The majority of small businesses don’t have adequate security in place to protect against potentially devastating cyber attacks.
“Many small businesses think that if they have a firewall and antivirus software, they’re secure, but that isn’t the case,” said Michael Ball, CISO with Performance Advantage. Even more concerning is that a Statistics Canada survey shows that 10 per cent of companies say they have no security at all.
Twenty-one per cent of Canadian businesses say they’ve been impacted by cyber security incidents. In fact, most businesses have been hacked, said Ball. “They just don’t know it yet.” Small companies are increasingly targeted as a route through the supply chain to bigger companies.
“Small businesses are just like large ones, with all of the same risks and supply chain vulnerabilities,” said Ball
The right security measures take constant effort
Small and medium-sized businesses must practice good cyber hygiene, “all of the time”, said Ball. They need to be proactive on security measures, including password management, multi-factor authentication, patching, monitoring, intrusion detection and backups.
“When is a backup not a backup? When you don’t test it and it turns out to be a blank file,” said Jim Love, ITWC CIO. “I’ve had CIOs call me in tears when they can’t restore their data.”
Continuous monitoring is essential. “You need to understand what’s going on inside the network day in and day out”, said Ball. Monitoring enables companies to take the required steps to identify, contain, analyze, remediate and report the threats.
For security monitoring to be effective, all devices on the network need to be covered. The first line of defence is firewall monitoring and url filtering to block any traffic that is contrary to preset rules. As well, endpoints should be protected by monitoring for anomalies in how the applications work. Anti-virus protection is no longer good enough to defend against hundreds of thousands new malware threats created every day, said Ball “They’re generated automatically now.”
To do it right, it could take up to seven people to monitor everything full-time, said Ball. “It’s time consuming and onerous. We’re all looking for the silver bullet. There is none. It’s all work and effort.”
There is an easier way
Commercial products, with 24/7 support, can put the necessary defences in place, but the price is often too steep for small businesses, said Ball. A number of open source security products are available, however, most of them require ongoing management.
A managed detection and response (MDR) service is a good option for small and medium sized businesses, Ball said. It’s a subscription-based service offered by experts who will work with businesses to identify key vulnerabilities and put best-of-breed monitoring tools in place. “You can rest easy knowing that your systems are protected and that any security incidents will be contained and resolved.”
“It’s an affordable way to get the expertise you need to protect a small business,” said Ball. “You can hire an MDR service just like you would hire an accountant.”
