How companies without CISOs can build their defenses

There’s no such thing as “too small” to be a cyberattack target anymore. If you think hackers wouldn’t be bothered to target small to medium-sized businesses (SMBs), think again. 

Today, even small ventures handle valuable data such as customer and payment information, which makes them profitable targets to hack. In fact, attacks against small businesses have been increasing. Password-stealing malware attacks on small companies increased almost a third from the first quarter of 2021 to this year’s Q1. 

Considering how prevalent cyberattacks have become, SMBs should prioritize security. Unfortunately, SMBs aren’t investing as much in cybersecurity as they should be. Nearly half of businesses with less than 50 employees lack a separate budget for security. Larger enterprises, by contrast, have the luxury of hiring Chief Information Security Officers (CISOs) to spearhead their defensive strategies. In SMBs, IT teams have to assume this responsibility. They even have to adopt broader perspectives when securing the entire organization.

Security is a shared responsibility across all technology users. This is why companies, SMBs included, must be ready to invest in security. The lack of a dedicated CISO shouldn’t stop them from implementing robust security strategies that significantly reduce their risk of falling victim to damaging cyberattacks. Everyone can start by applying basic security practices.

Here are several tactics that security teams can implement that will immediately impact SMB security posture. 

Enable multifactor authentication

Companies have been shifting workloads to the cloud through Software-as-a-Service (SaaS) enterprise applications. Fortunately, SaaS apps have improved their security measures. SMBs should be taking advantage of this.

Most have options to enable multi-factor authentication (MFA). With MFA enabled, users must provide at least two forms of credentials to be granted access to an app or a system. A common implementation of MFA is one-time passwords (OTP). 

Aside from a valid username and password combination, an app would require the user to enter an OTP. Users receive the OTP at the time of login in their registered email addresses or mobile phones. This mechanism commonly prevents unauthorized access just in case a hacker gets ahold of a username and password combination to the SaaS app.

Enable password rotation and limit privileges

When securing accounts, use strong passwords and complex passwords. Special characters and length make it more challenging to crack. Employees must also avoid reusing their personal emails and passwords for work and vice versa. Hackers now have access to login information from many past data breaches. So, if a user happens to continue using compromised credentials, chances are hackers can readily access systems or apps that use the same credentials.

You can typically require password rotation in your enterprise apps. User passwords can expire so that employees will be forced to change them. This limits the time an account is exposed if it ever becomes compromised. To help employees keep track of their credentials, have them use password managers. They will be able to use long and complex passwords for the apps they use and even continuously update their passwords without needing to remember each one.

When providing employees with access to systems and applications, only give them access to the bare minimum of data and functionalities that they need to function. Most enterprise apps let you customize user roles and create user groups, making it easy to limit a particular user’s access and capabilities. This way, you can further limit the risks a compromised account can bring. This is often referred to as “the principle of least privilege.”

Humans are prone to mistakes, making us a weak link in any cybersecurity equation. Hackers like to exploit this weakness by using social engineering attacks like phishing. These fake messages and websites impersonate trusted services and companies. They try to trick users into giving up private information or downloading and installing malware into office devices. For example, the recent Uber data breach reported last September was accomplished through a social-engineering attack that targeted an Uber employee. 

SMBs should develop cybersecurity awareness in their employees and build a strong security culture company-wide. Employees should be able to spot and report phishing messages and break risky habits like plugging in external storage devices, such as USB sticks, without scanning them. 

There are plenty of resources that can help improve cybersecurity awareness. Amazon, for instance, has made its in-house awareness training accessible to everyone.

Know your security posture

SMBs should have a basic understanding of their current cybersecurity posture. If you use productivity apps like Microsoft 365 and Google Workspace, you can use their built-in security measures to help you evaluate your posture.

Microsoft 365 users, for instance, can check their Microsoft Secure Score, which measures organizations’ security posture. A higher score indicates that more security measures have been implemented to protect identities, data, devices, and apps. It also provides measurements of other metrics, visualizations, and suggestions for improving the score.

Google, meanwhile, allows individual users to perform security reviews of their accounts. Google’s Security Checkup provides detailed information on which devices, third-party apps, and services have access to the account and if measures like MFA are enabled.

Secure all hardware and devices

Small businesses must control the hardware and devices that access their data and infrastructure. Each of these devices must be secured. Computers and mobile devices should require login or have access security enabled. Firewalls and antiviruses should be turned on.

There must be clear policies on how employees should use IT resources. Company-owned devices should strictly be for business use. If the business has a bring-your-own-device program, they should seriously reconsider it. They should discontinue the practice if they don’t have the capability to audit and secure employee-owned devices.

Better safe than sorry

According to IBM, the average cost of a data breach in 2022 stands at $4.35 million. A single cyberattack can cripple smaller enterprises easily. Since experiencing a cyberattack is inevitable these days, establishing measures to prevent their success is vital for SMBs. 

These tactics may seem basic and to some extent obvious, and certainly, they do not replace the need for a comprehensive cybersecurity strategy. But putting up preventive measures now is better than having no protection at all. These can be implemented without having a full-time CISO on board and should serve as the building blocks for a more robust cybersecurity strategy.

David Primor is the CEO and cofounder of Cynomi, a AI-powered, automated vCISO platform.