Cyber crime is a growth industry: criminals across the globe commit financial fraud and steal company data and trade secrets without leaving their chairs. Cyber crime and security breaches cost businesses large and small a fortune, and they disrupt not just the businesses but their customers, who end up as victims of identity theft.
Data breaches cost businesses enormous sums every year, and attackers are targeting small businesses like never before, because small businesses are less protected and easier to hit. Forbes data journalist Niall McCarthy, citing an IBM study, reported that the average cost of a data breach in the U.S. is about $7.9 million. The same study found that breaches took close to 7 months on average to identify and over 2 months to contain.
Be worried, especially if you own a small business in 2019!
Homeland Security’s newly established Cybersecurity and Infrastructure Security Agency (CISA) tracks cyber threats and issues alerts and bulletins. The former U.S. Computer Emergency Readiness Team (US-CERT) is now part of CISA, which offers resources and training for small businesses, including a toolkit and best practices. For more tips, check out profitableventure.com’s collection of 50 Best Cyber Security Tips for Small Businesses in 2019.
Verizon’s 2018 Data Breach Investigations Report shows that criminals increasingly feast on unprepared small businesses rather than the household names: well over half of the breach victims in the report were small businesses.
More and more criminals are drawn to cyber crime because it is lucrative and needs little investment or risk. Much of this new wave of novice attackers goes after small businesses, because they are the low-hanging fruit: plenty of valuable data and little protection.
What if a cyber attack hits my business?
Preparation is key. Inc. contributor Joe Galvin reports that 60% of small businesses don’t survive past six months after a breach. Just as alarming, Galvin and Cisco found that the majority of CEOs in their study weren’t prepared and had no cyber security plan in place.
Why are small businesses particularly vulnerable to cyber threats? Here are the top reasons:
- They can’t afford dedicated IT staff, and if they can, training and budgets are often inadequate. A managed IT services provider is worth exploring: it offers deeper expertise and full-time availability.
- Inadequate or non-existent computer and network security, so threats aren’t detected at all or aren’t responded to quickly enough.
- They often don’t back up their data offsite, for example with a cloud backup service, so a single ransomware infection or hardware failure can take out every copy.
- Employees unknowingly help cyber criminals attack the business. Staff need to recognise attack methods as varied as social engineering phone calls and email scams; common examples are calls and messages impersonating IRS officials and emails carrying links to fake sign-in pages.
- Small businesses are easy to attack. Because they aren’t well protected, attackers find entry points to valuable customer financial data more easily, and stolen business credentials can then be used to attack the business’s suppliers, banks and other larger partners.
Which types of cyber attacks are most common?
Here are just a few of the most common categories of attacks:
- Email and phishing scams use email and text messages to hook victims. Official-looking messages ask the victim to click a link to a web page that imitates a bank, supplier or software vendor and to enter sensitive financial and personal data there. Criminals use the data for identity theft or sell it on.
- Password attacks. Criminals steal password databases from breached sites and crack weak hashes offline, try those leaked passwords on other services because people reuse them, or simply ask for them through phishing emails, text messages and phone calls.
- Server attacks. Denial of service (DoS), SQL injection and drive-by attacks target websites and servers. DoS attacks flood a system with more requests than it can handle, so legitimate customers are locked out. SQL injection smuggles database commands in through web form fields and URL parameters so the attacker can read or modify sensitive data in the database. Drive-by attacks plant malicious code on a website that infects visitors’ systems to capture and transmit their sensitive data.
- Man-in-the-middle attacks put the attacker between the victim and the service the victim thinks they’re talking to, for example through a rogue Wi-Fi hotspot or a look-alike web page the victim was phished into visiting, so the attacker can read or alter everything that passes through.
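The SQL injection item above, as an added example (this is not code from the article or from any product it mentions): a throwaway SQLite database with two constructed customer rows, the same lookup and the same delete written the vulnerable way (user input pasted into the SQL text) and the safe way (parameterised query), each fed a classic injection payload. Nothing here is specific to SQLite; every database driver offers parameter binding, and it is the fix for this whole class of attack.

```python
"""SQL injection: vulnerable string-built queries beside parameterised ones.
Added illustration; the rows below are constructed sample data, not real customers."""
import sqlite3

SAMPLE_ROWS = [
    ("ana@example.com", "4242"),
    ("bo@example.com", "1881"),
]


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def find_vulnerable(conn, email):
    """The bug: the user's input becomes part of the SQL statement itself."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_safe(conn, email):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes or keywords inside it can never change the statement."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def delete_vulnerable(conn, customer_id):
    """Same bug on a write path; returns the number of rows removed."""
    sql = f"DELETE FROM customers WHERE id = {customer_id}"
    return conn.execute(sql).rowcount


def delete_safe(conn, customer_id):
    """Parameterised delete; the bound value is compared as data only."""
    return conn.execute(
        "DELETE FROM customers WHERE id = ?", (customer_id,)
    ).rowcount


# Two classic payloads. READ_PAYLOAD closes the quoted string and appends an
# always-true condition; WRITE_PAYLOAD turns "id = 2" into "id = 2 OR 1=1".
READ_PAYLOAD = "x' OR '1'='1"
WRITE_PAYLOAD = "2 OR 1=1"


def demo() -> dict:
    """Run each query against the same input and collect what came back."""
    conn = make_db()
    return {
        "honest_query": find_safe(conn, "ana@example.com"),
        "read_attack_vulnerable": find_vulnerable(conn, READ_PAYLOAD),  # every row
        "read_attack_safe": find_safe(conn, READ_PAYLOAD),              # no rows
        "write_attack_vulnerable": delete_vulnerable(make_db(), WRITE_PAYLOAD),  # 2
        "write_attack_safe": delete_safe(make_db(), WRITE_PAYLOAD),              # 0
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run it and the vulnerable lookup hands back every customer’s card digits for a payload typed into an email field, while the vulnerable delete wipes the table; the parameterised versions return nothing and delete nothing, because the payload is compared as a literal string rather than executed.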
How can you protect your business from cyber attacks?
Small businesses are more vulnerable to attacks. Your best shot at protecting your small business and your livelihood is to have a plan, apply best practices and stay up to date.
Cyber security is fast becoming as critical to businesses as sales and finance. If your security isn’t up to date, the time to take steps to protect your business and customer data is now. Here’s what you can do for starters:
- Outsource your IT and security. If your business only has a few employees, you’re better off hiring a managed IT services provider, who has the expertise and capabilities of a much larger company, as well as full-time monitoring capabilities.
- Create a culture of security in your business. Make sure employees understand that the business is a target and report suspicious activity immediately.
- Assess risks and vulnerabilities. Hire an external consultant to test everything reachable from the internet, such as websites, remote access and shared drives and folders. Write down the procedures to follow in case of a breach, and make network and computer security a top priority, on par with other key business priorities.
- Training for employees is key. Make employees aware of cyber threats and cover network and computer security at regular staff meetings. Provide training for in-house IT staff. Microsoft offers online courses.
- Manage passwords properly. Every account gets its own long, random password, and the practical way to achieve that is a password manager, which generates and stores the passwords so nobody has to memorise them. Length matters more than forcing a mix of symbols, and current NIST guidance (SP 800-63B) is not to make staff change passwords on a schedule; instead, change a password as soon as you have reason to believe it was exposed, and screen new passwords against lists of known breached passwords.
- Use two-factor authentication wherever apps and systems offer it. The user enters a one-time numerical code along with their password. In the simplest form the code arrives by email or text message, which is far better than a password alone but can be intercepted or phished, so prefer an authenticator app that generates time-based codes on the phone, or a hardware security key, where the service supports them. Biometrics can replace the password on the device itself: the Hello feature in Windows 10 uses the laptop’s camera or a fingerprint reader to sign the user in.
- Update your software and systems continuously. Make sure you’re running the latest versions and security patches. Properly configure network security and use antivirus software.
- Back up all your data to protect against ransomware attacks. Use an offsite cloud provider in addition to on-site backup, keep at least one copy that a machine on your network cannot overwrite or delete, and test restoring from the backups regularly; a backup you have never restored is a hope, not a plan.
- Get started with the FCC’s Cyber Security Planning Guide. It covers everything from network and computer security to awareness and device and website security.
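The one-time code in the two-factor item above is, in authenticator apps, a time-based one-time password (TOTP, RFC 6238) built on the counter-based HOTP of RFC 4226. The Python below is an added example, not code from the article or from any product it mentions: it implements both, verifies a submitted code with a small clock-skew window and a constant-time comparison, and checks itself against the published RFC test vectors (the 20-byte ASCII secret 12345678901234567890). How the shared secret is enrolled on the phone and stored on the server is assumed to be handled elsewhere.

```python
"""TOTP / HOTP one-time codes, as used by authenticator apps.
Added illustration; RFC_SECRET is the public test-vector key from the RFCs."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    'dynamic truncation' to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so phone and server agree without talking."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, drift: int = 1) -> bool:
    """Accept the code for the current interval or up to `drift` intervals either
    side (phone clocks are rarely exact). Each comparison is constant-time so an
    attacker cannot learn the expected code from response timing."""
    if len(code) != digits or not code.isdigit():
        return False
    base = at // step
    return any(
        hmac.compare_digest(hotp(secret, base + d, digits), code)
        for d in range(-drift, drift + 1)
    )


def new_secret_base32() -> str:
    """Fresh 160-bit shared secret, base32-encoded, which is the form
    authenticator apps accept when a device is enrolled."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


RFC_SECRET = b"12345678901234567890"  # public test-vector key, RFC 4226 / RFC 6238


def self_test() -> bool:
    """Check the implementation against published vectors; True when all match."""
    hotp_ok = [hotp(RFC_SECRET, c) for c in range(3)] == ["755224", "287082", "359152"]
    totp_ok = (totp(RFC_SECRET, 59, digits=8) == "94287082"
               and totp(RFC_SECRET, 1111111109, digits=8) == "07081804")
    return hotp_ok and totp_ok


if __name__ == "__main__":
    print("RFC vectors match:", self_test())
    enrol = new_secret_base32()
    key = base64.b32decode(enrol)
    now = int(time.time())
    code = totp(key, now)
    print("enrol this secret in an authenticator app:", enrol)
    print("code valid right now:", code, "-> verifies:", verify_totp(key, code, now))
```

The drift window is the usual trade-off: one interval either side tolerates a phone clock a few seconds off, while a wider window gives an attacker more guesses per attempt, so pair it with rate limiting on the login endpoint. The same secret must never be reused across services, for the same reason passwords must not be.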
Why do I need a business continuity plan? And why should it cover cyber attacks?
A business continuity plan lays out the steps and processes to follow so that your business can recover and resume operations after a disaster or major disruption.
Governments treat cyber attacks as potential disasters, just like floods and earthquakes. A business continuity plan keeps your business running during a disruption. It won’t prevent cyber attacks, but it should reduce the risk and limit the downtime when one happens.
Regularly test your ability to recover, to find weaknesses and make sure you can respond quickly. Preparation and testing save money in the long run. Protecting the business against cyber threats should be a priority for you, and for the entire board if your business is a corporation. Implement the plan across the whole business.
The business continuity planning process for large corporations and governments is extensive. To go into a lot more detail about planning steps before and after attacks, visit Ready.gov’s Cybersecurity online resources.
What’s an IT disaster recovery plan, and do I need one?
A basic IT disaster recovery plan should identify the steps to assess damage and restart operations, say who is responsible for which tasks, and specify how often to update the plan.
What happens to your IT systems and data in a disaster? Your business might have a general disaster recovery plan, but does it cover those areas? In a cyber attack you could lose your network access and your data. A basic IT disaster recovery plan should detail the steps to get you running again:
1. What did they take? Assess the damage
What data is compromised? Is it just names and addresses, or more serious data such as passwords or credit card numbers?
2. Respond immediately
Change all logins and passwords to completely different random ones, and sign out existing sessions where the system allows it. If the attackers reached your banking information, call your bank, cancel the cards and have new ones issued. Disconnect affected machines from the network rather than wiping them, so the evidence you’ll need in step 4 survives.
3. Advise customers, suppliers and anyone else affected
Advise customers and others as soon as you’re aware of a breach: tell them what data was taken, what you’re doing about it and what they should do. Many jurisdictions set legal deadlines for breach notification, so find out which apply to you.
4. Perform an audit to determine the scope and the vulnerabilities
Audit your systems to work out what happened. If the attack involved criminal activity and stolen financial information, hire a consultant to determine the full scope of the damage and recommend actions to plug the security gaps.
Bottom line: cyber attacks are the new normal for small businesses!
If you’re still reading, then you know how vulnerable you are to cyber crime. Cyber attacks are the new normal for small business. Media reports focus on corporate mega breaches, but as mentioned earlier, small businesses are the new frontier for cyber criminals.
Large corporations have the resources to survive big breaches; a small business might have to close shop after one. Given the risks, prepare now: put the right measures in place, keep your rapid-response and IT disaster recovery plans up to date, use an IT services firm if it makes sense for your business, and treat cyber security as seriously as any other aspect of your business.