Many small business managers mistakenly think that cyber criminals are only interested “the big boys” with their large databases of customer information.
However, a survey from the Ponemon Institute revealed that 55% of small companies with 1,000 or fewer employees had experienced a cyber attack in the past 12 months.
- 50% of the companies had data breaches involving customer and employee information in the past 12 months.
- The companies spent an average of $879,582 because of damage or theft of IT assets.
- Disruption to normal operations caused by cyber attacks totaled $955,429.
What cyber threats and vulnerabilities does your small or medium-sized business need to pay attention to? How can you reduce your risk of a cyber attack and be prepared in case an attack does happen?
Cyber Security Threats Facing Small Businesses
The survey revealed that the most prevalent attacks against small businesses were web-based and phishing attacks. Small companies’ biggest cyber security worries included loss or theft of customer information and intellectual property violations.
In addition to these concerns, Risk Placement Services has identified other cyber security threats that affect small businesses:
- Ransomware. This is an act of sabotage in which hackers demand money from an individual or organization as a condition for ending the attack.
- Internet-of-things attacks. As more people adopt internet-connected cars and other devices at home, at work and on the go, there is a growing risk that they may be compromised for nefarious purposes. For example, Wired magazine published a demonstration showing how a connected car can be hacked in order to control the vehicle, including braking and steering.
- Chatbots. Bad guys have used these to target financial institutions. They gain remote control of customer devices, then pose as regular customers to access private accounts.
- Machine learning and artificial intelligence. AI means that cyber criminals can detect vulnerabilities in your system even faster, making it harder to keep security software up-to-date.
- Insider threats and compromised business addresses. Attackers will spend time gathering data on targeted individuals within the organization. Business addresses and websites will be used for malware, digital currency mining and data gathering.
Cyber Security Risks for Small Businesses
Companies of all sizes have databases containing personally identifiable information such as credit card and bank account numbers, Social Security numbers or medical histories. Any business network where employees store and access customer data could be an attractive target for cyber thieves.
Besides the misperception that cyber attacks only happen to large organizations, there are other sources of risk that leave many small companies vulnerable to cyber threats like those described above.
- Lack of a cyber security policy. Many small organizations believe they simply don’t have the personnel, budget or technology to implement a strong security policy, so threats go unidentified and unaddressed until an attack occurs.
- Lack of a password policy. Two-thirds of small businesses surveyed do not strictly enforce a strong password policy, and most do not require passwords or biometric identifiers to secure access to mobile devices.
- Vulnerable devices. Web and intranet servers were the most vulnerable end points and entry points of attack for small businesses surveyed. Cloud-based computing and growing usage of mobile devices are another growing source of vulnerability.
A Cyber Security Strategy for Small Businesses
Although the possibility of a cyber attack can never be completely eliminated, a small company can reduce the risk by implementing a cyber security strategy.
- Protect against viruses, spyware and malicious code. Invest in antivirus software and antispyware on all computers, and update your protection regularly.
- Secure your networks. Firewall and encryption technology guard against unwanted access. Your wi-fi should be configured so that the network name isn’t broadcast to passersby. Router access should be password protected.
- Protect sensitive information. Establish and enforce a clear policy for handling and protecting personally identifiable information (PII) on customers.
- Have a password policy. Require employees to use strong passwords with capital and lowercase letters, numbers and special characters, and change passwords on a regular basis. Some companies require multi-factor authentication that requires an extra identifier besides the password.
- Use best practices on payment cards. Ask your bank about anti-fraud services, and use separate devices for processing payments and regular Internet usage.
- Backup important information. Never store vital company information in just one location. Store copies offsite, on an extra hard drive, in the cloud or in hard copy form.
- Control physical access to computers and network components. Remember, laptops and many other devices can be easily picked up and stolen. Keep sensitive devices locked when unattended. Create separate user accounts for employees so you can track who has access to sensitive data and devices.
- Control use of mobile devices. Require employees to password protect their mobile devices, and have them install security apps to prevent sensitive information from being stolen from public wifi networks.
- Protect pages on public-facing websites. Many businesses already know to secure web pages where customers make purchases or sign up for newsletters. But what if a hacker gets access to your website and defaces it by posting objectionable content or propaganda? Patching, protected access credentials, automated backup and regular scanning are steps that can mitigate this risk.
- Educate employees and hold them accountable. Every employee should know, understand and help to implement your company security policy. Your cyber policy should include safe use of social media and connected devices.
Cyber Insurance Coverage
In addition to implementing a security policy, cyber insurance can offer additional protection in the event of an attack.
A cyber insurance policy can include data breach insurance and cyber liability coverage, and may include the following:
- Cover the costs of a data breach for identity protection solutions, notifying affected individuals, public relations, legal fees, liability and other costs.
- Help facilitate a quick response in the event that your business falls victim to a cyber attack.
- May provide access to professional assistance to help with compliance with applicable laws pertaining to the attack
Are you concerned about cyber security for your business? Are you looking for ways to reduce your risk?