Over the past five years, cyber attacks on small & medium sized businesses (SMBs) have increased at a startling rate. As larger corporations have looked to protect themselves by investing more in cybersecurity, smaller businesses lacking the resources to follow suit have become ever more vulnerable as the low hanging fruit for cybercriminals. According to the Ponemon Institute’s 2018 State of Cybersecurity survey, the percentage of SMBs affected by cyber attacks grew from 55% in 2016 to 67% in 2018. While a single data breach within a small company may not produce a large return for cybercriminals, these attacks can be repeated at a high volume using automation, rendering obsolete the previously held notion that a small business is too insignificant to attract the interest of cybercriminals. As has been true in the past, the industries most frequently impacted by cyber attacks are healthcare, finance, non-profit, education, and government, due to the sensitive nature of the data they keep. Moving forward, it will be increasingly critical for small businesses to ensure their system has established best practices, review proactive security monitoring options and establish a disaster recovery plan in the event of a breach.
Best Practices for Developers
For companies working with custom software developers, it is important to know that ongoing system security is typically not the developer’s responsibility. Even if you retain their support services on a monthly basis, the scope of their responsibilities still may not include active security monitoring of your system and applications. For this reason, it is extremely important that you follow these best practices and verify that your developers have built your system architecture with the correct baseline security measures in place.
For server architects, all large cloud providers have their own recommendations for standard security protocols. Typically, they all include the following:
Recurring database backups. Not only will this reduce downtime in the event your system is breached or crashes, but the frequency of these backups protect you from large data sets being lost.
Database query protection. SQL injections are one of the most common types of web-based attacks. Using query builders, SQL prepared statements, parameterized queries or stored procedures will help prevent SQL injection vulnerability.
Avoidance of script-related data appearing in front-end forms. This can be done through input validation, but also includes protocols put in place to appropriately handle cookies, cache and local data on the web. You don’t want to expose code when someone uses the “inspect element” or “developer tools” on a web page.
Blocking of certain IP addresses. For example, if you’re only doing business in one country, you can deny international IP addresses from accessing your system.
Data encryption. If you must store important client data such as financial or payment information, then make sure it is encrypted. If storing this information isn’t necessary, then removing it from your database will lighten the impact of a potential breach by minimizing the importance of the data that has been stolen.
Access Restriction. Avoid exposing passwords and access keys within the code, and implement role-based access to different servers to reduce system-wide access.
Not only do you want to make sure your software is appropriately built, but you also want to make sure that your employees are trained on baseline measures, including the following security checklist.
Enforcement of strong password policies. Two-factor authentication and routinely updating/changing passwords decreases the chances of your password being hacked or stolen.
Training on security risks like phishing attacks. According to the 2018 Verizon Data Breach Investigations Report, 93% of modern data breaches now involve a phishing attack. Training your employees oh what to be on the lookout for can help prevent successful phishing attacks.
Control of facility, network, and device access. Make sure you and your employees are locking your screens when away from your computer and using secured/private WiFi connections, especially in public spaces.
Establishment of a disaster recovery plan. Because of how common cyber attacks have become for small businesses, you should treat them as an inevitability. Not only should you devise a plan internally in the event of a breach, but make sure you have a procedure for notifying your clients. More on this below.
Post-Development Security Options
Nowadays, the methods used to hack or breach your system change quickly and can be very difficult to keep up with, so most companies are only aware of a small number of the types of attacks that pose a threat to their business at any given time. Outside of development best practices, there are a number of options available to help bolster your cybersecurity efforts. Below are the methods we most commonly recommend to our clients to help protect their data.
Managed Service Providers
For small companies that cannot employ their own IT department, managed service providers (MSP) may be the right choice for you. MSPs offer a wide range of services from IT management, help desk staffing, and security solutions. They will be able to help identify risks and mitigate damage. Every business is different, so discussing your particular needs with an MSP is important to ensure they’re a good fit.
Proactive Security Monitoring
Many of the cloud service providers (Google, Amazon, etc.) offer extra security options to help monitor your system. These tools can configure alerts to an admin on server status, CPU utilization, and more. In addition to these add-ons, there are many tools like Sqlmap, Havij, Veracode which scan your site or code. These tools will evaluate security standards and pinpoint vulnerabilities in the code so that your team can make adjustments before those weaknesses are exploited.
As previously mentioned, cybersecurity and malicious attacks are constantly evolving, which can make it hard for any individual to keep track of. Companies like Recorded Future specialize in identifying the most advanced threats and then providing their clients with proactive security strategies. Once they’ve initially scanned your code, they can provide updates anytime they’ve recognized a new attack vector or pattern that may threaten your system. Paying for these companies can be expensive, but receiving informed security strategy and recommendations may be worth the investment to protect your data before a breach occurs.
Disaster Recovery Plan
In the event your system or database is compromised, you want to make sure you’re prepared. Building a disaster recovery plan is crucial in terms of mitigating the risk associated with a breach. From a business perspective, you want to have a client communication strategy that informs them of the incident, the countermeasures being taken, possible fallouts, and the security of their data. All client data is important, but if your system harbors financial data or patient health information, the impact of a data breach is exponentially higher. From a technical perspective, you want to make sure your team moves as quickly as possible to erase the threat. They need to understand what has been compromised, the reason behind the breach, what data has been lost and what the appropriate recovery steps are. In general, they will need to immediately update your server and database access keys and then delete all unwanted users. Establishing a plan for both internal and external operations and communication will make these events less painful.
Make the Right Decision for Your Business
As cybersecurity defenses have grown, hackers have had to adapt as well. By leveraging automated attacks, they can now target numerous companies at once, making small businesses a viable target. Unfortunately, this means that small business owners must invest in securing their systems so that they are prepared when an attack takes place. It is critically important that you take the time to identify and invest in the correct countermeasures now in order to mitigate the risk and fallout of future breaches. Speak with your software development team and managed service providers to ensure that the correct steps have been taken to protect your business. If you’re in need of a development team to help with this task, don’t hesitate to reach out to AppIt Ventures. If we cannot provide the service you need, we’ll do our best to put you in touch with someone who can.