Small Businesses and Cyber Security Threats

Let’s pretend for a moment that I am an IT supervisor at a food retailer that operates three brick-and-mortar stores and an online e-commerce marketplace. My job as the IT supervisor for this company is to oversee installation, maintenance and upgrades of all of our systems. I work with and oversee a team of IT administrators and support personnel to ensure that the day-to-day operations of the company’s IT systems run smoothly. I have been tasked by my employers to help prevent and manage cyber security threats.

A few cyber security threats that I would need to be prepared for include social engineering attacks (also known as “phishing”), ransomware, mobile security hacks, remote working risks and identity-based cloud security threats.

Phishing scams are a type of online scam through e-mail, where scammers target a victim by sending an e-mail designed to look like it was sent from an official, well-known source – such as a major company like Amazon. The purpose of the e-mail is to garner personal information from the victim, usually financial information. The scammer then uses the personal information gathered to open new accounts or sabotage current accounts.
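The look-alike sender described above can often be caught from the message headers alone. The following is an added example, not part of the original essay: it flags a display name that claims a brand while the sending domain does not belong to it, a mismatched Reply-To, and failed SPF/DKIM/DMARC results. The brand allowlist and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist: brand keyword -> domains that brand legitimately sends from.
BRAND_DOMAINS = {"amazon": {"amazon.com"}}

# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Amazon Support" <billing@amazon-billing.example>
Reply-To: refunds@mailbox.example
Authentication-Results: mx.shop.example; spf=fail; dkim=none; dmarc=fail
Subject: Your account is on hold

Please confirm your card details.
"""
LEGIT = """\
From: "Amazon.com" <order-update@amazon.com>
Authentication-Results: mx.shop.example; spf=pass; dkim=pass; dmarc=pass
Subject: Your order has shipped

Thanks for your order.
"""

def domain_of(addr_header):
    """Return the lowercased domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def in_domains(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def phishing_indicators(raw):
    """Return a list of reasons the message headers look spoofed."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reasons = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not in_domains(from_dom, allowed):
            reasons.append(f"display name claims {brand} but domain is {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain")
    auth = (msg.get("Authentication-Results") or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            reasons.append(f"{check} failed")
    return reasons
```

A mail gateway or a reporting mailbox could run a check like this on incoming or employee-reported messages and quarantine anything that returns a non-empty list.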

Ransomware is a type of malware designed to use encryption to block access to a user’s or business’s data and hold it for ransom. Users will not be able to access files, databases and other critical applications. Ransomware is often designed to spread across the network and infect other parts of the database. This malware is usually spread through spam e-mails. Once in the network, the malware will prompt the victims to pay a ransom within 24-48 hours. Businesses often lose millions of dollars between ransom payments to hackers and lost revenue.

Mobile security hacks are another concern. With the rise in smartphone usage for both personal and business purposes comes the rise of mobile phone hacks. Hackers often create fake apps that will compromise a user’s phone when downloaded and leave personal data vulnerable and open to malware.

The increased popularity of remote working has created an unprecedented set of challenges, including remote security risks. It is impossible to truly keep track of every bit of technology that a remote worker is using. Remote workers may be using out-of-date tech, vulnerable devices or connecting to unsecured Wi-Fi networks. This leaves remote users and the organization at large potentially at risk of malware and viruses.

Identity-based cloud security is another potential threat to be aware of. Cloud storage is a model of storing data and files to an offsite location either through the internet or a private network connection. The data uploaded then becomes the responsibility of whatever third-party provider is hosting the Cloud. The data uploaded is not necessarily secure on the Cloud alone, as scammers and hackers typically target the user or the business itself for personal information. If your personal information ends up in the wrong hands, the files and data in the Cloud will be vulnerable as well.

As the IT supervisor of the retail company, I have prepared my team to deal with these potential threats by training our employees to recognize and manage these threats, keeping our networks secure, using antivirus and keeping all our software up to date, managing our Cloud Service Provider and securing sensitive data.

Our employees go through mandatory cyber security training annually, focusing on spotting phishing scams, teaching good internet browsing practices, avoiding suspicious downloads, and practices to protect personal and business information. Our business operates on a secure Wi-Fi network, using firewalls and encryption to protect data. We keep all our software updated to the latest version and pay for a trusted antivirus to further protect our employees’ devices. We carefully monitor our Cloud Service Provider to ensure our data remains secure and accessible to our employees. We regularly back up our data and keep the most sensitive information secure via encryption and careful control over who can access it.

We recognize that these methods of security are not always 100% effective. Employees make mistakes sometimes, the Cloud can be finicky to connect to, and antivirus does not always catch malware before it infects a device. Some ways we can further our security are by enabling two-factor authentication where applicable, creating a mobile device action plan for employees who require mobile devices for their work, implementing safe password practices, regularly performing risk assessments and implementing the use of a Virtual Private Network (also known as a VPN).

Two-factor authentication requires a user to use two sources of information to confirm their identity before they are allowed to log into certain sensitive servers, usually through a randomly generated code. A mobile device action plan requires that the mobile devices employees use for their work be secured the same way as any other desktop device. Safe password practices teach employees how to create strong passwords for their applications, reducing the risk of a data breach. Regularly performing risk assessments of our networks and devices ensures that any issues that may arise are caught quickly. Installing a VPN provides an additional layer of security for the company’s networks. A VPN allows employees to securely access data through a digital connection between a device and a remote server managed by the VPN provider. The VPN automatically encrypts user data and masks their IP addresses.

These new methods of security will strengthen the ones we already have in place. With all these methods of protection against cyber security threats working together, I am confident that our company is prepared to handle any threats that may come our way.


 

 
