Six cyber security holes you need to plug now

Cyber security is a critical business issue for companies of all sizes, not just for organisations with a household name whose brand would take a serious knock if a breach were to happen. Attackers know that smaller businesses are often the most vulnerable, and the damage can do more than harm a small business's reputation; it can put it out of business altogether.

In the 2022 Data Breach Investigations Report by Verizon, 46% of all cyber security breaches in 2021 affected organisations with fewer than 1,000 employees, and 61% of SMBs were the target of an attack, most of them without any cyber protection in place. Ransomware was the most common form of attack, typically resulting in the loss of sensitive data, and just over half of those affected paid the ransom, an outlay that smaller companies with smaller budgets can ill afford.

It’s understandable; small businesses "have less time and fewer resources to focus on cyber security, which often takes a back-seat to sales-related activity," Hemant Kumar, CEO and co-founder at Enpass, says. Yet, they also "often have larger companies as customers, making the potential gain greater and the consequences of a breach more severe". It's not all that surprising that cyber security takes a back seat when you consider solutions are often seen as "expensive and overcomplicated" according to Pete Bowers, COO at norm.. "But whilst enterprise-level solutions can come with enterprise-level price tags," Bowers continues, "there are some simple free and inexpensive measures that small business owners would be wise to implement."

It is worth remembering that there's no such thing as being 100% secure. If, however, you have the measures and resources in place to know how to act once an attack has hit, and how to recover from it quickly, you've covered the crucial aspects of minimising its impact. It's all about knowing where the cyber security holes are in your organisation, and how to "plug" them.

1. Identity and authentication

Identity is “probably the first issue that small businesses struggle with concerning security", according to Tom Bridge, principal product manager at JumpCloud. This is the question of who's using a device and how you can prove it, and for big enterprises “there’s a whole industry out there addressing identity and security using strong authentication and single sign-on (SSO)".

For smaller businesses, however, there's a catch: "These technologies often build on Microsoft Active Directory, and that is not aimed at small businesses." Most identity products still don't address the particular needs of an SMB, but a cloud-based directory service (Directory-as-a-Service, or DaaS) for user identity management can give SMB owners single sign-on without having to run their own directory infrastructure.

One solution for smaller organisations is to combine password management, multi-factor authentication (MFA) and the principle of least privilege (PoLP), under which each user is granted only the access to data and applications that their tasks actually require and nothing more, to plug the identity and authentication gaps. A simple password policy on its own won't do: password reuse is rife, and many people opt for one of the most common passwords out of convenience, the likes of a run of consecutive digits or the first six letters of the top row of a standard English keyboard ("123456" and "qwerty").

The simple fix is enforcing strong, unique passwords for all business-critical applications and accounts. “Random password generators are a great option for guaranteed one-time use, with password managers helping users to stay on top of these," recommends John Goodacre, challenge director of the UK Research and Innovation’s ‘Digital Security by Design’ and professor of computer architectures at Manchester University.
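As an added illustration (this is not code from the article or from any of the vendors quoted in it), the following Python sketch shows what enforcing the policy above looks like in practice: a checker that rejects short, digits-only, sequential, reused and well-known passwords, and a generator that draws from the operating system's CSPRNG via `secrets`. The denylist is a constructed stand-in for the published "most common passwords" lists, and the 12-character minimum is an assumed policy value.

```python
import math
import secrets
import string

# Constructed denylist standing in for the published "most common passwords"
# lists the article alludes to; a real deployment would load a far larger one.
COMMON_PASSWORDS = {
    "123456", "12345678", "123456789", "password", "qwerty", "qwerty123",
    "111111", "abc123", "letmein", "welcome", "admin",
}

MIN_LENGTH = 12  # assumed policy floor for business accounts


def _is_sequential(s):
    """True for runs such as 'abcdef' or '654321' where every step is +1 or -1."""
    if len(s) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def check_password(candidate, previously_used=frozenset()):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.isdigit():
        failures.append("digits only")
    # Strip a trailing digit/symbol tail ("Password1!") before the denylist
    # lookup so that a common password with decoration bolted on is still caught.
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        failures.append("appears on the common-password denylist")
    if _is_sequential(lowered):
        failures.append("is a simple character sequence")
    if candidate in previously_used:
        failures.append("reused from another account")
    return failures


def generate_password(length=20):
    """Generate a random password with `secrets` (a CSPRNG), never the `random` module."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):  # practically never loops, but the check is cheap
            return pw


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("123456", "Qwerty2024!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "OK")
    print("generated:", generate_password(), "(about %.0f bits)" % entropy_bits(20, 94))
```

The `previously_used` parameter is where a password manager earns its keep: the checker can only flag reuse if something records what each account already uses, which is exactly the bookkeeping Goodacre suggests delegating to a manager rather than to memory.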

Any identity management policy should also include a robust MFA process wherever that's achievable. Lee Wrall, director at managed services provider (MSP) Everything Tech, points to recent Microsoft research finding that 99.9% of the account-compromise attacks it analysed could have been prevented had MFA been enabled. "If a vendor doesn’t support it," Wrall says, "it’s time to look for another." Truth be told, it's not difficult to find vendors that appreciate the value of MFA as a selling point. "The technology of MFA has been used in the banking industry for a long time," Adam Seamons, information security manager at GRC International Group says, "and it’s now in many mainstream products such as Microsoft Office 365, Google Workspace and Apple iWork. Enabling MFA isn’t a silver bullet for account compromise, but it can go a long way to make things harder for attackers."

That brings us to the final line of defence when it comes to identity security: PoLP. "If everyone in your company can make system changes and access important data, then all it takes is one account to become compromised by malware or a cyber criminal and it’s all over," Seamons concludes.

“Unavoidably, in the small business world, employees often have to wear multiple hats and work across a range of roles and systems, so you may need to weigh security against convenience, but putting your thumb on the security side of the scale is rarely a bad move.”

2. Patch management

For Jamie Akhtar, CEO and co-founder of CyberSmart, the security hole that most urgently needs addressing in most small businesses is patching.

"Over time, even the best software develops vulnerabilities, suffers a breach, or simply becomes outdated," he says. “The trouble is, patching is only as effective as the number of customers who regularly update their operating systems and software." And that can be hard to manage for the smaller business.

Patch management tools can help to centralise the process, but the real key is getting into a routine of patching. As Ken Galvin, senior product manager at Quest, says: "Misconfigured, outdated and unpatched software are three primary vulnerabilities that hackers attempt to exploit." Being able to automate the process is particularly beneficial for smaller businesses without an IT team. "Look for tools with built-in vulnerability scanning which can find susceptible devices and tell you how to remediate issues," he recommends.

3. Email and phishing

It might seem odd to think of email, something so central to almost every business, as a security hole, but it is. "A business email system is an open front door that accepts virtually any message sent to a valid email address," Galvin explains. Even once you sweep out dangerous attachments, phishing attacks are as prevalent as ever, and they are a threat that technical controls alone can't fully manage.

"Much of your success in thwarting these attempts will be controlled by your employees," notes Galvin. Security awareness training, email filtering and antivirus software all cover the fundamentals. For better protection, he recommends "gaining better visibility and control of the devices that access your network, through tools such as unified endpoint management software". That can be a big ask, and a big spend, for a small business. However, these points of entry to your platforms and services present a huge opportunity for attackers, so investing in their protection is well worth it.

If your staff do fall victim to a phishing attack, remember that how you respond after the fact still matters: immediately change the affected passwords and report the incident. “If a small business does fall victim to a phishing attack, it's always important to report it to Action Fraud,” advises Goodacre – “and remember not to punish staff, as it discourages them from reporting future incidents.”
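To make the "email filtering" mentioned above concrete, here is an added Python example (not part of the article, and not Galvin's or any vendor's tooling) that scores an incoming message on four classic phishing indicators: a failing SPF/DKIM/DMARC verdict in the `Authentication-Results` header the receiving mail server adds, a display name that borrows a brand the sending domain does not own, a `Reply-To` that quietly redirects replies elsewhere, and a digit-for-letter lookalike of the business's own domain. The trusted domain `example.com`, the brand list and both sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the demo: the domain(s) the business itself sends from, and
# brand names phishers commonly impersonate. Both lists are illustrative only.
TRUSTED_DOMAINS = {"example.com"}
IMPERSONATED_BRANDS = {"microsoft", "google", "paypal", "dhl"}

# Digit-for-letter substitutions used to spot lookalike domains ("examp1e.com").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in an RFC 5322 message."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)

    # 1. The receiving mail server's own verdicts (Authentication-Results, RFC 8601).
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % mech, auth)
        if m and m.group(1) != "pass":
            indicators.append("%s result is '%s'" % (mech, m.group(1)))

    # 2. Display name mentions a brand that the sending domain does not contain.
    name_l = display_name.lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in name_l and brand not in from_domain:
            indicators.append("display name mentions '%s' but sender domain is %s" % (brand, from_domain))

    # 3. Replies are silently redirected to a different domain.
    if reply_domain and reply_domain != from_domain:
        indicators.append("Reply-To domain %s differs from From domain %s" % (reply_domain, from_domain))

    # 4. Sender domain is a digit-for-letter lookalike of one of our own domains.
    normalised = from_domain.translate(HOMOGLYPHS)
    if from_domain not in TRUSTED_DOMAINS and normalised in TRUSTED_DOMAINS:
        indicators.append("sender domain %s is a lookalike of %s" % (from_domain, normalised))

    return indicators


# Constructed sample messages (not real mail).
PHISH = """\
From: "Microsoft 365 Support" <alerts@micros0ft-login.net>
Reply-To: recover@mail-verify.co
To: finance@example.com
Subject: Your mailbox will be suspended
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=micros0ft-login.net; dkim=none; dmarc=fail header.from=micros0ft-login.net

Sign in within 24 hours to keep your account.
"""

LEGIT = """\
From: "Accounts" <accounts@example.com>
To: finance@example.com
Subject: Q3 invoice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached as agreed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

None of these checks is decisive on its own (a legitimate newsletter may well use a different `Reply-To`), which is why a filter should score and quarantine rather than silently drop, and why the reporting culture Goodacre describes still matters for the messages that slip through.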

4. Remote desktop

Use of the Remote Desktop Protocol (RDP), which lets users connect remotely to a Windows PC or server, and of other remote-access tools has skyrocketed in the past few years as businesses have increasingly adopted a hybrid model. It can be a risk, though: "With this window into your business environment," Galvin says, "if hackers manage to find open ports by using penetration testing software like Cobalt Strike, a brute force password hack on those open ports to gain access could be implemented, resulting in a complete IT system control takeover."

Ioan Peters, regional managing director for EMEA cyber risk at Kroll, recommends that your remote desktop should only be accessible via a virtual private network (VPN) or a virtual desktop solution, to minimise the chances of an attacker finding a way in, and, so far as possible, to put distance between business-critical resources and employees' personal systems. In practice that means the RDP port should never be reachable directly from the internet, the VPN itself should require the MFA discussed in section 1, and failed logon attempts should be monitored so that a brute-force run is noticed before it succeeds.
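The brute-force scenario Galvin describes leaves a very recognisable trail in the Windows Security log: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a success (event ID 4624) from the same address. The following Python example is added here to show the detection logic; it is not from the article or from Kroll or Quest. The event export format, the five-failures-in-five-minutes threshold and the sample events are all constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed export of Windows Security events (not real logs), one per line:
# timestamp, EventID, TargetUserName, IpAddress, LogonType.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP (RemoteInteractive).
SAMPLE_EVENTS = """\
2022-07-29T02:14:01Z,4625,administrator,203.0.113.45,10
2022-07-29T02:14:03Z,4625,admin,203.0.113.45,10
2022-07-29T02:14:06Z,4625,backup,203.0.113.45,10
2022-07-29T02:14:08Z,4625,jsmith,203.0.113.45,10
2022-07-29T02:14:11Z,4625,jsmith,203.0.113.45,10
2022-07-29T02:14:13Z,4625,jsmith,203.0.113.45,10
2022-07-29T02:15:40Z,4624,jsmith,203.0.113.45,10
2022-07-29T08:59:12Z,4625,amartin,198.51.100.7,10
2022-07-29T08:59:30Z,4624,amartin,198.51.100.7,10
2022-07-29T09:02:00Z,4624,svc_backup,10.0.0.12,5
"""

WINDOW = timedelta(minutes=5)  # assumed detection window
THRESHOLD = 5                  # assumed number of failures that counts as brute force
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the CSV-style export into (timestamp, event_id, user, ip, logon_type) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, ip, logon_type = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id, user, ip, logon_type))
    return events


def detect_rdp_brute_force(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of RDP logon failures per source IP.

    Returns a list of (alert_type, ip, detail) tuples: one 'brute_force' alert the
    first time an IP crosses the threshold, and a 'compromise_suspected' alert for
    any later successful RDP logon from that same IP.
    """
    failures = defaultdict(deque)   # ip -> timestamps of 4625s inside the window
    usernames = defaultdict(set)    # ip -> distinct accounts tried
    flagged = set()
    alerts = []
    for ts, event_id, user, ip, logon_type in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue  # only interested in the RDP "window into the business"
        if event_id == "4625":
            recent = failures[ip]
            recent.append(ts)
            usernames[ip].add(user)
            while recent and ts - recent[0] > window:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip,
                               "%d failed RDP logons within %s, accounts tried: %s"
                               % (len(recent), window, sorted(usernames[ip]))))
        elif event_id == "4624" and ip in flagged:
            alerts.append(("compromise_suspected", ip,
                           "successful RDP logon as %s after brute force" % user))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

The single failure from 198.51.100.7 is a user mistyping a password and is correctly ignored, while the address that cycles through `administrator`, `admin` and `backup` before landing on a real account trips the alert; the subsequent success from that address is the signal that should page someone, because at that point the attacker has the "complete IT system control" Galvin warns about.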

5. The cloud

"In 2022, your small business is only as secure as your weakest cloud service provider," says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre. In fact, protecting sensitive data from being pulled out of the infrastructure by unauthorised users is one of the most critical challenges for a business of any size. With companies increasingly reliant on cloud-based platforms like Google Workspace and Microsoft Office 365 to enable their employees, this is a cyber crack threatening to turn into a full-blown security sinkhole.

"A small business might not have an in-house security team," says Burak Agca, a senior engineer at cyber security firm Lookout, "but data protection can be aligned with secure IT practices concerning how users access the infrastructure and the data within it." Lee Wrall recommends you seriously consider investing in a managed service provider: “The longer you ‘wing’ your IT on your own, the more you’ll be at risk," he warns. “Small businesses should get used to paying someone to allow them to sleep at night from the very early days in their business; most providers have a scaling price model to bring them within your budgetary reach."

6. Untrusted applications

Small businesses often don’t have the resources to put everything through a deep security review, and that can lead to dangerous software being let loose on your company network. "This primarily applies to mobile apps," Agca says, "especially since users could unknowingly download apps laced with malicious loaders that pull malware down to the device after installation."

Although it may be hard to enforce in the age of bring your own device (BYOD), security software is a must for every smartphone and tablet that’s used in a small business setting, ensuring that there’s sufficient protection and that all device types comply with policies and procedures. "Proactive malware protection is critical to ensuring your employees and data are protected from threat actors," Agca says.

This advice is especially pertinent since many small businesses have very little, if any, visibility into what vulnerable assets actually exist in their infrastructure. Satya Gupta, founder and chief technology officer (CTO) at Virsec, reminds us that supply chain attacks, which can result in compromised or malware-laden software being deployed, also belong here. "These attacks are increasing in volume lately and allow the attacker to inject malicious code in the business without having to exploit a vulnerability or leverage stolen credentials," Gupta says. A good application control solution, one that only allows approved software to run rather than trying to block everything known to be bad, can help mitigate this.

This article was first published on 29/07/22, and has since been updated.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.