How to Avoid Cybersecurity Attacks as you Grow your Business

When you’re managing a growing business, cybersecurity attacks may be the last thing on your mind. It’s easy to think, “That’ll never happen to me,” or, “I’ll cross that bridge when I come to it.” But by then it could be too late.

The best way to avoid cybersecurity attacks is to arm yourself with knowledge on the latest trends, and follow best practices from the experts. To save you time, we’ve gone and researched exactly those two things.

Business growth and digital innovation tend to go hand-in-hand. And CEOs are fired up for change: 94% want to maintain or accelerate digital transformation begun during the Pandemic. We’ve found that smart advances are a necessity as small-to-medium-sized companies face a host of specific cybersecurity challenges in the wake of new working patterns.

Let’s look into some specifics.

How Vulnerable are SMEs to Cyber Attacks?

The rapid dispersion of work teams has created new playing fields for cyber criminals. With more of us working on a combination of personal and company devices, traditional security structures are in disarray. Microsoft warns that “attacks against remote management devices are on the rise, with more than 100 million attacks observed in May of 2022 – a five-fold increase in the past year.” Around half (51%) of top IT professionals believe their organization will likely experience a cyberattack in the coming year, according to ISACA’s State of Cybersecurity 2022 report.

What are some of the causes? There’s evidence that cyberattacks exploiting poor information architecture are on the increase. Attacks based on “security misconfiguration” (e.g. unpatched flaws or default credentials at any layer of the application stack) were reported by one in ten cybersecurity professionals in 2021, up from 8% the year prior.

Trends in Cybersecurity Following Pandemic Disruption

• BYOD: Bring your own device. Business managers should be aware that allowing colleagues to work from their own devices means losing control of security settings and malware updates.
• Working remotely increases vulnerability to cyber attacks because of possibly unsecured networks. Working from public Wi-Fi increases this risk in particular.
• Continuous risk assessment increasingly favored over a once-yearly security audit. Market intelligence provider IDC predicts 60% of top companies will hire external help to take on regular security check-ups by 2027.

What’s All This About Zero Trust Architecture?

The National Cybersecurity Center of Excellence (NCCoE) working group is developing new standards to help business leaders cope with the security challenges of remote working. Their approach centers on a “zero trust architecture” (ZTA) which “focuses on accessing resources in a secure manner, regardless of network location”. They do this by combining various IT products, creating “a standards-based reference design” that can be adapted to your business’ particular needs.

The NCCoE is building this in collaboration with government agencies, vendors, and academics so the resulting framework will be as widely applicable as possible. A few draft versions of the guidance were published in summer 2022.

What can we learn from the NCCoE’s work on ZTA so far? Well, firstly, protecting data and resources is a genuinely difficult challenge given the complexity of hybrid working environments today. Secondly, the heart of a secure information architecture is a carefully crafted access policy.

“Compliance policies can help protect organizational data by requiring users and devices to meet some requirement,” the draft guidance reminds us. It outlines the set-up for Microsoft Defender compliance policy, which allows the manager to specify certain access criteria. You can maintain better control over network security by ensuring devices meet certain acceptable limits before permitting data exchange.

60 Seconds with… IT Expert Callum Williams

To gain more insight into the cybersecurity challenges of businesses today, we spoke to IT consultant Callum Williams from Matchable.

Q: What does a small or medium business stand to lose if their IT networks aren’t secure?

CW: “The short answer is absolutely everything. If things go badly enough, you can lose your business. If you are found legally liable for a data breach, you are open to being sued. Many have gone out of business this way, having to declare bankruptcy.”

Q: Who should take responsibility for company cybersecurity?

CW: “There’s historically a very cliched image of ‘the IT people – they’re all tech-y’, and others in the business can leave them to it. But it’s not like that anymore: individuals and businesses have a responsibility in the cyber world to be secure.

“Everyone needs to understand that they have a role in making a business secure by virtue of making themselves secure. There isn’t an industry or company size that isn’t susceptible to cyber attacks. It’s a question of when, not if, it will happen, unfortunately.”

Q: How do you know when your company is secure from an IT point of view?

CW: “There’s no such thing as secure. There is ‘more secure than other people’ and there is ‘less secure’ but no company in the world can say they are secure. Google, Microsoft, Airbnb have all had customer details stolen.

“But you don’t want your company to be the easy target, right? If you’re in the woods with a friend and a bear is attacking you, you don’t need to outrun the bear, just outrun your friend.
“You just need to be more secure than the majority of other people.”

Q: What approach should a company take in managing cybersecurity?

“Be aware that cybersecurity is forever evolving. You should ask yourself on a regular basis, ‘Is there anything else we can do right now to make us more secure?’. A good first step is to audit what data your company holds and then you can assess how to protect it.

“From then on it’s like tidying the kitchen: if you leave it for a month it’s gonna be a bit of a pain. If you can do a little bit every day, fantastic. Just having regular check-ins make that very daunting task manageable.

“The point is, you shouldn’t leave any aspect of your data storage off the map. Say you migrate from Salesforce to some new tool and move your customer records over. You shouldn’t leave your old data forgotten and unsecured.”

Q: How’s best to communicate IT policies to your workforce?

“Come from a place of empathy, of being a human that makes mistakes. When you’re talking to people, treat them as colleagues. You are in this together. By virtue of a company having employees, these people are, whether they like it or not, part of the cybersecurity team.

“As soon as someone feels part of something, you are going to get more buy-in than if you’re just trying to force something down their throat.

“Over 90% of cyberattacks against businesses happen through email. You can put some technical solution in place but people still need to open emails. So the chances of one of your employees falling for something malicious are incredibly high.

“So do what you can to encourage regular watercooler conversations about cybersecurity. And don’t save up cybersecurity training for an annual one day event – it’s dry and easily forgotten.

“Instead, encourage colleagues to ask, ‘Hey, I came across this really weird email. Did you get it too?’ Sanity checking goes a very long way to creating a company that’s security first.”

Callum’s Top Tips for Securing Your Business Data

Try these four easy steps for more secure IT infrastructure in your workplace.

1. Take a digital asset inventory

It’s crucial you understand what data you have as a business, and who has access to those things inside your own company. Understanding which information is stored on-premises and in the cloud gives you a map. From there you can prioritize what’s important to protect first.

This map needs regularly updating. You could do a quarterly evaluation of what kinds of customer information you’re storing. So you’d find out if you’re now storing social security numbers whereas you weren’t three months ago.

2. Introduce a password manager policy

There’s still plenty of people that reuse the same password. We are all guilty of it. Get a password manager and give it to your employees. Pay for something – they really don’t break the bank.

Then you can mandate that whenever people are signing up for something, the password manager will generate a nice long password and save it. Then you don’t have to worry about your employees having weak, easily guessed passwords.

3. Use multifactor authentication

Multifactor authentication will block a huge number of compromising avenues. If someone’s password and username have been leaked, it doesn’t matter with two-factor authentication.

Let’s be honest, we always have our phones on us now. The pain point of having to reach for it while logging into accounts is all but gone.

4. Shout about your company cybersecurity successes

Make security a regular occurrence in business communications. It stops this attitude of, “Oh, security is this boring thing that gets thrown at us once a year.”

If you’re a slightly larger company, share information about how many phishing attempts were caught in the last quarter. Doing this kind of comms often smooths over resistance to reporting spam.

There you have it: securing your business against cybersecurity attacks is akin to cleaning the kitchen. If you do it regularly, use the right tools, and ensure everyone in the business takes on their share of responsibility then you’re headed in the right direction.