Cyberattacks are on the rise with more sophisticated attack methods and social engineering being employed against just about any entity with an Internet presence. According to a recent study cited by the U.S. House Small Business Subcommittee on Health and Technology, companies that were 250 persons or less were the target of 20% of all cyberattacks. A more sobering claim of the study is the roughly 60% of small businesses that close within 6 months following a cyberattack.
While cyberattacks are often in the news, many small-to-medium businesses (SMBs) just don't see themselves as a target. The fact is, if you are in business and have an online presence, you're already a target of attacks. Here are 3 common mistakes and how to avoid them businesses make in regards to their security programs, which when addressed can go a long way in securing a business' network.
1 Scanning only once a year
Some businesses make the mistake of scanning their network once a year, usually to meet annual compliance risk assessment requirements. In many cases, SMBs hand the responsibility for network security to an outsourced solutions provider who performs the scan, hands over a large assessment report for remediation and disappears until next year. The fact is the frequency of vulnerability scans and follow-up remediation is just as important as the scan itself.
SMBs should scan their networks more regularly throughout the year. Besides finding vulnerabilities faster thus reducing risk to the business, it would save money and time by reducing the amount of vulnerabilities an auditor would find and overall audit costs.
2 Scanning only critical network IPs
Cybercriminals are becoming more savvy in their attacks on businesses and are trained criminals looking for any vulnerability to exploit. That very vulnerability may be the weak link in an otherwise secure network that allows entry by hackers to pivot to other machines once inside. Scanning all IPs in your network, regularly throughout the year, will help to identify where the weakest links exist.
3 Not creating and enforcing a clear security policy
It isn't enough to merely scan and correct network vulnerabilities. To have comprehensive security a business must make a concerted effort to develop and enforce a security policy. This involves setting policies on hardware, including BYOD, as well as the use of cloud services like Dropbox, and the education of employees of this policy. The latter is very important because most security breaches occur due to employee action, such as opening a phishing email and other social engineering actions. With a rise of BYOD in the workplace, the need to secure these devices before they connect to the network becomes a necessity.
It doesn't have to be a complicated security policy. The most important aspect is that fits the needs of the business and is able to change over time as is needed. The policy needs to be communicated to employees clearly and regularly throughout the year. For businesses, it's critical that security solution providers work closely with businesses to get their feedback and understand their needs, and talk with them in terms that businesses will understand.