
TECH INTELLIGENCE: A security primer for small businesses

How to avoid becoming an easy target for cyber criminals

Carl Mazzanti//October 31, 2022//


For small-business owners, the external threats never seem to end. For example, ransomware attacks, in general, are rising – affecting companies every 14 seconds in 2019 and every 11 seconds by 2021 – and according to published reports, more than half of the targets were businesses that had less than 100 employees.

These companies represent easy pickings for hackers since many smaller businesses do not have the financial resources or technical expertise to safeguard against cyber intrusions. The numbers are scary: in 2022, the overall ransom amounts asked by attackers increased by 60%, to $178,000 on average, and hackers snagged $11 billion in ransom by the end of 2021.

Savvy small-business owners, however, can mount some defenses. One way to enhance data protection is to partner with a qualified cybersecurity managed services provider. But identifying a good provider involves more than just finding one with an attractive advertising campaign. Companies that take the time to develop an initial framework – an outline of their positioning and needs – can get off to a good start. Since this is an evolutionary endeavor, the process should not be rushed. So, although it is important to move along in a timely manner – addressing one issue or taking one step a week, for example – the individuals and teams involved in the effort should also be flexible about their timing.

A good starting point involves evaluating what, if any, regulations apply to the business or its clients. Common categories to consider may include:

  • Payment Card Industry Data Security Standard (PCI DSS): An information security standard for organizations that handle branded credit cards.
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA): A federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without patients’ consent or knowledge.
  • National Institute of Standards and Technology (NIST): A federal agency that develops cybersecurity and other frameworks and standards.
  • Cybersecurity Maturity Model Certification (CMMC): A federal Department of Defense-guided initiative to develop a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks.
  • International Organization for Standardization (ISO): An organization that develops standards defining specifications and requirements for products, processes, services and systems.

Business owners can also ask prospective cybersecurity solutions or IT support services providers about their experience with the above and other categories. Doing so can help ensure that the provider’s background and capabilities meet the needs of the client. As part of their framework, small-business owners may also want to ensure their prospective – or existing – provider is up to date with its application improvements.

Hackers love a good-paying customer, so a business that suffers a ransomware attack and then pays up is very likely to be struck again. To guard against this occurrence, a company should ask its proposed or current cybersecurity provider about its ability to deploy automated eCare Agents. Such agents address security layers, email filtering, 24×7 monitoring and firewall geo-blocking, which restricts access based upon an outside user’s geographical location. For example, if a small business is not doing business in Russia, it may be a good idea to simply block any traffic from that country.
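To make the geo-blocking idea concrete, here is a small Python illustration of the decision a firewall makes for each inbound connection, with a deny-listed country and an explicit exception for a partner's address range. It is an added example for this column, not code from the article or from eMazzanti's eCare product, and the country-to-prefix table and log lines are constructed from documentation address ranges; a real firewall would use a maintained GeoIP feed.

```python
"""Geo-blocking decision logic in the style of a firewall rule set.

Added example, not code from the article or from eMazzanti. The country-to-
prefix table below is constructed for illustration (documentation ranges, not
real allocations); a real firewall uses a maintained GeoIP feed.
"""
import ipaddress
import re

# Constructed sample table: country code -> address prefixes. Not real data.
GEO_PREFIXES = {
    "RU": ["203.0.113.0/24", "2001:db8:1::/48"],
    "US": ["198.51.100.0/24"],
}

# Policy: countries the business has no dealings with are denied outright.
BLOCKED_COUNTRIES = {"RU"}

# Exception: a hypothetical partner's range inside a blocked country stays reachable.
ALLOWED_OVERRIDES = ["203.0.113.200/29"]

_GEO = {cc: [ipaddress.ip_network(p) for p in prefixes]
        for cc, prefixes in GEO_PREFIXES.items()}
_OVERRIDES = [ipaddress.ip_network(p) for p in ALLOWED_OVERRIDES]


def country_of(ip):
    """Return the country code for an address, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in _GEO.items():
        if any(addr in net for net in nets):   # an IPv4/IPv6 version mismatch is simply False
            return cc
    return None


def geo_decision(ip):
    """Return ('allow' | 'deny', reason) for a source address.

    Overrides are checked first so an explicit exception beats the country rule;
    addresses not in the table are allowed but labelled 'unknown' for logging.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _OVERRIDES):
        return ("allow", "override")
    cc = country_of(ip)
    if cc in BLOCKED_COUNTRIES:
        return ("deny", f"geo:{cc}")
    return ("allow", f"geo:{cc or 'unknown'}")


_SRC = re.compile(r"\bsrc=(\S+)")


def denied_sources(log_lines):
    """Run the policy over firewall-style log lines; return the denied (src, reason) pairs.

    Lines without a parseable src= field, or with a malformed address, are skipped.
    """
    denied = []
    for line in log_lines:
        m = _SRC.search(line)
        if not m:
            continue
        try:
            decision, reason = geo_decision(m.group(1))
        except ValueError:          # malformed address in the log
            continue
        if decision == "deny":
            denied.append((m.group(1), reason))
    return denied


# Constructed sample log lines, not captured from a real firewall.
SAMPLE_LOG = [
    "2022-10-31T08:00:01 action=accept src=198.51.100.7 dst=192.0.2.10 dport=443",
    "2022-10-31T08:00:02 action=accept src=203.0.113.5 dst=192.0.2.10 dport=443",
    "2022-10-31T08:00:03 action=accept src=203.0.113.201 dst=192.0.2.10 dport=443",
    "2022-10-31T08:00:04 action=accept src=2001:db8:1::9 dst=2001:db8:2::1 dport=25",
    "2022-10-31T08:00:05 action=accept src=garbage dst=192.0.2.10 dport=22",
]

if __name__ == "__main__":
    for src, reason in denied_sources(SAMPLE_LOG):
        print(f"deny {src} ({reason})")
```

The point worth noticing is the ordering: the exception list is consulted before the country rule, so a blanket block on a country does not silently cut off a legitimate partner, and unknown addresses are allowed but tagged so the logs show what the feed could not classify.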

As business owners make their evaluations, they should keep in mind that effective cybersecurity deployment is not limited to blocking malware, botnets and phishing over any port, protocol or app. The protective measures should also detect and contain advanced attacks before they can cause damage. Utilizing DNS (Domain Name System) filters to block malicious websites and filter out harmful or inappropriate content can be a big step toward accomplishing this.
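The core of a DNS filter is a blocklist lookup that matches whole domains and their subdomains without over-blocking look-alike names. The Python below shows that matching, an allowlist exception, a sinkhole answer for blocked names, and a replay of a query log to count blocked lookups per client. It is an added example for this column, not code from the article or from any DNS-filtering product, and the blocklist, allowlist and query log are constructed for illustration.

```python
"""Blocklist matching for a DNS filter.

Added example, not code from the article or from any DNS-filtering product.
The blocklist, allowlist and query log are constructed for illustration.
"""
import re

# Constructed sample lists. Real filters load feeds of known-malicious domains.
BLOCKLIST = {"evil.example", "malware.test"}
ALLOWLIST = {"safe.evil.example"}   # explicit exception inside a blocked zone
SINKHOLE = "0.0.0.0"                # answer returned for blocked names


def normalize(name):
    """Lower-case and strip the trailing dot so 'EVIL.example.' matches 'evil.example'."""
    return name.strip().rstrip(".").lower()


def in_zone(name, domain):
    """True if name equals domain or is a subdomain of it, matched on label boundaries.

    'cdn.evil.example' is inside 'evil.example'; 'notevil.example' is not.
    """
    name, domain = normalize(name), normalize(domain)
    return name == domain or name.endswith("." + domain)


def is_blocked(name):
    """Allowlist entries win over blocklist entries; otherwise any blocked zone matches."""
    if any(in_zone(name, allowed) for allowed in ALLOWLIST):
        return False
    return any(in_zone(name, blocked) for blocked in BLOCKLIST)


def resolve(name, upstream):
    """Return ('blocked', SINKHOLE) or ('resolved', answer) using an upstream resolver callable."""
    if is_blocked(name):
        return ("blocked", SINKHOLE)
    return ("resolved", upstream(name))


_QUERY = re.compile(r"client=(\S+) query=(\S+)")


def blocked_queries_by_client(log_lines):
    """Replay a query log through the policy and count blocked lookups per client.

    A client with repeated blocked lookups is worth investigating.
    """
    counts = {}
    for line in log_lines:
        m = _QUERY.search(line)
        if m and is_blocked(m.group(2)):
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Constructed sample query log, not captured from a real resolver.
SAMPLE_QUERIES = [
    "client=10.0.0.5 query=www.example.com. type=A",
    "client=10.0.0.5 query=cdn.EVIL.example. type=A",
    "client=10.0.0.5 query=malware.test type=A",
    "client=10.0.0.9 query=notevil.example type=A",
    "client=10.0.0.9 query=safe.evil.example type=A",
]

if __name__ == "__main__":
    for client, n in blocked_queries_by_client(SAMPLE_QUERIES).items():
        print(f"{client}: {n} blocked lookups")
```

Matching on label boundaries (the `"." + domain` suffix) is what keeps a block on `evil.example` from also swallowing `notevil.example`, and the per-client count turns the filter's log into a detection signal rather than just a block.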

The bottom line is that the business model is always changing, and COVID-19 has accelerated the process, creating more opportunities for bad actors to enter your business. More companies, for example, have gone to a remote work model, yet many have been slow to adopt the protections that may be available from blockchain technology.

Meanwhile, although third-party, cloud-based storage and retrieval may offer some protection, a common standard to ensure data integrity has yet to be developed, which means that data movement and storage continue to represent big concerns in terms of security and compatibility. So, there is no magic bullet to protect a company’s sensitive information and systems — but a well-grounded security framework can be a highly effective beginning.

Carl Mazzanti is president of eMazzanti Technologies in Hoboken.