Here at Blue Ridge Technology, we talk about cybersecurity. A lot. And there’s a good reason for it: cybersecurity incidents can aggressively disrupt your business’s continued growth success!
We know you might be sick of hearing about cybersecurity, but the fact is, most small businesses are still making dangerous cybersecurity mistakes that could cost them tens of thousands of dollars, hours of lost productivity, and hard-earned customer respect and loyalty.
Let’s walk through three top cybersecurity mistakes, along with how to avoid them (or course-correct if you’re making them right now!).
1. Lax Employee Privileges or a Lack of Access Control
When you’re just starting out, your IT policies are pretty fluid. Your team is small, you trust them all, and there isn’t time to worry about limiting access to files internally.
But once you grow larger than a small startup, this kind of laissez faire approach can get dangerous.
Think about it: you don’t leave your physical facilities unlocked and unguarded, and you probably control who can go where (through physical access control systems, if you’ve grown large enough). At a minimum, there are clear boundaries between here customers and visitors can go and where your staff can go, right?
Why do we control physical spaces? Simple: it’s just obvious that giving everyone unrestricted access is a bad idea. Eventually, someone’s going to do something, whether accidentally or on purpose, that harms your business.
Your IT systems and files offer just as much of an opportunity to criminals — and to unwitting or irresponsible employees. If your systems are wide open for anyone, then any and every compromised credential becomes a systemwide threat.
Solution: Access Control
So what’s the solution? Implementing digital access control, which limits access according to roles and responsibilities. This takes some work to implement, and it has to be maintained as people change roles within the company or leave the business entirely. But the effort is absolutely worth the increase in cybersecurity preparedness. (We can help with both implementation and maintenance, by the way!)
2. Lateral Movement
The second mistake tons of businesses large and small make regarding cybersecurity is something that we call lateral movement in this industry. This is when threat actors gain access to some kind of secondary system that seems unimportant, even disconnected from your core business. But once they work their way into that system, it’s often possible to break into other systems connected to the compromised one — including your core systems and financials.
This isn’t just theoretical, either: it’s the tactic behind some of the most famous consumer data breaches of all time. Way back in 2013, Target’s entire customer database got breached — it was terrible for the company and its millions of customers.
You’d think a company like Target would be highly secure, and you’d be right. But what they didn’t account for was the hundreds, maybe thousands, of vendors that had access to their systems. The company had given an HVAC company access to certain network elements so they could remotely monitor store temperatures.
The hackers stole credentials from the HVAC company. These hackers knew what they were doing, and once they got into the HVAC controls, they managed to access the POS system through lateral movement. Their prize? Data on 40 million credit and debit cards. Accessed through the networked HVAC controls.
Solution: Access Control and System Segregation
Access control helps here as well, because the vendors that have access to your systems should only have access to very small areas. System segregation — essentially, setting it up so the POS terminals and the HVAC network controls aren’t on the same system — is the other part of the puzzle.
3. Thinking Cybersecurity Threats Aren’t a Big Deal
The third mistake is simply not taking cybersecurity threats seriously. Many small businesses think the bad guys will target the big guys first, but many hackers actually prefer softer targets.
Solution: Awareness, Education, and a Better Cybersecurity Partner
The solution here is understanding the threat and its ramifications, as well as educating your team on those realities. And for all three of these mistakes, working with a better cybersecurity partner like us is ultimately the best choice.
We’ll help you secure your systems, set up access control, and educate your team on the realities of these threats.
If you haven’t reviewed your cybersecurity in a while, now’s the time. Call or shoot us a message today.