How to Protect Your Business from Hackers

  • Jesus Vicente & Robyn Sibal
  • Apr 14, 2024
  • 11 min read

Updated: Sep 8

Before we dive in, here is an analogy to help you understand this concept. 

Let's imagine you're the ruler of a village, with all the villagers living within the walls of your castle. Your responsibility as the leader is to ensure the safety and well-being of everyone inside your castle's perimeter. 

  

Now, consider safeguarding your business from hackers—it's akin to fortifying a castle. Within this fortress is a community of people or a network of interconnected computers. If you aim for top-notch protection, where do you begin? 

  

You might wonder, "Well, securing my castle hinges on various factors." These factors could include the resources available to build defense systems, the castle's location, the goods it produces, its design, and more. Similarly, your business network faces unique considerations. You could be a small enterprise with limited cybersecurity resources, needing to shield one or multiple devices. Your network's location may not be prone to frequent threats. Yet, let's imagine that safeguarding your castle remains paramount. Where do you start? 

  

The strategies used to protect your castle can also fortify your business network against hackers, minimizing the risk of harm to your business or fortress. This article will provide an overview of protecting your business from hackers.  


How Do Security Breaches Happen?

According to the Verizon 2023 Data Breach Investigations Report (DBIR), the top ways that security breaches happen are:

  • System Intrusion—This includes complex attack patterns such as leveraging malware (viruses), hacking, and ransomware. Ransomware is still the top way hackers gain unauthorized access to systems, and email and web downloads are the top delivery methods.

  • Social Engineering—This attack uses human error to alter normal behavior into taking action or breaching confidentiality. It includes tactics like phishing (email), smishing (text phishing), and vishing (voice phishing). Phishing alone has doubled since last year, making it a significant threat.

  • Stolen Access Credentials – Hackers continue to look for easy ways of gaining unauthorized access to business networks, and using stolen credentials is still one of the top attack strategies. Stolen credentials give attackers unauthorized access to devices, applications, and networks while appearing to be a legitimate user.


The Cost of a Breach

Cybersecurity breaches are still causing significant damage to businesses worldwide, and the resulting financial losses often extend beyond immediate remediation costs. Here are some statistics on the cost of breaches to small, medium, and large businesses:

  • Small Businesses (Fewer than 250 employees)

    • The average cost of a data breach for a small business is approximately $2.98 million.

    • Over half of small businesses across various countries pay at least $10,000 per cyber-attack.

  • Medium-sized businesses (250-999 employees)

    • The average cost of a data breach for a medium-sized business is about $2.63 million.

    • More than half of medium-sized businesses experience costs of at least $17,000 per cyber-attack.

  • Large Businesses (1,000 to 5,000 employees)

    • The average data breach cost for larger businesses is approximately $4.09 million.

 

Small and medium-sized businesses often think these statistics do not apply to them for multiple reasons. The reality is that they are easier targets for hackers: they often lack security defenses, yet they hold valuable data such as customer information and financial records.

 

Businesses may think cybersecurity is an expensive and complicated issue involving only technology. But in reality, any business can take simple and cost-effective steps to reduce the risk of hackers gaining unauthorized access to their network. These steps do not only involve technology and can be implemented today.


Layers of Defense  

In cybersecurity, having multiple layers of defense is crucial for protecting your network from various threats. These layers work together to create a strong security system that can defend against anything the perimeter defense missed. Having multiple layers is essential to: 

 

  • Build resilience to evolving threats. 

  • Create a defense-in-depth strategy. 

  • Defend against various types of attacks. 

  • Comply with regulations and other standards. 

  • Minimize weak points. 

 

Now that you understand the importance of having many layers of defense in cybersecurity, you might be thinking, "What's the next layer or additional measures I can take to protect my network?" Let's say you've secured your perimeter and have internal defenders constantly monitoring for threats. Adding additional layers of defense includes the following: 

 

  • Implement more advanced threat detection technologies. 

  • Run regular security audits and other testing. 

  • Educate all employees about cybersecurity best practices and how to avoid scams. 

  • Stay current on the latest cybersecurity news, patches, and updates.  


Perimeter Defense  

To strengthen your business' cybersecurity defense, focus on securing your network's perimeter. Implement strong and reliable defenses such as firewalls and detection systems. Also, you will want to use various security protocols and access controls to monitor and control network access. To protect your business, create multiple layers of defense, including encryption and robust authentication mechanisms. Always regularly update and patch systems to address vulnerabilities and protect against cyber threats and hackers.  

  

Network Firewalls  

These same principles apply to your business network. To protect your network's perimeter, use a solution like a network firewall, which only allows specific traffic (the "people" you approve) into your network. It is like putting up your stone walls and raising or lowering the drawbridge to allow or deny entry. To add security to your business network's perimeter, ensure the firewall has intrusion-prevention capabilities. By placing an Intrusion Prevention System (IPS) on the perimeter of your network, you can protect your network more granularly.  


Intrusion Prevention Systems (IPS)  

In cybersecurity, an Intrusion Prevention System (IPS) fortifies your business network's perimeter by inspecting inbound and outbound connections for potential threats. Some other essential functions include:  

 

  • Monitors the network for suspicious activity. 

  • Collects information about threats. 

  • Attempts to block any current threats to the system. 

  • Reports any threats it cannot block.  

 

This tool can protect your business from potential threats and make them easier to catch. There are many points of access on business networks, and an IPS ensures that all points are protected.  


Internal Defense  

A business may think securing the perimeter of its cybersecurity defenses is enough to protect against hackers. However, workers and visitors often visit unauthorized websites, click on suspicious links, or download questionable software, both at work and on personal devices. Even with strong perimeter defenses, there may still be vulnerable access points or attackers who can bypass them. Just as you wouldn't rely solely on external guards for a castle's defense, it's essential to have strong internal defenses that can detect and respond to threats that your perimeter defenses could not catch.  

  

Anti-virus or Endpoint Security  

Businesses must use a layered defense for their business network, working inward from the outside. The next layer you can apply to your business is protecting each computer or device on your network. To do this, install anti-virus software on every system that supports it. Doing so adds another layer of security to your network. It can help detect viruses or malware like ransomware and even prevent it from spreading from one computer to another computer or device.  

 

 

Backups   

Data backups give the computers and devices on your business network the same kind of fallback. In the cybersecurity world, we do not often live in a space of "if something happens" but more along the lines of "when something happens," so it is always good to think of the worst-case scenario and maintain regular backups of your essential systems, applications, and data. Then, in the event of a business-disrupting attack on your network, you can revert your systems to the last clean backup (note that backups that are not configured correctly can themselves contain malware). 

 

Data Protection 

Protecting critical business data is essential, and one key method to do so is encryption. Encryption can be considered a locking mechanism for your data, much like a safe. If you had valuable items to protect for your villagers, you would place them in a safe and secure them with a combination, key, or password. Encryption works similarly by scrambling the information so only authorized personnel can access or modify the data. 

  

Device Inventory  

Another concept to remember when protecting your business is keeping an inventory of all assets. You need to know what your business has in order to know what you must protect. Suppose your business network has a device or computer on it that you are not aware of or that is not in your inventory. In that case, it will not be protected like all the other computers, so viruses and malware can easily infect it, putting the entire business network at risk. It is essential to know every device that connects to your network, whether a smart thermostat, printer, or camera system. Anything that gets on your network is a way for a hacker to get into it.  
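The reconciliation step the paragraph describes, finding devices on the network that are not in your inventory and inventory items that did not show up, can be automated once a scanner has produced a list of addresses. The following is an added example, not code from the original article or from any scanner vendor; the approved-asset list and the scan export are constructed sample data, and the CSV column names (ip, mac, hostname) are an assumption about what your scanner exports.

```python
import csv
import io
import re

# Constructed sample: the approved asset inventory, keyed by normalized MAC address.
INVENTORY = {
    "aa:bb:cc:00:00:01": "Reception PC",
    "aa:bb:cc:00:00:02": "Office printer",
    "aa:bb:cc:00:00:03": "Owner's laptop",
    "aa:bb:cc:00:00:04": "Front-door camera",
}

# Constructed sample: a scanner export. Column names are an assumption; real tools
# vary, and MAC formatting differs between them, which normalize_mac() handles.
SCAN_EXPORT = """\
ip,mac,hostname
192.168.1.10,AA:BB:CC:00:00:01,reception-pc
192.168.1.11,AA-BB-CC-00-00-02,printer
192.168.1.20,aa:bb:cc:00:00:03,owner-laptop
192.168.1.77,DE:AD:BE:EF:00:01,
192.168.1.78,de:ad:be:ef:00:02,smart-thermostat
"""


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:..., AA-BB-..., or aabb.cc... and return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_scan(text: str) -> list:
    """Turn the scanner's CSV export into a list of {ip, mac, hostname} records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ip": row["ip"].strip(),
            "mac": normalize_mac(row["mac"]),
            "hostname": (row.get("hostname") or "").strip() or "(no hostname)",
        })
    return rows


def reconcile(scan_rows: list, inventory: dict):
    """Split scan results into known devices, unknown devices, and inventory
    items that were not seen on the network (possibly off, possibly removed)."""
    seen = {r["mac"] for r in scan_rows}
    known = [r for r in scan_rows if r["mac"] in inventory]
    unknown = [r for r in scan_rows if r["mac"] not in inventory]
    missing = {mac: desc for mac, desc in inventory.items() if mac not in seen}
    return known, unknown, missing


def report(text: str = SCAN_EXPORT, inventory: dict = INVENTORY) -> list:
    """Human-readable lines; unknown devices come first because they need action."""
    known, unknown, missing = reconcile(parse_scan(text), inventory)
    lines = [f"UNKNOWN  {r['ip']:<15} {r['mac']}  {r['hostname']}" for r in unknown]
    lines += [f"known    {r['ip']:<15} {r['mac']}  {inventory[r['mac']]}" for r in known]
    lines += [f"missing  {'-':<15} {mac}  {desc}" for mac, desc in missing.items()]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Matching on MAC address is only a starting point: a MAC can be changed by whoever controls the device, and many phones randomize theirs per network, so treat an "unknown" line as a prompt to physically identify the device and either add it to the inventory or remove it from the network.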

  

So, we have talked about some technical protections that can be placed on your business network. But we are missing one of the weakest links in protecting your business... humans. We are often our own worst enemies, and there are ways to make sure people are not the reason for our demise. So, how can we help the villagers reduce the probability of the enemy attacking our castle? How can we help the people who use our business network be better aware of potential dangers when using our business computers, devices, applications, data, or systems?  

  

Security Awareness and Training  

We should educate and train people who work at our business about cybersecurity threats to create safe cybersecurity habits when using the business network or their personal or home network. Access to essential business systems and information is protected through accounts and passwords. It is vital that when you are setting up people who use the computers or systems on your network, you only give them access to what is needed to do their job.  

   

Multi-Factor Authentication  

Multi-factor authentication (MFA) is a layered cybersecurity method for securing personal data, passwords, and other applications. This method requires users to verify their login attempts with two or more credentials. This is necessary for accounts holding large amounts of data and can protect against login attacks from hackers. MFA is much more effective than relying on passwords alone. According to the Cybersecurity & Infrastructure Security Agency (CISA), using MFA on your accounts makes you 99% less likely to be hacked. 

  

Password Complexity  

Enabling multi-factor authentication is always recommended when protecting user accounts for your business. It should be a policy that all employees follow (depending on the application, an admin can sometimes enforce it across all accounts). The same applies to your business and personal user account passwords. The more complex they are, the more difficult they are to guess or crack.  

  

Additional Password Security Habits  

Another layer of password security would be similar to having a safe in your castle and changing its combination daily. The person you trusted to help you would have to stop by and pick up the new combination any time they were going to access the safe. In the real world, this means changing your password periodically, either by choice or because the application or system requires it.  

  

Email Security (Phishing Prevention)  

Email security is another concept that all business employees should be educated in. Phishing, as it is called, is when hackers try to get into your network via email. Have you received an email from a prince that seemed too good to be true? Did the email have a link to download your check? Did it tell you your money would be lost if you did not claim it within the next hour? It was a phishing email.  

  

Hackers use phishing attacks to deceive the recipient into clicking on a link or downloading a file with a virus or malware onto their device or computer. Falling for a phishing campaign can have severe consequences, such as identity theft, financial loss, unauthorized access to sensitive information, and compromise or theft of personal or business data.  
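The tell-tale signs the two paragraphs above describe (a reply address that does not match the sender, pressure to act within the hour, and a link whose visible text shows one site while the link actually goes somewhere else) can be checked mechanically before a message reaches anyone's inbox. The following is an added example for this article, not code from the original or from any mail-security product; the sample message is constructed, its domains are reserved example names, and the keyword list and heuristics are assumptions chosen to illustrate the checks, not a complete filter.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message with the traits the article describes (not a real email).
SAMPLE_EMAIL = """\
From: "Accounts Payable" <billing@example-bank.com>
Reply-To: prince.claims@mail-claims.example.net
Subject: URGENT: claim your check within the hour
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your payment is waiting. Claim it now or the funds will be lost.</p>
<p><a href="http://login.example-bank.com.evil.example.org/check">https://www.example-bank.com/check</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: "Office Manager" <manager@example-bank.com>
Subject: Lunch order for Friday
Content-Type: text/plain; charset=utf-8

Please reply with your sandwich choice by Thursday.
"""

# Assumed pressure phrases; a real deployment would tune these.
URGENCY_WORDS = ("urgent", "within the hour", "will be lost", "immediately")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value: str) -> str:
    """Domain part of an address header such as From or Reply-To."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def analyze(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"reply-to domain {domain_of(reply_to)} differs from sender domain {from_dom}")

    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):
        findings.append("subject uses pressure language")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        # Visible text that looks like a URL but resolves to a different host is the
        # classic disguised link.
        if text.startswith(("http://", "https://")) and host_of(text) != host_of(href):
            findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")

    if any(w in body.lower() for w in URGENCY_WORDS):
        findings.append("body uses pressure language")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, "->", analyze(raw) or "no findings")
```

None of these checks is conclusive on its own (a legitimate vendor can use a different reply-to domain), which is why the output is a list of findings for a person or a scoring rule to weigh rather than a verdict.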

  

Providing all employees in your business with practical and applicable security awareness and training does not have to be complex or challenging. Many free online resources can be reviewed regularly, improving employees' understanding of good cybersecurity habits they can implement daily.  

  

Software Updates  

As time passes, your defenses may deteriorate, and you may need to update parts of your system. You will want to patch or improve any weaknesses, whether getting newer systems or repairing sections with your old ones. Updating any business software or device will go a long way in reducing the probability of a hacker causing harm to your network. This is because as you update your software or devices, these updates are like patches that eliminate any weakness hackers could have used to access your business network.  

  

What level of security is suitable for your business?  

Suppose you are a business owner or responsible for making business decisions. In that case, you may be worried that you do not have the funds to implement these measures or that you do not need any measures because your business is smaller. Or you might not know if your business already has a cybersecurity system. It is important to know what level of defense your company has. Hackers are attacking all types of businesses these days, including healthcare and nonprofits. So, it is important to always know what level of security you need for your business. 

 

Computer or network security can be like driving a car. Some people feel that wearing your seatbelt is inconvenient, signaling with your blinker that you will turn is unnecessary, or insurance should be optional since it is only valuable when something happens. However, those safety features and insurance policies are there to protect you or reduce the probability of something wrong happening; the same goes for cybersecurity and protecting your business network. Implementing these cybersecurity principles (controls) can reduce the likelihood that hackers will cause any harm to your network.  

  

Keeping your accounts, systems, and business network secure can seem like a lot of complex work, but it does not have to be. Not all businesses need many layers of security; some can do with one layer, and some require several; it all depends on what your business does. Some companies need to pay someone to help them manage, configure, optimize, and provide reports showing that their security solutions are working correctly. Other businesses can be well protected with free basic or low-cost solutions.  

 

Businesses might see cybersecurity as an insurance policy; it is only worth it when something happens, and you need it to protect you. Otherwise, it is an investment that does not always show a tangible return on investment and can sometimes be inconvenient. So, businesses often choose not to spend on network security protection, which can result in breaches and various attacks.  

  

But if hacked, you might want to consider the following questions: 

  • How long can your operations be down?  

  • How long can you afford for your business to be closed? 

  • What will you do in the event of an attack? 

 

If your business cannot be closed for more than a few hours or days, you should consider implementing network or computer security solutions, whether free or paid. If you are okay with your business being closed for weeks or months, investing in network or computer security solutions may not be necessary, but it can be helpful.  

  

Practical Solutions to Implement Today  

In summary, some basic cybersecurity principles that can help you reduce the probability of hackers causing harm to your business include:

  1. Defend your business network perimeter with a network firewall and IPS. Most business routers provided by your internet provider have basic capabilities that can be configured to help protect your network. Some solutions to consider:

    • Cisco

    • Palo Alto

    • Check Point

    • Fortinet

    • Juniper

  2. Defend your computers or devices (endpoints) with anti-virus or anti-malware software. Some software to consider:

    • Windows Defender can provide robust protection to your PC. It is included at no extra cost with a paid Microsoft 365 subscription.

    • Microsoft 365 Business licensing (Standard & Premium) has built-in security capabilities like anti-phishing, anti-malware, and anti-spam protection for email.

    • Microsoft licensing (E3, E5, F3) has built-in security capabilities.

    • CrowdStrike Falcon – starting at $25 per endpoint

    • Trend Micro – starting at $20 per endpoint

    • Carbon Black – starting at $30 per endpoint

    • Symantec Endpoint Security – starting at $20 per endpoint

  3. Have an inventory of all the computers or devices on your business network.

    • Free tools can be installed on your cell phone or computer to perform an IP scan of your network, listing every device connected to it. (Do not download from Kazaa or Limewire.) On a computer that is on your network, you can use this free IP scanner: https://www.advanced-ip-scanner.com. If checking from your phone, you can use this tool: https://www.fing.com/fing-app/

  4. Have a backup of your data or computers.

    • Carbonite – cloud-based backup and recovery solutions (starting at $24 per month per computer, unlimited backup storage, and including ransomware protection with automatic detection and recovery)

    • CrashPlan (formerly Code42) – cloud-based backup and recovery solutions (starting at $10 per month per computer, unlimited backup storage, and including ransomware protection with automatic detection and recovery)

    • Offline (external hard drive): Western Digital My Book Duo – prices start at $200 and can go up to $500, depending on storage size.

  5. Protect your data with encryption.

  6. Educate all employees of your business about best-practice cybersecurity habits.

  7. Implement multi-factor authentication on all accounts that offer it. Some multi-factor apps to consider:

    • Microsoft Authenticator

    • Google Authenticator

  8. Educate all employees on best-practice email security habits.

    • Teach employees not to download suspicious files, click on suspicious links, or open emails with odd promotional material.

Free resources for security awareness and training

 

Remember, cybersecurity is an ongoing process, and staying informed about evolving threats is crucial! Ask us how Castile Security can help keep your business protected from cyber-attacks! 


References:

Cost of a Data Breach—Stats Your Clients Should Consider


The Many Costs of Cyber-Attacks on SMBs


 
 
 

Comments


Castile Security Logo

+1 (833) 822-7845
support@CastileSecurity.com

Contact Us

Connect with Us

  • LinkedIn

© 2025 by Castile Security. All rights reserved.

bottom of page