
Cybersecurity isn’t just for large companies. Here are some tips.

You’ve probably heard of phishing, ransomware, denial of service attacks and of course computer viruses, but perhaps you thought these types of cyber attacks and breaches couldn’t happen to your small business.

“Most small businesses think they don’t have to worry about it. They always think it happens only to Sony, Target, the federal government, the hospital, but the reality that small businesses have is they are in the supply chain and also they are easy targets because they don’t have the cybersecurity budgets large companies do,” explains Brian Van Hook, Regional Director of Florida SBDC at FIU, in an interview with Growbiz.

The cyber bad guys are playing a numbers game. “They can have thousands or hundreds of thousands of attempts, but they just need one person to open or click a file in an email and they can get into that company,” says Van Hook.

An attack on a small business may not result in a request for a huge ransom, but it could compromise or lock up its systems, disrupting the business, and, perhaps even more importantly, hurt the company’s reputation and its relationship with its customers, he says.

Van Hook, “a recovering Federal and Congressional staffer,” is quite knowledgeable on this issue. In addition to his work advising numerous small businesses about cyber security through FSBDC at FIU, Van Hook previously worked in the U.S. Senate and in the Office of Technology Policy at the U.S. Department of Commerce, where he helped create national policies and assisted businesses in technology, telecom and cybersecurity. He also earned an Executive Certificate in Cybersecurity Leadership and Strategy from FIU.

And there’s lots of data on cyber attacks on small businesses. According to a Verizon report, 71% of investigated data breaches targeted small businesses with fewer than 100 employees. Businesses with fewer than 10 employees are most frequently targeted. These attacks are expensive too: The average cost of a cyberattack on a business exceeds $1 million, and the costs can go even deeper in terms of revenue loss and reputational damage.

The good news is every small business can put in security measures. In identifying weaknesses within your company, you need to think like a hacker.

One of his top tips: Focus on training your staff.

“Like I always like to say, your front line is your bottom line, and that’s especially important when it comes to cybersecurity,” says Van Hook. “They are the ones opening emails. It’s about making your team and employees aware of the different methods and threats that are out there.” That includes phishing attacks, denial of service, and even someone, such as a disgruntled employee, physically getting access to your computer system. When businesses say they don’t have anything anybody would want to steal, think about credit card information, vendor data such as bank accounts, the social security numbers of your employees, and more.

One of the best ways to train your employees is to run a phishing test to reveal vulnerabilities. Some employees will fail the test, but they will have much more situational awareness when a real breach happens. There are free phishing tests you can use, with more advanced phishing tests available for a cost.

Another area to focus on is having an internal cybersecurity plan for your business. There are free templates online from such agencies as the Federal Communications Commission. Core to the planning is also doing tabletop exercises with your team to review potential threats and how your company would respond if attacked. Fortunately, FSBDC at FIU provides services focused on training and cyber awareness, as well as an external threat assessment.

So what else can you do, beyond training your staff? Here are some more tips from Van Hook:

  • Avoid using company computers or accessing company portals at public hotspots. And as to company-owned devices, set rules around what they are used for — no outside apps on company smartphones, etc.
  • Understand that not everyone in your organization needs access to sensitive information. Limiting access to this can limit the exposure risk of potential threats. Require individual accounts and severely limit access to the most sensitive information.
  • Have ongoing detection to understand if suspicious activity is occurring. Most businesses don’t find out about a breach until weeks or months after. You want to catch it in real time. Contact the FBI and Secret Service field offices in Miami in the event of a breach.
  • Make sure your software is updated, including patches. “You are only as good as your latest patch.” Also, make sure you have backup access to critical information. Schedule regular backups so you do not lose data or information.
  • Require the use of strong passwords, not ones that are convenient to remember or that you use for multiple accounts. There is password manager software to help with that. And don’t forget two-factor authentication.
  • Take advantage of all the free information and training out there, including from the federal government via the Small Business Administration, the State of Florida and organizations like the FSBDC Network. National associations tend to have cyber trainings and offerings for their members. Check them out for your industry.

Want to learn more? Here are a few resources to get you started:

  • FSBDC Network video titled Small Business, Big Threat.
  • Federal Communications Commission (FCC) Cyberplanner tool, including a customizable cybersecurity plan.
  • SBA cybersecurity resources, including information and tools.
  • KnowBe4’s free IT security tools.

 
