Why Improving Cybersecurity Needs to Be a Priority and How to Get Started Right Now

In 2021, the cost of cybercrime was estimated to be $6 trillion. By 2025, that cost is expected to grow 15% year over year to $10.5 trillion.[1] Within 60 days prior to this article’s publication, T-Mobile, Mailchimp, Norton LifeLock, and Uber all suffered significant data breaches.

Oddly enough, that may be why so many companies do not make cybersecurity a top organizational priority.

Cybercrime has become so commonplace that we’re numb to its presence, and when we learn about it in the news, the targets tend to be major corporations. But assuming that small- and medium-sized businesses (SMBs) are safe with routine protections is a critical mistake.

In fact, according to Verizon’s 2021 Data Breach Investigations Report, 46% of cyber attacks were directed at businesses with fewer than 1,000 employees.[2] They just don’t make the headlines.

If companies with massive resources like T-Mobile and Uber fail to stop cyberattacks, SMBs need to make cybersecurity a top strategic priority. Here’s how to get started.

Defense in Depth

Think of defense in depth as a fortress for data and systems. Multiple layers of redundant defenses keep any intruder as far from sensitive areas as possible.

This is in contrast to something like a firewall, which is end-point protection. Defense in depth encompasses all of the technology, personnel, and operations that could lead to a firewall being tested by cybercriminals.

Physical Controls:

These protect IT systems from direct, in-person intrusion. They include locked doors, security personnel, and alarm systems.

Technical Controls:

These protect the network systems and include firewalls, VPN, SD-WAN, intrusion prevention systems, and much more. Although technical controls encompass the software-based protections most people associate with cybersecurity, they also include hardware.

Administrative Controls:

These are the procedures and policies that govern how everyone—from owners to leaders to employees—needs to approach cybersecurity.

Address Administrative Controls at Your Organization Right Now

Of the three elements of a defense-in-depth strategy, administrative controls are the most expediently addressed and arguably the most important. We think of cyberattacks as portrayed in cinema—highly skilled programmers applying top-level computer science to crime.

And while that expertise certainly exists, most data breaches occur because an employee commits an easily preventable error. This is by no means a comprehensive list, but it’s a good place to get started on improving administrative controls.

Train Employees on “Cyber Hygiene”

Cyber hygiene refers to the basic best practices that everyone should know and use in our digital world. It includes:

Using Multi-Factor Authentication (MFA) Whenever Possible

MFA creates multiple authentication steps to log in to a system. For example, after credentials are entered into a portal or app, a randomly generated code is sent to a smartphone, and that code is required to complete the process. It may not be convenient, but make MFA mandatory for all applicable software programs, applications, or services.

Requiring Complex, Unique Passwords

That means every password is a minimum of 12 characters and includes uppercase and lowercase letters, symbols, and numbers. And that also means passwords must never be reused. The previously mentioned Norton LifeLock data breach came from a “stuffing” attack, where a reused password is compromised and leveraged to access multiple systems.[3]

Provide Company-Wide Phishing & Spoofing Training

Phishing is a simple concept that requires minimal effort on the part of the cybercriminal but sets the stage for more than 90% of successful cyber attacks. The cybercriminal creates an email that looks like it is from a trusted source and blasts it out to many different targets. If a user clicks on a link or downloads a file from that fake email, their machine can then be compromised by malware and viruses.

Spoofing is when a cybercriminal creates a website that appears to be legitimate—sometimes they are excellent recreations of trusted sites—in order to infect the user’s device or have them voluntarily enter personal information. 

For both phishing and spoofing, cybercriminals can make extremely convincing recreations. They are often accompanied by frightening messages, so the user will react before thinking.

“Did you recently make a $5,000 purchase on Apple.com? If not, please click this link and confirm your identity to protect your account.”

Security as a Service

By far, the most expedient and efficient way to shore up cyber defenses is to hire an expert organization. Cybersecurity encompasses multiple layers of operational and technical disciplines. Even if you have excellent IT personnel on staff, it takes multiple experts to design and implement an effective defense-in-depth strategy.

[1] https://www.electric.ai/blog/recent-big-company-data-breaches
[2] https://www.strongdm.com/blog/small-business-cyber-security-statistics#small-business-cybersecurity-overview
[3] https://www.electric.ai/blog/recent-big-company-data-breaches
