We rarely say this about technology, but, when applied correctly in your business, cybersecurity can be a silver bullet for your data’s safety.
However, that’s assuming you’re doing the best of the best: you’re actively monitoring your sensitive information, documenting your data protection policies and processes, educating your team members annually on cyber attacks, and a lot more.
Most of us understand the importance of securing devices against malicious attacks, but aren’t sure how deep we should go. We know that human error plays the biggest role in most people’s security breaches, but aren’t sure what information our employees need to know. We know that our sensitive data is worth protecting, but don’t know exactly which data is considered “sensitive” beyond our social security number and credit card.
Most businesses understand cybersecurity… They just don’t know how to execute it.
If you’re a business owner worried about the potential data danger online — or in-person — read on to learn where we suggest small business owners start with cybersecurity.
Cybersecurity At A Glance
We all need some form of cyber security in our businesses. That doesn’t necessarily mean you need to implement all the best practices, though; your cybersecurity practices should scale accordingly with your business.
To maintain consistency within this blog post, let’s set some basics of cybersecurity.
What is Cybersecurity?
Cybersecurity is the umbrella term given to the process of identifying, addressing, and strengthening the protections against any threats to your personal information. These cyber threats could be external to your organization, but they could also be internal — 34% of companies that experience any data leakage report internal actors.
Cybersecurity is not Information Security
Information Security, or InfoSec, is a part of cybersecurity. Cyber security refers to the protection of all software, data, and data networks. InfoSec specifically protects your personal information as it travels across those same networks.
If you’d like to read up more on information security, read our Small Business Guide to Information Security here.
Cybersecurity is not Information Technology Security
Similarly, cyber security also isn’t IT security; cyber security is a part of IT security. Given the name, you can assume what cybersecurity supposedly doesn’t cover — physical hardware — but this is untrue.
Contemporary cybersecurity must begin at the source, i.e. your internal hardware.
The only real difference that leaves between cyber security and IT security, then, is what kind of data security they emphasize. IT security’s goal is to protect all data from leakage, while cybersecurity emphasizes protecting sensitive data.
Why do we need Cybersecurity?
Cyber attacks are not new to the world. Social engineering, identity theft, and malicious activity have been a part of society — and law — for as long as we’ve been able to communicate through technology.
In fact, cybersecurity as we know it didn’t start with computers; it began with phones. “Phone phreaks” were a community of people in the 1950s that discovered phones were connected on networks — networks that could be intercepted.
The idea wasn’t malicious, however. Phone phreaks weren’t interested in financial gain or attacking critical infrastructure; they just wanted to have a little fun.
But in that fun, phone phreaks identified mass amounts of new vulnerabilities connected around the world. To oversimplify it, phone pranks pioneered the cybersecurity and threat intelligence industries.
Luckily, we don’t have to worry about digital attacks across phone lines any longer, but there are other easier ways to scam someone.
Cybersecurity Today: What You Need To Know
Since the initial phone phreak days, computer systems have changed dramatically. From the world’s first computer virus, Creeper, to the world’s first antivirus software, Reaper, cyber security as an industry didn’t continue to grow because of curious students like phone phreaks, but because of relentless cyber criminals and security breaches.
In this way, cyber criminals are actually the ones “innovating” in the field — they’re the ones creating problems worth solving. But modern-day cybersecurity professionals understand that basic data security and social engineering knowledge isn’t enough to just defend against malicious software and new attacks.
Businesses truly interested in their data privacy must actively prevent cyber criminals from testing new ideas. And for viruses of any kind, the best offense is having the best defense.
Cybercriminals Attack Cybersecurity’s Five Pillars
Cybercriminals work in a variety of ways, most commonly with simple credit card scamming or email phishing tactics. But experienced criminals can access your electronic systems with or without your knowledge. These are the attackers worth considering when doing preventative cybersecurity work.
Here’s where they focus their attacks, in order of how the solutions appeared in the market.
Network security is the pillar of cybersecurity that protects the systems that all your devices interact with. You can think of network security as the blanket strategy most businesses know about; network security strategies include antivirus protocols, firewall management, VPNs, two-factor authentication (2FA), application security (think phone apps), and endpoint (or device) security.
The four major types of networks are LANs (Local Area Networks), PANs (Personal Area Networks), MANs (Metropolitan Area Networks), and WANs (Wide Area Networks).
