Prepping For Cyber Security In 2026

Welcome back to another episode of Cappuccino Chat. This time we're talking about getting ready for your cyber security in 2026. This is going to be a small business survival guide. All right, so this time on Cappuccino Chat, we're going to be talking about prepping our cyber security to get ready for 2026. 2026 is going to be a big step up because we got to be honest to ourselves. It's really going to test our cyber security for our small businesses with the AI powered attacks, zerorust security stick coming into play. The mix of CL cloud and hybrid still in uh kind of flux with everybody. More people are coming back into the office, but some still allow a lot of remote access into their systems. And then just the cyber insurance and regulatory stuff that's going on. It's getting harder and harder to get um quality cyber insurance at a you know cheaper rate because everything's going up because the attacks are much more um devastating and impactful to those businesses causing more money to be spent. So the insurance companies of course don't want to have those big payouts. So we're going to go over some stuff that you could do now to get ready for 2026. So first things first, you want to know what your risks are. So you want to identify all the different assets within your system. Now this isn't just your computers, server, those kinds of things. Some of the stuff like your MSP like ourselves would do take care of for you. This might be other devices, personal devices that you allow on your network like people's cell phones, iPads, laptops that come in, those types of things. also your security cameras, uh, like Ring video doorbells and all those different things, um, copers, uh, voiceover IP phone systems, all these different things come with some level of risk because they have to communicate to your network and sometimes out to the internet. So, you want to identify all those different devices that are plugged into your network that communicate to the internet so that you know what you're looking at. So that's kind of step one is identify everything. Then you want to make sure that you're locking down the basics. So that's number two, lock down the basics. So we want to make sure any software is updated. So if you've got Ring software, any kind of sec other security camera software that it's being updated and maintained, voiceover, IP, phone system, copers, all that different stuff that might be connecting. If you're in uh retail, your POSOS system and the POSOS terminals, credit card terminals, all that stuff, you need to look at updating it. You want to make sure you're requiring 2FA, MFA, where you got to get that code set up for anything that needs access to the cloud. Um, I mean, your bank should already be set up, but if you got any kind of cloud software, your Office 365, email with somebody else, all that stuff, basics. But if you're logging into a cloud portal for accounting, HR, uh maybe a line of business type application, you want to make sure we get that 2FA, MFA set up so that it's as secure as you can be. Is it foolproof? No. Is it going to um reduce your risk? Absolutely. That's what we're looking for. Use a password manager or look into using a password manager. We still see a lot of users using weak passwords. password password one two three admin one two three those types of things you want to get rid of all that stuff and not just change one character or something every year to update your password you want to be want it to be very unique and we're also seeing where they're coming out with they want passwords longer and longer the longer they become the harder they are to remember therefore users will get loose with them not do it or write them down which is not secure that's where a password manager really comes into play It stores all that for the user. They don't have to remember some weird uh combination of, you know, letters, numbers, and special characters because the password manager has it all. We want to make sure we're backing up any data. Uh you want to back that up to the cloud. Again, if you're using any cloud apps, what kind of backup are they doing? What what processes are to possibly restore? And you want to do a test restore or see that restore is capable, right? separate your network, segment your networks, both internal um hardwired and wireless. So, if you need wireless for your business and you need a guest wireless for employees to use, guests that come in, maybe vendors, you want to make sure those are separated and you're not allowing those devices to communicate on the same wireless network. Um, inside segregating different types of stuff. If you got a POS system, segment that off. If you've got credit card terminals, segment that off. Voiceover IP phone system, segment that off. Because that way, if that system gets compromised, it's going to limit its ability to spread to other parts of your network. It's going to slow it down and it's going to limit it and reduce that risk. Number three is going to be building the next layer. And that's where we're going to build on top of those basics that we just talked about. So, this is where you're going to limit employee access to strictly what they need. A lot of companies still use one big shared drive and there's folders in there from all the different departments and everybody has access to it and then later on you find out, oh, hey, such and such employee was digging around in the accounting folder, the HR folder, and they shouldn't be. So, you want to look to make sure that they only have access to what they need. Same thing if they're not in the accounting department, they probably don't need access to the accounting software directory. Even if they don't have it installed under their computer, they don't need access to it at all. So again, we want to make sure we limit that access so that if somebody's computer was compromised, it doesn't spread into those other systems whether they use them or not. You want to check your cloud setups to make sure there's any miscon uh configurations going on, right? So, you don't want all ports open or um no 2FA MFA like we talked about earlier. You want to make sure that it's configured and locked down as best as possible with any of those cloud applications. Next one's a little more probably need to get your IT person involved. Your incident response plan. Um this is where