Small and mid-sized business security: What you need to know


By Missy Bentzen

Cybercriminals deliberately and regularly target small and mid-sized businesses. They are betting that these businesses do not have strong security safeguards in place, and unfortunately that bet often pays off.

Did you know[1]

  • 71% of cyberattacks occur at businesses with fewer than 100 employees.
  • The average cost for a small business to clean up after being hacked is $690,000; for middle-market companies it is more than $1 million.
  • 60% of small companies are unable to stay in business for more than six months after a cyberattack.

When it comes to cyberattacks, it’s not a matter of if, but when. If you use the internet, you’re at risk.

Know your risks


Keeping up with constantly changing cybersecurity threats can be difficult, but here are some of the most common ones impacting small and mid-sized businesses:

Phishing

Phishing is the most common way a company gets hacked. It is cheap and effective because the attackers can cast a wide net, and it only takes one person to act on the email. Phishing is an attempt to acquire sensitive information (usernames, passwords, credit card details and the like) by masquerading as a trustworthy entity, such as a legitimate business or organization with a plausible reason to request that information. The goal is to get you to click a malicious link, open a malicious attachment, or hand over personal or financial information.

A specific type of phishing is on the rise: business email compromise (BEC). The criminals may spend weeks or months studying a company's vendors, billing systems, the CEO's communication style and possibly even the CEO's travel schedule. When the time is right (for example, while the CEO is away from the office) the scammers send a spoofed email from the CEO, or from another senior role, to a targeted employee in the finance office requesting an immediate wire transfer. The targeted employee believes the money is going to a routine account, just as it has in the past. But the account details are slightly different, and a transfer of tens or hundreds of thousands of dollars lands in an account controlled by the criminal. The defense is procedural as much as technical: confirm any new or changed payment instructions by phone, using a number already on file rather than one taken from the email.
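The warning signs in the scenario above can be checked mechanically before a finance employee ever acts on the message. The script below is an added example for this article, not code from the author or any product it mentions: it parses a raw email and reports the classic BEC indicators, namely an executive's display name on an outside address, a sender domain that is a near miss of the company domain, a Reply-To that silently diverts replies, and wire-transfer pressure language. The company domain example.com, the executive list and the three sample messages are constructed for illustration.

```python
"""Triage raw email for business email compromise (BEC) indicators.

Added example for illustration; not code from the article. The company
profile and the sample messages are constructed.
"""
from __future__ import annotations

import email
from email.message import Message
from email.utils import parseaddr

# Hypothetical company profile (assumed for this example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real address
PRESSURE_WORDS = ("wire", "urgent", "immediately", "new account", "gift card")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def body_text(msg: Message) -> str:
    """Plain-text body, whether or not the message is multipart."""
    if not msg.is_multipart():
        return str(msg.get_payload())
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append((part.get_payload(decode=True) or b"").decode(errors="replace"))
    return " ".join(parts)


def bec_indicators(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings: list[str] = []

    # 1. An executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display-name spoofing: '{name}' sent from {addr}")

    # 2. Sender domain is a near miss of the company domain.
    if from_domain != COMPANY_DOMAIN and levenshtein(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike domain: {from_domain}")

    # 3. Replies silently go somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"reply-to mismatch: {reply}")

    # 4. Pressure language typical of wire-fraud requests.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure/payment wording: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 planning

See you Thursday.
"""

SPOOFED = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@outlook.com
To: bob@example.com
Subject: Urgent wire transfer

I'm travelling and can't take calls. Please wire $48,000 to the vendor immediately.
"""

LOOKALIKE = """\
From: Accounts Payable <ap@examp1e.com>
To: bob@example.com
Subject: Updated bank details

Our bank has changed; please use the new account for all future payments.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, bec_indicators(raw) or "clean")
```

This is content-level triage and complements, rather than replaces, enforcing SPF, DKIM and DMARC on your own domain, which is what stops an attacker from putting your exact domain in the From header in the first place. The keyword list is deliberately crude; it exists to surface messages for a human to verify by phone, not to make the decision.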

Malware

Malicious software (malware) includes viruses and spyware. It can be used to record every keystroke and collect data such as usernames and passwords for later fraud; malware that does this is known as a keylogger.

Hackers use malware such as ransomware to take control of your files and lock you out of your systems by encrypting them. They then demand money in exchange for restoring your access, and paying is no guarantee that the files come back, which is why tested backups matter.

What you can do

Prevention is key, but there is no single solution for cybersecurity. The use of anti-malware software, firewalls, and automatic updates is crucial, but don’t rely on those alone.

  1. Update hardware and software: Keep your hardware and software up to date with the latest firmware versions and patches, and enable automatic updates. Only use genuine copies of vendor-supplied and supported software; unsupported versions no longer receive security fixes.
  2. Move email to the cloud: Move all your corporate email to a cloud-based service from a reputable provider. These providers offer robust scanning that filters out most spam and malicious email before it reaches your inbox. No filter catches everything, so this does not replace the employee training in item 7.
  3. Use strong passwords: The best option is a passphrase made of several whole words or a short sentence; these are easier to remember but harder for attackers to guess. Use at least 12 characters. Also consider a password manager, and use a unique password for every account (business and personal) so that one breached site does not expose the others.
  4. Add a layer of login security: Use two-factor authentication (2FA) wherever possible. 2FA is a subset of multi-factor authentication: the user proves their identity with two different kinds of factor out of the three categories, 1) something they know (a password), 2) something they have (a phone or hardware security token), and 3) something they are (a biometric). In practice this means that, in addition to a password, your staff must supply a second proof such as a code from an authenticator app or a hardware key. A code sent by SMS is better than nothing, but it is the weakest option: text messages can be intercepted or redirected by SIM swapping, so prefer an authenticator app or a FIDO security key where the service supports them.
  5. Install security software: Install security software on your business systems and devices, particularly those with internet access. It helps protect against common malware infections and blocks unauthorized external connections. Set it to run automatically in the background when computers start up, and remove your employees' ability to turn it off.
  6. Back up your data: Regularly back up your important data to a separate location. This could be a cloud-based backup service or an encrypted (or securely stored) offline portable hard drive, depending on your environment. Ransomware encrypts any backup it can reach over the network, so keep at least one copy offline or otherwise disconnected, and periodically test that you can actually restore from it; a backup that has never been restored is an assumption, not a safeguard.
  7. Educate your employees and make someone accountable: Security is everyone's responsibility. Set expectations about what is appropriate, including which sites are safe to browse and which applications are allowed on company computers. Encourage employees to use strong passwords that differ from their other accounts, and teach them how to spot and report phishing emails. Assign a trusted employee in a management role to be responsible for the security procedures you establish.
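Item 6 above says to back up regularly and to test restores. Below is an added example, not code from the article, that shows the shape of a backup you can actually trust: it archives a folder, records a SHA-256 digest of every file and of the archive itself in a manifest, and then proves the backup restores by extracting to a scratch directory and re-hashing. The sample folder and files in `demo()` are constructed for the example; the corruption step stands in for media failure or ransomware reaching the backup.

```python
"""Back up a folder to an archive with a SHA-256 manifest, then prove it restores.

Added example, not code from the article. The sample files are constructed.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Write <name>.tar.gz plus a JSON manifest of per-file and whole-archive hashes."""
    archive = dest_dir / f"{src.name}.tar.gz"
    manifest = dest_dir / f"{src.name}.manifest.json"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                files[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps({"archive_sha256": sha256_file(archive),
                                    "files": files}, indent=2))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> bool:
    """Check the archive hash, restore to a scratch directory, and re-hash every file."""
    meta = json.loads(manifest.read_text())
    if sha256_file(archive) != meta["archive_sha256"]:
        return False                      # altered or corrupted since it was written
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse path-traversal members: a tampered archive must not write outside tmp.
            members = [m for m in tar.getmembers()
                       if not m.name.startswith("/")
                       and ".." not in Path(m.name).parts
                       and (m.isfile() or m.isdir())]
            tar.extractall(tmp, members=members)
        for rel, digest in meta["files"].items():
            restored = Path(tmp) / rel
            if not restored.is_file() or sha256_file(restored) != digest:
                return False
    return True


def demo() -> dict:
    """Constructed run: back up two sample files, verify, then corrupt the archive and re-verify."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "office-files"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2024-01.txt").write_text("constructed sample invoice\n")
        (src / "customers.csv").write_text("name,email\nAlice,alice@example.com\n")
        dest = root / "backups"
        dest.mkdir()

        archive, manifest = make_backup(src, dest)
        clean = verify_restore(archive, manifest)

        # Simulate media corruption or ransomware reaching the backup: flip one byte.
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(data)
        tampered = verify_restore(archive, manifest)
        return {"verified": clean, "tamper_detected": not tampered}


if __name__ == "__main__":
    print(demo())
```

The manifest sits next to the archive here for simplicity; in practice record the archive digest somewhere the backup job cannot write (a ticket, a printed log, a separate account), because an attacker who can encrypt the archive can also rewrite a manifest stored beside it. Encryption of the archive itself is a separate step and is not shown.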

Resources

If your budget is tight, use these free resources to learn about how to secure your business and train employees to help do their part.

National Cybersecurity Society

FTC – Protecting Small Businesses

National Cyber Security Alliance

Cybersecurity for Small Businesses Course

Stop Think Connect

Cofense PhishMe Free

[1] "What Happens When Your Small Business Is Hacked," Entrepreneur, June 2017.

Editor's note: Missy Bentzen has more than 15 years of information security experience in the non-profit, government, and tech industries. She holds the CISA and CRISC designations, a bachelor's degree from Virginia Polytechnic Institute & State University, and a master's degree from Ashford University (San Diego, CA). She is also a graduate of Christiana High School (Newark, DE). She has done consulting work with government agencies and performed security risk assessments for a non-profit before moving into a security training and awareness role. Missy currently leads a global program that raises awareness and educates employees, helping to ensure the security of company assets and customer data.
