This article was originally written and posted on ZDNet on May 1, 2020.
Small businesses have been facing a mountain of problems since the coronavirus outbreak took hold of the world's economy and shifted most people to working from home. Millions of small businesses around the world, which previously had no experience dealing with cybersecurity, suddenly had to deal with a deluge of new issues, ranging from which VPNs to use to how to work remotely safely.
Deloitte's US Cyber Risk Services leader, Deborah Golden, said many small businesses are facing the brunt of the economic impact related to measures put in place by governments to slow the spread of coronavirus, and these kinds of companies may struggle to adjust to employees working from home and potentially insecure supply chain partners.
"The pressure on small businesses certainly is going to be greater than those on large businesses that have the ability to look at other options when it comes to different supply chain vendors. They have more options than a small business might," Golden said. "They also might not have all the resources necessary to deal with these different types of scenarios, whether it be economic pressure, or the pressure of people leaving or quitting. There is certainly going to be a more heightened sensitivity of the demands placed on small businesses."
Small business leaders must be prepared to deal with the onslaught of security risks.
1. Start small when it comes to cybersecurity
Troy Gill, manager of security research at Zix-AppRiver, said all small businesses should start simple and work their way up.
"Start by assessing the most critical parts of the business that will be served by technology transformation. Look to the cloud for leverage to quickly scale those critical operations while being extra cautious and limiting security risks," Gill said.
"Strongly consider leveraging a consultant or managed service provider. Shifting an entire business practice overnight can be a daunting task even for the tech-savvy. There will be many opportunities for missteps, which can be greatly reduced by having someone with experience on your side."
2. Watch out for social engineering attacks
Sheila Carpenter, chief information officer at Zix-AppRiver, said that all small businesses need to stay alert for phishing emails and make sure employees know to click only on web links within emails that they have verified are authentic.
"Phishing emails typically come with typos and generic greetings such as 'Dear Customer' or 'Dear Sir/Madam.' Be wary of threats and urgent deadlines as these often are characteristics of phishing scams," Carpenter said.
"Assume all file attachments are dangerous. Attackers often utilize common file types users are used to seeing -- DOC, XLS and PDF, etcetera. While not every file extension can launch an attack, users should treat all file extensions with skepticism," Carpenter added.
Gill echoed those remarks and said that every small business leader needs to be hyper-aware of social engineering attacks, which have increased significantly as more businesses work from home.
Social engineering attacks rely on psychology to trick a user into doing something that serves the attacker's purpose. They are especially effective in a time like this, when attackers can capitalize on rapid change, confusion, and, at some level, fear.
Since January, hackers have deployed millions of email-based phishing and malware attacks that attempt to leverage the COVID-19 crisis with attacks disguised as everything from CDC updates to phoney stimulus notifications, Gill noted.
"We have also seen impersonation attacks ramping up. With these, the attackers often pose as a company owner or executive by faking the display name in an email. Once they have the employee on the hook, they ask for wire transfers, gift cards, personal data, or even changes to direct deposit information," he said, adding that small businesses should consider securing a robust email security solution to help protect employees.
"Of course, email is not the only attack vector. End users should also be extra cautious of phone- and SMS-based attacks as well as malicious advertisements."
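The indicators Carpenter and Gill describe above (generic greetings, urgency, attachments, an executive's display name on an outside address, requests for payments or payroll changes) can be turned into a simple triage score for inbound mail. This is an added example, not code from the article or from Zix-AppRiver; the company domain, executive names and sample messages are constructed, and a real filter would be tuned far beyond these keyword lists.

```python
"""Heuristic triage of inbound mail against the indicators quoted above.
Added example, not from the article; domain, executives and samples are constructed."""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-smb.test"          # assumed company domain
EXECUTIVES = {"jane owner", "rick finance"}  # assumed display names, lowercase
GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "dear user")
URGENCY = ("urgent", "immediately", "within 24 hours", "account will be suspended")
RISKY_EXT = (".doc", ".xls", ".pdf", ".docm", ".xlsm", ".exe", ".js", ".zip")  # cited types + macro/exe
PAYMENT = re.compile(r"wire transfer|gift card|direct deposit")

def score_message(msg):
    """Return (score, reasons) for a message dict; one point per indicator hit."""
    reasons = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    if any(u in text for u in URGENCY):
        reasons.append("threat or urgent deadline")
    if msg["attachments"]:                     # every attachment is treated as suspect
        reasons.append("attachment present")
    risky = [a for a in msg["attachments"] if a.lower().endswith(RISKY_EXT)]
    if risky:
        reasons.append("risky attachment type: " + ", ".join(risky))
    # Display-name impersonation: an executive's name on a non-company address
    if name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append("executive display name on external address")
    if PAYMENT.search(text):
        reasons.append("payment or payroll change request")
    return len(reasons), reasons

def triage(messages, threshold=2):
    """Return subjects of messages that hit at least `threshold` indicators."""
    return [m["subject"] for m in messages if score_message(m)[0] >= threshold]

SAMPLES = [  # constructed messages, not real mail
    {"from": "Jane Owner <jane.owner@webmail-lookalike.test>", "subject": "Urgent request",
     "body": "Are you at your desk? Buy gift cards immediately and send me the codes.",
     "attachments": []},
    {"from": "Billing <billing@vendor.test>", "subject": "Invoice",
     "body": "Dear Customer, your account will be suspended unless you open the attached invoice.",
     "attachments": ["invoice.docm"]},
    {"from": "Rick Finance <rick.finance@example-smb.test>", "subject": "Q2 numbers",
     "body": "Hi team, attached are the Q2 figures from this morning's call.",
     "attachments": ["q2.xlsx"]},
]
```

Calling `triage(SAMPLES)` flags the first two messages and lets the internal one through with a single point for its attachment, which is the kind of low-score item a human can still review.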
3. Ask employees to change home wi-fi network passwords
One of the most difficult parts of the coronavirus response for small businesses has been dealing with employees now teleworking, which gives cybercriminals ample opportunity to attack any number of devices or networks.
The security of an employee's home wi-fi network is now vital to the security of an entire business, forcing small enterprises to push their workers into adopting some of the security measures found in most offices or workspaces.
Gill said that while this adds some level of difficulty, it is a positive that people will be less reliant on public wi-fi, which can pose some serious security threats.
All small businesses need to ensure that all remote workers have, at the very least, changed the default password on their home routers to a strong one.
Carpenter made the same observation, and added that employees need to make sure they only let people they trust onto their home network.
"Employees should consider using 'pass phrases' to strengthen their passwords -- they are more difficult for cyber criminals to guess, and are sometimes easier for the employee to memorize. Don't allow kids to use your work devices because most children are unaware of the dangers of malware, ransomware, and other cyber threats that can take out an entire network," Carpenter said.
"It only takes one click on a malicious link or game download that could potentially harm the hard drive, or worse, find its way to your company's network," she added. "Aside from not allowing them on your work devices, a good rule of thumb is to have them check with you before they download anything to any device."
4. Make VPNs widely available
Even if you can get your employees to take basic precautions in securing their home wi-fi networks, most will still need to use VPN services to have secure encrypted tunnels between the home user and a remote server.
This is of crucial importance in protecting sensitive company data from wrongdoers that might be targeting a wi-fi hotspot or even using intrusive home ISP practices, said Gill.
"While it may be tempting to utilize a 'free' VPN service, especially at a time like this when cost is a big motivator, you should resist that temptation. Many of these services attempt to monetize their service by selling your data to third parties. You should also determine where the company is based," Gill continued.
"Look for a service based in a location that has strong privacy laws to prevent the sharing of your data. Server locations may be something to consider if you need your traffic to route through a specific geolocation. Also, depending on the variety of operating systems or devices you have deployed, you will probably want to make certain that the VPN has compatibility with your critical devices."
Markku Rossi, chief technology officer of veteran cybersecurity company SSH.com, added that VPNs were not good enough on their own. Small business owners need to have the ability to make fine-grained access rules.
Default VPN implementations, he said, would simply open the internal network to all remote users. In most cases, this level of access is way too open and most users should only need and be granted access to select systems using a select set of protocols.
"Since most users do not need generic IP-level access, application-level remote access solutions are useful in that they allow for more tightly controlled access. These solutions would provide access, for example, to files and directories, and web applications," Rossi said.
5. Use multi-factor authentication
Carpenter added that small businesses should look to multi-factor authentication when providing connections to private networks. Multi-factor authentication often involves numerical codes that are texted to your phone and must be submitted in addition to your username and password.
"While it creates an extra step for the user, it also makes it much more difficult for crooks to make use of your password if they get their hands on it. There are plenty of options out there, but I recommend a cloud version, and one that leaves zero digital footprint and has the redundancy that your business requires," Carpenter said.
Both Rossi and Gill said that one simple way to keep a small business's most precious systems and data secure is to strictly limit access.
The practice of least privilege access is always important, but with many people suddenly working from home it deserves additional consideration, Gill said. In practice this means that only those with a business need to access a system should be granted that access, which helps limit the potential for data exposure.
Rossi added that some small businesses should look into systems that can review identities and have access management rules that can ensure that only relevant and required access is granted to each employee.
6. Update and patch systems
One of the simplest ways to keep your small business safe is to make sure all of your systems are patched and updated.
A recent report from IntSights cyber threat analyst Charity Wright and chief security officer Etay Maor found that cybercriminals have been piling into hacker forums looking for vulnerabilities in all workplace applications and video conferencing tools. While many of the vulnerabilities discussed have since been patched and solved by most of the companies named, they still pose a threat to those who may not have updated their systems.
Carpenter said it was essential that small businesses update their systems and apply software patches regularly.
"This is one of the best defenses against common viruses and malware online, particularly for computers running Windows. Software makers often release updates to address specific security threats. By downloading and installing the updates, you can patch the vulnerabilities that virus writers rely on to infect your computer," Carpenter said.
Rossi added that small enterprises should ensure that all operating system auto-updates are enabled and operational. This applies to all systems, from dedicated production servers to laptops and smartphones.
7. Back up data
Ransomware attacks have become a widespread problem for businesses of all sizes, but small businesses should be fearful of having their data locked away considering the high ransom costs. While larger organizations can afford to pay a ransom or pay security teams to get their data back, many small businesses may not be able to.
To address this, Rossi said all small businesses need to conduct regular backups and store backup data in offline locations, which will help businesses recover quickly from potential cyber and ransomware attacks.
Carpenter echoed that idea and said data backups are a good practice for things beyond ransomware.
"This is important protection against ransomware, but it is also good practice to ensure business continuity during inevitable outages, whether those are accidentally self-inflicted, the result of a malicious attack or due to a natural disaster," Carpenter said.
Considering the deluge of attacks and intrusions seen in the last two months, it's imperative that cybersecurity becomes a chief concern for most remote workers and small businesses. Implementing the right security best practices takes time, but is well worth it.