Why Is CyberSecurity So Important?
Quite the question! Indeed there is no greater every day threat to the modern business or individual to have their lives turned upside down than to have a serious cyber security breach. Even the big companies aren’t safe. Think of the banks, retailers, financial institutions, and oil companies (all of which have budgets in the tens, or hundreds of millions for technology and Cybersecurity) that have been hit. Prices and privacy are sacrificed for us when when someone else gets hacked. Oil prices skyrocket, you get a notification in your email or your phone that your passwords and username have been compromised. The effects ripple out through the modern world. Like a digital nuclear bomb, nobody on the planet is left untouched by the effects. How much more impactful is it when you are hit directly?
Some take solace in the idea (or as you will see, the fallacy) that they are too small to get hacked. This is the equivalent to thinking the bully won’t take someone’s lunch money because they’re small. A bit harsh, but allow me to illustrate.
To understand the importance of CyberSecurity for the Small Business, we first have to understand the motivation of the modern hacker. Here’s the thing with modern hackers; they don’t usually target anybody unless it’s for political reasons or to exact revenge. Most businesses do not fall into these categories. So how do SMBs get hit? Hackers do not care about your business or you. Cold but true. Fundamentally hackers are highly, highly competent thieves. The best hackers are some of the most talented people in the world. Some can be a bit lazy relative to their potential, which is all the more reason they will take down anyone who can be taken easily even if the rewards seem relatively small from our perspective.
Let me take you through a quick scenario to get you inside the head of a hacker. Put your trench coat on and place yourself in the mind of a thief in the physical world. You’re walking down the street looking for some cash but you don’t want to get caught. Two vehicles catch your eye, one is an armored car with who knows how much money inside, large enough that the rewards could be HUGE, or they could be minuscule, and you could find yourself in jail. Risky business! The other car is a 20 year old sedan in the dark with the windows rolled down and a $50 bill in the backseat. Which do you pick?
Most will pick the Sedan. Some may pick the armored car if they’re an expert thief, they have time to plan, and they want the challenge. But most will pick the sedan to stay out of jail and collect some quick cash for minimal effort and risk. Here’s the thing, most small business are the sedan, big companies are the armored car. If someone robs the armored car it makes the news, if someone takes $50 from your backseat, you may get a consoling word or two from a friend.
This is exactly the same situation the modern hacker finds themselves in. Only on the internet they send out dozens, hundreds, or thousands of automated “thieves” to case your business and decide if it’s easy enough to get some quick cash. If it’s not, they’ll likely move on (unless your business qualifies for revenge, or political retribution, which again most do not). Or they’ll jot down some notes to take you down at a later date when they need the cash or they’re bored.
So how do you protect yourself? Truth be told, the best place to start is to apply at minimum three layers of security
1st layer,
Antivirus and firewall: Put simply these will prevent most of these virtual thieves from seeing your “car” to figure out whether or not it’s easy enough to rob you
2nd layer,
Email security and anti-phishing tools: Email is still one of the most widely used forms of communication in the world, and it’s where most companies get duped. Often times email attacks involve impersonation. Think things like payroll checks being stolen by hackers pretending to be an employee, asking for direct deposits to a new bank, fake invoices from companies that look like a customer/supplier, and fake IT support teams looking for your passwords.
3rd layer,
Backups!!: Backups backups backups. Why do we need backups if we have other security functions in place? Great question. Did you ever see those old LifeLock commercials? The ones that guaranteed their identity theft protection was so good that they put the CEO’s social security number on the side of an 18 wheeler and drove it around the county? He got his identity stolen, and lost a fair chunk of change (Side tip: do not challenge hackers, they’re insanely competent, they do not need to be motivated to do harm.) The moral of the story is no matter how good your security is, mistakes (or in this case bad decisions) are made by employees, employers, sub contractors, you name it. And if it hits the fan, you want to be back up and running ASAP.
The first two are not too difficult to implement, and the cloud makes the 3rd easier all the time. They could hypothetically be implemented at a basic level by a semi-technical person. This is to say nothing of the level of complexity that those 3 layers can reach, but those are the bare minimums if you don’t want to gamble your business on a regular basis. The following layers require an expert.
4th layer,
Patching: Remember that 20 year old Sedan? It wasn’t just attractive because the windows were rolled down. The poor thing is very likely missing several modern security features. The same thing happens to your computers, servers, email, software, etc. By far one of the easiest ways for a hacker to find their way in is if you are still running infrastructure and software with known vulnerabilities. That’s child’s play to any hacker. A sharp teenager could pull it off if they wanted to. Unfortunately this process is far too labor intensive and technical for most businesses, or even a small IT team to manage.
5th layer
Application and geographic based blocking: We’re getting a bit technical here, but basically this means having the ability to block certain applications (software) that have no purpose to be running in your environment. Similar logic applies to geo-blocking. If your business only serves customers in say, the San Francisco Bay Area, why would you ever need to connect with somebody in Asia? Similarly to patching, it’s just too intensive for most SMBs to handle on their own
6th layer
Restrict Admin Permissions And Web Browsing: This one can be unpopular, but it’s absolutely essential. It’s powerful because it’s significantly more difficult to get hacked if permissions for installing software and applications is restricted to only one or two accounts. Why don’t more small businesses do it? It’s impossible for a small business to manage on its own. Can you imagine having to approve every piece of software that gets installed? Every website that is considered ”ok” to visit? This can also become a political issue in the office. You do not want to be the one who blocks YouTube and then Tammy from HR can’t watch her cat videos anymore. It’s much easier to enact a policy like this when a 3rd party is involved. “Sorry Tammy, the IT security guys locked down YouTube, here’s the email to ask them about it.” A much nicer conversation to keep the peace in the office, to be sure.
To avoid making this article longer than it is, we’ll stop there. There’s a lot more to security, and why it’s important even for small businesses. If you’re curious, go ahead and reach out. If not, I’ll catch you on the next post.