A Few Small Practices Can Have a Large Impact
By Mike Mosher, Director of Technology, Cinch I.T.
If you own a small or medium-sized business, you are a target of the majority of cybersecurity attacks. It can happen to you, it does happen to your peers, and more than half of all SMBs that suffer a cybersecurity attack never recover. Attacks against SMBs almost never make the news; those stories are reserved for the multi-million-dollar ransoms that take down city governments, oil and gas pipelines, and hospitals. That doesn’t make the attacks on SMBs any less real.
As threatening as the cybersecurity landscape is for your SMB, there are a few small (and inexpensive!) practices you can implement to prevent a cybersecurity attack or, failing that, to recover from one. Time to get started.
Turn on MFA. Everywhere. Now.
According to Microsoft, MFA (Multi-Factor Authentication, sometimes called 2FA or Two-Factor Authentication) prevents an estimated 99.9% of attacks on accounts. Human beings are terrible with passwords. We re-use them. We make them easy to remember, which also makes them easy to guess. When we change them, we add a 1 or a ! to the end of the password. Maybe your password is Summer2021 (that’s a “strong” password, by the way). MFA protects you from these bad habits.
MFA works a few different ways, but the basics are the same. After entering a username and password, you verify with an additional factor. This can be a verification code sent via text or email, a notification received through your phone, or a code in an authenticator app that rotates every 30 seconds or so. Requiring that additional factor adds just a few seconds of inconvenience but prevents a leaked password from compromising your accounts.
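To make the rotating authenticator-app code concrete, here is an added example (not part of the original article) of how a server can derive and check such a code using the standard TOTP algorithm from RFC 6238. The function names, the one-step drift window and the sample secret (the RFC's published test key) are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (the rotation interval)
DIGITS = 6   # length of the code shown in the authenticator app


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)      # 8-byte step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, unix_time, window=1, last_used_step=None):
    """Return the time step the code matches, or None if it is rejected.

    window=1 tolerates one step of clock drift on either side.
    last_used_step (hypothetical per-user state) blocks replay of a code
    that was already accepted.
    """
    now_step = unix_time // STEP
    for step in range(now_step - window, now_step + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(secret_b32, step * STEP), submitted):
            return step
    return None


# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way
# authenticator apps store it. Never use a published key in production.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("code at t=59:", code)
    print("accepted one step later:", verify(SECRET, code, 89))
    print("accepted after it expired:", verify(SECRET, code, 150))
    print("accepted a second time:", verify(SECRET, code, 59, last_used_step=1))
```

The code depends on a secret that never travels with the password, so a leaked or guessed password alone does not produce a valid second factor.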
MFA is included with most applications and services now. If it is not already turned on, turn it on. We do not consider it an optional feature. You and every one of your employees need it.
Implement and test your Business Continuity Plan
Do you have backups? Have you tested your backups? Are they separate from your primary environment? If your server closet had a flood or fire, how long would it take you to get back up and running? What if your entire server was encrypted? What if all of your devices were encrypted?
If you’ve never thought of these questions before, you probably don’t have a business continuity plan. Business continuity is all about continuing to operate your business in the event of X. A good business continuity plan will cover everything from fire, flood, ransomware or other cybersecurity attacks, and human error to everyone being required to work from home because of a global pandemic.
Your business continuity plan should identify the most critical aspects of your business and include a plan of how to get them up and running again, or even make sure they never stop. If you’re furiously searching for a business continuity template right now, you’ll see two acronyms: RTO (Recovery Time Objective) and RPO (Recovery Point Objective). RTO is “how long until I’m up and running again,” and RPO is “how much data can I afford to lose.”
A good business continuity plan will cover the following areas:
- Servers
  - How frequently are they backed up? (RPO)
  - Do you also have failover servers? (RTO)
- Line of Business Applications
  - Are they hosted in-house? Are they hosted by a vendor? Can they be used remotely? How often is this data backed up?
- Office Network/Internet
  - Do you have a failover internet line? Do you have a spare or redundant switch/firewall?
- User Computers
  - If user computers needed to be wiped & reinstalled, would they still have their data? E.g., are they saving to server/cloud?
  - Do you have spare workstations & laptops so a user can keep working while one is repaired?
- Cloud Services
  - If you’re hosting data with third parties, are they backing up your data, or are you responsible for backups? (Hint: two of the largest cloud providers do not back up your data)
- People / Office
  - If people can’t go to the office, can they still work? How? Is it secure?
Provide Cybersecurity Training for your staff
Your employees are the single largest threat surface for your company. An email mailbox can get all the malware and bad links in the world, but nothing actually happens until a person clicks on the link. Computers require a person to bypass warning prompts. Computers don’t initiate fraudulent wire transfers on their own. Your technology doesn’t leak information over the phone. Laptops don’t lose themselves. Your computer won’t call the fake IT support number in the popup and give away credit card information. All of those acts are done by poorly trained and educated staff.
As the business owner, it is up to you to ensure that you can trust your staff to handle your business’ information as well as information about your customers safely and securely. Cybersecurity training should be part of the employee onboarding process, as well as something that is reviewed at least annually to ensure that users are being kept up to date on current trends.
Ask for help
When was the last time you performed even a basic cybersecurity audit? Who handles your company’s IT? Is it an add-on to someone else’s duties? A lot of times in the SMB space, there’s a technically inclined person that can make things work. However, there’s a huge difference between making things work and setting yourself up for success.
We recommend that business owners meet with their IT team on a quarterly basis to make sure that the company’s future goals align with the company’s technology capabilities. Your IT team should be able to assist with compliance, security, business continuity, and even workflow improvements. IT is often considered purely a cost when it truly is an investment that can enable your business to succeed.
About the Author
Mike Mosher is the Director of Technology for Cinch I.T. He joined Cinch I.T., Inc. in 2015 to expand the technology roadmap for Cinch I.T.’s fastest-growing franchise. He started his career as a senior technician for a New England-based MSP and worked his way to Cyber-security Specialist and eventually the Chief Operation Officer. Mosher then went on to start his own MSP that was acquired in 2016. Mike has extensive expertise in managed services, business operations, and innovation.
Mike can be reached online at firstname.lastname@example.org and at our company website https://cinchit.com/.