As small businesses know, bigger doesn’t always mean better. Being small has lots of advantages — but cybersecurity is one area where small businesses often lack the upper hand.
While large enterprises have the resources to protect their networks against the ever-evolving landscape of cybersecurity threats, smaller businesses have tighter budgets and fewer resources — one of the main reasons hackers target small businesses. In its 2019 report on the state of cybersecurity for SMBs, the Ponemon Institute reported that the number of small businesses that experienced breaches “involving sensitive information about customers, target customers or employees” increased to 63% from 58% in one year.
What are the bad guys after? Here are four reasons your small business is attractive to hackers:
- Data: Even small companies traffic in data that’s easy to offload for a profit on the Dark Web, such as medical records, credit card information, Social Security numbers, bank account credentials or proprietary business information. Hackers can steal this and either use it themselves, or sell it to other criminals to use.
- Computing power: Hackers can commandeer a company’s computers and conscript them into an army of bots to perpetrate massive distributed denial-of-service (DDoS) attacks. A DDoS attack artificially generates enormous amounts of web traffic to disrupt service to a company or group of companies, and the hijacked bots help generate the disruptive traffic.
- A way to the big guys: Today’s businesses are digitally connected to each other to complete transactions, manage supply chains and share information. Because larger companies presumably (although not necessarily) are tougher to penetrate, hackers target smaller partners as a way to get into large companies’ systems. This is what happened in the 2013 Target data breach, which resulted in 40 million stolen credit and debit cards. In this instance, the thieves accessed the retail giant’s system through a small business — a third-party subcontractor that provided refrigeration and HVAC systems.
- Cash: While some attacks are about disruption (as is the case with DDoS), usually, the motive is to make a buck. This explains why ransomware is such a popular method of attack: It often succeeds in generating revenue — and as long as an attack method proves lucrative, hackers will keep using it.
So how can a small business protect itself? Warding off these costly attacks requires 360-degree cybersecurity measures that proactively protect all devices connected to a network.
These seven recommendations will help a small business create an effective cybersecurity strategy:
- Educate users: No amount of technology can completely protect your network and data, meaning user training and awareness is crucial to building solid defenses. Humans are often the weakest link in IT security — but trained workers shift from liabilities to assets, becoming your first line of defense against cybersecurity threats.
- Enforce password policies: Passwords are necessary and should be changed regularly. It’s important to require users to select combinations with numbers, special characters, and upper and lowercase letters to make passwords harder to crack.
- Secure endpoints: Many traditional anti-virus tools block only the malware they recognize, based on signatures that have been written into the AV software. More sophisticated endpoint protection software can scan for and block malware using a constantly updated threat list. From stationary workstations to laptops to mobile devices, all endpoints should be secured to help prevent a breach.
- Add security patches: Many ransomware attacks exploit vulnerabilities that can easily be fixed through proper patch management. Businesses need strict patching policies so users don’t ignore software update prompts. Preferably, businesses should deploy automated patch management, taking users out of the equation.
- Apply web security: Web security blocks unauthorized content with controls, such as denying access to Internet domains known to deliver malware. Even if a malware payload is delivered, web security can prevent it from communicating with the command-and-control server from which it would receive instructions to lock out data. This could stave off infection until the malware is detected and removed. Web security also lets you choose which types of content to allow into your network, blocking unauthorized data while still allowing outbound communications.
- Have an incident response plan: Prevention is critical to a cybersecurity strategy, but you cannot ignore another critical component: incident response. Because no security measure is 100% foolproof, businesses must prepare for the eventuality of a breach. Every business should have an incident response plan outlining what steps to take and who is responsible for the response following a breach. Without one, it’s hard to minimize the damage of a breach if you’re unclear on what actions to take. Some malware infections spread at lightning speed once a network has been breached, so reaction time is critical. Trying to come up with a response plan after an incident has occurred is too late.
- Create a cross-functional security team: While technical staff are usually the first to spring into action following an incident as they seek to identify the problem, assess the damage and start remediation, the response also includes non-technical aspects. Avoiding, preparing for, and responding to security breaches involves more people than those in charge of IT and cybersecurity. In addition to employees, it may be necessary to notify customers and suppliers about the breach, so there is work to do for management, as well as other functions like marketing, PR, HR and legal.
A cyberattack can have serious consequences, with many small businesses forced to shut down for good due to the fallout. By understanding that small businesses are just as likely to be targeted as the big guys — if not more so — and preparing for the worst with a smart cybersecurity strategy, you can keep your doors open and your customers happy for the long term.
Shena Seneca Tharnish joined Comcast Business Services as VP, Cybersecurity Products and Practice in late February 2017. She joined after serving as SVP, Enterprise Network Infrastructure at PNC Bank for five years in Pittsburgh, PA, and as a senior leader at The Home Depot, Inc. for twelve years in Atlanta, GA. In Shena’s time at Comcast Business, she has developed a Cybersecurity Product Framework that drives the commercial product roadmap, as well as security practices for all business products at Comcast Business. Shena has over 24 years of experience in Information Technology – leading and managing network engineering and application development services. Prior to joining The Home Depot, Tharnish worked as a network consultant with carriers MCI WorldCom and Concert Communications (BT/AT&T), designing wide area networks for businesses. Shena Seneca Tharnish earned her EMBA from the Robinson College of Business at Georgia State University, and her undergraduate degree was in Telecommunications Engineering Technology, with a minor in management, at Rochester Institute of Technology in New York.