Top 20 Cybersecurity Mistakes Made by Small Businesses

Posted by Jordan Weber on Wed, Aug, 28, 2019 @ 16:08 PM

1. Reusing old passwords

This is one of the most pervasive yet easiest cybersecurity problems to fix, so we recommend starting here. Did you know the average user's email address is connected to about 130 unique accounts? That's important because people tend to reuse the same passwords when they create these accounts. 

Why? It's easy. There's no way the average person can (or desires to) memorize unique passwords for every single account they create. The problem is, companies suffer data breaches all the time. When hackers steal lists of login credentials from one site, they try logging in with those same credentials on a bunch of other popular websites. This means if you've been reusing passwords, a data breach on an obscure social media platform might expose the same credentials you use for online banking. 

Luckily, this problem is easily solved:  start using a password manager. LastpassDashlane, and 1Password will securely memorize unique passwords for each online account and input them automatically when you visit that site again.

2. Using very simple passwords

According to a 2018 study by SplashData, the most popular password in 2018 was "password". The second most popular was "123456". Other popular ones included "!@#$%^&*", "admin", and "iloveyou". Obviously, these passwords are incredibly easy for hacking programs to guess. Such programs are commonly referred to as password crackers.

In contrast, passwords like "$kFP84Dm615^27j" are virtually impossible to guess in  Another solution is to use password phrases like "Big-violet-pumpernickel-9873". While this phrase incorporates common words, its length makes it particularly tough for a machine to crack. Password managers like the ones mentioned above also feature built-in password generators which save you time while keeping security top of mind.

3. No control over shadow IT

Shadow IT are personal devices workers bring from home and connect to the company's IT network. Here is why they pose a grave cybersecurity risk:

Picture your company's IT network as a hermetically sealed environment (think Bio-Dome, circa 1996). All a hacker (or Bud Macintosh) must do to wreak havoc is get their foot in the door, so to speak. Therefore, anything brought into that environment must be thoroughly inspected and cleared prior to being allowed entry.

Now, suppose a person's personal PC is infected with ransomware, which encrypts a bunch of their files. If they were to connect that PC to their company's IT network, that infection could quickly propagate itself throughout said network, encrypting company laptops, servers, and even backup devices. An incident like this can take down a small business overnight.

Shadow IT is a very pervasive problem in today's work environment. Even NASA gets headaches about it. Companies must clearly define which personal devices are allowed at work, and which are not. If you're unsure of what to do with a specific device, simply ask your IT team to inspect it prior to connecting.

4. No automated patching

Let's start with the basics. Applying patches and security updates as they become available is an essential security practice. Why? Software updates are usually issued to fix a security vulnerability the company found in its software, and they are offering to fix it.

Unfortunately, the average user does not install security updates whenever they pop up on their desktops. Instead, these messages are often perceived as annoying disruptions in an otherwise productive day. Thus, the update remains uninstalled and the software in question remains vulnerable to a known security flaw.

One solution is to set up your network to patch and update workstations automatically when users are away from their machines. This means each machine on the network is always working with the latest security features, employing an update process that doesn't disrupt anyone's work day. Now, we're not saying that any and every patch should be installed without question. That particular question is better left to your IT support team.

5. Insufficient layers of cybersecurity

Think of your company's IT network as a castle under siege. As lord of the manor, you want a castle that is secure and difficult to breach, which means multiple layers of defenses. You'll likely want a drawbridge, a moat, and high walls. The more lines of defense in place, the harder the castle will be to breach.

A solid cybersecurity plan operates by the same fundamental principles. A lone firewall provides inadequate protection for today's IT networks. IT managers must also consider the use of multi-factor authenticationwireless security protocols, and of course antivirus

This is a lot for an IT manager to assess, let alone a non-technical small business owner who is already preoccupied solving a dozen other problems. Thus, many small businesses end up with a rather one-dimensional cybersecurity strategy that is easy to bypass. Seek out a local IT support company with a solid reputation to help map out a cybersecurity strategy tailored to the unique needs of your business. 

6. No active security management

Does your company treat IT as "set it and forget it"? If so, be wary. While Ron Pompeil's signature phrase might put dinner on the table, it won't keep hackers out of your network. The world of IT is very dynamic. Even as far back as 2015, internet security companies collectively discovered an average of 230,000 new malware variants  every day.

Large companies can afford teams of dedicated security personnel to protect their networks from the latest threats. Small and midsize businesses simply don't have the resources to take that approach. Therefore, they turn to an outside IT support company for cybersecurity guidance. Sit down with your IT manager once or twice a year to discuss the latest major cyberthreats and your company's strategy to defend against them.

7. Hosting your own website

This is just a bad idea for a number of reasons, many of which have nothing to do with cybersecurity. Setting up a server to host one's own site requires no small amount of technical knowledge. Once it's built, someone has to maintain that server. Without maintenance that web server will inevitably crash and when it does...your website is down. Now you have the unpleasant task of rebooting the machine and getting it back up and running.

