed issue. Regardless of the angle, every phishing attack involves some degree of social engineering, which is the cyber security industry’s fancy word for manipulation.

2. Watering Holes.

Traditionally, watering-hole attacks haven’t been the most common due to the pinpoint accuracy of information that needed to be collected for an attack to be effective. The concept of a watering-hole attack is quite simple: a hacker will find a common interest amongst a target group and set a malware-ridden trap that attracts the group due to their mutual interests.

For example, if an important group of Google employees blows off steam by doing something like online gambling, a hacker can infect the gambling website itself, which will lead to the gambling website infecting the target.

Watering hole attacks are rising in popularity due to improvements in OSINT (open source intelligence) techniques, which is the process of gathering information on a target from public sources. We are even seeing a rise in cyber criminals setting watering hole traps by building replica websites and running a Google Ad campaign so the infected website pops up first! Nefarious indeed, but watering hole attacks are here to stay.

3. Drive-by Downloads.

A drive-by download attack can be delivered in a number of ways, but at the foundational level it is an attack that focuses on injecting malicious files onto a target PC by piggybacking off of the user’s intended action. For example, the cybercriminal group Lurk launched a now infamous attack where they built a fake social media website that focused on sharing videos and dropped an xRAT trojan through a request for the user to update their “Adobe Flash Player” in order to use the website.

It is also common for drive-by download attacks to happen by attaching a malicious payload to a legitimate piece of software through bundleware, which initiates the download of malicious files that are disguised as secondary programs that claim to be “required” for the desired software to run correctly.

Although the most common cyber attacks, ranging from malware to ransomware, can fall into one of the above categories, there are also attacks that we did not mention, such as man-in-the-middle attacks, SQL injections, denial-of-service attacks, and so many more. Now that we can identify some of the common techniques used by hackers to attack businesses, let’s take a look at the top 10 ways a business can defend itself on the online battlefield that we call the internet.

The 10 Essential Cyber Security Tips for SMBs.

At Jenta Tech, we heavily recommend that every small to medium-sized business integrate each step below into their standard operating procedures. Some of these steps are so important that failing to properly integrate them automatically renders a business non-PCI-compliant, which leads to penalties ranging from $5,000 to $100,000 per month for companies that are required to stay compliant. Here are the 10 essential cyber security tips for small businesses:

1. OPSEC Employee Training.

Although every tip on this list falls under the category of being essential, the operational security of a business’s employees is without a doubt the gatekeeper to all things cyber security. A small business could personally contract the NSA and CIA to manage the security of their devices and networks, and every ounce of cutting-edge technology can simply be bypassed if an employee accidentally clicks on a malicious payload.

According to a study cited by CNBC, 47% of executives and owners of previously hacked businesses said that the data breaches happened due to employee error. These errors included falling victim to phishing attacks, losing company devices, losing private company documents in public places, and even leaving mission critical company devices opened and unlocked.

We see this as a direct result of negligent management instead of negligent employee behavior. It is hard to claim that an employee should have better OPSEC techniques if management has never trained them on OPSEC!

2. Routine Hardware, Software, and Patch Updates.

On average, a company should replace their hardware somewhere around the 5-year mark. Keeping your hardware up to date will ensure that your devices have the capability to keep up with advancements in software.

Concerning software, it is imperative to keep software updated and patched with little to no delay. Software updates commonly include patches for security vulnerabilities that have already been exposed by hackers, which is why the company moves to patch the software. The correlation between how long it takes you to update your software and how long you spend being a sitting duck is linear.

3. Passwords & Multi-Factor Authentication.

Password management is a core OPSEC requirement to ensure a safe working environment. We often hear that a password should be “strong”, but very seldom is there an explanation of password strength and, more importantly, why it matters. A password is considered “strong” based on its predictability, which is referred to as password entropy. The less predictable a password is, the lower the chance of getting hacked. It is recommended to create a new high-entropy password every 90 days.

Some businesses feel like this is overkill, but we consider it the bare minimum approach. What really drives this point home for business owners and executives is when they learn about the methodology that hackers use to crack passwords. Hackers don’t just sit and take their best guess. They write scripts that automatically try millions of password combinations at the press of a button.

It is important to note that these combinations aren’t just random: most hackers’ starting point is the rockyou.txt password list, a collection of 14,341,564 of the most commonly used passwords that have been used in 32,603,388 accounts. A Pentium 100 CPU from 1994 can try over 10,000 password combinations per second, while a supercomputer from today can try over 1,000,000,000 (1 billion) password combinations per second. It is safe to say that the average hacker isn’t using a 1994 Pentium 100 powered computer, nor a supercomputer, so that leaves an account with a password from the rockyou.txt password list safe for about the length of time it takes someone to eat lunch!
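
To make the entropy and wordlist points concrete, here is an added example (not code from Jenta Tech) of a password screening check a business could run when an employee sets a new password. The small wordlist is a constructed stand-in for rockyou.txt, the 60-bit threshold is an assumed policy value, and the two guess rates are the ones quoted above.

```python
import math
import string

# Constructed stand-in for a common-password list such as rockyou.txt;
# a real check would load the full list from disk.
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "qwerty", "password123!"}

# Guess rates quoted in the article, in guesses per second.
RATE_PENTIUM_1994 = 10_000
RATE_SUPERCOMPUTER = 1_000_000_000

MIN_BITS = 60  # assumed policy threshold, not a figure from the article


def pool_size(password):
    """Count the symbols available in each character class the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def entropy_bits(password):
    """Upper-bound estimate: length * log2(pool), valid only for random characters."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def seconds_to_exhaust(password, rate):
    """Worst-case time to try every string of this length over this pool."""
    return pool_size(password) ** len(password) / rate


def screen(password, wordlist=COMMON_PASSWORDS):
    """Reject listed passwords first: the entropy formula cannot see predictability."""
    if password.lower() in wordlist:
        return False, "on common-password list"
    if entropy_bits(password) < MIN_BITS:
        return False, "entropy estimate below threshold"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("123456", "Password123!", "Tr0ub4dor&3"):
        print(pw, round(entropy_bits(pw), 1), screen(pw))
```

Note that “Password123!” scores well on the character-count formula yet is rejected, because a password that appears on a common list is predictable no matter how many character types it mixes.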

Passwords can be cracked, and often are, so requiring your employees to use Multi-Factor Authentication for their accounts is imperative. MFA does what its name suggests: it requires an additional authentication method on top of the password, drastically increasing security. MFA often requires physical access to a secondary device to authenticate, rendering a lot of hacking techniques ineffective. A good password manager can solve all of the problems above in a streamlined and team-based manner, making it easy to manage from an administrative standpoint.

4. Deploy an AV or EDR Solution.

Viruses continue to grow at a rate that is arguably exponential in nature, and there are NO signs that this process will slow down. Every business needs to be running some sort of antivirus (AV) or endpoint detection and response (EDR) software on any device that is associated with the company network, including employee devices that are taken home.

Proper AV or EDR configuration requires professional installation and monitoring, so reach out to an MSP that you trust to take the next steps in this process.

5. Secure Your Network.

An unsecured network can result in the easy penetration and spread of malware, ransomware, and other viruses. Properly securing your network, especially if you happen to have publicly available wi-fi or on-premises servers, is essential to ensure your business can handle everyday operations without being taken down.

Having a data breach is a terrible situation to go through, but inviting consumers to use your unsecured wi-fi while a bad actor steals all of their data is something that can ruin your business’s reputation forever. A knowledgeable IT consultant, MSP, or network engineer is needed for this step, but it is not something that you want to skip out on.

6. Use Virtual Private Networks.

Due to their recent rise in popularity, VPNs are widely misunderstood, but nonetheless remain an essential part of security for businesses that require remote access for any portion of their operations.

VPNs aren’t a magic solution to hide all of your interactive activity from any bad actor with a mission to hack you, but in a business capacity they do serve as a very secure way for your employees to access your company network from anywhere in the world.

VPNs work in the business world by restricting access to your company network to a specific IP Address, and creating a strong authentication process needed to access said IP address. This means that a bad actor could have all of the credentials to every device on your network and still not be able to penetrate it because everything is hidden behind a VPN. No VPN access, no network access. Quite an elegant solution if done right!

7. Routine System Backups.

There is a saying that has been around for a while that goes something like “old ways do not open new doors.” While this is true, when it comes to cyber security, sometimes the best methods are behind old doors that we tend to forget to open ourselves! Routine system backups protect data through duplication, ensuring that in the worst-case scenario (your entire network explodes), you can get up and running again in a matter of minutes.

Although backing up your systems on a routine schedule does not do anything to prevent a hacker from accessing your network, it does everything in terms of rebuilding that network if it is taken down. A big reason why ransomware is so effective is that businesses often find themselves with only one source of their data, forcing them to pay a ransom or discontinue operations. Keeping safe offline backups is the best way to combat this.

8. Third-Party Penetration Tests and Network Audits.

Third-party penetration tests or network audits are one of the most essential aspects of maintaining a secure system. Having a cyber security company audit your network can not only provide peace of mind, but it also provides an opportunity for you to receive multiple expert opinions on your network security, preventing you from having to trust the work of a single person or company.

Penetration testing and network audits are not just for large enterprises.

9. Prevent Physical Access to Devices.

Although some motherboards allow for administrators to lock down physical ports and disable buttons on a device, a large percentage of the time this makes the device unusable for a company’s use case. The landscape of cyber security is a war that takes place over the internet with software being the battlegrounds. This means that even the best security can simply be bypassed if someone has physical access to your devices.

For example, there’s no real need to have the login credentials to a device if someone can just take it apart and take the hard drives with them. Because of this, physical access to company devices should be extremely limited. The best firewall in the world cannot do anything about someone popping in a USB drive and copying all of the sensitive data that their heart desires. We recommend professional IT consulting to help you create permissions and standard operating procedures around the rules concerning who has physical access to your company devices.

10. Get Professional Help.

There are two ways to look at this list of the top 10 essential cyber security tips for business owners.

  • Number one: You have a lot of homework to do to ensure that you can learn the ins and outs of cyber security so you can incorporate these steps into your business yourself.
  • Number two: You hire a professional and pay them to do the homework for you.

Whatever the choice, simply not doing anything cannot be an option! If you would like to learn more about cyber security best practices, email us at sales@jentatech.com

We would love to help!
