Business leaders at small and medium-sized businesses (SMBs) may think they are not at risk for cyberattack, but the evidence shows that nothing could be further from the truth. In fact, SMBs are prime targets for cybercriminals.
According to a 2019 Ponemon research study, there has been a significant increase in the number of SMBs experiencing a data breach over the last three years, with 66% of respondents reporting that their organizations experienced a cyberattack over the last 12 months.
The costs of cybersecurity incidents can be severe, especially for small businesses. The report showed that SMBs spent an average of $1.2 million because of damage or theft of IT assets and infrastructure. Additionally, disruption to normal operations cost an average of $1.9 million.
Monetary losses, along with damage to a company’s data and reputation, can have devastating effects long after a cyberattack occurs. Because of that, it's critical for businesses to understand how they're vulnerable and how they can protect themselves.
Why Are SMBs Vulnerable to Cybercrimes?
With so many competing demands, cybersecurity is often not top-of-mind for small business owners. A cyberthreat study by Keeper showed that only 9% of SMBs ranked cybersecurity as a top business priority, and 60% of executives at SMBs said they do not have a cyberattack prevention plan.
The lack of priority for cybersecurity, along with the limited resources that SMBs have for IT professionals and protection, often puts small businesses right in the crosshairs of cyberattackers.
Types of Threats for SMBs
New versions of cyberthreats develop almost daily. Here are some to be on the watch for:
- Phishing is a top cyberthreat for SMBs, in which attackers try to entice employees to click an email link or open an attachment to gain login credentials or infect users’ computers with malware.
- Spear phishing emails impersonate a company executive, requesting that an employee wire funds on their behalf.
- Malware, which comes from spam emails, malicious website downloads or other infected devices, provides a way for hackers to gain access to networks and steal or destroy data.
- Ransomware encrypts company data so it cannot be used or accessed until the company pays to unlock it.
- Web server attacks involve a Distributed Denial of Service (DDoS) attack, which overloads system resources, causing a disruption or delay in a company’s server or network.
- Password insecurity occurs when employees increase their vulnerability to cybertheft by using weak passwords or the same passwords across multiple accounts.
Ways to Defend Your Business Against Cyberattack
While cyberthreats continue to grow, there are a number of actions that SMBs can take to protect against an attack:
1. Make a Plan
SMBs need to make cybersecurity a priority. According to research from The Manifest, 64% of small businesses say they are likely to devote more resources to cybersecurity in 2020.
Start by assessing your current risk with a cybersecurity audit. The FCC offers a tool to help you create a custom cybersecurity plan for your company, including how to respond to an incident if one should occur.
2. Educate Your Staff
Since a single click on a malicious link can lead to data loss, the importance of regular employee training cannot be overstated. Help employees spot phishing emails by teaching them to evaluate the veracity of URLs and cautioning them not to click on suspect links.
Looking for the lock on HTTPS sites is no longer enough. Employees should verify a site by clicking on the lock icon to see the Certificate Authority (CA) that issued the certificate and the company to which it was issued.
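The URL checks described above can be turned into a short script for training exercises or for triaging reported emails. This is an added example, not part of the original article; the trusted domain, the sample links and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the one domain this business really uses (constructed for the example).
TRUSTED_DOMAINS = ("example-bank.com",)

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def url_warnings(url, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link deserves a second look (empty list = none found)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        warnings.append("text before '@' is not the site; the real host follows it")
    if _is_ip(host):
        warnings.append("raw IP address instead of a name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (may render as lookalike characters)")
    # The real site is named by the END of the host, not by text that appears in it.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        brand = next((d for d in trusted if d.split(".")[0] in host), None)
        if brand:
            warnings.append(f"mentions {brand} but is hosted on {host}")
        else:
            warnings.append(f"{host} is not a trusted domain")
    return warnings

# Constructed sample links, as they might appear in a training exercise.
SAMPLES = [
    "https://www.example-bank.com/login",
    "http://example-bank.com.account-verify.test/login",
    "https://example-bank.com@203.0.113.5/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", url_warnings(link) or "no warnings")
```

A clean result only means none of these patterns matched; the certificate check described above still applies.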
3. Keep Your Systems Up-to-Date
Ensure you have the latest threat protection by keeping your computer operating systems, antivirus programs and other software up to date. A Website Application Firewall (WAF) can offer another tool to provide protection against DDoS and other web application attacks.
4. Use Encryption
Encryption software, available from IT service providers, can help ensure that sensitive information, such as employee and customer records, doesn’t fall into the wrong hands.
Encryption can also be a vital tool in protecting the increasing number of employees working remotely. SMBs can lessen the risks by providing a Virtual Private Network (VPN), which creates an encrypted connection for remote workers to send and receive data.
5. Strengthen Employee Passwords
The Verizon 2020 Data Breach Report showed that 37% of credential theft breaches used stolen or weak credentials. To combat this threat, encourage employees to use strong passwords that combine letters, numbers and symbols and that are not used on other accounts.
Other ways to beef up password security include using password managers and providing multi-factor authentication, which requires employees to use more than one method to log in to their accounts.
6. Emphasize Mobile Cybersecurity
Protecting company data goes beyond desktops and laptops to include mobile devices. Ensure that employees who use their own mobile devices password-protect them, encrypt sensitive data, and install security apps that can help keep information safe while the phone is on public networks.
7. Protect Against Insider Threats
Current or former employees or contractors may either intentionally or mistakenly cause an information breach. A 2019 Varonis Data Risk report showed that 17% of all sensitive files were accessible to all employees. Guard against insider threats by determining who at your organization should have access to certain types of data and continue to monitor emails and activity on key data sources.
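One way to start the access review described above is to list the files on a shared drive that every account can open. This is an added example, not part of the original article; it assumes a Linux or macOS file server with POSIX permission bits and treats the "other" permission class as a stand-in for "all employees" (Windows and cloud shares use ACLs and need their own tooling).

```python
import os
import stat
import sys

def broadly_accessible(root):
    """Return sorted (path, reason) pairs for regular files under root that
    any local account can read or modify, judged by POSIX permission bits."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        # Nothing below a directory is reachable by "other" without the
        # traverse (execute) bit, so such directories are not descended into.
        dirs[:] = [
            d for d in dirs
            if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH
        ]
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(mode):
                continue  # ignore symlinks, sockets and devices
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif mode & stat.S_IROTH:
                findings.append((path, "world-readable"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit.py /path/to/shared/folder
    for path, reason in broadly_accessible(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```

The starting folder itself is assumed to be reachable by everyone, so run it against the share root that employees actually mount.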
8. Back Up Your Data
Finally, use a regular data backup system to ensure company data is always accessible. In addition to onsite storage, secure cloud storage can help protect your business against data loss or ransomware and safeguard the work of remote employees.
The key for businesses is to remain vigilant, because cyberthreats show no signs of abating. In response, small businesses need to keep their guard up and take action to protect the data that’s the lifeblood of any company. With stakes that high, businesses are wise to take a proactive approach to cybersecurity.