If you’re familiar with older internet, you might remember LAN parties in the 90s.
These parties were set up over location-based dial-up internet, meaning that their network wasn’t just the internet they connected to or the devices they connected with. No, LAN party networks included telephones, video game consoles, internet routers, and all the servers sending and receiving data between those three endpoints.
Basically, the network worth protecting wasn’t just devices — it was the data, service, and continued accessibility of that data, so that you and your friends could continue playing games.
Mobile security is the type of cybersecurity that all mobile devices fall under. Technically covered under network security, mobile security gets its own cybersecurity pillar due to its unique vulnerability: Operating Systems (OSs).
Both iOS and Android OS have been targets for successful attacks for decades. New technologies allow for jailbreaks, SMS marketing allows for text message scams — our national security is often laid on the line because of a simple human error.
How can you ensure your mobile devices are secure from unauthorized access? How can you be sure your employees aren’t using their personal devices to access sensitive data?
We’ll cover more on what to do if you’re struggling with cybersecurity later, but for now, the best answer is this: Separate your business and personal devices.
The Internet of Things (IoT) is the tech industry’s way of identifying any and all hardware that interacts with the internet — and then to one another. IoT security is securing the entirety of that network, making it essentially a combination of network and mobile security, since both networks and devices are vulnerable to one another in IoT gadgets.
There is no way to install malware protection onto our smart devices, which means the network is vulnerable to the different types of cyber threats that the device is. But most networks don’t have the ability to detect or know what IoT devices are communicating through the network, meaning the devices are at risk of cybersecurity attacks, too.
IoT security addresses the full environment of your data rather than just a single device or network. Specifically, IoT security professionals will examine the place your system lives, the variety of IoT devices your employees (or former employees) use, and the information systems available to help you streamline your security measures and ensure you never end up in data security headlines.
As our development and understanding of the internet improved, so did the opportunities for data storage, selling, and sharing. Cloud security is the process of securing typically in-person services like servers, storage, and software, usually with the help of machine learning.
Cloud infrastructure allows these services to be delivered completely online, which has exponentially increased our pace of sharing online — and the pace of potential threats and suspicious activity.
Which brings us to the best cyber security question we know: How do you know who to trust?
You don’t. So if you use services like Amazon Web Services (AWS) or cloud-based accounting software like Xero or QuickBooks, it may be time to consider a cloud security strategy.
On this end of cybersecurity’s history, it’s easy to see why the Zero Trust cybersecurity philosophy came to popularity; Zero Trust is a standard set of guiding security measures for organizations that boils down to this: Nobody is trustworthy with your personal data until proven otherwise.
This proof can be as simple as a multi-factor authentication process or as complex as a fingerprint ID. Depending on the severity (and classification) of the information you deal with in your business, your Zero Trust protocol might be stricter than others.
At Ampersand, we only operate out of Zero Trust. All of our technicians, service providers, and staff know all about our firewall, have multiple 2FA methods, and understand the severity if their Master Password goes missing.
Which brings up a good topic to discuss next.
What Cybersecurity’s 5 Pillars Miss
No industry models progress perfectly, but technology is often held to an unrealistically high standard of innovation. The reality of internal business technology couldn’t be farther from the truth, making it the most at-risk of data leakage.
We highly recommend taking the following into account for all future cybersecurity plans.
Business Continuity Planning
Adopting new strategies takes time. Creating new systems takes time. Updating your software from legacy systems to cloud solutions can take years. If you want to do cybersecurity right in your business the first time, expect it to take time.
What innovators lack in time, they usually make up for in creativity. But when businesses lack time, they don’t suddenly get creative — they rush projects (yes, even projects like new business practices) out the door and end up back at square one. Don’t be that business.
We see this happen all the time: A business owner is excited about adopting a new cybersecurity tool into their business because they’re confident it will improve their team spirit.
But once they onboard it, their team is overwhelmed with the availability of information and suddenly the human interaction in their business drops — forcing the owner back to their old software.
End user education is important for all new business processes and intellectual property updates, but communication is important above all else. If your employees aren’t aware of changes to come, they can’t possibly set themselves up for success. This also leaves them ignorant of the changes, resulting in data loss. Don’t surprise your customers or employees with new cybersecurity tools.
