Naivety plagues SMEs

Despite this mutating prevalence of ransomware attacks, SMEs are not adhering to the warnings of managed service providers (MSPs) and cybersecurity providers. A widespread belief by some businesses is they are too small or insignificant for a ransomware hacker to target, however, this is far from the truth. SMEs are twice as likely to be victims of ransomware attacks, making the need to focus on cyber security imperative. A business’ reduced efforts towards its cybersecurity, presents an easier pathway for hackers to execute a successful ransomware attack.

The misplaced confidence in a business’ stature births extreme vulnerabilities and consequences to ransomware attacks, as the lacklustre attention to its cybersecurity is easily exploited. The new threat landscape eliminates businesses’ luxury of only investing in cyber protection. Ransomware should be considered with the highest of threats, as hackers have the opportunity to access and manipulate a business’ data, whilst the downtime leaks money from the SME’s pockets. Businesses should not just fixate on cyber protection but employ a holistic cyber resilience plan to introduce business continuity.

A shift from cyber protection to cyber resilience

Cyber protection is an integral part to a business’ security, but it shouldn’t be the only component. Reliance purely on protection software and technology can’t compete against the resurfacing complex attacks. SMEs will become stuck in a game of ransomware-wack-a-mole, which they cannot win. Instead, SMEs should put focus on not only prevention but also its detection response and recovery capabilities.  SMEs need to shift to cyber resilience to mitigate the effects of triumphant attacks and reduce their downtime. SMEs will struggle to manage and recover from a ransomware attack whilst simultaneously attempting to operate a breached business without a business continuity plan in place. This is what builds cyber resilience.

How SMEs can implement cyber resilience

Cyber resilience requires a more proactive and consistent approach from SMEs. This includes:

• Practice good system maintenance. It is vital SMEs regularly scan and test their cyber security. Although a successful ransomware attack will always induce a negative outcome, if SMEs can recognise vulnerabilities before they develop, it will alleviate damages to the business. An internal plan should be assembled with delegated responsibilities across senior leadership to ensure the business’ cybersecurity is optimal against ransomware. Using multi-factor authentication and completing daily back-ups also leads to a healthy infrastructure.
• Educate and assess for the future. SMEs’ naivety stems from the lack of awareness and education on ransomware threats. Businesses need to understand and assess the current threat landscape, recognising what threats to look out for whilst also identifying internal weak points. Shifting focus to cyber resilience means planning for recovery, so SMEs need to compose an incident response strategy, which contains specific directions for specific scenarios of attacks, avoiding further damages, reducing recovery time and mitigating cybersecurity risk.
• Don’t make it a later agenda. Ransomware will only increase in severity as hackers’ attacks become more complex. It should be an urgency for SMEs to shift their focus to adopting a cyber-resilient approach that establishes business continuity. No business is too small for ransomware.

Regardless of size, businesses can no longer believe they aren’t relevant enough for cybercriminals to attack. SMEs need to understand the dangers of the current threat landscape and implement comprehensive business continuity plans and build cyber resilience to prepare for the growing threats of ransomware.

The post Why SMEs should be shifting away from cyber protection and focusing on cyber resilience appeared first on Inside Small Business.

Despite the increased prevalence of malicious attacks, 81 per cent of hacking-related breaches result from poor credential and password management; this is because many SMEs regard multi-factor authentication (MFA) as costly and technologically challenging. However, modern zero-trust security architecture can provide unprecedented simplicity that allows SMEs to protect their operations, without overcomplicating things.

When are passwords necessary and are there affordable alternatives?

There are three factors that can comprise authentication and identity: ‘something you have’, ‘something you know’, and ‘something you are’. Since a password is something you know, the question for SMEs is, “What are the areas where ‘something you know’ is absolutely necessary in securing your business operations?”

From a user perspective, programmes and systems are more accessible through passwords. Typically, usernames and passwords are required for most SaaS applications, unless users have a single sign-on (SSO) platform like Azure AD or Okta. When using SSO platforms, passwordless technology can be used if it’s native to the platform, or it can be easily integrated into the single identity found in the access management layer.

To create a more secure operation, the combination of hardware-based MFA and biometrics is recommended. SMEs should keep in mind that passwordless security can be insecure – remember, it’s just technology. However, by adding biometrics instead of a password and keeping a user’s MFA workflow, SMEs will be able to gain access to a world where zero-trust security models are a
possibility.

Zero trust

Zero trust encompasses more than just user authentication, as it also includes the device. To illustrate, when a machine enters a secure network, it may only authenticate the user, not the device itself. However, zero trust authenticates both. With zero trust, there is a continuous revalidation of trust. This means implementing passwordless access in a zero trust model is easier for users and more secure for the operations since the ‘something you have’ and the “something you are” factors are much more difficult to attack.

When implementing zero-trust security measures, SMEs need to remember that passwordless is not synonymous with zero trust. Users can also have zero trust with passwords and MFA tokens, time-based one-time passwords (TOTP), or a hardware token.

Passwordless accessibility will reduce friction in a zero-trust model since the user only needs to touch the hardware token, use a fingerprint scanner, or glance at a camera. When difficulties with passwordless technology occur, password-based workflows can allow access. The most important point for SMEs to remember is that there needs to be a layer of multiple factors, meaning using two of “something you know”, “something you have”, and “something you are”.

Building a zero-trust security model in the SME environment

Zero trust security models are growing in significance in the face of a constantly mutating threat environment. It is more important than ever for SMEs to constantly evaluate their level of security and implement zero trust. Users shouldn’t have an asset that is implicitly trusted all the time, and SMEs should continuously revalidate and re-trust the operational state of assets and individuals.

Building and implementing a zero-trust security model can be daunting for SMEs, which is why managed service providers actively work with SMEs to improve operational security. If in doubt, consult an expert, and start 2022 off the right way, ensuring your operations and data are secure.

The post Past passwords: securing your business in 2022 appeared first on Inside Small Business.