Your Small Business Cybersecurity Guide
Small business owners who believe their organizations fly below cybercriminal radars because of their size are in for a rude awakening.
Small businesses were the victims in 58 percent of cybersecurity attacks in 2017 according to Verizon’s annual Data Breach Investigations Report[1]. That’s because small businesses are repositories of valuable data about employees and customers, bank accounts, finances and intellectual property, the U.S. Small Business Administration (SBA) notes[2]. Small business IT systems also can link to larger networks, such as supply chains.
In addition, small businesses often lack the budget for robust cybersecurity technology or personnel devoted to business network security.
All of these factors make small businesses prime targets for cyber security attacks. Small business owners must take cybersecurity seriously.
Types of security attacks
The SBA breaks down cyber threats facing small businesses into four categories: Malicious codes and viruses, website tampering, data theft and denial-of-service attacks.
- Malicious codes and viruses are perhaps the most publicized threats. With these type of threats, cybercriminals use the Internet to find and send files, find and delete critical data or lock up the computer or system. They cloak codes and viruses in programs or documents where they are designed to replicate and install themselves, monitoring and recording keystrokes to send to a collection point. Cybercriminals also use ransomware through phishing emails to gain control of computers until a ransom is paid.
- Website tampering includes website defacing, system hacking and compromising web pages. Defacing is designed to negatively impact a company’s reputation or image. Hacking is how cybercriminals get to a small business’ valuable information and IT systems. And if a website is compromised, it is possible for anyone who accesses it to download a virus or malware. Using compromised websites, hackers can steal log-ins and passwords or access customer identities.
- Data theft also comes in several forms, depending on the type of data stolen. It includes theft of computer files, inappropriate access to accounts, theft of laptops and computers, intercepted emails and online transactions, phishing emails and identity theft. The No. 1 cybercriminal data theft tactic is malware through email, often through email attachments. Symantec’s 2018 Internet Security Threat Report estimates[3] 88 percent of malicious emails use malware attachments to break in.
- Denial-of-service attacks is an attack on a computer or website that freezes the computer or crashes the system. Its goal is to stop or slow workflow, cease communications and terminate eCommerce. The most common methods cybercriminals use in denial-of-service attacks are volumetric attacks and TCP State-Exhaustion attacks.
No matter the attack method, the SBA cautions small businesses against exposure to common system vulnerabilities. These include outdated or unsecure computer hardware and software; poor or missing security policies that do not establish security protocols; missing procedures for securing information; lack of oversight; and loose enforcement of existing policies.
Plan, prevent and protect
Small business owners need a cybersecurity plan to fend off cyber-attacks. To address system vulnerabilities and IT security for small business, the SBA has some tips[4] every small business owner should employ:
- Use software to battle viruses, spyware, and other malicious code – Install antivirus software and antispyware on computers and update often. Setting to automatically download and install the latest updates is a good idea.
- Protect networks – Use a firewall and encrypt information to secure Internet/Wi-Fi connections. Generic Wi-Fi name, WPA2 and complex passwords should all be used.
- Safeguard data with employee policies – Create standards for how staff should handle and protect sensitive data. Establish and enforce consequences for breaking those standards.
- Keep employees updated on cyberthreat information – Teach employees about online threats and how to protect data and then keep them accountable.
- Require strong passwords and update them frequently – Use multifactor authentication that requires additional information beyond a password.
- Take advantage of third-party financial security– Use the most trusted and validated tools and anti-fraud services your bank or card company offer. Do not use the same computer to process payments and surf the Internet.
- Backup sensitive data – Regularly backup critical information to off-site storage, such as financial and HR data, on all relevant computers.
- Monitor network and hardware usage – Prevent unauthorized access to business computers. Create separate user accounts for each employee and only give administrative privileges to trusted IT staff and personnel.
- Don’t forget mobile – Demand users password protect their work mobile devices, encrypt data and install security apps.
- Shield each website page – Every page of a company website is vulnerable, not just the pages where transactions occur.
The information provided is intended to provide a general overview. This information is not legal advice and should not be relied on as such. EMPLOYERS® makes no warranties for the accuracy, adequacy, or completeness of the information provided, and will not be responsible for any actions taken based on the information contained herein. If you have legal questions or need legal advice, please consult an attorney.