Think your business is too small to be target of the cyber bad guys? Think again.
According to the Verizon 2019 Data Breach Investigations Report released this month, 43% of cyber attacks in 2018 targeted small businesses. That’s pretty high odds.
Just over half of the breaches resulted from hacking. Other tactics included social attacks (33%), malware (28%), events caused by errors (21%), misuse of authorized users (15%) and physical actions (4%).
If that is not enough to scare you, Symantec’s 2019 Internet Security Threat Report found that “formjacking” attacks skyrocketed in 2018, with an average of 4,800 websites compromised each month. Remember ATM skimming? Formjacking is similar, but it’s targeted at e-commerce. Cyber criminals load malicious code onto retailers’ websites to steal shoppers’ credit card details.
The Symantec report also found that supply chains remained a soft target with attacks ballooning by 78 percent.
While large businesses can dedicate resources to cybersecurity, small businesses face the same cybersecurity challenges and threats with limited resources, capacity and personnel. Yet, these statistics show that small businesses can no longer afford to sit back and hope that it won’t happen to them. Just like their large company brethren, small businesses need a cybersecurity strategy.
“I hear all the time from all size businesses, why would anyone attack us? In today’s world, it doesn’t matter if you are a Fortune 500 company or a startup or an individual, there are attackers out there that are coming after data, coming after money, using different mechanisms to attack all sized companies,” said Kevin Campbell, PwC’s Southeast cybersecurity expert, in an interview.
RANSOMWARE THREAT IS REAL
Ransomware continues to be a big threat to small businesses, he said, a point echoed in the findings of both the Verizon and Symantec reports.
Verizon’s report found that ransomware accounted for a quarter of all the malware incidents analyzed. Symantec’s report found that while ransomware threats were down against individuals, attacks on enterprises were up 12%.
“Ransomware are these bots that people can create or go to a store [on the dark web] and rent to launch attacks. Once the ransomware has found the way into your system in some way, shape or form they very quickly propagate across your network and encrypt everything. Then a message comes up demanding a ransom, typically $50,000 give or take,” Campbell explained.
The bad actors know that small businesses are typically more vulnerable. For a lot of these businesses, they are paying the ransoms. That’s because the alternative is to rebuild their systems from scratch.
“’I’ve seen small, medium sized companies that went in and tried to rebuild their systems, but then realized they hadn’t been backing up for six months,” Campbell said. “Ransomware really is targeted at your smaller companies.”
IoT DEVICES A NEW FRONTIER
Another trend is the use of IoT technologies as an infection vector. Indeed, the Symantec report found that IoT was a key entry point for targeted attacks and privacy breeches. Most IoT devices are vulnerable, the report said.
“It’s the wild wild west. People are building products, they are building apps, but yet they aren’t taking the lessons learned, from all the cybersecurity issues we have had, by building cyber and digital resilience into their product offerings. We are making the same mistakes we made 30 years ago,” said Campbell.
In PwC’s inaugural Digital Trust Insights survey, 81% of respondents said IoT is critical to at least some of their business but only 39 percent said they are very confident they are building sufficient digital trust controls with security, privacy and data ethics into the adoption of the IoT. Only 30 percent list IoT security among the safeguards they plan to invest in this year, the survey found. Similar results were seen for other emerging technologies.
So what’s a small business to do?
BUILD SECURITY INTO YOUR CULTURE
“If you are a new or newer company, from day 1 you’ve got to build security into the people, the process, the technology, the culture and the governance. You have to do it right … to ensure you have that digital resilience,” Campbell said.
Employees who click on attachments is still one of the easiest ways for companies to get infected, he said.
“Security awareness is huge. By building the right culture, the products we are going to build will not only hit this level of quality, but they are also going to have quality associated with security. Security is everyone’s job.”
And yet, he said, a lot of times companies are not putting enough structures in place for the reporting and oversight.
“Having the latest security software, web browsers and operating systems and having the best anti-virus software are part of the basics every company needs to have in place. But also key is the culture that ensures that an employee doesn’t introduce vulnerabilities and that they keep the software and systems updated.”
CUSTOMER TRUST IS AT STAKE
The stakes are high – and they go way beyond monetary losses. Your customer’s trust is on the line.
““Every company out there these days may be swept up in some broad attack that is happening out there. Every threat actor is relevant,” Campbell said, noting that one of the costs of one of the ransomware attacks, NotPetya, was $10 billion worldwide.
“I’m sure there were companies that went out of business [because of that attack]. And how do you build trust with your customers if your site is down for a week while you are figuring out whether you are going to pay a ransom or not? For hospitals, it’s lives on the line.”
Campbell believes having a cyber insurance policy is becoming a cost of doing business. Even so, he warned that small businesses need to make sure they have the right controls in place. He’s seen instances of insurers denying claims because the company hadn’t done certain things that were required.
Cybersecurity is a big focus for PwC, said Campbell, who is one of six partners in the Southeast dedicated to cybersecurity and privacy.
“With all sizes of companies, we try to address this risk that is real, and sometimes underestimated, so when it does happen to them — and it is not if it’s when — they are able to respond accordingly and have their business back up and running quickly.”
The Florida SBDC Network has a program and a website dedicated to cybersecurity education and advice. That website offers a guidebook, videos and other information. You can access the webpage here. In addition, Florida SBDC at FIU occasionally holds seminars on the topic.
MORE ADVICE FOR SMALL BUSINESSES
Here are some other recommendations gleaned from the reports cited in this post and from the Small Business Development Center’s guide:
- As you put your cybersecurity plan into place, consider firms that have experience in helping small businesses respond to cyber attacks. Your IT or managed service provider may have suggestions. The main function of a competent incident responder is to quickly identify the issue, stop the attack and minimize damages.
- Go beyond passwords (and there are an alarmingly high number of companies that don’t even have a strong password policy). Require 2-factor identification for everything, including customer-facing applications, any remote access and cloud-based email.
- Keep your operating system and antivirus software up to date and patch your operating systems as soon as they become available. This sounds super basic but it’s often not done, especially among small businesses.
- Web application compromises now include code that can capture data entered into web forms. Consider adding file integrity monitoring on payment sites, in addition to patching operating systems and coding payment applications.
- Your employees are your first line of defense against cyber attacks. They need to be trained to avoid becoming victims of phishing attempts and to report strange computer activity. Are company guidelines in place about the security of data on company laptops and on the use of unsecured WIFI?
- Speaking of employees, we know you love them. Yet about a third of cyber attacks on businesses last year were inside jobs: Monitor and log access to sensitive data, quickly move to shore up the access when an employee leaves the company and be vigilant.
READ MORE: Download the Small Business Development Center’s Guide: Cybersecurity Basics for Small Business.