By definition, cybersecurity is the action taken to protect computer-based systems from attack or unauthorized access. Many think cybersecurity is a problem that only plagues large corporations. We frequently hear about data breaches of big corporations and government entities such as Target, Wendy’s, the U.S. Department of Justice, and the Internal Revenue Service. But what about small businesses? They are small enough to fly under the radar of cybercriminals, right?
The truth is that small businesses are just as much at risk for cyberattacks. According to Small Business Trends, attacks against small businesses accounted for 43 percent of all cyber attacks in 2015.
The reasons are simple. Small businesses typically hold greater financial assets and more commercially usable data than an individual does, and they tend to have far less security in place than large companies. Many small businesses also lack the awareness and training to protect themselves effectively.
In 2016 the Ponemon Institute published the research survey titled The State of Cybersecurity in Small and Medium-Sized Businesses, which revealed that 55 percent of participants had experienced a cyberattack in the 12 months prior to the survey. The research further showed that half of those attacks resulted in the exposure of customer and employee data to the cybercriminals.
The evidence that small businesses should invest in cybersecurity to keep their data protected is overwhelming. But figuring out where to start can still feel overwhelming, complicated, and even a little scary. Fortunately, there is a wealth of information to help small business owners like you navigate the ins and outs of arming yourself and your business against cyber threats.
Understanding the cyber threats to small businesses
Understanding the predominant attacks, flaws, and human error exploited by hackers to target small businesses can greatly decrease the likelihood of becoming a victim. Listed below are some of the most prevalent security issues that small businesses face.
1. Malware, ransomware, phishing, vishing, and social engineering attacks
These attacks take a wide variety of forms, such as finding and exploiting vulnerabilities in the victim's software, or email scams designed to trick the user into divulging critical information or into launching attacks such as viruses, ransomware, and system takeovers.
Short for malicious software, malware is a term used to describe a variety of cyber threats that include viruses, trojans, and worms. It does not name one specific threat in and of itself; it covers any software installed on your machine to perform undesirable tasks. This includes stealing or manipulating data, controlling access to your system(s), or otherwise harming the host computers. It is used to benefit the perpetrators without the consent of the machine or data owner. Malware routinely runs in the background and can go undetected for quite some time.
Just like ransomware, malware is typically introduced into your system through email attachments, clicked links, or software downloads. It is typically designed to steal or destroy data on the system.
Ransomware, one of the most devastating cyber attacks, prevents you from accessing and using data on your computers. It holds your computer or files for “ransom” requiring you to do something to regain use of your computer. Typically, this is some form of payment, but other forms of ransomware require the user to take surveys to unlock the system.
What is a social engineering attack?
Social engineering attacks, which depend completely on human interaction and deceitful behavior to trick people, are one of the fastest growing security threats facing any business today. While traditional attacks leverage technology-based system vulnerabilities, such as software vulnerabilities and misconfigurations, social engineering attacks take advantage of human vulnerabilities by using deception to trick targeted victims into performing harmful actions.
Examples of social engineering attacks, which are typically perpetrated through email, include threats such as phishing, vishing, and business email compromise (BEC). Other examples of social engineering include pretexting, quid pro quo, and tailgating (feeding off common courtesy by following a credentialed employee through an open door).
Phishing and vishing
Phishing is typically email based: the attacker impersonates a legitimate company or a trusted individual to acquire private information. The emails commonly use threats or a sense of urgency in an attempt to frighten the user into revealing information. Vishing is similar to phishing but takes place over the phone. The attack will typically take the form of an automated call that appears to come from a legitimate organization.
2. Disgruntled and/or negligent employees or contractors
Many data breaches are caused by theft or the malicious distribution of sensitive data by disgruntled employees. Numerous breaches are also caused simply by negligence or a lack of training among well-meaning, dedicated employees or contractors.
3. Outdated or inadequate security
Cybercriminals can and will take advantage of vulnerabilities in outdated or inadequate security. These vulnerabilities typically take the form of insecure human practices, such as failing to patch software, neglecting regular system backups, failing to set up an adequate firewall, or transferring infected files.
4. A dedicated computer for banking
Many small businesses fail to use a dedicated system for their banking. Company computers that employees also use for social media, web surfing, and email are exposed to threats that could result in the theft or destruction of banking data.
5. Secure password policy
How secure is your password? Having a strong password might sound like common sense. However, not everyone puts a great deal of thought into this key aspect of cybersecurity. As a result, systems can be breached by brute-force methods (exhaustive automated generation of passwords) or by simply guessing passwords based on knowledge that can be acquired through social engineering techniques. Keep reading to learn more about how you can strengthen your passwords.
6. Secure network usage policy
One threat to your business’s network security is outside devices such as phones, thumb drives, and other devices that can be connected to your computers and potentially harbor some of the threats listed above. Failing to establish a network usage policy, and to communicate clearly to your employees what you expect regarding these devices, puts your business at risk of those threats.
7. Budgeting for security
A large number of companies fail to budget sufficiently for security or simply have no budget at all. In many cases, this is due to the belief that they are unlikely to be a target. In other cases, they believe that their current security practices are sufficient. Small businesses must weigh the cost of an adequate security budget against the potential costs of a breach, which could be devastating.
What you can do now to protect yourself
We talked to Brian Burch, head of product marketing (formerly VP of marketing) at Norton and an expert in data security, to find out what measures business owners need to take to protect themselves from cyber threats.
He began by emphasizing that data security for small business must be multi-layered. Your security protocols and tools should protect against all cybersecurity threats (as listed above). He also recommends that small business owners have a written policy that every employee must read and talk to them about passwords (which should really be “passphrases”).
Start with your passwords
Strong passwords are your first line of defense because they can deter or slow down potential compromise of your business’s sensitive data. When creating your passwords, it’s important to keep a few things in mind:
- Length, width, and depth are factors that can assist in creating the necessary level of complexity for a strong password.
- Length denotes the number of characters in a password. A password should be a minimum of 10 characters long, but longer passwords are more secure.
- Width refers to the combination of differing types of characters, such as alpha, numeric, upper and lowercase, and symbols. Each password should contain at least one uppercase, lowercase, number, and a special character such as symbols or punctuation.
- Depth indicates that a password has meaning, but that it is difficult to guess. Think about phrases and mnemonics instead of actual words. Example: “You miss 100 percent of the shots you don’t take” could translate into “Ym100%otsydtWG.”
You can test the complexity of your password by using websites like HOW SECURE IS MY PASSWORD?
- Don’t reuse passwords. If one of your accounts gets hacked, it makes it even easier for the hacker to access any other account you use the same password for. Applications like Dashlane provide free secure password creation and management software that can help users overcome this dilemma.
- Use multi-factor authentication when available. Using multiple pieces of data to verify identity is becoming more common. Even if your password has been compromised, the cybercriminal may not be able to access your account. The idea is simple: once you input your password, another piece of data is required. This could be something you know, such as a pre-established answer to a question; something you have, such as a key sent to your phone; or something you are, such as a fingerprint, voice recognition, or retinal scan.
- Never write your passwords down. If you do write them down, never store them in an easily accessible area, such as taped to your monitor, underneath your keyboard, or in your wallet or purse. If you need a way to keep track of all your passwords, consider a password manager like LastPass or KeePass.
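As an added example (not from the article or from Norton), the length and width rules above as a small local checker, so candidate passwords can be tested without pasting them into a third-party website; the 33-symbol alphabet size and the short common-word list are assumptions of this example.

```python
import math
import re

# Policy parameters taken from the article: at least 10 characters, and at
# least one character from each of the four classes (the article's "width").
MIN_LENGTH = 10
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Alphabet size each class contributes to a brute-force search space; the
# symbol count (33 printable ASCII symbols) is an assumption of this example.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}
# "Depth": a password that is just a well-known word is guessable no matter
# how it scores. Tiny constructed list; a real deployment would use a large one.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}


def check_password(password: str) -> dict:
    """Report length, width (classes present), a rough brute-force cost in
    bits, and the list of policy violations. ok is True when that list is empty."""
    present = {name: bool(rx.search(password)) for name, rx in CLASSES.items()}
    missing = [name for name, found in present.items() if not found]
    alphabet = sum(size for name, size in CLASS_SIZES.items() if present[name])
    # log2(alphabet ** length): an upper bound that ignores guessable structure.
    bits = round(len(password) * math.log2(alphabet), 1) if alphabet else 0.0
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH}")
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if password.lower() in COMMON:
        problems.append("common word")
    return {"length": len(password), "width": 4 - len(missing),
            "bits": bits, "problems": problems, "ok": not problems}


if __name__ == "__main__":
    # The article's own mnemonic example passes; a plain word does not.
    for candidate in ("Ym100%otsydtWG.", "password"):
        print(candidate, check_password(candidate))
```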
Educate your employees about cybersecurity threats
Employees need to be educated on the attacks that are typically used against small businesses and how to recognize the threat. Here are some ways you can do this:
- Periodically train your employees on how to inspect URLs cautiously to see if they redirect the user to an unknown website. They should also look for other telltale signs such as grammatical mistakes, spelling errors, and generic salutations. When in doubt, verify the request by contacting the company directly using contact information found independently, not from the email.
- Train your employees on the dangers of visiting suspicious or fake websites, opening email attachments unless you absolutely trust the source, clicking on bad links in emails, Facebook, and other social media sites, as well as instant messenger applications. Using pop-up blockers can also help. The key is to always be skeptical, and if you’re ever unsure, just don’t click on it.
- To prevent malware, make sure your employees know not to click on links or download email attachments from any unknown, untrusted senders. Back this up by deploying strong, up-to-date firewalls that block the transfer of large data files over the network, in the hope of weeding out attachments that may contain malware.
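As an added example that is not part of the original article, a small screen that applies the telltale signs above (a generic salutation, urgency wording, and a link whose visible text names a different domain than its real destination) to two constructed messages; the word lists and the reserved .example / example.net domains are constructed for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
# Indicators from the article: link text naming one domain while the href goes
# elsewhere, a generic salutation, and urgency wording. Word lists and sample
# messages are constructed for this example.
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent")
LINK_RX = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RX = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (enough for the samples)."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw_email: str) -> list:
    """Return human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    lowered = body.lower()
    sender_domain = registrable(msg["From"].split("@")[-1].rstrip(">"))
    findings = [f"generic salutation: '{s}'" for s in GENERIC_SALUTATIONS if s in lowered]
    findings += [f"urgency wording: '{w}'" for w in URGENCY_WORDS if w in lowered]
    for href, text in LINK_RX.findall(body):
        host = urlparse(href).hostname or ""
        shown = DOMAIN_RX.search(re.sub(r"<[^>]+>", "", text))  # domain in visible text
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text says {shown.group(1)} but goes to {host}")
        elif registrable(host) != sender_domain:
            findings.append(f"link host {host} differs from sender domain {sender_domain}")
    return findings

# Constructed lure showing all three indicators (.example and example.net are reserved).
SUSPICIOUS = """From: Security Team <alerts@examplebank.example>
Subject: Action required
Content-Type: text/html

<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify it at
<a href="http://examplebank.example.verify-login.example.net/">examplebank.example</a>.</p>
"""

# Constructed ordinary internal message that should raise nothing.
BENIGN = """From: Jane <jane@smallbiz.example>
Subject: Minutes
Content-Type: text/html

<p>Hi Ron,</p><p>Minutes are at <a href="https://intranet.smallbiz.example/minutes">the intranet</a>.</p>
"""
```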
Establish a secure network usage policy
Having a policy in place does not guarantee employees will follow it. It does, however, raise the awareness of security and potential threats. Establishing a secure network usage policy can promote a proactive stance for the company should legal issues arise.
Brian recommends that small business owners have a written policy that every employee must read. In it, emphasize the importance of strong passwords and of avoiding suspicious links and emails. Spell out the dangers of bringing unprotected outside devices onto your business’s network; in fact, the best course of action is to not allow any personal devices to be connected to your systems. Finally, state how employees may use your network: only work-related business should be conducted on it, and all personal business should be conducted on a different network or out of the office.
Another way to ensure your employees keep your network safe is to deploy cloud-based services for your business processes. These services tend to be more secure than the traditional forms of storing data and working with data inside a small business environment. Make sure your employees are trained annually to have the same discipline that an employee at a larger company would have. It’s important to make sure that each small business employee knows the potential vulnerabilities of your company, and how they can protect themselves, the business, and your customers or clients from cyber threats.
Today’s world is fraught with peril from cybercriminals who wish to profit from or destroy your hard work. Cybersecurity must be made a top priority to help prevent this. We must be prepared to protect our organizations through countermeasures that include anti-malware software, system updates, comprehensive policies and procedures, and user training programs.
If you can afford it, periodic security audits are also recommended as a way to keep your business secure. There are many providers who will scan your environments, analyze existing policies, and make recommendations on how to remediate vulnerabilities and harden your systems.
Unfortunately, cybercriminals are not going away anytime soon and they are targeting small businesses more than ever before. Keep security in the forefront and you’ll have a better chance to avoid becoming one of their many victims.
Contributing authors: Ellis Friedman, Jennifer Leslie, and Ron Smith