The recent massive Equifax data breach exposed the personal information of 143 million Americans, 100,000 Canadians and 400,000 Britons. It gives criminals access to highly sensitive data: names, Social Security numbers, birth dates, addresses and, for some people, driver's license numbers. The information Equifax was supposed to protect is the most important and comprehensive financial data that exists about a person. Sadly, the breach could have been prevented had the company made cybersecurity a priority. Worse, when a breach of this size hits a large company that collects so much valuable data, the company is rarely allowed to fail and the fines are small.
What would happen to a smaller company that suffered a breach affecting most of its customers? The likely result is closure, or at the very least a serious hit to reputation and revenue, because most customers have somewhere else to take their business.
According to a report from VIPRE, “66% of SMBs would either go out of business completely or be forced to shut down for at least a day. Small businesses spend $690,000 to mitigate the damage after an attack, while mid-market companies are paying more than $1 million.”
There are six proactive steps small and medium-sized businesses can take to prevent a breach like Equifax's.
1. Perform regular updates
All software needs updates to fix bugs, improve stability and performance, and close security holes. One of the central failures in the Equifax breach was that security staff ignored an email telling them to patch the Apache Struts vulnerability (CVE-2017-5638) when the fix was released in March 2017. Attackers breached the system on March 9, 2017, and Equifax did not apply the patch until July 29, after the breach was discovered. The breach would very likely not have occurred had the patch been applied when it first arrived. Two lessons follow for any business: keep an inventory of the software and libraries you actually run, so you can tell whether a published advisory applies to you, and treat a fix for an internet-facing flaw that is being actively exploited as a matter of days, not months.
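Knowing whether you are exposed starts with knowing what you run. The script below is an added example (not code from the original article or from Equifax) showing the kind of inventory check that would have flagged the Struts problem: it walks a deployment directory, extracts the version from every struts2-core jar it finds, and compares it against the affected range published in Struts advisory S2-045 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The paths in SAMPLE_PATHS are constructed for the demo and are not from any real system.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Affected and fixed releases for the Struts flaw Equifax failed to patch
# (CVE-2017-5638, Struts advisory S2-045), keyed by release line.
STRUTS_FIRST_AFFECTED = {(2, 3): (2, 3, 5), (2, 5): (2, 5)}
STRUTS_FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise, so 2.5.10 < 2.5.10.1 < 2.5.13."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if this struts2-core version falls inside the S2-045 affected range."""
    line = version[:2]
    if line not in STRUTS_FIXED:
        return False  # not a release line covered by S2-045
    return STRUTS_FIRST_AFFECTED[line] <= version < STRUTS_FIXED[line]


def check_jars(paths: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (path, version, vulnerable) for every struts2-core jar among the given paths."""
    findings = []
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            findings.append((path, match.group(1), is_vulnerable(parse_version(match.group(1)))))
    return findings


def check_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a deployment directory (for example a Tomcat webapps folder) and check every Struts jar found."""
    return check_jars(str(p) for p in Path(root).rglob("struts2-core-*.jar"))


# Constructed sample inventory for the demo; these are not paths from any real system.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",    # affected
    "/opt/tomcat/webapps/reports/WEB-INF/lib/struts2-core-2.5.10.jar",   # affected
    "/opt/tomcat/webapps/intake/WEB-INF/lib/struts2-core-2.5.10.1.jar",  # fixed
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.32.jar",    # fixed
    "/opt/tomcat/webapps/portal/WEB-INF/lib/commons-io-2.5.jar",         # not Struts, ignored
]

if __name__ == "__main__":
    for path, version, vulnerable in check_jars(SAMPLE_PATHS):
        print(("VULNERABLE " if vulnerable else "ok         ") + version.ljust(10) + path)
```

On a real host you would call check_tree("/opt/tomcat/webapps") instead of the constructed list. The version comparison is done on integer tuples rather than strings on purpose: a string comparison would wrongly rank "2.5.9" above "2.5.10". Note that a jar's filename is only a hint; applications that repackage or shade libraries need a scan of the manifest or pom inside the archive, which this example does not attempt.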
2. Make cybersecurity an organizational priority
No business is too small to be breached. In fact, criminals often target smaller firms precisely because they do little to protect themselves. Everyone in an organization, from employees to contractors to management, should follow a cybersecurity policy. Such a policy defines and documents the expected security behaviors in the organization. For the policy to work, it must be enforced and employees must hold each other accountable. There is no one-size-fits-all answer to cybersecurity and preparedness. For an organization to succeed, leadership must be involved and a security culture and mindset must be adopted from the top down.
3. Educate employees about cybersecurity and social engineering
According to one study, social engineering is the hacking method that concerns companies most. External attackers who gain insider access can often remain undetected for months and do significant damage. The most common form of social engineering is phishing email, which tricks a lower-level employee into revealing a password or into visiting a page that captures it. Educating employees about phishing and the appropriate use of company computers measurably reduces the chance of a breach.
4. Practice simple security best practices
a) Use strong, unique passwords and change them when needed: Employees need complex passwords, and a password must never be reused across applications; a password stolen from one site is the first thing attackers try against every other site. Passwords should be changed regularly, and immediately whenever a compromise is suspected. Investing in a password manager for employees, so that long unique passwords do not have to be remembered, is a good idea.
b) Use HTTPS instead of HTTP: A website address that begins with https:// adds a layer of security by encrypting the connection between the browser and the server, so that nobody on the network path can read or tamper with what is sent, and by authenticating the server the browser is talking to. This is especially important for banking and other financial transactions online, and a business's own website should serve every page over HTTPS, not just the login page. Keep in mind that HTTPS only protects the connection; a phishing site can also be served over HTTPS, so the padlock alone does not mean a site is trustworthy.
c) Enable 2FA (two-factor authentication): With this layer of security, a person types their regular password and is then prompted for a second factor, typically a time-sensitive code from an authenticator app or hardware token, when logging into an application. A stolen password alone is then not enough to get in. Training that teaches employees the value of 2FA and how to set it up helps safeguard a company.
5. Rewrite internal authentication procedures
Once sensitive personal information such as Social Security numbers, birth dates, driver's license numbers and addresses has been compromised, a business can no longer treat those facts as secrets and must update how it authenticates people internally, for example at the help desk when someone asks for a password reset. A security question such as "what was your first car" that can be answered with a public search or from breached data should not be used. Attackers will do whatever it takes to impersonate an employee. Internal IT staff and trusted external partners should rewrite these procedures so that a single leaked data set cannot be used to take over an account, which limits the damage a breach can do.
6. Find a trusted external partner
If a breach happens to a small or medium-sized business, chances are it will not be detected immediately, and once it is, the business probably will not know how to fix it. A small business that works with a trusted third-party managed services or security company can have its employees educated on how to recognize phishing, malware and other signs of compromise, and can call on that partner to resolve a breach immediately with minimal downtime and lost productivity.
In one case, the website of Hyannis Whale Watcher Cruises was hacked in March 2016, one month before the season started. When the website manager called the hosting provider, she learned that 100,000 pages of pornography had been planted on the site. Almost all of the company's revenue comes from online ticket sales. She had no trusted third-party security company and had to search frantically for one. After she found a security firm, it took several days to remove the malware from the site, and the company estimates it took six weeks for visitor traffic to return to its normal level. Given the circumstances this was a good outcome, because everyone involved worked diligently to resolve the breach; with a partner already in place, the response could have started the same day.