Using Legacy Software & Systems
Some businesses want to continue using the technology that has served them well in the past, regardless of how old said technology is. Some industries require niche software that may lack modern versions. Regardless of the reasoning, many businesses continue using legacy technology in their daily operations. However, since legacy technology has been retired and, by description, no longer receives patches from its vendor, running the technology poses a severe cybersecurity risk.
Insecure Wi-Fi
Many business owners fail to properly secure their company Wi-Fi, opting to leave most of the default settings in place. Default credentials, overexposed signal broadcast, outdated encryption algorithms, and even a complete lack of authentication measures are some notable misconfigurations that can leave a network extremely vulnerable.
Lack of Network Segmentation
Segmenting networks through technologies like VLANs is a great way to reduce the attack surface of a local network. By breaking down an extensive network into small, private domains, risk is reduced since the network is no longer operating as a single point of failure. Segmentation is also an excellent way for administration to organize tech assets by departments and other criteria. Unfortunately, implementing segmentation can be difficult for the average small business owner with no dedicated IT.
Flawed Access Control
Many small businesses provide employees with administrator access to resources regardless of the employee's role in the organization. In today's digital age, identity is replacing the network perimeter as the primary determining factor for whether an organization is secure. Fine-tuning access controls throughout your business is no longer optional.
Poor Authentication Policies
Compromised passwords leading to security breaches are a tale as old as time. Still, many businesses fail to impose a secure password policy on their employees and devices. Besides that, a simple username and password combo is no longer acceptable anyway. Multifactor authentication is a must in today's digital landscape. Even if a business enforces a firm password policy, you'll likely find an abundance of passwords written down on sticky notes and left strewn in the open.
Lack of Disaster Recovery/Business Continuity Planning
When it comes to cyberattacks, it is a matter of "when", not "if". Any organization is bound to experience at least a handful of cybersecurity incidents in its lifespan, and there's little that can be done about that fact. What can be done is to create plans and guidelines on how to manage these incidents with as little damage as possible. Good disaster recovery and business continuity plans could mean the difference between going out of business, yet many small businesses lack any such plans.
Poor Software Patching Policies
Keeping software updated is one of the most basic security precautions anyone can take. However, remembering to keep software patched can be difficult, especially in an environment with more pressing concerns. Nonetheless, one vulnerable unpatched program can give an attacker a clean path right into your network. Upgrading operating systems with every new release and turning on automatic updates on as many programs as allow it will go a long way.
Exposed Ports & Services
Some business owners may wish to access their IP security cameras and other smart devices remotely. This often results in port forwarding, where traffic for a specific port is sent through the router to a specific device. This practice is extremely dangerous, as it exposes the said port and the target device to the open Internet. Threat actors regularly comb the Internet looking for exposed smart devices to exploit.
Lack of Backups
Backing up your business data may seem tedious to you, but someday you will realize that it's one of the most important things you'll ever do. Regularly capturing and storing backups of user data, system configurations, and account information will provide you with the necessary means to recover after a severe cyber incident like a ransomware attack. It is important to be smart about the backup methods and to have a combination of on-site and off-site backups.
Shadow IT
The Internet has provided lots of great services that have drastically improved workflows for organizations all over the world. However with so many operations taking place on the Internet through cloud services, it can become easy to lose track of what services employees are using and where your organization's data is going. Shadow IT occurs when employees use their workplace identities to sign up for cloud services that have not been authorized by management. Oftentimes, management is not even aware that employees are using them. Even if these services are positive for workflows, it is risky because organizational data is being attached to third parties without the knowledge of the in-house IT/cybersecurity department.