How companies without CISOs can build their defenses

There is no such thing as “too small” to be a target for a cyberattack anymore. If you think hackers wouldn’t bother targeting small to medium-sized businesses (SMBs), think again.

Today, even small businesses process valuable data, such as customer and payment information, making them a profitable target for hacking. In fact, the number of attacks against small businesses has increased. The number of password-stealing malware attacks against small businesses has increased by nearly a third from the first quarter of 2021 to the first quarter of this year.

Considering how widespread cyberattacks have become, SMBs should prioritize security. Unfortunately, SMBs don’t invest as much in cybersecurity as they should. Almost half of companies with fewer than 50 employees do not have a separate budget for security. Larger enterprises, on the other hand, have the luxury of hiring Chief Information Security Officers (CISOs) to lead their defensive strategies. In SMBs, IT teams must take on this responsibility. They even need to take a broader perspective when securing the entire organization.

Security is a shared responsibility of all technology users. Therefore, companies, including SMBs, must be prepared to invest in security. The lack of a dedicated CISO should not prevent them from implementing robust security strategies that significantly reduce their risk of falling victim to malicious cyber attacks. Anyone can start applying basic security practices.

Here are several tactics that security teams can implement that will immediately impact the security posture of SMBs.

Enable multifactor authentication

Businesses are moving their workloads to the cloud through Software-as-a-Service (SaaS) enterprise applications. Fortunately, SaaS apps have improved their security measures. SMEs should take advantage of this.

Most have options to enable multi-factor authentication (MFA). When MFA is enabled, users must provide at least two forms of credentials to access an app or a system. A common implementation of MFA is one-time passwords (OTP).

Aside from a valid username and password combination, the app requires the user to enter an OTP. Users receive the OTP at the time of login at their registered email address or mobile phone. This mechanism usually prevents unauthorized access in case a hacker gets their hands on a username and password combination for the SaaS app.
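How a service can issue and check a delivered OTP of this kind, shown as an added example that is not from the original article. The `OtpStore` class, the 6-digit length, the 5-minute lifetime and the attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime of an issued code
MAX_ATTEMPTS = 5       # assumed number of guesses allowed per code


class OtpStore:
    """Hypothetical in-memory store of pending codes, keyed by username."""

    def __init__(self, clock=time.time):
        self._pending = {}
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(code: str) -> bytes:
        # Keep only a hash so a dump of the store does not reveal live codes.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, username: str) -> str:
        """Create a code; the caller delivers it by email or SMS."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random
        self._pending[username] = {
            "digest": self._digest(code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]  # expired codes are discarded
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]  # too many guesses: force a new code
            return False
        if hmac.compare_digest(entry["digest"], self._digest(submitted)):
            del self._pending[username]  # single use: a replay fails
            return True
        return False
```

The second factor only helps if the code is short-lived, single-use and guess-limited, which is what the three `del` branches enforce.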

Enable password rotation and restrict permissions

When securing accounts, use strong, complex passwords. Special characters and length make them harder to crack. Employees should also avoid reusing their personal emails and passwords for work and vice versa. Hackers can now access credentials from many previous data breaches. So if a user continues to use compromised credentials, chances are hackers can easily gain access to systems or apps using the same credentials.

Normally, you can require password rotation in your business apps. User passwords can expire, forcing employees to change them. This limits the time an account is exposed if it is ever compromised. Let employees use password managers to help them keep track of their login information. They can use long and complex passwords for the apps they use and can even continuously update their passwords without having to remember them all.

When granting access to systems and applications, only allow employees access to the bare minimum of data and functionality they need to do their jobs. Most business apps allow you to customize user roles and create user groups, making it easy to limit a particular user’s access and capabilities. This way you can further limit the risks associated with a compromised account. This is often referred to as “the principle of least privilege”.

Humans are prone to error, making us a weak link in any cybersecurity equation. Hackers like to exploit this weakness by using social engineering attacks such as phishing. These bogus messages and websites pose as trusted services and companies. They attempt to trick users into providing private information or downloading and installing malware on office devices. For example, the recent Uber data breach reported last September was accomplished through a social engineering attack targeting an Uber employee.

SMBs need to develop cybersecurity awareness among their employees and build a strong security culture across the company. Employees must be able to identify and report phishing messages and break risky habits such as connecting external storage devices, such as USB sticks, without scanning them.

There are plenty of resources that can help raise cybersecurity awareness. Amazon, for example, has made its entry awareness training accessible to everyone.

Know your security posture

SMBs should have a basic understanding of their current cybersecurity posture. If you use productivity apps like Microsoft 365 and Google Workspace, you can use their built-in security measures to help you evaluate your posture.

For example, Microsoft 365 users can check their Microsoft Secure Score, which measures an organization’s security posture. A higher score indicates that more security measures have been implemented to protect identities, data, devices, and apps. It also provides measurements of other metrics, visualizations, and suggestions for improving the score.

Google, meanwhile, allows individual users to perform security assessments on their accounts. Google’s Security Checkup offers detailed information on which devices, third-party apps, and services can access the account, and whether measures such as MFA are enabled.

Secure all hardware and devices

Small businesses must manage the hardware and devices that access their data and infrastructure. Each of these devices must be secured. Computers and mobile devices must require a login or have access protection enabled. Firewalls and antivirus programs must be enabled.

There should be clear policies on how employees should use IT resources. Company-owned devices must be for business use only. If the company has a bring-your-own-device program, it should seriously reconsider it. It should stop the practice if it is unable to monitor and secure employee-owned devices.

Prevention is better than cure

According to IBM, the average cost of a data breach in 2022 is $4.35 million. A single cyberattack can easily cripple smaller businesses. As experiencing a cyberattack is unavoidable these days, it is vital for SMEs to take measures to prevent such attacks from succeeding.

These tactics may seem simple and obvious to some extent, and they certainly don’t replace the need for a comprehensive cybersecurity strategy. But taking preventive measures now is better than having no protection at all. These can be implemented without having a full-time CISO on board and should serve as building blocks for a more robust cybersecurity strategy.

David Primor is the CEO and co-founder of Cynomi, an AI-powered, automated vCISO platform.