Small Business Cybersecurity: Start Small
Okay, so far we’ve covered a brief summary of what cybersecurity is and isn’t, its benefits, and major areas of activity for cybercriminals.
That still doesn’t answer your burning question, though: Where does a small business actually start securing its data?
Where do small businesses really need cybersecurity?
Here’s the good news: Most small businesses operate within a pretty limited network.
Outside of the fact that our mobile phones literally connect us all to one another on an individual level, WiFi routers, business offices, and computers are all usually within a close area. This makes securing small businesses extremely simple compared to government agencies, for example, but that doesn’t mean it’s any less important.
To help you prioritize where to start, here is our list of routine checks we make for small businesses in Alaska:
- Public WiFi: Do you know what security type your WiFi has? When was the last time you monitored your firewall? Have you ever had someone with unauthorized access get into your electronic systems?
- Social media: How often do you change your passwords? Can multiple people gain access to your accounts?
- Personal Devices: Do you use your personal computer or phone at work? If so, do you access company data from them?
- Software: Do you have antivirus & anti-malware software installed? Do you use 2FA for all your logins? Do you use a company VPN?
- Team: Do you have a documented IT Disaster Relief Plan? Does your team understand the variety of attacks they’re vulnerable to? Do you have continued cyber security threat info available?
If you don’t know all the answers to the above questions (or how to find them if you can’t possibly know off the top of your head), it’s time to start considering cybersecurity reinforcement in your business.
Why some small businesses still fail to keep their data safe
Even after learning — or at least hearing from their IT team — what we’ve covered today, data breaches in small businesses still soared by over 150% in 2021. Similarly, IBM reported that 52% of small businesses experienced such attacks in the same year.
What’s going on? Why are small businesses still failing to keep their data safe?
Remote Work Adaptation
Unsurprisingly, having the world’s workforce move online in 2020 was a doozy for most businesses — even small teams struggled to adapt to Zoom fatigue. And with this great digital migration came intense data migration, too, undoubtedly leaving thousands of businesses vulnerable during a time where even the hackers were home longer than usual.
Lack of Leadership
Company-wide changes (which any cybersecurity measure would mean, even on a small scale) don’t happen out of the blue.
Admins don’t suddenly care about phishing scams because you spent time educating them, and even your IT team may not care to implement new changes if it means going back on what they were already working on.
No, the only way to change your business is to change yourself. Before you consider new protocols and policies, ensure you’re actually able to enact them yourself. Because if you aren’t, then no one will be.
Lack of Talent
Now, this one’s a little harder for us to believe, but we understand the problem: Small businesses aren’t sure who to turn to for IT help. Hiring someone seems like a good idea; that way, they’re dedicated to your data specifically.
Where businesses go wrong is assuming 1-2 IT team members can run the entire show. Cybersecurity is never a one-size-fits-all approach; every business is going to need a myriad of skills to accomplish company-wide security. This is where Managed Service Providers (MSPs) come in handy.
What to do if You’re Struggling with Cybersecurity
If you’re still feeling stuck, don’t worry.
Here’s a step-by-step process you can use to get yourself out of confusion and into an action plan.
- Clear your current cache (here’s how).
- Download a password manager to create unique passwords for every log-in (that you never have to remember).
- Download antivirus & anti-malware software and set it up using your new password manager.
- Download Firewall Protection software — we recommend Fortinet.
- Get a company VPN and begin using it ASAP (make sure to set it up so that it launches on your computer or other device’s startup).
- Set up two-factor authentication, or 2FA, wherever you can (social media, Google, most accounting software, etc.).
- Train your employees on common cybersecurity breaches, especially social media managers and administrative staff using email all day (or hire an infrastructure security agency).
- Document your new cybersecurity protocols and policies in your IT Disaster Recovery Plan for future review and revision.
- Reach out to an MSP for any further help you need.
Small Businesses Cybersecurity Solutions Alaska
If we’ve learned anything in the past 25+ years we’ve been in the cybersecurity solutions industry, it’s that small businesses need a human touch in their service providers. Small businesses, especially in Alaska, rely on their community to come through for them.
This is why our motto is Uniquely Human. Being in the technology field requires a broad understanding of very complicated topics, while being in the services field requires a quick ability to connect those topics to real human problems, like the ones you may be facing in your business.
If you’re still struggling with cybersecurity this year, let’s hop on a call — no strings attached.