Small business owners may not expect to be the target of cyberattacks — after all, wouldn’t hackers be more interested in multinational firms, financial institutions and governments?
But SMBs are just as much at risk for cyberattacks as larger organizations — perhaps even more so, because many lack proper security measures. And that makes them easy targets.
Indeed, a recent study by the Ponemon Institute found that more than 50 per cent of SMBs have been breached in the past 12 months (the most prevalent attacks being phishing or social engineering). Of those surveyed, only 14 per cent rated their ability to mitigate such attacks as highly effective. The reason: lack of budget, technology and personnel.
If you’re a small business owner or an IT pro working for an SMB, this comes as no surprise. You may well be aware that security risks are lurking around every virtual corner, but you simply don’t have the budget to invest in technology or personnel.
And while security is a concern, it’s often not a priority — though the aftermath of an attack can be devastating, particularly for SMBs.
“The cost of recovery is staggering and in most cases, it leads to the shutdown of businesses,” writes Oscar Marquez in an article for Security Magazine. “The average cost of recovery from SMB data breaches is $36,000 and can even lead to a loss of up to $50,000. This amount may even be the total value of small businesses. Recovery may be near to impossible if you are a data breach victim.”
How can you protect your small business?
Though the threat landscape is constantly evolving, security is not a lost cause. Following some straightforward protocols, investing in the right technologies and perhaps even turning to a trusted partner can help to mitigate cyberattacks.
First off, it’s important to create a formal security policy — and then enforce it (that means putting someone in charge of it). According to the Ponemon Institute report, 65 per cent of SMBs have a password policy — requiring employees to use strong passwords that change every 60 to 90 days, for example — but don’t strictly enforce it. Clearly, password protection isn’t going to be effective if everyone is ignoring it.
Once you create a security policy, make sure you train your employees (possibly with the help of a security consultant). Since many cyberattackers target employees through phishing and social engineering scams, training employees to avoid risky behaviour and recognize the signs of a breach, if it does occur, are key to any IT security strategy.
This isn’t foolproof — would-be attackers can still trick even the savviest of employees. But investing in employee training can reduce the risk of cyberattacks by up to 70 per cent, according to a study by Wombat Security Technologies and the Aberdeen Group.
A security strategy also includes a technology layer — just don’t rely on technology as the be-all-end-all. Antivirus software can help, but three out of four SMBs reported that exploits evaded their anti-virus software, according to the Ponemon Institute report. Make sure software is patched and up-to-date, as older versions of software are full of vulnerabilities.
Firewalls add another layer of protection by preventing unauthorized users from accessing the network. But cyberattackers can sneak past your firewall through a ‘back door’ and gain access to the network — and you may not even know it for weeks or even months. Advanced persistent threats, for example, attack a network over time and in multiple phases to avoid detection.
This is why we’re seeing the rise of ransomware, where cyberattackers slip through a back door and use malware to encrypt sensitive data — essentially holding that data hostage until the victim pays up.
“After extorting millions from consumers over the past few years, file-encrypting ransomware creators are increasingly focusing their attention on victims who are more likely to pay up: small and medium-sized businesses,” writes Lucian Constantin in an article for PCWorld. That’s because data is critical to their operations, and they can typically afford to pay the ransom.
Should you pay the cyberattack ransom?
Paying the ransom, however, isn’t recommended. There’s no guarantee that you’ll get your data back, or that you won’t be targeted again.
That’s why a data backup strategy should be part of your overall security strategy. So, if data is lost, stolen, compromised or held for ransom, you can recover it from an alternate location, such as a secure cloud (so long as it’s not connected to the network).
Breaches are going to occur; no security tool or technology is 100 per cent effective. Your security strategy should also map out how you’re going to deal with a breach before it gets out of control.
There’s no one-size-fits-all security solution, so consider hiring an IT security consulting firm to run a risk assessment and pinpoint your organization’s vulnerabilities. It doesn’t have to cost a small fortune to fix those vulnerabilities: there are several managed security service providers (MSSPs) that will do all the heavy lifting for you, for the cost of a monthly subscription fee.
Don’t assume your organization isn’t big enough to be attractive to cyberattackers. Assume it is, and have a solid defence in place when they come.