Hacker and malware attacks have become more sophisticated and now target entire businesses. You therefore need to put in more effort than updating appliances and installing security software.
If you are a small mom and pop shop, you may not be as worried about cyber attacks. After all, nothing bad has happened yet. This can be dangerous thinking. It is easier than ever to attack small and medium-sized businesses. You are a more attractive target than large corporations, due to lower defenses and a quick return on the attacker's time investment.
Even if you don't think you have anything of value, you are still at risk. The criminals want one of two things:
- Easy access to customer contact info, credit cards, health information, vital business information, and intellectual property.
- A jumping-off point to attack other small businesses.
The cost of an individual attack can range from a few hundred to a few million dollars. The range is so wide because of differences in business impact and in how the data is reported. Either way, that can be more than enough to put many companies out of business.
Whether it's to protect you and your customers or other entities and organizations, you have a duty to perform the basic elements of cyber security.
Cybersecurity Is More Than Tech
Cybersecurity is not just about tech, so it is imperative to employ active security practices. This isn't a passive undertaking. You can't leave it only to IT and security people, and you can't entirely outsource it either. They can't solve everything themselves, and you need to care about it more than anyone else: this is your business.
The main goal is to keep the balance between convenience and security. Just because something is the more secure option doesn't necessarily make it the right decision. At the end of the day, you still have to run a business.
Your data, especially customer data, is important and worthy of attention and protection. Without it, you cannot do business. If you lose or misuse it, you can lose trust and potentially be legally accountable. So the best way to approach information and data is to treat it the same way you do with other assets, whether intellectual or physical.
You Can Still Be Hit, Even if You Are Not a Direct Target
While it's true that not all small businesses are directly targeted, you can still be at risk. Scans and probes often stumble upon small businesses by accident. When a weakness is found, hackers will exploit it to see what they can find. It doesn't have to be a premeditated attack.
Once attackers get a bite, they will look around to see what they can extort you for and sell on the black market.
Different businesses can be valuable for varying reasons. Thus, you should expect a breach to be costly. Besides the loss of data or property theft, you would have to account for potential downtime, compliance penalties, mandates for credit monitoring, litigation, and more.
Small Business Cyber Security Horror Stories
So far, this can all sound inconvenient. If you are not in this realm, it can be hard to see what's truly at stake. But let's see how some of this works in the real world. Let's look beneath the surface in a few small business case studies linked below.
Another story comes from the Hollywood Presbyterian Medical Center. If I can re-find the news story that discusses this incident, I'll link it. For now, here are the facts:
- For over a week, computer systems were shut down.
- Hackers demanded a ransom of 9,000 bitcoin, which was about $3.7 million at the time.
- All of the hospital’s data was encrypted, blocking access entirely.
- The hospital was forced to revert to paper registrations and medical records. Emergency patients were sent to other hospitals in the area.
- Operating costs skyrocketed, not including the ransom.
- The hospital maintains patient care was compromised.
That's some scary stuff. You have put so much time into your small business. Why not take steps to keep the fruits of your labor around?
Start With Education
Security awareness is about education and behavior change, and not just for you, but your employees as well. No matter how you slice it, people are part of your defense.
So let's start with the basics:
Who Are the Threats?
- Internal threats – employees, contractors, services
  - Intentional – disgruntled employees
- Immediate external threats
  - Competitors of your business
  - Pranksters and trollers
  - Organized crime groups
  - Foreign governments – Advanced Persistent Threats
What Are the Main Attacks?
- Social engineering – scams, trickery, cons
- Email and website phishing
- Malware, including ransomware
- Denial of service attacks – DoS and DDoS
- Password attacks, including brute force
- Lax access controls
- No enforcement of business practices and procedures
- Out-of-date software and firmware
- Hardware failures or power outages
- Lack of physical locks and security controls
Focus on People
Fortifying your boundaries is great. However, attacks can come from the inside. By increasing access control and authorization requirements, you can help make sure it is easy for employees to follow protocol.
Not only should this be about training, but also creating a culture of accountability. Expect excellence and help your employees achieve it. Help them understand how critical they are and update them on the latest best practices as they relate to your business.
You do this by establishing these main points:
- Establish rules of behavior on how to handle and protect data, whether it is business information or customer data.
- Define what is at stake, and how the business requires protection.
- Set boundaries and determine recourse for violating business policies.
- Create basic security practices and policies for employees.
Update 3/21: The Best Cyber Security Strategy Moving Forward
You and your employees now have awareness. Great! What's next? You can protect your assets with a news article. What's the best approach moving forward? The best cyber security strategy is to get started.
Keep it simple and make sure you are able to actually move forward. Do what you can, when you can. Get some quick wins under your belt.
More on this topic is available in the video below. Tonya Hall asks Dr. Edward Amoroso, CEO of TAG Cyber, what's the best defense against a nation-state threat actor. The answer may shock you. Going simple might actually be the smart thing to do, especially when cybersecurity is an afterthought.
Ignoring the problem is no longer an option. Small businesses must take steps to secure their business, no matter how likely an attack is. There are cost effective measures to take. A little education goes a long way.
Your average employee won’t know enough about data protection and safe browsing. That's fine. Bring them up to speed on what is expected while they use your assets. You can consider annual training or find a service that can teach your employees.
Even though the attacks themselves have increased in sophistication, the tactics have not. One of the most successful strategies cybercriminals still use to breach small businesses' networks is phishing, along with other social engineering tactics. It's a lot easier and a lot less time-consuming to have you let them in than to attack your defenses directly.
In closing, this was NOT written with the intention to scare or preach to you. The goals are to raise awareness and to help outline steps small businesses can take to make themselves a little less valuable as a target, whether directly or indirectly.
Some steps are easier than others. Other steps will require a more drastic change. Use what works best for your small business.