you're going to set up, you know, who gets notified when a potential incident happens. Um who to call, what to shut down, how to notify clients. So these are things not only your IT person needs to be involved in, but you might need legal counsel. Your insurance provider is definitely going to be on that list and that would be a good place to start. See if they've got an incident response plan template that you can use and ask them what their notification requirements are uh to them if there is an incident. So again, that's number one. You start with them and then work your way down on that and then consider cyber insurance. Uh but remember it supplements what your protection it doesn't uh replace good security. So right, so your cyber insurance is going to be really expensive if you're not doing these basics that we're talking about. If you're not implementing 2FA on your email, doing cyber awareness training, um imple starting to implement zero trust. Those types of things need to be in place. Otherwise, your premium is going to be really expensive. But that premium or that insurance policy doesn't mean you have good security. It means when you're breached, you're going to get some help possibly, right? So, you just got to look into that, but be careful when researching that. It doesn't replace good security. It's in addition to. Now, again, uh kind of mentioned it with the cyber awareness training. Number four is training your team. You want to make sure you're doing some uh automated um reoccurring training for your employees on cyber security awareness. Uh we recommend quarterly at a minimum. Uh this is where they're going to be tested. Uh given some videos to keep it top of mind. So if we're not constantly thinking about things, when the time comes, people are going to click on an email, open an attachment, click a link, fall for a fishing attempt. Um we've recently learned about some additional ones where, you know, people are still uh bank routing information saying, "Hey, I need you to change where my wire transfer goes. Please do this. They should there should be a policy in place to change that, have multiple people look at it, but they should be able to review those emails and understand that this is a fish attempt and to notify people and not respond to it. Right? You want to make sure that your employees, as much as we want to say our employees are the smartest out there, people get busy, people get bogged down. We're into the holiday season. It's stressing everybody out, right? Their packages. What am I going to get this person? What about airline travel? All these different things. People might click on something. So regardless of what you think about you, it doesn't mean your employees are not as smart as the next, but you want to keep that training in front of them so they can pick up on things that much more easier. So we want to make sure we're doing that. And then also testing those employees, right? So something that we offer in addition to our cyber awareness training is we will also send out fake fishing emails to try to get employees to click on something so we can test them to make sure they understood the information that was provided to them that training. Next is uh number five is going to be watch your vendors. You need to communicate with your vendors. So again, in number one, when we identified all those assets, we want to make sure now we're working with those vendors and every partner or app that touches your network or that you log into. You want to make sure you understand who has access to what, can they get in? Sometimes some of these accounting packages, they want you to use some kind of remote access tool when you open up a ticket. Uh maybe your POSOS vendor, your point of uh sale vendor wants to have access. Well, can they log on whenever they want? Do you have to initiate and approve it? You want to check all that different stuff out. You want to make sure they're using MFA when they need to get in. And then you want to make sure your contracts with those vendors have something in there, some information. What happens if that vendor gets breached, gets hacked? What protections do you have? What are your ramifications for getting compensated when the system's offline or down? Is there anything? Those types of things. Just understanding that contract before you initial sign and keep paying them. What happens if that vendor where your accounting system and gets breached and all your accounting data is leaked out to the world? Right? What are your what can you do legally? What what are what is their obligation to get your data back online as quick as possible? What will that take? SLAs's, those types of things. You want to make sure you understand those things. But again, we got to start with those basics and then work our way down. So bottom line is cyber security in 2026 is going to become more important, not less, because every time we come up with a way to stop these guys, they're coming up with two ways to get around what we're doing. So we really need to be vigilant and stay on top of cyber security. This is a service we provide to our clients, constantly reviewing and going over. We go out to trade shows. We talk with different vendors. We see what's going on, what's upcoming as far as these attacks go and stay on top of stuff and then ensure that our clients in their industries, what's best for them to do, where's the best protection for the money. We understand money does not grow on trees regardless of what some people think. We understand budgets are tight, but we also need to have those protections in place. If it costs you 2,000 a year for something, but when you have a breach because somebody wire transferred something that cost you, you know, $50,000, $100,000, did you save any money by not having that training? No. You lost money because somebody did something they should have known better to you, but you they weren't being adequately trained. So, make sure you take a a look at your cyber security for 2026. go through those different uh items that we talked about on the checklist. Number one, know your risks. Number two, lock down the basics. Number three is build that next layer of protection. Number four is train your team. And then number five is watch your vendors and make sure you're maintaining those relationships. As always, if you have any questions for us, please reach out. 760-770-52000.