Fear and Loathing in Cyber$ecurity
There are a lot of scary headlines and a lot of scare tactics going around on cybersecurity for small businesses—from phishing to hacking to spam to you-name-it-be-afraid-of-it. While we want people to be on guard, we’re a bit tired of the scare tactics used against small business owners to get them to write big checks for assessments and remediations. You might as well replace that “s” in cybersecurity with a $, based on what we’ve seen out there.
Too many firms are charging small businesses tens of thousands of dollars just for scary cybersecurity network assessments! This is madness, given most of the assessments we’ve seen are done with pre-built tools with some consultant time thrown on top. A lot of consultants are good but they aren’t $30,000 for a few hours of time kinds of good just to get a scary report that doesn’t even fix anything. Talk about Fear and Loathing!
For most small businesses, good cybersecurity is a lot like good football: it starts with the basics like blocking and tackling, and if you do the right things and work with the right people you get a really good defense out on the field. The Center for Internet Security publishes a prioritized punch list (the CIS Critical Security Controls) that, done properly, stops the large majority of the intrusion methods actually seen in the wild. Here’s our shortened list to get you going…
Let’s start by removing fear, and that starts with putting in place a good backup system just in case that intern or new hire opens that “urgent invoice” email and malware/ransomware attacks your files. The smart goal is to have a process that can totally restore 100% of your data within 8 hours or so (the industry calls this your recovery time objective); most businesses can survive that. The next thing is to determine how often you want your data backed up, which is really a decision about how much work you are willing to lose. Most SME businesses can get away with data backed up every 1-4 hours; key systems like QuickBooks should be closer to the 1 hour mark. Two caveats that get skipped too often: ransomware that can reach your backups will encrypt those too, so keep at least one copy offline or somewhere the office network cannot write to; and a backup you have never restored from is a guess, so do a test restore a few times a year and time it against that 8-hour goal. Sounds expensive? These services are readily available and typically cost a few hundred dollars a month for the “Cadillac” versions. Chevy versions are available as well and are worth it. Have an employee check every day that last night’s backups actually completed, not just that the job ran.
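To make that daily check concrete, here is an added example (written for this edit, not a script from the original post or from any backup product) of what a backup freshness check looks like when it is automated. It reads a small constructed catalogue of backup jobs and flags every system whose newest successful backup is older than the interval chosen for it, using the 1-hour and 4-hour figures above; the catalogue format, the system names and the per-system intervals are all assumptions made up for the illustration.

```python
"""Daily backup freshness check.

Added example, not part of the original post. It reads a small backup
catalogue (one line per backup job: system, finish time, status) and
reports every system whose newest *successful* backup is older than the
backup interval chosen for it, so a failed overnight job does not hide
behind an older good one. The catalogue format, system names and the
per-system intervals are assumptions made for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample catalogue (not real data): system,finished_at,status
SAMPLE_CATALOGUE = """\
quickbooks,2024-05-06T08:05:00,ok
quickbooks,2024-05-06T07:05:00,ok
fileserver,2024-05-06T04:00:00,ok
fileserver,2024-05-06T08:00:00,failed
email-archive,2024-05-05T20:00:00,ok
"""

# Assumed policy: key systems every hour, everything else every 4 hours.
BACKUP_INTERVAL = {
    "quickbooks": timedelta(hours=1),
    "fileserver": timedelta(hours=4),
    "email-archive": timedelta(hours=4),
}


def parse_catalogue(text):
    """Return {system: [(finished_at, status), ...]} from catalogue lines."""
    jobs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        system, finished, status = (field.strip() for field in line.split(","))
        jobs.setdefault(system, []).append((datetime.fromisoformat(finished), status))
    return jobs


def last_good_backup(system_jobs):
    """Newest backup that actually completed, or None if there is none."""
    good = [finished for finished, status in system_jobs if status == "ok"]
    return max(good) if good else None


def check_backups(catalogue_text, now, intervals=BACKUP_INTERVAL):
    """Return {system: reason} for every system that is out of policy.

    `now` may be a datetime or an ISO-8601 string. Systems listed in the
    policy but absent from the catalogue are reported too, since a job
    that never ran is the most common way a backup silently stops.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    jobs = parse_catalogue(catalogue_text)
    problems = {}
    for system, interval in intervals.items():
        last = last_good_backup(jobs.get(system, []))
        if last is None:
            problems[system] = "no successful backup on record"
            continue
        age = now - last
        if age > interval:
            problems[system] = f"last good backup {age} ago, policy is every {interval}"
    return problems


if __name__ == "__main__":
    # Run against the constructed sample as of 09:00 on the same day.
    report = check_backups(SAMPLE_CATALOGUE, "2024-05-06T09:00:00")
    for system, reason in sorted(report.items()):
        print(f"ALERT {system}: {reason}")
```

Run as-is it flags the file server (its 08:00 job failed, so the last good copy is five hours old) and the email archive (no backup since the previous evening), while QuickBooks, backed up 55 minutes earlier, passes. Whoever does the daily check only has to act on the alerts, and the "no successful backup on record" case catches the job that quietly stopped being scheduled.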
Secondly, look to offload critical systems to the cloud; most key business applications have cloud versions these days, and while the subscription model can be annoying, weigh it against the fear of having a server get taken out or fail on you. Go cloud when you can, and it does make things easier once you get there. The provider handles the server hardware and patching, usually better than a small office can, but the account is still yours to protect: strong unique passwords and multi-factor authentication on those cloud logins become the thing standing between a phisher and your data.
Third, have an expert look at your firewall and computer patching status. Most of this can be done cheaply: for a 20 computer firm it should be less than $1,000 of time to tell you what you need to change on your firewall to lock things down, whether your firewall firmware is up to date, and how current your computers and servers are on critical patches and updates. Firewall assessments do need an expert, but for most other things we use software that scans a whole office of PCs and generates a report on what’s missing. Pretty simple and not costly at all.
Fourth, use a high performing anti-virus/anti-malware software. Some can bog down older systems, so if you have computers older than 5 years you might want to get some help picking the right product for you. Whatever you pick, keep it updated and confirm it is actually running on every machine; a product that was installed once and never checked again is not protecting anyone. This is a “gotta do it” line item so don’t skimp.
Fifth, train your staff over and over again on how to protect your data and how not to fall victim to phishing, and put a password policy in place: long, oddball passwords (a passphrase of several unrelated words is easiest to remember), a different one for every account, and multi-factor authentication turned on wherever it is offered. Changing passwords on a fixed 30-day schedule is no longer recommended (NIST SP 800-63B): forced rotation mostly produces predictable variations of the old password, so change a password when there is reason to think it was exposed. It takes a little discipline, but this is one of the most effective ways to keep bad actors out and it costs nothing! If you need to keep track of a lot of passwords, use a credible password manager like LastPass.
Lastly, and this makes the most sense—get people around you that can do this for you. Managed Service Providers, like us, do this every day and we offer low-cost monthly subscriptions to handle all this for you and get this stuff off your plate. Your business is like a bank— and your dollars should have a good security firm protecting it.
So what should a network assessment cost a small to medium size business? We’ve seen really good ones for $5,000 to $7,000 for 20-50 employee businesses. We’ve also seen $30,000 ones and I have to tell you, there’s not $25,000 worth of difference between the two.
Don’t be scared into hugely expensive network assessments for cybersecurity. Don’t loathe cybersecurity—it’s very doable and affordable! Focus on the basics, get your policies and best practices in place, and the best option of all is bringing in a firm like Groff NetWorks that’s focused on practical, professional, and affordable solutions.
Hope this provides some reassurance out there. Call us anytime if you want to learn more.