Although many SMBs think they’re too small to be a target, forty-three percent of all cybersecurity breaches in 2020 targeted small businesses. Out of those, 60% went out of business in six months or less. We simply can’t afford to cross our fingers and hope for the best anymore.
While you’ve probably heard about phishing emails, ransomware, and the risks inherent to generic passwords, you may be less familiar with the “dark web.” It sounds pretty ominous because, well, it is.
This seedy underbelly of the web has existed for nearly as long as the Internet itself, and it consists of websites that aren’t indexed by search engines. As far as Google Chrome is concerned, these sites don’t even exist. In fact, you have to use a special browser to access this corner of the Internet, and to do so anonymously. While there are some activists and journalists using the dark web for perfectly legal activities, the majority of these sites are dedicated to crime.
What does the dark web have to do with your small business?
The dark web is where all those hypothetical hacking threats come to fruition. Cybercriminals can purchase phishing kits that contain pre-packaged landing pages that mimic popular sites like Facebook or eBay. Unsuspecting users enter their login information, placing their credentials directly in the hacker’s hands.
This matters to you, the employer, because there’s a high likelihood that this person uses the same or similar passwords to access tools at work. That cybercriminal might only be one or two digits away from gaining access to your entire CRM database.
Ransomware as a service is another thing we have to worry about these days. Individuals can purchase ready-made ransomware campaigns, along with lists of companies to target. This can be both an efficient and effective method for stealing data.
And once your data has been accessed, all of those files go back to the dark web to be sold to the highest bidder.
What can you do about these threats?
A whopping 63% of confirmed data breaches can be traced back to a stolen password. This is a vulnerability that you can control internally, and looking over your internal processes is a great place to start. It’s critical that you know who has access to what data, specifically, who has login credentials to your database, CRM, bank account, and so on.
From there, we should talk about access. There’s a good chance that each employee only needs access to a subset of the software and devices used by the company at large. For example, technicians in a manufacturing plant probably don’t need access to HR’s employee database.
Your goal is to make sure that the right people have the right access with the right privileges to the right tools. Adopt a policy of “zero trust” and be stingy with those credentials whenever possible. Implement a policy that requires employees to update their passwords every ninety days. Keep cybercriminals guessing!
You’ll also want to audit this list periodically to ensure that people who’ve left the company or moved to a different role have their access revoked. Integrating a step into your onboarding and offboarding processes is a great way to keep this up-to-date. The last thing you need is a disgruntled employee running amok with their old logins.
What else can you do?
Unfortunately, these hacking threats don’t end with the company-approved programs and devices, but rather extend to how they conduct themselves online in their personal time. Employee training is a must, making sure your team knows how important it is to get creative with their passwords and how to spot that phishing email from a mile away.
If cybersecurity is out of your wheelhouse or if you simply don’t have the time, consider partnering up with a trusted expert. ForceNow is an end-to-end security solution, and we provide everything from dark web monitoring and employee training, to disaster recovery and vulnerability testing.
