America’s SBDC Blog

A “Forbes 100 Best Websites for Entrepreneurs”

Protecting Small Businesses from Fraud and Scams – Trends for 2024

By Earl Gregorich, CBA – South Carolina Small Business Development Center, Greenville

It’s a crazy world out there and small businesses are being targeted by scammers, fraudsters, hackers, thieves, and bad actors. So how do we run a business and keep our cash, data, employees, and clients safe? Let’s take a look at some of the upcoming trends in cybersecurity that might help small business owners create a defensive strategy:

Attacks Will Continue – More Frequently and with Greater Sophistication

OK, this prediction isn’t a surprise, but it sets the stage for why it is important to establish a defense against these attacks. Ransomware and phishing attacks have been around for a while now, but the days of just scanning for poor grammar to stay safe are over. (Thanks, AI!) Hackers can now take more sophisticated approaches, using traditional email with more effective narratives, graphics, and fake email addresses. Attacks will also become more widespread with improved voice dubbing for phone and audio attacks and more powerful computers to drive the hacking.

Small business owners will need to consider implementing threat detection, robust backup systems, and most of all, a persistent training plan for employees to stay ahead of the scammers. At the very least, a small business owner should implement a defense strategy that makes a hacker move on to a less protected victim.

Action Items to Stop Attacks

  • Implement advanced email filters and scanning
  • Regularly update software and firmware on devices
  • Train employees on common threat recognition and response plans
  • Remove unused software and mobile apps that are unsupported or out-of-date
  • Run and test regular data and system backups

Remote and Hybrid Workforce Security – Is Your Data Safe at Home?

Many factors have caused the face of our workforce to change. We have become accustomed to work-from-home models. Employees now work in the office, at home, on the road, and sometimes on the other side of the globe. Endpoint security, virtual private networks, and multi-factor authentication are high-priority considerations in any robust defense but they are especially important when working with users accessing business data from remote locations.

Strong policies on the use of personal devices (Mobile Device Management (MDM)) and on conduct while traveling and using public access points must be communicated and enforced. Employees should be trained regularly on the risks and pitfalls of remote access.

Action Items to Keep Data Safe While Remote

  • Enforce strong access controls with multifactor authentication, limited privileges, and VPN usage
  • Require strong, unique passwords and consider implementing password management software
  • Conduct regular cybersecurity training for remote and hybrid workforce members with emphasis on secure Wi-Fi connections and safe internet browsing practices
  • Utilize endpoint security solutions like antivirus and anti-malware software including update procedures

Internet of Things (IoT) – Everything is Connected

Cameras, alarms, refrigerators, manufacturing equipment, and many other devices around your business are connected to the internet and communicating within your network. It is possible any one of these devices could represent a gateway for an attacker. Small business owners need to be aware of what devices connect to their network and how to configure their security features. This will include keeping the software updated and passwords secure.

One of the easiest ways to insulate valuable company data from attacks through IoT gateways is to segment networks to isolate devices from secure networks. This can limit exposure if a hacker gains access to a device and may also allow easier monitoring and detection of unusual activity on IoT segments.

Action Items for IoT Safety

  • Isolate IoT devices on separate, dedicated networks to prevent unauthorized access to critical systems.
  • Implement firewalls and access controls to restrict communication between IoT devices and sensitive data.
  • Maintain a schedule for applying firmware and software updates provided by IoT device manufacturers.
  • Change default passwords on IoT devices to strong, unique credentials.
  • Monitor IoT device traffic for anomalies and unusual behavior.

Regulatory Compliance – The Legal System is Playing Catch-Up

The small business community has, for the most part, taken a wait-and-see attitude when it comes to cybersecurity. The mindset that small business is too small for scammers to target runs rampant across the country. However, small businesses make up 95% of the US economy, so they represent the majority of the targets available to hackers. And these small business targets are usually not well protected and provide a gateway to larger and larger targets through the companies they work with. For this reason, government has begun taking measures to enforce regulatory requirements within the small business community as a layer of protection for government and corporate contractors.

Small businesses will increasingly have to show they are taking measures to protect customer and client data. Standards will have to be met regarding how networks and devices are managed. Compliance will become commonplace and business owners will have to document the actions they are taking to maintain diligence in the fight against fraud and cybercrime. Local, state, and federal laws already exist regulating incident reporting. Regulations are already in place regarding data handling within medical, financial, and defense-oriented businesses. Many small businesses may not realize they are currently being held to these regulatory standards.

Action Items to Prepare for Compliance

  • Stay in the know on relevant industry-specific and regional regulations and compliance requirements and consult legal or compliance experts as needed.
  • Establish clear policies and procedures that address compliance requirements, including data protection, privacy, and reporting.
  • Appoint a compliance officer or team responsible for overseeing and enforcing compliance efforts.
  • Audit and maintain comprehensive documentation of compliance activities, including policies, procedures, and audit results.
  • Address any compliance issues promptly and transparently.

AI, Machine Learning, and Quantum Computing – Oh My!

As was mentioned above, the bad actors are getting smarter. Tools are more plentiful and computing power is increasing exponentially. Artificial Intelligence (AI) now allows even a non-techy person to write complex computer code in seconds. Machine learning can now assess millions of scenarios in just minutes, allowing attack methods to be tested and perfected before launch. These capabilities are made even more threatening by the increasing computing power available to the average hacker. A complex 14-character password including numbers and characters, which just three years ago would have taken a few years to crack, can now be deciphered in minutes.

Small businesses, in most cases, won’t have the resources in-house to combat this level of technology. A business owner will need to seek outside assistance and use cloud-based systems that are already built with security systems in place to withstand high-powered AI attacks. Enlisting the services of a managed security services provider (MSSP) may also be a good strategy since these companies are using the same AI, machine learning, and quantum computing to fight off hackers.

Action Items to Protect You from the Machines!

  • Maintain an understanding of what AI can and cannot do. Plan protections that are sensible and directed toward realistic threats.
  • Research cloud-based services that meet your business needs and incorporate security beyond your budget or abilities.
  • Consider partnering with managed security service providers (MSSPs) that offer AI-powered threat detection and response as a service.

In closing, it is not a matter of “if” you will fall victim to a scammer or hacker. It’s “when.” No amount of planning or protection can guarantee safe computing. However, you can make your business a less desirable target by watching the trends and making sound adjustments to your defense strategy. As always, should you need no-cost assistance in your preparations, reach out to our local Small Business Development Center by going to AmericasSBDC.org and searching by your zip code. Our team of professional consultants stands ready to assist.