That said, hosting your company website using a server on your internal network also poses a major (and ultimately unnecessary) security risk. Hackers will try to compromise the server on which the site is hosted. Assuming they are successful, they now have access to see every device on the network. 

What should you do instead? Purpose-built website platforms like HubspotWordpress or Wix are easy to use, secure, and reasonably priced. Essentially, these platforms take the hard work out of hosting a website. Finally, assuming one of them suffered a security breach, your internal IT network would remain unaffected. 

8. Old user accounts are still active

Also referred to as "ghost users", these are accounts which are still active despite the fact that the person no longer works at the company. This is somewhat like breaking up with someone, but neglecting to take back their key to your apartment. It is essential for a company to know precisely who can access the company IT network at any given moment. If a person is no longer there, their user account should be turned off immediately.

These old accounts floating around pose two specific security risks. For one, a disgruntled employee who finds out they can access their company network can do some very real damage in the time it takes to make a pot of coffee. 

Making matters worse is the fact that hackers love to use ghost accounts as they probe a company's IT network for vulnerabilities. Since they are still technically valid logins, any activity they generate won't set off any automated alarms. Assuming they can compromise one of the logins they find, hackers use ghost accounts to operate without alerting anyone to their presence.

9. Relying on old network hardware

To be clear, this is not referring specifically to the age of the hardware itself. Enterprise-grade network hardware is not cheap, by any measure. Companies that have invested significant capital into routers, switches, firewalls and access points want to get as much use as possible for every dollar spent. The hardware itself should hold up for several years.

Instead, we're referring to the software on that router, switch, WAP, etc. When a network hardware company (CiscoSonicWall, or Avaya for example) sells a router, typically they will support that product through firmware updates and security patches. This continues until support is no longer offered for that generation of router products. When this happens, that product is said to have reached its "end-of-life" (EOL). While the hardware company may have shifted its focus to ensuring the security of newer products, hackers out in the wild are still looking for vulnerabilities in the old hardware. This means that a router which has reached its EOL steadily becomes more vulnerable with each passing day.

The best way to avoid this is simply to plan ahead. Sit down with your IT support team once a year and create an inventory of your network hardware. Take any upcoming EOL dates into account when building the IT budget for the coming year.

10. Employees aren't trained to spot phishing emails

Did you know that 91% of cyber attacks start with a phishing email? Even more troubling is that without training around 30% of company employees are likely to click on a link in a phishing email.

If a company uses email to communicate (and we all do), it is essential they train employees how to spot and avoid phishing emails. The potential consequences of not doing so are too catastrophic to ignore. According to a 2018 study by IBM a data breach will cost the average business nearly $4 million. This means that each time an employee is considering whether to engage with a suspicious email, there's roughly $4 million bucks on the line. Doesn't it make sense to help them to spot the red flags of a malicious email?

There are plenty of training platforms out there that you can use to send simulated phishing emails to your staff. Consistent training over time has proven to be very effective in lowering a company's risk of a successful phishing attack. At Sagiss, we even offer it as an add-on service for our managed IT services clients.

11. No data backup (or an unreliable one) in place

An essential yet often overlooked component of a cybersecurity system is robust and reliable data backup. Cybersecurity isn't simply about stopping threats from gaining entry to your network. It's also about getting back up and running to recover from a successful attack. In the IT industry this is referred to as "disaster recovery". The quicker one can recover from an attack. After all, time is money.

A reliable backup system could literally mean the difference between business-as-usual and bankruptcy (see #10 above). Equally important is the need to test that backup system on a regular basis. Backing up files is pointless if those files become corrupted, or cannot be recalled because of an error.

Small businesses should talk to a reputable IT support provider and get an automated backup system in place. Once that system is in place, ask the IT provider for regular reports to ensure those backups are successful and usable in the event they are needed.

12. Trusting USB drives

Do you recall the name Stuxnet? Uncovered in 2010, it was a sophisticated computer worm that wreaked havoc with Iran's nuclear centrifuge program. The interesting thing is that the Iranian computers which were infected were not connected to the outside internet, only an internal IT network. So how did the worm get into the facility? Thumb drives containing the worm were left around the facility on the assumption someone might plug one in, and sure enough someone did just that. The infection began without anyone noticing and was very effective.

The same thing can happen to your business. Suppose a hacker posing as a legitimate business were handing out free USB sticks at a trade show. How would your employees know not to use those devices until it was too late?

In response to this threat many companies are simply halting the use of USB storage devices altogether. There are too many other alternatives for easily moving files around. One example is WeTransfer. You won't have to create an account, and you can send files up to 2GB to anyone, free of charge.

13. Multi-factor authentication (MFA, 2FA, etc) not in use

Multi-factor authentication (MFA), sometimes referred to as two-factor authentication (2FA), is a powerful cybersecurity tool that requires users to provide two unique identifiers to prove their identity. A traditional login system only requires an ID and password. An MFA-based login system requires a secondary credential, which is something unique to that user or something only that person can know.

