A Three Step Cybersecurity Framework to Help SMBs Survive and Thrive in a Remote World
You’ve likely heard that the social media giant Twitter experienced a high profile hacking incident this past summer. What you might not know is that this attack exploited the most democratic of all vulnerabilities — human nature.
In short, cyber criminals used a phishing attack to trick employees of one of the world's largest tech companies into divulging confidential information. That gave the attackers access to the company's internal support tools and, through them, to user accounts, inflicting serious reputational damage from which Twitter is still trying to recover.[1]
This news should be a wakeup call to any Fintech or Payments business that has employees who access proprietary information and customers who entrust them with their personal and financial data.
Think your business is too small to be an attractive target for hackers? Think again. Fintech and Payments businesses have what hackers desire most: data and access to financial transactions.
The statistics underscore that the threat is real. In 2019, 63% of Small to Medium Sized Businesses (SMBs) reported experiencing a data breach in the past 12 months.[2] And while outsider attacks still account for the majority of those targeting SMBs, insider incidents, whether malicious or unintentional, are exceedingly costly for small businesses, with an average price tag of $7.68 million, according to IBM and the Ponemon Institute.[3]
At Atlantic Capital, we take cybersecurity seriously, and we want to ensure that you thrive through this challenging time by providing you with tips on how to protect your assets, as well as those of your customers. The risks of doing nothing aren’t just monetary. With just one incident, you risk shattering the customer trust you worked so hard to build.
The “ASET” Protection Framework and 7 Tips to Help Protect Your Business
Whether you have a cybersecurity plan in place or are thinking about it for the first time, we recommend a three-step approach: Audit, Secure, Educate and Train (ASET).
Here are some practical tips to get you started.
Step 1: Audit
Tip: Know where you stand
Do you understand your vulnerabilities? Security is only as good as your weakest link, so go find it. Completing regular security audits of both internal and external risks will allow you to identify ongoing or new areas of concern and revise your plans, policies and procedures before an incident occurs. Be sure to stress test your defenses and conduct scenario-based exercises to see where you stand so that you can make investments in areas that will have the biggest impact.
Tip: Evaluate account security
A business owner recently faced a $30,000 financial loss due to fraud. An email from a client, stating, “We’ve changed bank account information. Please update your records and remit payment to our new account,” turned out to be from an imposter. The business was a victim of a successful phishing attack, the most common type of fraud targeting SMBs.
Instances of account takeover are increasing in number and speed, up a staggering 72 percent in one year, according to Javelin.[4] And motivated criminals work quickly: 40 percent of all fraudulent activity associated with an account takeover occurs within a day, the organization found. Given the sophistication of these intrusions, it's critical for businesses not only to implement real-time cyber intelligence solutions that quickly identify and mitigate the risk of account takeover, but also to work jointly with customers to authenticate account-related communications (for example, confirming any change of payment details through a separately verified channel) and to implement two-way security protections.
Tip: Identify third-party risks
It's possible that your weakest link isn't inside your business at all. In our multi-channel, multi-platform world, we're all interconnected, and your biggest vulnerability may in fact be something a third-party vendor is, or isn't, doing. Regularly review your critical vendors' privacy and security policies and their compliance with data security regulations to ensure their vulnerabilities don't become yours. Understand where the allocation of risk would reside if there were a data breach. This is also a great time to review your insurance policies: what types of insurable cyber risks are covered across your existing policies, and does this coverage need to be amended as your business grows?
Step 2: Secure
Tip: Update your defenses
This is one case where it’s good to have your head in the cloud. Security experts note that SMBs’ move to the cloud and Software as a Service (SaaS) solutions has enhanced their security, but many SMBs are still underinvesting in modern, enterprise-level cyber defenses. In fact, one study found that 32% of SMBs who use endpoint security protections say that they rely solely on free consumer-grade cybersecurity solutions.[5]
For many SMBs, consumer cybersecurity products may not provide enough protection. They need a full suite of security solutions, including SSL, firewalls, email security protections, auto-generated passwords, secure content delivery networks (CDNs), multi-factor authentication and endpoint security. And just as important as having the right protections in place is making sure all software and hardware is regularly updated with the latest releases and patches.
Tip: The more layers the better
Just as you may secure your home with locks, alarms, motion lights and a big dog, a multi-layered protection plan gives you the best chance to keep cybercriminals at bay.
Cybersecurity isn’t just a technology problem, so it shouldn’t be treated as just an IT issue. Everyone plays a role.
Effective cybersecurity must include not only the technology but also the planning, training and testing required to support a security-minded culture. This includes implementing incident response planning and network penetration testing.
Step 3: Educate and Train
Tip: Assume insider risk
It's not something most businesses want to think about, but employee negligence is the top root cause of data breaches at SMBs in the US.[6] And according to Javelin, "The shift to remote work has significantly raised the threat profile of insiders."[7] The organization's recent report on insider cybersecurity threats concluded that remote work makes it easier for employees to make mistakes or be caught off guard by a social engineering scam, and for a stressed employee to participate in data exfiltration for financial gain.
During 2020, 22% of SMBs switched to remote work without a cybersecurity threat prevention plan.[8] Given the increased security risks of remote work, it’s paramount for SMBs to educate employees on the nature of the threats and provide them the information and resources they need to recognize and avoid the most common pitfalls, including phishing, social engineering, malware, policy violations and network and hardware vulnerabilities.
Tip: Start with awareness
Consider this: 70% of SMBs reported that their employees’ passwords had been lost or stolen in the past year and more than half reported compromised credentials.[9] The collective risk to SMBs of all this compromised data is hard to overstate, but it’s likely that most employees are never shown the big picture. In addition to educating and rigorously training employees on security policies, procedures and best practices, SMBs can help employees understand their role in creating or reducing the risk of cyber attacks and their implications for the business and its customers.
Conclusion
Despite decades of progress in identifying and mitigating cyber threats, fraud losses continue to grow as cyber criminals capitalize on technological advances and exploit vulnerable businesses and consumers. Cybersecurity is not a one-time investment, but rather a continuous cycle of auditing, securing, educating and training to ensure you have the best chance possible of staying one step ahead of the criminals and the damage they can inflict on your business.
To learn more about how to protect your business from the risks of cyber fraud, contact us at www.atlanticcapitalbank.com or speak to your banker.
______________________________________
[1] https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html
[2] https://start.keeper.io/2019-ponemon-report
[3] https://www.thesslstore.com/blog/15-small-business-cyber-security-statistics-that-you-need-to-know/
[4] https://www.javelinstrategy.com/press-release/identity-fraud-losses-increase-15-percent-consumer-out-pocket-costs-more-double
[5] https://www.prweb.com/releases/new_study_reveals_one_in_three_smbs_use_free_consumer_cybersecurity_and_one_in_five_use_no_endpoint_security_at_all/prweb16921507.htm
[6] https://www.keeper.io/hubfs/PDF/2019%20Keeper%20Report%20V7.pdf
[7] https://www.javelinstrategy.com/coverage-area/cyber-security-insider-threats-social-engineering-malicious-intent?utm_medium=email&_hsmi=94280644&_hsenc=p2ANqtz-9IrQjZutfi06opLyCsisv65H0Um8QO88draVlRHSmzuYPIrUOUbFFLnzCtzTbRvl8_UFSAlSewijBLN7_5bXxo2_liKQ&utm_content=94280644&utm_source=hs_email
[8] https://www.thesslstore.com/blog/15-small-business-cyber-security-statistics-that-you-need-to-know/
[9] https://www.keeper.io/hubfs/PDF/2019%20Keeper%20Report%20V7.pdf