One click on the wrong link can lead to a days- or weeks-long halt in operations. Even the theft of the smallest customer database can quickly result in reputational damage and loss of face.
The solution, cybersecurity, begins with recognition. A difficult step, as the victims we encounter most often have little in common with ourselves or our businesses.
Large-scale data breaches make the news; smaller incidents go under the radar. That is deceptive, because even smaller data breaches can cause harm.
Between June 2019 and June 2020, one in five SMEs fell victim (source: SIDN). Affected entrepreneurs who speak out are rare. Incidents are accompanied by losses of tens or hundreds of thousands of euros, shame, and fear.
You don't have to be a target to incur damage. Every business processes the data of employees, partners, and customers. Most companies are vulnerable. If data falls into the wrong hands, the consequences are often severe. We shed light on two risk categories:
- Initials, birth dates, email addresses, and other common personal data can be used to commit identity fraud. A cybercriminal poses as a trusted customer to get invoices paid and account numbers changed.
- In other cases, the data is used to gain access to company systems. Leaked passwords and usernames - or sufficient personal data to retrieve such information - enable a criminal to attack from the outside.
If you are insufficiently protected and the data of your company is stored by a customer, contractor, or employee, a leak at their end can have consequences for you. This works both ways: if a phishing attack leads to the loss of the data your company processes, all related companies and individuals become vulnerable.
Three attack surfaces
The good news is that cybercriminals can be defended against. The right precautions are threefold. Every company has entrances, passages, and exits. Only when you are aware of the vulnerabilities that exist in this trio can you assess the security of your business.
- By entrance, we mean access to company systems. Think of the corporate network or the management account of a website. Access is almost always guarded by passwords and usernames. If criminals find a way to steal those passwords and usernames, security is bypassed - and customer data, financial information, and employee records are up for grabs.
- By passage, we mean devices like laptops and smartphones, also known as endpoints. We use these devices to store and process data. If a criminal is able to gain access to a device, the data can be used to crack an entrance.
Access is typically achieved through the spread of malware. Often via malicious links, also known as phishing. Although physical theft is rarer, the consequences are identical.
Ransomware is a common form of malware. Malicious actors encrypt the data of a device, demand a ransom, and only restore the device once the amount is paid. If you do get access back, you are one of the lucky ones: some criminals still use, trade, or destroy the data, even when the ransom demand is met.
- By exit, we mean cloud systems. Most Dutch companies use Microsoft 365 with tools like OneDrive, SharePoint, and Teams. Such software runs in the cloud. Collaboration and file exchange often take place in open locations. Cybercriminals exploit this accessibility. Malware is injected via the cloud into the devices (or passages) of users.
As strong as the weakest link
Securing entrances, passages, and exits reduces the attack surface and is crucial for the safety of your business. If a malicious actor succeeds in bypassing the security of cloud systems (exit), then laptops and smartphones (passage) can be infected. If the security of these devices is lacking, then the data of unsecured accounts and company networks (entrance) is at risk.
It is very likely that one of the categories in your environment is already covered by a precaution. Perhaps you are paying for additional security measures in Office 365. Maybe you have secured the laptops of employees or colleagues with an endpoint security tool. But half measures are not enough.
If you secure the passage with endpoint security, a lack of cloud security can still lead to the breach of an entrance. If cloud security is present but endpoint security is not, a successful phishing attack remains sufficient. Ensure that you build layers and have a plan.
Software as an answer
The most effective security solutions cover every category. ESET is a prime example. The security company has recently developed the ESET Protect platform, which is offered through Dutch partners to protect businesses of every size.
Various bundles make it possible to strengthen different weak points. The security of the passage, or endpoint security, is included in every bundle. The security of the exit, or cloud, is reserved for more extensive bundles.
These gradations are not a limitation, but rather a benefit. If you hardly work with tools like Exchange Online or OneDrive, then you have little interest in cloud security. In that case, you choose a basic bundle and pay only for the security you actually need. ESET Protect remains the foundation, which facilitates scaling up or down.
Within ESET's bundles, you will find a number of distinctive measures. Cloud sandboxing is one example. The term refers to a particularly effective method for identifying new, unknown threats. Even if you or an employee clicks on a wrong link, the damage is avoided. It is not without reason that the AIVD officially advises combating phishing with cloud sandboxing. The technology is present in four out of five ESET Protect bundles.
In addition to the fixed bundles, ESET offers enhancements such as two-factor authentication and Endpoint Encryption.
- Two-factor authentication prevents over 90 percent of all attacks on entrances. Even when the data of accounts and company networks falls into the wrong hands, access is not granted. If two-factor authentication is present, a second device - such as a smartphone - must be linked to a user's account. When you log in with the correct data, a code is requested. This code can only be generated via the linked device. Without this device, a criminal gets nowhere.
- If a data breach occurs and no encryption has been applied, there is a risk that data will be made public. An encryption solution makes it impossible for attackers to read stolen data. Full disk encryption is included in most ESET Protect bundles. If you want more options to encrypt emails and attachments, removable media, and folders, then ESET Endpoint Encryption provides the solution.
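The two-factor item above says a leaked password is not enough because the login code can only be generated on the linked device. The sketch below is an added example, not ESET's implementation or code from this article: it assumes the code is a time-based one-time password (TOTP, RFC 6238), and the names `SHARED_SECRET`, `STORED_PASSWORD_HASH`, `totp` and `login` are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions, not from the article).
# The secret is shared once at enrollment and then lives only on the
# server and on the linked device; it is never typed in at login.
SHARED_SECRET = b"12345678901234567890"  # RFC 6238 test secret
# Demo only: a real system stores passwords with a slow KDF, not bare SHA-256.
STORED_PASSWORD_HASH = hashlib.sha256(b"correct horse").hexdigest()


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code the linked device shows for the 30-second slot containing unix_time."""
    counter = max(0, unix_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login(password: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Grant access only if the password AND the device-generated code match."""
    supplied = hashlib.sha256(password.encode()).hexdigest()
    password_ok = hmac.compare_digest(supplied, STORED_PASSWORD_HASH)
    # Accept neighbouring time slots to tolerate small clock drift.
    code_ok = any(
        hmac.compare_digest(totp(SHARED_SECRET, unix_time + i * 30), code)
        for i in range(-window, window + 1)
    )
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    print("device shows:", totp(SHARED_SECRET, now))
    print("password + code:", login("correct horse", totp(SHARED_SECRET, now), now))
    print("stolen password, guessed code:", login("correct horse", "000000", now))
```

An attacker holding only the leaked password fails the second check, and a code captured earlier stops working once its time slot has passed.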