By Todd O’Boyle
While cyber attacks on large enterprises dominate the headlines on a daily basis, no business is too small to be the target of a cyber attack. According to a recent Ponemon Study, 55 percent of small and midsize businesses (SMBs) have experienced a cyber attack in the past 12 months. In the aftermath of these incidents, these companies spent an average of $879,582 because of damage or theft of IT assets and an additional $955,429 due to the disruption to normal operations.
Employees at small businesses often wear many hats, but few have the security know-how to successfully protect their organization from attackers. It’s time to take those first steps toward protecting your business. Here is a plan small businesses can implement to better protect their data, customers and employees.
Understand Common Motivations and Tactics
The first step towards better security is understanding what exactly you’re protecting against. To do that, you must first understand the basic motivations and tactics of attackers. Attackers can typically be separated into two groups: those that want to shut your business down and those that want your money.
Some attackers are interested in your valuable intellectual property (IP), financial data, and customer information. These attackers will use phishing e-mails to get in and then advanced malware to stay in. Once they’re able to access sensitive data, they sell it on the dark web to other criminals or your competitors. What would happen if your product schematics or customer database were sold to your competitors?
The other type of attacker is motivated to steal as much money from you as possible. The most common way these attackers do their dirty work is through ransomware. This malware renders your business inoperable for days or weeks while you try to recover (or pay).
Employ Best Security Practices
Now that you know what you’re protecting against, it’s time to take steps toward better security. There are several tools and best practices that are widely available, easy to deploy and affordable for most small businesses that will provide adequate protection against security threats.
- Perform off-site backups and regularly practice recovering from the backup.
- Install an antivirus solution, then schedule signature updates.
- Utilize multi-factor authentication for employee access to systems and applications.
- Ensure your mail service provides spam and phishing defenses.
- Install an automated malware protection tool to safeguard against ransomware attacks.
Have an Incident Response Plan in Place
Those in the security industry love to say, “It’s no longer if you’ll be breached, but when.” It’s important to take a step back and think about how prepared your organization would be if it were attacked. If an attacker were able to get through all the layers of security you have in place, what would you do? And how would you even know? Having these conversations in advance and having a clear plan in place will help to quiet the chaos should an attack occur, making it easier to get your business back up and running smoothly sooner rather than later.
A good first step is to have discussions with partners and advisors in order to put the right plan in place. Ask your managed service provider (MSP) or trusted IT advisor what their role would be following an attack. Talk with your lawyers about the laws you would be subject to in the event of a breach. Disclosure laws vary by state and by industry, so make sure you’re aware of what your legal responsibilities – both to your customers and your partners – would be in such a situation. Talk to your agent about cybersecurity insurance, which covers losses and costs due to cyberattacks. Finally, think about your communications strategy. How will you proactively communicate with your customers so they don’t leave once the malware is gone?
Educate Your Employees with Security Awareness Training
Employee education goes a long way toward cultivating a culture where everyone is a stakeholder in protecting the business. Teach employees about the common motivations and tactics of attackers and empower them to make decisions around security. Get your people talking to one another about phishing emails they get. Form that “human shield” to protect your business.
A lack of resources is never an excuse for lax security. It’s challenging enough to run a successful business, so don’t make it that much harder by keeping the door to your safe wide open to cybercriminals. Take these first steps to better protect your business and stand up against the attackers that want to destroy your hard work.