Multifactor authentication is one of the easiest ways to apply best security practices to a small business. However, this simple step is often ignored.
For example, of those using Microsoft cloud products, including Microsoft 365, a little more than a third have activated MFA.
Login authorizations beyond passwords make up a small part of an organization’s security system, and on the surface may not look like a big deal. But other pieces of a good cybersecurity program are missing, too. Businesses have poor password management, intermittent security awareness training sessions, and many lack a data loss prevention plan.
What these organizations lack, more than anything, is a security culture. Without a solid cybersecurity culture, SMBs will struggle to protect networks and data from breaches and other threats.
Developing a culture of cybersecurity isn’t just about following procedures and processes — it is when security is an ingrained part of the organization’s overall business operations, Richard Balducci, CISO with Integer Holdings Corporation, told an audience at Zero Trust World in Orlando, Florida in February.
When people don’t know how to act or apply cybersecurity practices, they’ll follow the lead of others who seem to be in the know, Balducci said. People want to conform to what appears to be the norm, but what happens if those who are leading are just as lost as those who are following?
Small businesses can be especially vulnerable to cyberattacks because of their limited resources, and that includes having access to people who truly understand why building security into business operations is necessary in today’s work and threat environments.
Having the right systems and tools in place is important, but it really does come down to the people.
“Even in my experience with larger organizations where security infrastructure is airtight, the human element can always be exploited without proper safeguards,” said Chris Steinke, COO of MightyID, in an email interview.
This makes fostering cybersecurity awareness imperative. By embedding cybersecurity into the organizational ethos, businesses can enhance their defenses against cyberattacks.
“A cybersecurity culture empowers every employee to act as a custodian of security, creating a sense of accountability for and awareness of potential threats,” said Steinke.
Buying into cybersecurity
Creating a culture of any type requires the participants — in this case, SMB owners and employees — to become invested in new attitudes and behaviors. In cybersecurity, it is building awareness around potential threats to the business, the impact of those threats, and how they can be prevented.
SMB leadership needs a hook to grab the attention of the employees and show how their behaviors and actions are beneficial to the company’s cybersecurity stature, according to Micki Boland, cybersecurity architect and evangelist with Check Point Software.
Gamification has proven successful in offering that hook. Leadership can create scenarios that highlight the growing sophistication of threat actors and encourage teams and individuals to come up with solutions on how to deploy security best practices as internal competitions.
Or they can set up rewards for different habits — not clicking on a link or reporting suspicious emails — until the behaviors are ingrained into everyday use.
Small best practices at minimal costs
Threat actors use all kinds of tricks to spoof companies and fool users into making mistakes. Building a security culture is not just about getting employees to adopt better security practices; it is also about anticipating what threat actors can exploit in the organization’s systems.
“Simple steps like enforcing strong password policies and enabling multifactor authentication can go a long way in thwarting a variety of attacks,” said Steinke.
So can encouraging employees to apply patches and upgrades not only on their work devices, but on any device that could possibly have access to corporate data or infrastructure. This is especially important for remote workers using home routers connected to IoT devices.
It also means taking a closer look at the company’s domain names and email addresses and making them harder to spoof.
One sneaky attack threat actors are using is to create fake websites whose names swap visually similar characters, for example a lowercase l for a capital I or the digit 1. It is virtually impossible to tell these characters apart in a web address or email address, which makes it easy for threat actors to craft links and sender addresses that look legitimate but actually send the recipient to a malicious site or trick them into revealing sensitive information.
A quick and inexpensive fix is for the business to register the lookalike domain names built from those easily mimicked characters itself, so that threat actors can’t.
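The lookalike-domain defense described above can be put into practice in two steps: enumerate the confusable variants of the company’s own domain so they can be registered or monitored, and flag incoming mail whose sender domain only looks like the company’s. The following is an added example written for this article, not code from the article or from any vendor quoted in it; the organization domain `examplecorp.com`, the sender addresses and the confusable-character table are all constructed for the demonstration.

```python
"""Enumerate and detect lookalike (homoglyph) domain names.

Added example, not part of the original article. The organisation domain,
the sample sender addresses and the confusable table are constructed.
"""
from itertools import combinations, product

# Visually confusable ASCII characters that are legal inside a DNS label.
# DNS is case-insensitive, so "I" (capital i) and "i" are the same label;
# the l/I/1 confusion the article describes therefore reduces to l/i/1 here.
CONFUSABLES = {
    "l": "i1",
    "i": "l1",
    "1": "li",
    "o": "0",
    "0": "o",
}

# Canonical "skeleton": every member of a confusable group maps to a single
# representative, so two names that look alike produce identical skeletons.
SKELETON = {"l": "1", "i": "1", "1": "1", "o": "0", "0": "0"}


def skeleton(domain: str) -> str:
    """Collapse confusable characters so lookalike names compare equal."""
    return "".join(SKELETON.get(ch, ch) for ch in domain.lower())


def lookalike_domains(domain: str, max_subs: int = 1) -> set[str]:
    """Return the registrable variants of `domain` obtained by swapping up
    to `max_subs` confusable characters in the part before the TLD.
    These are the names a defender registers or watches; the original
    domain is never included."""
    name, dot, tld = domain.lower().rpartition(".")
    if not dot:                      # bare label with no TLD
        name, tld = domain.lower(), ""
    positions = [i for i, ch in enumerate(name) if ch in CONFUSABLES]
    variants = set()
    for k in range(1, max_subs + 1):
        for idxs in combinations(positions, k):
            for repl in product(*(CONFUSABLES[name[i]] for i in idxs)):
                chars = list(name)
                for i, r in zip(idxs, repl):
                    chars[i] = r
                variants.add("".join(chars) + (dot + tld if dot else ""))
    variants.discard(domain.lower())
    return variants


def is_lookalike(candidate: str, legitimate: str) -> bool:
    """True if `candidate` is not the legitimate domain but would look
    identical to a human reader (same skeleton)."""
    c, l = candidate.lower(), legitimate.lower()
    return c != l and skeleton(c) == skeleton(l)


def flag_suspicious_senders(addresses: list[str], legitimate: str) -> list[str]:
    """Return the sender addresses whose domain impersonates `legitimate`.
    Exact matches pass; unrelated domains pass; lookalikes are flagged."""
    flagged = []
    for addr in addresses:
        _, _, dom = addr.rpartition("@")
        if is_lookalike(dom, legitimate):
            flagged.append(addr)
    return flagged


# Constructed inputs for the demonstration.
ORG_DOMAIN = "examplecorp.com"
SAMPLE_SENDERS = [
    "ceo@examplecorp.com",        # genuine
    "ceo@examp1ecorp.com",        # digit one for lowercase L
    "billing@exampiecorp.com",    # i for lowercase L (same as capital I in DNS)
    "hr@examplec0rp.com",         # zero for o
    "vendor@othercorp.com",       # unrelated domain, not a lookalike
]

if __name__ == "__main__":
    print("Register or monitor:", sorted(lookalike_domains(ORG_DOMAIN)))
    print("Suspicious senders:", flag_suspicious_senders(SAMPLE_SENDERS, ORG_DOMAIN))
```

Raising `max_subs` enumerates multi-character swaps, which grow quickly for long names; the skeleton comparison in `is_lookalike` catches any number of swaps without enumeration, so it is the cheaper check to run on inbound mail, while the enumerated list is what goes to the registrar.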