Can Small Businesses Have Effective Cybersecurity?
Can small businesses have effective cybersecurity? The short answer? Yes!
In this episode, Security Architect Sean Jacobs dispels the myth that small businesses are unable to provide adequate cyber protection.
According to the FBI’s Internet Crime Report, the cost of cyber crimes reached $2.7 billion in 2018 alone, and 43% of these breaches impacted small businesses. As this number only continues to rise, cyber attacks are a growing threat for all businesses.
Small businesses especially make attractive targets—but why?
Why Cyber Attackers go After Small Businesses
Small businesses typically lack the security infrastructure that larger businesses possess, which can make them more susceptible to a cyber attack. In fact, 88% of small business owners in a recent survey felt their business was vulnerable to a cyber attack.
According to the Bank of America Merchant Services’ Small Business Payments Spotlight, small businesses breaches are becoming both more common and more costly. In the last two years, more than one in five small businesses reported a data breach—up 17% from two years ago. The scariest number? The same research found that 41% of small businesses have suffered a breach that costing more than $50,000 to recover from. For small businesses, this can be a major blow.
Small businesses are often a sweet spot for hackers since they have more digital assets than an individual consumer would, but less security than a larger enterprise. Small businesses have limited time, money, and resources, so many can’t afford to pay for the high salaries required to have a full-time, in-house IT staff with the most recent skills and experience. Plus, with fewer employees, there is limited time and resources to devote to cybersecurity. Many small businesses also overlook cybersecurity because they simply don’t know where to begin.
Don’t get overwhelmed—just because you’re a small business doesn’t mean you can’t have effective cybersecurity. Through awareness, education, and a little extra effort, businesses with any amount of employees and revenue can take strides towards protecting themselves.
Cybersecurity Threats Small Businesses Should be Aware Of
The first step to improving your cybersecurity as a small business is simply to gain awareness of what kinds of threats are out there. Once you have this knowledge, you can identify which threats your business is at most risk for. Only then can you actually create and implement a strategy for avoiding them!
So, while this is by no means a comprehensive list, here are some of the most common cyber security threats facing small businesses.
Malware. Malware is an umbrella term. It refers to any kind of program introduced into the target's computer with the intent to cause damage or gain unauthorized access. Common types of malware include viruses, worms, Trojans, ransomware, and spyware.
Viruses. Viruses are harmful programs intended to spread from computer to computer and other connected devices. Viruses are designed to give cyber criminals access to your system.
Ransomware. Ransomware is a specific type of malware that infects and restricts access to a computer until a ransom is paid. Ransomware is usually delivered through phishing emails.
Phishing attack. Phishing, or credential harvesting, is a type of cyber attack that uses an email link or a malicious website to infect a device with malware or collect login credentials Phishing emails are so dangerous because they look like they’ve been sent from a legitimate organization or known individual.
DDoS attack. An acronym for distributed denial of service, DDoS attacks occur when a server is intentionally overloaded with requests until it shuts down the target's website or network system. Then, the hacker can gain access.
Inside attack. This is when someone inside the organization purposely misuses their credentials to gain access to or exploit confidential company information. Former employees can present a major threat if they left the company on bad terms, so make sure you have policies in place to revoke all access to company data as soon as an employee leaves.
Man-in-the-middle attack. Hackers who use man in the middle attacks install malware that interrupts the flow of information to steal important data. This is generally done when a user is connected to an unsecured public Wi-Fi network.
Password attack. There are three main types of password attacks. One is a brute-force attack where the hacker simply guesses the password until they get in. Another is a dictionary attack, which uses a program to try different combinations of dictionary words to generate common passwords. The last is referred to as key-logging, which is when a hacker uses a program to tracks a user's keystrokes in order to replicate their usernames and passwords.
SQL injection attack. SQL injection attacks on your server give hackers access to sensitive information, which they can then modify or download for malicious use.
Zero-day attack. Zero-day attacks prey on unknown flaws and exploits in software and systems. They are often discovered by hackers before a company’s internal developers or cybersecurity team are even aware of any threats. Since these exploits can often go undiscovered for months, they can be especially dangerous.
