Product reviews, deals and the latest tech news

How businesses can strengthen their defences without CISOs

These days, no organisation is safe from cyberattacks, no matter how modest in size it may seem. Think hackers won’t waste their time on small and medium-sized enterprises (SME)?

The fact that even small businesses today deal with sensitive information like customer and payment data makes them prime targets for hackers. There has been a rise in the frequency of assaults against small enterprises. In the first quarter of this year compared to the same period in 2021, the number of password-stealing malware assaults on small businesses climbed by over a third.

Due to the increasing frequency of cyb

erattacks, small and medium-sized businesses must make security a top concern. Small and medium-sized businesses (SMBs) don’t put as much money into cybersecurity as they should. About half of all companies with fewer than 50 workers don’t have a dedicated security budget. While smaller businesses must rely on internal resources, larger companies may afford to hire Chief Information Security Officers (CISOs) to develop and implement defensive measures. This task falls on the IT department in a small or medium-sized business. When it comes to the safety of the entire company, they must take a far broader view.

Everyone who uses technology has a role in ensuring its safety. Businesses of all sizes need to be prepared to invest in security measures. They shouldn’t let the lack of a chief information security officer (CISO) prevent them from enacting effective measures to safeguard the organisation.

Multi-factor Authentication Should Be Enabled

Through the use of SaaS, businesses have been able to move their workloads onto the cloud. Thankfully, the safety protocols of SaaS programmes have evolved for the better. Small and medium-sized businesses should make the most of this.

Multiple-factor authentication may often be enabled (MFA). To access a service or system after enabling multi-factor authentication, users must present a minimum of two different forms of identification. One-time passwords are a typical kind of multi-factor authentication (OTP).

An OTP is a one-time code that must be entered into an app in addition to a login and password. At login, users’ registered email or mobile devices get the OTP. In the event that an attacker obtains the login credentials for a SaaS application, this approach can block their access.

Passwords should be changed often, and access should be capped

Use long, complicated passwords to keep your accounts safe. Both the use of special characters and a longer password make it more difficult to decipher. Employees should also not use their personal email accounts or passwords for professional purposes, and vice versa. Information from several data breaches in the past is now in the hands of hackers. If a user with compromised credentials continues to use them, then hackers will have easy access to any other systems or applications that the person uses those credentials on.

Many business software include the option to mandate frequent password changes. Passwords for users can be set to expire, requiring frequent changes from staff members. In the event of a breach, the account’s exposure time is reduced. Encourage your staff to utilise password managers to aid in the management of sensitive information. They won’t have to memorise each and every one of their passwords, and they’ll be able to choose lengthy, complicated ones for the apps they use, as well as change those passwords automatically.

In order to avoid overwhelming workers with unnecessary information and features, simply provide them with access to the systems and apps they need to do their jobs. To restrict a user’s actions and data, you may simply assign them to a different role or group in most workplace systems. In this approach, the damage that a hacked account might do would be greatly reduced. We commonly call this “the principle of least privilege.”

Because of our fallibility, we are always going to be a potential security hole. Social engineering techniques like phishing are commonly used by hackers to take advantage of this hole. These phishing emails and websites pose as legitimate businesses. Their goal is to get users to divulge sensitive information or download and install malicious software on company computers. As an illustration, a social-engineering effort directed at an Uber employee was responsible for the company’s recent data breach, which was discovered in September of last year.

Small and medium-sized businesses (SMBs) need to foster a strong security culture throughout the organisation, which includes raising employee cybersecurity knowledge. Staff members need to be able to identify and report phishing emails and stop engaging in dangerous behaviours, such as inserting external storage devices (such as USB sticks) without first scanning them.

There is no shortage of materials that can be used to heighten people’s understanding of cybersecurity threats. For example, Amazon has made available to all of its employees its own in-house awareness training.

Recognize your level of safety

Small and medium-sized businesses (SMBs) should know the bare minimum about their cybersecurity health. Microsoft 365 and Google Workspace are two examples of productivity tools with built-in security features that may be used to assess your organization’s vulnerability.

Customers of Microsoft 365, for instance, have access to a security rating called the Microsoft Secure Score. When additional safeguards have been put in place to secure users’ identities, their data, their devices, and their apps, the score will rise. It measures more indicators, displays the results visually, and offers advice on how to raise the score.

Meanwhile, Google lets people check their own accounts for vulnerabilities. With Google’s Security Checkup, you can see exactly what gadgets, programmes, and services have access to your Google account, as well as whether or not security features like multi-factor authentication are on.

Lock down your gadgets and other electronics

Hardware and gadgets that access a small business’s data and infrastructure must be under the company’s strict management. Every one of these gadgets has to be locked down. Logins or other forms of device-access security should be enabled on all computers and mobile devices. Antivirus and firewall software must be activated.

There must be well-defined guidelines for how personnel are expected to make use of IT infrastructure. The only acceptable usage of a company-owned smartphone is for business purposes. Companies that allow employees to use their personal devices in the workplace should reevaluate that policy. If they can’t properly audit and safeguard employee-owned devices, they shouldn’t be doing it.

To be safe than sorry

IBM estimates that by 2022, the average cost of a data breach will have reached $4.35 million. Smaller businesses are particularly vulnerable to the devastating effects of a single hack. Small and medium-sized businesses (SMBs) must take precautions against cyberattacks because they are already commonplace.

These measures may seem elementary and even self-evident, but they are not a substitute for a thorough cybersecurity plan. However, it’s preferable to take preventative precautions now rather than later. These can form the foundation of a more robust cybersecurity plan and can be executed even in the absence of a full-time CISO.