There’s a dangerous misconception that cyberattacks only affect large organizations. The majority (66%) of business leaders at small to medium-sized businesses (SMBs) don’t believe they will fall victim to a cyberattack, according to Keeper Security’s SMB Cyberthreat Study. Small businesses are prime targets for cyberattacks.
According to Hiscox’s 2018 report titled Small Business Cyber Risk, 47% of small businesses had at least one cyber attack in the past year. This study put the average cost of a cybersecurity incident for small business at $34,604 but a more recent study by Continuum has that figure at $53,987. Furthermore, Ponemon Institute and Keeper also found that 67% of SMBs experienced cyberattacks within the past year.
Whatever the exact cost, the impact can be crippling for small businesses which is why having a robust cybersecurity policy in place is essential.
Secure Internal Systems
To mitigate the risk of an attack occurring, internal IT systems should be secured and managed by a dedicated IT team. There are two ways to do this, you can either hire an in house IT team or hire an IT service provider (MSP). There are pros and cons to both approaches. With an in house team, you have tighter cost control since the employee’s salary will remain static, they will have a greater understanding of your systems, and they are on-site so able to respond immediately to incidents. However, with the severe shortage of cybersecurity professionals in the US and Europe, salaries tend to be higher.
Outsourcing your IT team can be more cost-effective depending on your package and you can gain access to 24/7 support from highly skilled IT professionals. The downside is they are not on-site and you have to trust a third party with your IT systems.
According to the 2017 Email Security Report by IRONSCALES, 90 to 95 percent of successful cyber attacks were the result of a phishing scam. Legacy systems can put employees at risk by failing to filter phishing emails, but human error plays a huge role once the email gets in front of the employee. Staff must be given the skills to correctly identify a phishing email by knowing what to look for, and exercise caution when they are unsure.
Staff needs to be educated on spam, malware, ransomware, phishing, and social engineering attacks and the training needs to be refreshed regularly. The cyberattack methods that hackers use are constantly evolving and becoming more sophisticated so training needs to be repeated to reflect new risks.
Only 32% of small businesses have conducted phishing experiments to assess employee behavior and readiness in the event of an attack, presenting a huge risk to the small business. Employees of all levels need to receive cybersecurity training to ensure the business as a whole is safe and individuals understand what action to take.
According to Verizon’s annual ‘Data Breach Investigation Report (DBIR) released this year, C-level executives are 12 times more likely to be the target of cybersecurity incidents. Often hackers have greater access to the names and email addresses of higher-level employees like the owner or directors, which makes them a good target for social engineering scams. Higher-level employees are also the decision-makers so they are less likely to seek permission before completing an action that might compromise the company.
Credential Authentication, Screening, and Management
Having a strong password management policy is a cheap way to provide a significant boost to your cybersecurity. According to Keeper Security’s 2019 SMB Cyberthreat Study, with most breaches caused by stolen or weak passwords, organizations should start their cybersecurity efforts by focusing on password security first and foremost.
You can screen for previously used passwords from your employees, weak passwords, and compromised passwords against your internal IT systems. Enzoic provides affordable tools that can help you screen active directory for weak passwords and identify users who should create a stronger password.
All company-owned devices should be password protected to reduce the risk of both physical and remote attacks. Businesses are increasingly relying on a suite of devices to aid employees in their work. These include company smartphones, tablets, and portable laptops so that employees can work on the go. This presents a risk to company systems if these devices are not protected and are left unattended in public or are joining unsecured WiFi networks.
If your small business hosts online accounts, it’s essential that you use a compromised credential screening tool to protect you from account takeovers and fraud. Account takeover attacks have been on the rise in the last couple of years due to high profile data breaches exposing user credentials and this is one of the most effective ways to combat the issue.
Follow NIST Guidelines
Your company should follow NIST guidelines, especially NIST 800-63B guidelines. NIST provides a list of IT security guidelines for federal agencies to better manage cybersecurity risks. These are best practice guidelines around the use of authentication, digital credentials, and more. You should ensure that your IT team or MSP is familiar with the guidelines.
Encryption of Sensitive Files
You should consider encrypting sensitive files, such as those that contain personally identifiable information (PII), as well as legally or medically sensitive files. Encrypting these files ensures that only people who are authorized to see them can actually see their contents. This is important in terms of controlling and managing data within your business but also protects your files in the event of an outside attack.
You should ensure that your small business has a robust network security policy and that there are proactive security measures in place to protect systems from external access points. Even something as simple as a VPN is a good way to protect your data when you are sharing files online with employees, and they’re very affordable.
Small business cyberattacks can be prevented if you adopt the basics and use industry guidelines like NIST to shape your security policy.