How do small-to-medium business (SMB) owners manage their accounts?
How do small-to-medium business (SMB) owners manage the myriad web accounts that they need to access on any given working day? Often, it’s by recycling a very small number of usernames and passwords (i.e. account credentials).
In the early days of starting a business, it may make sense to keep things simple and straightforward. However, as an enterprise grows and new accounts are opened, managing dozens, if not hundreds, of commercial and personal account credentials can easily become an overwhelming burden.
This issue is compounded by other factors related to the nature of SMBs. Does the business have a high employee turnover rate? Are there a few employees, or do they number in the dozens? If a firm cannot afford a dedicated IT department, the risk of experiencing a major data breach rises sharply.
What does the data tell us?
In Ponemon’s “2017 State of SMB Cybersecurity Report” (sponsored by Keeper Security), 600 individuals at companies with fewer than 1,000 employees were surveyed. Ponemon’s researchers found that in 2017, 61 percent of SMB respondents admitted to experiencing a data breach, compared to 55 percent in the previous year. Of those breached, 43 percent indicated the cyber-attack stemmed from a web-based intrusion.
More disheartening is that 59 percent of the surveyed respondents admitted their company did not have objective visibility into their employees’ password practices. This known security blind spot includes the possibility that employees are using old, weak, and/or shared passwords.
While more companies are realizing the need to manage their web-based accounts responsibly, 68 percent of survey respondents said their firm does not strictly enforce the password policies it has already instituted. Furthermore, respondents in this same group said that management was unsure of the enforcement process itself.
Why are so many SMBs suffering from a culture of complacency when it comes to cyber awareness?
There could be any number of reasons, including limited IT resources and poor employee cybersecurity training and education. While these may appear to be legitimate reasons for postponing investment in protecting account credentials and training employees, the cost of a breach quickly reverses that calculation.
In the same Ponemon survey, the average cost of damage from a cyber-attack rose from $879,582 to $1,027,053. The picture becomes even more sobering when one adds the cost of lost operations, which rose from $955,429 to $1,207,965. Combined, that is roughly $2.2 million in average losses.
What can SMBs do to address this problem?
Unfortunately, this is one of those “it depends” scenarios. It depends on the size, operational complexity, headcount, and risk tolerance of your firm. However, for this discussion, let’s narrow the scope to a business with fewer than 100 employees and a mix of desktop and mobile endpoints.
Here are three easy steps that implement a simple and affordable way to manage your employees’ passwords while decreasing your risk of a web-based breach due to weak account credentials.
Step 1: Invest in a Commercial Grade Password Manager.
Password managers such as Dashlane, 1Password, and LastPass store all of your credentials in an encrypted vault, synchronised through the vendor’s cloud, that is unlocked by a single master password. The benefit is that you no longer have to keep track of every username and password you use throughout the day, and the manager can generate a long, unique password for each account instead of the recycled ones mentioned above. Like anything, they are not perfect. Make sure your web browser works seamlessly with the software; we recommend Google Chrome for the best compatibility with all three. Turn on the manager’s own two-factor authentication for every employee’s vault. Your employees will also have to understand that the vendor cannot recover a forgotten master password: unless a recovery or emergency-access option was set up in advance, all of the data in that vault will be inaccessible … forever.
Step 2: Create an Easy to Understand Password Policy Statement.
Because your security is only as strong as its weakest link, decision-makers should take a bottom-up approach when crafting this document: start from what every employee, including the least technical, must actually do each day.
Your password policy, like any other cyber resilience document, should state why it is needed, set out expectations, include remediation processes, and finally list the consequences of employee noncompliance.
A simple Google search can provide many examples of sample policies. Here’s one that we found published by the State of Michigan.
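A policy is only as good as its enforcement, and the survey gap described above (no visibility into old, weak, or shared passwords) is exactly what a periodic audit of the password manager’s vault closes. The following is an added example, not code from the original post or from any password-manager vendor: a short Python audit that reads a password-manager CSV export and flags short, common, stale, and reused passwords against the kind of thresholds a Step 2 policy statement would set. The column names, thresholds, and sample rows are assumptions constructed for illustration; map them to your product’s actual export format and your own policy.

```python
"""Audit a password-manager CSV export against a simple password policy.

Added example, not code from the original post or from any password-manager
vendor. The column names (name, username, password, last_modified) and the
thresholds are assumptions: real exports and real policies differ, so adjust
the header mapping and limits to match yours.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Policy thresholds (assumed values; take the real ones from your policy statement).
MIN_LENGTH = 12
MAX_AGE_DAYS = 365

# A few passwords that appear in every breach corpus; extend this from a real list.
COMMON = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

# Constructed sample export (not real credentials) in the assumed column layout.
SAMPLE_EXPORT = """name,username,password,last_modified
Bank portal,owner@example.com,Summer2016!,2016-06-01
Payroll SaaS,owner@example.com,Summer2016!,2017-01-15
CRM,sales@example.com,correct horse battery staple,2017-03-02
Shared mailbox,info@example.com,password1,2015-11-20
"""

# Fixed audit date so the sample gives repeatable results; use date.today() in practice.
AUDIT_DATE = date(2018, 1, 1)


def audit_export(csv_text, today, min_length=MIN_LENGTH, max_age_days=MAX_AGE_DAYS):
    """Return {account name: [findings]} for every account that violates the policy.

    Checks the three practices the survey respondents could not see: weak (short
    or common) passwords, old passwords, and one password shared across accounts.
    """
    findings = defaultdict(list)
    accounts_by_password = defaultdict(list)

    for row in csv.DictReader(io.StringIO(csv_text)):
        name, password = row["name"], row["password"]
        accounts_by_password[password].append(name)

        if len(password) < min_length:
            findings[name].append(f"too short ({len(password)} < {min_length} chars)")
        if password.lower() in COMMON:
            findings[name].append("common password")
        age_days = (today - date.fromisoformat(row["last_modified"])).days
        if age_days > max_age_days:
            findings[name].append(f"stale ({age_days} days since last change)")

    # Reuse is only visible across rows, so it needs a second pass.
    for password, names in accounts_by_password.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings[name].append(f"reused on: {others}")

    return dict(findings)


def audit_sample():
    """Run the audit over the constructed export with the fixed audit date."""
    return audit_export(SAMPLE_EXPORT, AUDIT_DATE)


if __name__ == "__main__":
    for account, problems in sorted(audit_sample().items()):
        print(f"{account}:")
        for problem in problems:
            print(f"  - {problem}")
```

Run this against a real export only on a trusted machine and delete the export file afterwards, since the CSV holds every password in clear text; the findings, not the export, are what goes into the remediation process the policy describes.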
Step 3: Hire an IT Managed Service Provider (MSP)
If implementing an account credentials security program is too much for your firm to handle, then consider developing a relationship with an IT Managed Service Provider (MSP). They can help your organization assess, implement, and manage its IT needs.
A solid provider will address your current IT challenges while preparing your business for future technology obstacles. This cannot be overstated. As your business evolves and changes, so will the technology you need to address those changes. Hence, it’s best to have someone you can rely on who knows your operations and can assist with keeping your data as secure as possible.
It is very easy for SMBs to become overwhelmed by their account credentials. As the number and complexity of their web accounts increase, so does the risk of a data breach when usernames and passwords are not properly managed.
Hence, at a minimum, it is important to use a password manager, enforce actionable policies, and hire third-party IT experts to assist with your evolving cybersecurity needs.
At Rylet we are passionate about providing SMBs with affordable and actionable ways to improve their cyber posture. Our desire is to relieve the burden of IT obstacles in order to give our clients the freedom to focus on their core business efforts.
Contact us today to find out how RYLET can help your organization to become cyber-resilient!
(855) 4 RYLET NOW