Protecting SMBs from Current Cybersecurity Threats
A Few Small Practices Can Have a Large Impact on Your Cybersecurity
By Mike Mosher, Director of Technology, Cinch I.T.
If you own a small or medium-sized business, you are a target of most cybersecurity attacks. It can happen to you, it does happen to your peers, and more than half of all SMBs that suffer a cybersecurity attack never recover. Attacks against SMBs rarely make the news; those stories feature the multi-million-dollar ransoms that target city governments, oil and gas pipelines, and hospitals. That doesn’t make them any less real.
As threatening as the cybersecurity landscape is for your SMB, there are a few small (and inexpensive!) practices you can implement to hopefully prevent but at least recover from a cybersecurity attack—time to get started.
Turn on MFA. Everywhere. Now.
According to Microsoft, MFA (Multi-Factor Authentication, sometimes called 2FA or Two Factor Authentication) prevents an estimated 99.9% of attacks on accounts. Human beings are terrible with passwords. We re-use them. We make them easy to remember, which also makes them easy to guess. When we change them, we add a one or a ! to the end of the password. Maybe your password is Summer2021 (that’s a “strong” password, by the way). MFA protects you from these bad habits.
MFA works a few different ways, but the basics are the same. After entering a username and password, you verify with an additional factor. This factor can be a verification code sent via text or email, a notification received through your phone, or a code in an authenticator app that rotates every 30 seconds or so. Requiring that additional factor adds just a few seconds of inconvenience but prevents a leaked password from compromising your accounts.
MFA is included with most applications and services now. If it is not already on, turn it on. We do not consider it an optional feature. You and every one of your employees need it.
Implement and Test Your Business Continuity Plan
Do you have tested data backups? Are they separate from your immediate environment? If your server closet had a flood or fire, how long would it take you to get back up and running? What if you encrypted your entire server? Can you encrypt all of your devices?
If you’ve never thought of these questions before, you probably don’t have a business continuity plan. Business continuity is all about continuing to operate your business in the event of X. Maybe your office is out of commission because of human error, or everyone needs to work from home because of a global pandemic. A good business continuity plan will cover things from fire and flood to ransomware and other cybersecurity attacks.
Your business continuity plan should identify the most critical aspects of your business and include a plan of getting them up and running again or even making sure they never stop. If you’re furiously searching for a business continuity template right now, you’ll see two acronyms: RTO (Recovery Time Objective) and RPO (Recovery Point Objective). RTO is “how long until I’m up and running again,” and RPO is “how much data can I afford to lose.”
A good business continuity plan will cover the following areas:
How frequently are they backed up? (RPO) Do you also have failover servers? (RTO)
Line of Business Applications
Are they hosted in-house or by a vendor? Can they be used remotely? How often is this data backed up?
Do you have a failover internet line? Do you have a spare or redundant switch/firewall?
If user computers needed to be wiped & reinstalled, would they still have their data? E.g., are they saving to server/cloud? Do you have spare workstations & laptops so a user can keep working while one is undergoing repairs?
If you’re hosting data with third parties, are they backing up your data, or are you responsible for backups? (Hint: two of the largest cloud providers do not back up your data)
People / Office
If people can’t go to the office, can they still work? How? Is it secure?
Provide Cybersecurity Training for Your Staff
Your employees are the single largest threat surface for your company. An email mailbox can get all the malware and bad links globally, but nothing happens until a person clicks on the link. Computers require a person to bypass warning prompts. Computers don’t initiate fraudulent wire transfers on their own, your technology doesn’t leak information over the phone, and laptops don’t lose themselves. Your computer won’t call the fake I.T. support number in the popup and give away credit card information. All of those acts are the result of poorly trained and educated staff.
As the business owner, it is up to you to ensure that you can trust your staff to handle your business’ information and information about your customers safely and securely. Cybersecurity training should be part of the employee onboarding process. Review your onboarding at least annually to ensure that users are up-to-date on current trends.
Ask for Help to Manage Your Cybersecurity
When was the last time you performed even a basic cybersecurity audit? Who handles your company’s I.T.? Is it an add-on to someone else’s duties? Many times in the SMB space, at least one technically adept person can make things work. However, there’s a huge difference between making things work and setting yourself up for success.
We recommend that business owners meet with their I.T. team every quarter to ensure that the company’s future goals align with its technology capabilities. Your I.T. team should be able to assist with compliance, security, business continuity, and even workflow improvements. Business owners often mislabel I.T. as a cost when it truly is an investment that can enable your business to succeed.
About the Author
Mike Mosher is the Director of Technology for Cinch I.T. He joined Cinch I.T., Inc. in 2015 to expand the technology roadmap for Cinch I.T.’s fastest-growing franchise. He started his career as a senior technician for an I.T. managed services company, worked his way to Cybersecurity Specialist, and eventually became the Chief Operation Officer. Mosher then went on to start another MSP that Cinch I.T. acquired in 2016. Mike has extensive expertise in managed services, business operations, and innovation.
About Cinch I.T.
Since 2004, Cinch I.T. has been providing customer-focused I.T. services for businesses of all sizes. Whether you need on-site support or a reliable cloud computing office, our computer support offers the fastest and friendliest service in the industry. Cinch is one of the nation’s fastest-growing I.T. support franchises with 10 locations and counting. To learn more about the I.T. services company, visit cinchit.com. For more information about I.T. franchise opportunities, visit cinchfranchise.com.
Click here to find your nearest local Cinch I.T. services company: