Five Cybersecurity Testing Measures to Keep your Business Safe
It’s an unfortunate truth: small and medium-sized businesses (SMBs) continue to suffer from frequent and sophisticated cyberattacks. In 2021, SMBs remain a top target for myriad intrusions, including ransomware, malware, and other damaging attacks. SMBs are often a prime target for a simple yet egregious reason—because these businesses lack the proper cybersecurity. Now is the time to invest in a stronger security perimeter to protect your operations, your reputation, and your people.
However, it’s not enough to simply implement a cybersecurity strategy and just sit back. To most effectively mitigate the threat of cyberattack, SMBs must also regularly test these cybersecurity measures to make sure they truly work. Even with a robust plan in place, dangerous gaps can exist due to lack of knowledge of the current-day threat landscape, poor training, platform misconfigurations (either intentional or accidental), or simply because, as we all know, mistakes can and do happen.
Testing your cybersecurity measures usually involves working with a specialist to run tests on your website and other systems. These experts can help you identify potential security gaps and plug any holes that do exist. Whether you plan to test your cybersecurity internally or are shopping around for a trusted partner, we look here at five cybersecurity testing measures you should employ to keep your data protected and secure.
Vulnerability Testing: A Routine Check-Up for Cyber-Health
For many people, routine medical check-ups are a key contributing factor to staying healthy. Regular visits can help us identify potential issues early on—before they become a larger problem. Regular check-ups can produce important data, like changes to blood tests over time, and for many, they hold us more accountable to our own health and promote a greater overall awareness of our bodies and our minds.
Vulnerability testing is like a check-up for your technology infrastructure. A vulnerability test (also called a vulnerability assessment) is the process of evaluating the security risks of your network and other IT systems and looking for known vulnerabilities. Often, SMBs partner with a trusted third party to conduct vulnerability testing. These experts will scan and test everything from devices to software to ports. Vulnerability testing is a critical measure because the threat vectors facing your business change so often. Even seemingly “safe” actions, like updating software, can pose a risk to your business as trusted patches can themselves be the conduit for an attack.
Just as routine check-ups can help us adopt healthier lifestyles, a vulnerability test provides a comprehensive understanding of your firm’s potential security risks. The point of vulnerability testing is not just to identify the unique weak points in your network, but to understand how you can mitigate these risks, before cybercriminals can take advantage of them. In fact, a common output of vulnerability testing is a set of clear and expert recommendations on how to address any vulnerabilities that were found.
Website Vulnerability Testing: Close your Backdoors, All of Them
The many web applications that you rely upon every day to manage and grow your business are another common attack vector. Remember, attackers seek out weaknesses in your website and can uncover backdoors that can be used to access your network.
Website vulnerability testing is another “routine check-up” for your business, but with a focus on identifying website-specific security vulnerabilities. Often, the process involves an automated tool that scans all site pages to detect vulnerabilities—some scanners are more advanced than others and can delve deeper to find flaws that other scanners may miss. Website vulnerability testing involves validating your website security controls and crawling through pages—either passively (to simply identify potential vulnerabilities) or actively (to actually simulate an attack from an outside perspective).
While you can research and purchase an adequate website vulnerability scanner, partnering with an expert third party will provide a robust scan of all of your web applications. For SMBs with overworked technology teams and limited resources, this option can also help you conduct a website vulnerability scan more quickly than if you had to do it all in-house. Acting sooner on cybersecurity is always better than acting later. And taking no action at all is really no longer an option these days.
Program Update Checks: Patch and Update
Hackers can easily gain access to your network through software vulnerabilities. To thwart these intrusions, you must ensure that all software and systems have the latest patches and updates. To get a sense of the landscape, just visit the Cybersecurity & Infrastructure Security Agency’s “Current Activity” web page, which reports frequent and high-impact security incidents. At the time of writing this post, three of the top four entries are recommended software security updates that administrators should apply (from Fortinet, Cisco, and Google Chrome).
But with so many platforms and systems at play in your business, how do you even know where to begin? And how do you stay on top of the ever-evolving updates and patches that come out?
Here, once again, your team can choose to work with an expert partner to fully discover and apply the necessary patches you need to safeguard your operations, including making sure your anti-virus software is up to date. This support will help you not only discover all problems that may be lurking in your network, but also quickly and effectively remedy these vulnerabilities by applying the necessary patches.
Access Controls: Who Needs Access, and Who Doesn’t?
Another measure to keep your company safe goes to the heart of your business: your people. Access control is the process of checking to see who has access to what data and applications at your business. And, just as importantly, it involves making sure that people who shouldn’t have such access—or don’t need it to do their job—don’t.
Ensuring proper access controls involves an inventory of your systems and user roles. A good rule of thumb is to grant access to critical data and systems only to administrators and to those who need it to carry out their duties. You can also add a recommended extra layer of security through additional authentication steps, like multi-factor authentication.
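The review described above can be run as a simple comparison of each account's access against what its role needs. The sketch below is an added example, not part of the original article or any vendor's tool; the roles, systems, accounts, and finding names are all constructed for illustration.

```python
"""Access review over a constructed inventory (all names and data are hypothetical)."""
from dataclasses import dataclass, field

# Constructed baseline: which systems each role needs to do its job.
ROLE_NEEDS = {
    "admin": {"payroll", "crm", "file_share", "domain_controller"},
    "finance": {"payroll", "file_share"},
    "sales": {"crm", "file_share"},
}
# Systems holding critical data; any account that reaches them should use MFA.
CRITICAL = {"payroll", "domain_controller"}


@dataclass
class Account:
    user: str
    role: str
    mfa: bool
    grants: set = field(default_factory=set)


# Constructed sample inventory, as it might be exported from a directory.
INVENTORY = [
    Account("alice", "admin", True, {"payroll", "crm", "file_share", "domain_controller"}),
    Account("bob", "finance", False, {"payroll", "file_share"}),
    Account("carol", "sales", True, {"crm", "file_share", "payroll"}),
    Account("dave", "contractor", False, {"file_share"}),
]


def review_access(inventory, role_needs=ROLE_NEEDS, critical=CRITICAL):
    """Return (user, issue, detail) findings, sorted for stable reporting."""
    findings = []
    for acct in inventory:
        needed = role_needs.get(acct.role)
        if needed is None:
            # A role with no baseline cannot be justified: review every grant.
            findings.append((acct.user, "unknown_role", acct.role))
            needed = set()
        for system in sorted(acct.grants - needed):
            findings.append((acct.user, "excess_access", system))
        reachable_critical = sorted(acct.grants & critical)
        if reachable_critical and not acct.mfa:
            findings.append((acct.user, "critical_without_mfa", ",".join(reachable_critical)))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue, detail in review_access(INVENTORY):
        print(f"{user:8} {issue:22} {detail}")
```

Each finding is a prompt for a decision: remove the grant, document why it is needed, or enroll the account in multi-factor authentication.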
Microsoft Office 365 Security Assessment: Because It’s Popular, Not Fool-Proof
More than 730,000 companies in the U.S. rely on Microsoft Office to conduct business. Chances are, you’re one of them. But do you know how safe your Microsoft Office 365 suite really is? When it comes to protecting, accessing, and restoring your data, you should understand where Microsoft’s responsibility ends and yours begins. It all begins with analyzing your security controls in Microsoft to ensure you have the right configurations and protections in place.
Working with a partner to conduct a Microsoft-specific security assessment is one of the most effective approaches. Doing so can help you identify timely and commonly exploited misconfigurations, reduce your Microsoft 365 attack surface, and prioritize security enhancement. And while you’re at it, we also recommend looking at your data backup strategy (or implementing one if you don’t have something in place) as this is not an automatic feature of Microsoft Office 365.
This is exactly why we’re excited to partner with Altaro, an award-winning software developer, on an Office 365 Backup solution to help protect your business against unexpected data loss or damage. The solution can also help you comply with any long-term data retention requirements (Office 365 has a limited standard retention policy of 30 days, but many SMBs are required to be able to access data from much further back). Read more about our Office 365 Backup solution here and here.
It’s a wild world out there. As such, there are numerous other cybersecurity testing measures available, like penetration testing and ethical hacking, but the five measures we highlighted here should be included at a minimum. Regularly testing your cybersecurity strategy will give your business a clean bill of health and the assurance that your operations, data, and people are fully protected. With that assurance, you can focus on what matters: Running and growing your business.
Please get in touch with us today to learn more about how we can help you assess the efficacy of your cybersecurity strategy. We can do it all or we can plug in for specific exercises—like testing for vulnerabilities on your network and web applications, applying program updates and patches, optimizing your access controls with added authentication measures, and fully securing and backing up your Microsoft Office 365.