Think your business is too small to be a target of the cyber bad guys? Think again.
It seems like we are always hearing reports of cyberattacks and breaches. This week, it’s Kaseya, a cybersecurity services provider to companies of all sizes, from SMBs to large companies, and its clients that are battling a massive ransomware cyberattack. It’s a reminder that cybersecurity needs to be an ongoing priority for all businesses, big and small.
While large businesses can dedicate resources to cybersecurity, small businesses face the same cybersecurity challenges and threats with limited resources, capacity and personnel. Yet the statistics show that small businesses can no longer afford to sit back and hope that it won’t happen to them. Just like their large company brethren, small businesses need a cybersecurity strategy.
“I hear all the time from all size businesses, why would anyone attack us? In today’s world, it doesn’t matter if you are a Fortune 500 company or a startup or an individual, there are attackers out there that are coming after data, coming after money, using different mechanisms to attack all sized companies,” said Kevin Campbell, PwC’s Southeast cybersecurity expert, in an earlier interview with Growbiz.
Marc Farron, an IT consultant for Florida SBDC at FGCU, would agree. He said 70% of small businesses experienced a cybersecurity attack in 2018 and 83% don’t even have a cybersecurity plan. The risks are real: 60% go out of business within six months of a major cyber attack, he said in an earlier presentation at the Small Business Leadership Conference in Orlando, produced by the Jim Moran Institute and the SBDC Network. “You should be concerned. This affects you,” he said.
He suggested small businesses follow a framework that provides a lens they can look through to get a clearer view of cybersecurity risk and where they need to go. He recommends the NIST Cybersecurity Framework, published by the U.S. Commerce Department’s National Institute of Standards and Technology. It is voluntary guidance, written in plain language and based on existing standards, guidelines and practices, for organizations to better manage and reduce cybersecurity risk. It breaks the work down into five functions: “You Identify, Protect, Detect, once you detect you Respond and then you Recover,” Farron said.
Mitigating risk starts with identifying the risks. That means taking an inventory of your data and technology as well as the resilience requirements for running your business, and detailing cyber roles and responsibilities within your org chart.
Two-factor authentication should be part of your password management, which also needs to include frequent password changes. Farron also suggested limiting employees’ access to data, being diligent about turning off access for departing employees and providing only temporary access to vendors.
As other experts have noted, spam and web filters, anti-virus and anti-spyware software aren’t effective if they are not regularly updated, but you would be surprised at how many small businesses are lax about that, as well as about installing patches for their operating system software.
And all the technology in the world may not save you if employees aren’t trained not to click on suspect emails and to watch for and report warning signs such as slowdowns, mysterious emails or pop-ups and missing information. “When things go a little different, go tell someone,” Farron said.
Lastly, he said, develop a plan for how you will respond if you are attacked, including notifying customers of the breach where the law requires it and managing the PR risk. “Stop making cybersecurity a technology issue and a constraining issue. … You have to manage risk and compliance,” he said.
Campbell said ransomware continues to be a big threat to small businesses. “Ransomware are these bots that people can create or go to a store [on the dark web] and rent to launch attacks. Once the ransomware has found the way into your system in some way, shape or form they very quickly propagate across your network and encrypt everything. Then a message comes up demanding a ransom, typically $50,000 give or take,” Campbell explained.
The bad actors know that small businesses are typically more vulnerable, and many of these businesses end up paying the ransoms. That’s because the alternative is to rebuild their systems from scratch. “I’ve seen small, medium sized companies that went in and tried to rebuild their systems, but then realized they hadn’t been backing up for six months,” Campbell said. “Ransomware really is targeted at your smaller companies.”
So what’s a small business to do? “If you are a new or newer company, from day 1 you’ve got to build security into the people, the process, the technology, the culture and the governance. You have to do it right … to ensure you have that digital resilience,” Campbell said.
Employees clicking on attachments is still one of the easiest ways for companies to get infected, he said. “Security awareness is huge. By building the right culture, the products we are going to build will not only hit this level of quality, but they are also going to have quality associated with security. Security is everyone’s job.”
And yet, he said, a lot of times companies are not putting enough structures in place for the reporting and oversight.
“Having the latest security software, web browsers and operating systems and having the best anti-virus software are part of the basics every company needs to have in place. But also key is the culture that ensures that an employee doesn’t introduce vulnerabilities and that they keep the software and systems updated.”
The stakes are high, and they go way beyond monetary losses. Your customers’ trust is on the line.
Campbell believes having a cyber insurance policy is becoming a cost of doing business. Even so, he warned that small businesses need to make sure they have the right controls in place. He’s seen instances of insurers denying claims because the company hadn’t done certain things that were required.
The Florida SBDC Network has a program and a website dedicated to cybersecurity education and advice. That website offers a guidebook, videos and other information. In addition, Florida SBDC at FIU occasionally holds seminars on the topic.
Here are some other recommendations gleaned from the reports cited in this post and from the Small Business Development Center’s guide:
- As you put your cybersecurity plan into place, consider firms that have experience in helping small businesses respond to cyber attacks. Your IT or managed service provider may have suggestions. The main function of a competent incident responder is to quickly identify the issue, stop the attack and minimize damages.
- Go beyond passwords (an alarmingly high number of companies don’t even have a strong password policy). Require two-factor authentication for everything, including customer-facing applications, any remote access and cloud-based email.
- Keep your operating system and antivirus software up to date, and apply operating system patches as soon as they become available. This sounds super basic, but it’s often not done, especially among small businesses.
- Web application compromises now include code that can capture data entered into web forms. Consider adding file integrity monitoring on payment sites, in addition to patching operating systems and securing the code of payment applications.
- Your employees are your first line of defense against cyber attacks. They need to be trained to avoid becoming victims of phishing attempts and to report strange computer activity. Are company guidelines in place about the security of data on company laptops and on the use of unsecured Wi-Fi?
- Speaking of employees, we know you love them. Yet about a third of cyber attacks on businesses last year were inside jobs: Monitor and log access to sensitive data, quickly move to shore up the access when an employee leaves the company and be vigilant.
READ MORE: Download the Small Business Development Center’s Guide: Cybersecurity Basics for Small Business.