There’s a temptation to say, “it couldn’t happen to me.” But actually, it could. And it does. The “it” we’re talking about is cybercrime.
Malware, ransomware, hacking, phishing … the big businesses aren’t the only ones who have to worry about it; small businesses are becoming a bigger target for cyberthieves. Nearly half of all small businesses suffered a cyberattack last year, according to a survey by insurance carrier Hiscox.
We’re not trying to scare you. Well, maybe we are, a little, but it’s a scare that might prompt action. Having good cybersecurity takes time, effort and money, which can be hard to scrape up for small businesses. But a little preparation can go a long way. We spoke to local cybersecurity experts about the blind spots many small businesses continue to have when it comes to keeping their digital data safe.
Fight the Good Fight
The biggest problem: Most small businesses just don’t make cybersecurity a priority. They may give it lip service or take it seriously one day only to forget it the next.
“People become complacent,” says Lee Noriega, COO and co-founder of Inceptus, a cybersecurity firm in Cape Coral. Remain vigilant, he says, because cybersecurity is an ongoing battle. A few fixes that often slip through the cracks at small businesses:
1. Update your software regularly. In addition to new features, updates often include security patches.
2. Get better passwords. No, “password” is not a good password for your email. Require unique passwords and change them every three months.
3. Go beyond antivirus. Most companies have antivirus software that can detect and remove malware, but it’s best at detecting known threats. Noriega recommends EDR (endpoint detection and response) tools that are much more comprehensive and do a better job of monitoring an entire system to detect when an attack may be happening.
4. Educate, educate, educate. You may assume everyone knows not to open that suspicious email attachment … but it just takes one person for your business to fall prey to a phishing scam. Have routine education sessions on best practices.
In a time when many are working from home due to the coronavirus outbreak, the virtual office must be protected, too. That raises a host of issues, especially if workers are using personal computers that may not have up-to-date software or are connecting over public Wi-Fi. Companies can address some of these issues, for example by setting up a VPN (a virtual private network) if employees will be accessing sensitive data from home.
Naples-based cybersecurity consultant Carrie Kerskie recommends giving employees general identity theft training. “If you teach employees to protect [themselves], that will carry over to the workplace,” Kerskie says.
If that’s not enough to take in, here’s where it gets more difficult: One big blind spot for small businesses is third-party vendors, Kerskie said. Remember the Target data breach? The one where hackers got 110 million Target customers’ personal and payment data? That happened because of a third-party vendor. Hackers got access to Target’s system through a company that maintained the retailer’s HVAC systems, Kerskie said. If a vendor has access to your network, you need to be asking about their security. “If it affects your company, it’s your responsibility,” she says.
Protect or Pay
You’re not too small to be held for ransom. Ransomware is like being held hostage during a bank robbery, but it’s your servers that are being held. You can’t access them, and the robber has slipped you a note (sometimes by placing it as the background on your desktop) demanding money. This rising threat can arrive via a phishing scam or other, stealthier means. It encrypts your data and demands payment for the decryption code. Keep in mind, though, that there’s no guarantee you’ll actually get it once you pay.
More than 205,000 entities were hit by ransomware attacks in 2019, up 41 percent from the previous year, according to a study by The New York Times and cybersecurity firm Emsisoft. It’s one of the fastest-growing threats for small businesses, too; in fact, about 71 percent of ransomware attacks target small businesses, according to insurer Beazley’s Breach Briefing report. The median ransom demand was around $10,000 but could range into the millions.
Close to 60 percent of businesses go out of business within six months of a ransomware attack, Noriega said. It’s a reminder to stay on top of your cybersecurity. Yes, it does come with a cost to get the best protection, but look at the worst-case scenarios. “There is some cost, but the cost is minimal compared to what happens if there’s a breach,” he says.
Often, cybersecurity consultants get involved right after the hack has happened. Panic has set in, the sky is falling, it is the end times—at least, that’s the mood. But it doesn’t have to be that way. As the saying goes these days, “Don’t panic, prepare.” Come to terms with the knowledge that despite your best efforts, you may one day get hacked. Small businesses may have a security plan in place, but generally, they don’t actually sit and plan through an attack.
Kerskie recommended creating an incident response plan. Like you make plans in case of a hurricane, do so in case of a breach. Establish a team—ranging from IT to accounting to marketing—that will guide the process, and possibly bring in an outside expert, depending on in-house expertise. The process helps you gain a broad understanding of your data and the possible ways it can be breached. Then, in case an attack does happen, you’ve created a step-by-step process of how to contain the breach, neutralize the threat and then recover from it. This isn’t just the internal tech response but also gets at questions about how to inform clients about a breach, or a marketing strategy of how your brand recovers afterward. “Every business has some sort of intellectual property,” Kerskie says. “You have to plan as if something is going to happen.”