Small businesses often have many gaps in their security posture. According to a report by the Australian Government, small businesses are the victims in 43% of cybercrime cases. Many of these arise because many small businesses do not consider cybersecurity a core business function, and as a result security is neglected. Some of the most common mistakes include:
Not Having Proper Staff IT Onboarding and Offboarding Procedures
Policies around staff IT usage and onboarding and offboarding are vital to preventing cyber attacks, particularly from current or former staff members.
Not Backing Things Up
Having backups is important, particularly where sensitive information or systems requiring high availability are concerned. Backups of important resources and infrastructure should happen on a regular basis, and backup testing should be incorporated into your disaster recovery planning.
Lack of Logging
It is important to keep logs of all the activity which happens across your network. This can help when responding to or preventing a cyber attack.
Too Much Access
It is common in small companies for multiple staff to have access to data. However, this also creates risk from people having too much access. The principle of least privilege should apply: staff are given access only to the data they need.
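An added example, not part of the original article: a small access review in Python covering the offboarding and least-privilege points above. It flags enabled accounts with no staff record, accounts of staff who have left, and grants beyond what a role needs. All users, roles, resources and the role-to-resource map are constructed for illustration.

```python
"""Access review: flag accounts of departed staff and grants beyond role need."""
from datetime import date

# Constructed sample data (hypothetical users, roles and resources).
ROLE_NEEDS = {  # assumption: the business has written down what each role needs
    "accounts": {"invoices", "payroll"},
    "sales": {"crm"},
    "it": {"crm", "invoices", "payroll", "backups"},
}
STAFF = [  # HR roster: end_date is None while the person is employed
    {"user": "asha", "role": "accounts", "end_date": None},
    {"user": "ben", "role": "sales", "end_date": date(2024, 3, 1)},
    {"user": "carla", "role": "sales", "end_date": None},
]
ACCOUNTS = [  # export of accounts and their grants from the systems in use
    {"user": "asha", "enabled": True, "grants": {"invoices", "payroll"}},
    {"user": "ben", "enabled": True, "grants": {"crm"}},
    {"user": "carla", "enabled": True, "grants": {"crm", "payroll"}},
    {"user": "temp1", "enabled": True, "grants": {"backups"}},
]

def review_access(staff, accounts, role_needs, today):
    """Return a sorted list of (user, finding, detail) tuples."""
    roster = {s["user"]: s for s in staff}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used to log in
        person = roster.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "orphaned", "no matching staff record"))
            continue
        end = person["end_date"]
        if end is not None and end <= today:
            detail = f"left {end.isoformat()}, still enabled"
            findings.append((acct["user"], "offboarding", detail))
            continue
        # Least privilege: anything granted beyond the role's needs is excess.
        excess = acct["grants"] - role_needs.get(person["role"], set())
        if excess:
            findings.append((acct["user"], "excess-access", ", ".join(sorted(excess))))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding, detail in review_access(STAFF, ACCOUNTS, ROLE_NEEDS, date(2024, 6, 1)):
        print(f"{user:8} {finding:14} {detail}")
```

Running a review like this on a schedule, and again whenever someone leaves or changes role, turns the policy into a check that produces a list someone has to act on.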
Not Using Encryption
It is important that your data remains encrypted when it is being stored and sent. This includes having encryption in-transit and at-rest enabled on databases and anywhere data is stored. Emails should also be sent with encryption enabled.
Lack of Training
The most recent report by the Australian Cyber Security Centre found that a general lack of security awareness training was a common factor. As a result, staff are often caught unaware when it comes to recognising cyber attacks such as malware or phishing and, often unintentionally, do not follow best practice when it comes to changing passwords or sharing data.
Not Investing Enough in Cybersecurity
Many companies, particularly small businesses, see cybersecurity as an expense that doesn’t generate revenue. As a result, many do not invest in improving their security posture until it is too late – such as after a breach! This includes not just having the right personnel but ensuring your business is covered by cyber insurance.