That secondary credential could be any number of things such as biometric (retinal scan or facial recognition), SMS-based (6 digit code sent via text) or even a digital code on a USB key.Each of these methods carry their own unique advantages and drawbacks, but on the whole, MFA is very effective at preventing account takeover.

Today's most popular digital platforms all offer MFA-based logins, including FacebookTwitter, and Google. Businesses can use Microsoft Authenticator to secure access to programs like Outlook, Sharepoint, and OneDrive.

14. Not using a separate guest wifi

While providing guests to your business with access to your company WiFi is the act of a gracious host, giving someone too much access poses a significant security risk.

Company WiFi doesn't simply give employees access to the internet. They use that network to access shared file folders, printers, and backup systems to name just a few. When you allow a device onto your company WiFi, that device sees everything connected to your network. There is no reason to give guests this level of access. Your goal should be providing access to the internet, without exposing your company's business-critical systems.

An ideal solution is to set up a guest WiFi network. This provides users with access to the internet but nothing more. An experienced IT support team can set up a guest WiFi network, and even most consumer-grade wireless routers offer an option to create one  that you can activate yourself.

15. No penetration testing

In penetration testing, a cybersecurity expert attempts to breach a company's network in order to find security flaws so they can be fixed. Imagine if Fort Knox decided to hired Ocean's 11 to see how a thief could successfully get away with the gold in the vault. It's a very similar principle.

Penetration testing usually involves a fair amount of effort and time to do properly and is virtually impossible to execute without an in-house cybersecurity professional.  Thus, the best option for most small and midsize businesses is to hire an outside firm to run penetration tests throughout the year. While we can’t recommend a specific penetration firm, we do recommend that you prioritize experience and demonstrated success in your search. Seek out firms that clearly explain their methods, and who will lay out a plan to repair any flaws they find.

16. No disaster recovery plan in place

As much as we don't like to think about them, business-crippling disasters happen all the time. Fires, floods, earthquakes, power outages, and any number of other catastrophes can befall a business. While we can’t prevent or even foresee these events, we can at least prepare for them.  It's essential for every business to create a disaster recovery plan and your IT systems should be a central part of the process.

Your IT network likely serves as the backbone of your business operation. If it goes down, communication goes dark, orders get misplaced, data is lost, and clients get angry and go elsewhere. The point is that your IT systems must be given serious consideration in your disaster recovery planning process.

17. Employees with too much access

How many people in your company have access to every file and every system? How many people could, even inadvertently, break something that grinds your business to a halt? Remember, not everyone who works at the bank gets keys to the vault.

Smaller companies, and startups in particular, are often forced to deal with this risk. When companies are in startup mode, everyone on the team is playing multiple roles. In such a scenario, a single individual requires broader access to systems on the network to fulfill their various functions.

However, as a business grows, roles become more specialized. Specialized roles require access to specific systems and data. At such a stage, companies should consider granting network access according to the principle of least privilege, which states that each user shall only have access to the systems they require in order to do their jobs.

18. Reliance on legacy software and systems

Similar to the hardware mistakes noted in #9 above, relying on outdated software and systems can pose significant security risks. A legacy system is one that was once widely used but has since been discontinued in favor of something newer. IBM mainframesWindows XP, and COBOL are prime examples of legacy systems that remained popular long after newer models were released.

Companies remain loyal to old technologies for a bevy of reasons. Technologies that have been in place for a while tend to be well understood and easy to use. Aside from that, switching an entire company to a new technological standard requires a significant investment of time and resources.  However, it's often less painful to implement a technological overhaul sooner rather than later.

Precisely because legacy systems have been around so long, hackers have had time to develop bigger and better tool sets with which to attack these systems. Keeping old, unsupported systems online makes your company's IT network more vulnerable to attack.

Be sure to work with your IT team to review software and systems annually to determine whether it’s time to implement some newer and safer technologies.

19. No physical security in place

Even if your company has taken every measure possible to protect your IT infrastructure from cyberthreats, you may have overlooked the most basic physical risks present in your building.  Sometimes businesses get so focused on cybersecurity that they forget to check the locks on the front door. All the cybersecurity in the world won't do much good if anyone can simply stroll into the server closet.

Keep your server room locked, and consider having a keyless entry system installed. They might not be cheap, but the money spent now will pay off in the long run.

20. "It will never happen to me..."

Out of everything we've listed here, this mindset is probably the biggest danger to the security of a company's IT network. Studies have shown that despite increased awareness of the importance of robust cybersecurity measures, SMB executives in particular continue to believe their companies will fly under a hacker's radar. The scary truth is that this mentality makes them even more vulnerable. Hackers like to target small & midsize business precisely because of mindsets like this.

If you or your company’s CEO have the perception that you’re safe from cyberthreats because you’re not a large corporation, it’s time to take a look at the sobering statistics.  Seek out a qualified IT consulting and support firm to help you put security measures in place today.

Topics: Cybersecurity, How To DIY Guides