Simple Cybersecurity Best Practices for Small Businesses
Here are a few best practices that small businesses can adopt (even without a complete internal IT team!) in order to protect themselves from the common types of cyberattacks we just went through:
1. Assess Your Business Risk
The first step in improving your cybersecurity strategy is understanding where it currently stands, your risk of an attack, and where you can make the biggest improvements. Conducting a cybersecurity risk assessment makes it possible to identify where your business is vulnerable so you can create a plan of action going forward!
2. Keep Your Software Up-to-Date
Hackers are constantly scanning for security vulnerabilities, and outdated software can make you more susceptible to an attack. It’s important that each of your devices is equipped with anti-virus software and anti-spyware—but even more important that it's updated regularly. Most software vendors regularly provide patches and updates to their products to improve security and functionality, so configure all your software settings to install these updates automatically.
3. Educate Your Employees
Raising awareness about cybersecurity in your organization and properly training your employees is a great first line of defense against hackers. Teach your employees about the different ways cyber criminals can infiltrate your systems, how to recognize red flags, and tips for staying safe while using the company's network. You could consider displaying materials in your workplace to raise awareness about cybersecurity. The Department of Homeland Security’s “Stop.Think.Connect.” campaign provides posters, brochures, and other materials that you can download and distribute.
4. Use Strong Passwords and Multi-Factor Authentication
Using strong passwords and multi-factor authentication is one of the easiest ways to improve your cybersecurity. Be sure all of your employees are educated on what a strong password includes, use different passwords for different accounts, and have multi-factor authentication enabled. This can prevent credential harvesting, one of the biggest cybersecurity threats!
5. Control Physical and Administrative Access
Prevent access or use of business computers by unauthorized individuals. Laptops can be targets for theft or easily misplaced, so lock them up when unattended. Additionally, administrative privileges should only be given to trusted IT staff and those who actually need it. Every employee shouldn't be able to open the storage room for devices or change settings on the network.
6. Implement Formal Security Policies
Having formal security policies in place (and actually enforcing them!) is an essential component of any cybersecurity strategy. Make sure each employee knows what to do in case they lose their work laptop or they receive a suspicious email that may be a phishing attempt. There should be a process for reporting issues to IT and following up on them.
7. Practice Your Incident Response Plan
Despite your best efforts, there unfortunately may come a time when your small business falls victim to a cyber attack. It's important that your staff knows what to do in this case. Being prepared prevents a state of panic that can lead to even more vulnerabilities. By drawing up an incident response plan and practicing it, attacks can be quickly identified and steps can be taken before too much damage is caused.
8. Utilize Secure Digital Tools
Thanks to modern technology, there are various tools available on the market that your business can leverage in order to combat common security threats. Before purchasing any type of hardware or software for business use, make sure it has the right security features and fits into your cybersecurity strategy!
Protect Your Small Business with Microsoft’s Secure Tools
Microsoft hardware and software comes equipped with valuable, robust security features that can keep your business data secure and give you peace of mind.
For example, when using a Microsoft Surface device with built-in LTE, employees working remotely or on-the-go can won’t need to connect to public Wi-Fi networks. This makes it possible to avoid dangerous man-in-the-middle attacks altogether.
Surface devices also come equipped with a built-in firewall and anti-malware solution. Plus, with automatic updates, your business will always have access to the latest and greatest security features, as well as most updated versions of Microsoft Teams and Office 365.
Additionally, the higher tiers of Office 365 for Business include multi-factor authentication, which should be used to provide another layer of security to usernames and passwords that can be easily compromised. These tiers also include phishing email protection in the Outlook tool! Both of these features can protect your users from falling victim to credential harvesting.
At Protected Trust, we're a Microsoft Certified Partner wit the goal of helping organizations become more modern and mobile. We believe this can be done through Microsoft’s tools and vision.
Our team is always here to help businesses of any size operating in any industry create a cybersecurity strategy—then effectively execute on it using Microsoft hardware and software.
Ready to transform the way your small business handles cybersecurity? Contact us today!