A word of caution to all Connecticut small businesses—you WILL be hacked. It’s not a question of if but rather a question of when. Cybercriminals are tenacious, and they attack companies of all sizes looking for data they can convert into cash, or systems they can use to launch an attack on someone else and hide their tracks, and small to medium-sized businesses (SMBs) tend to be easy targets.
Malware, for example, affects companies of all sizes. Ransomware has become particularly pervasive. The FBI reported a 300 percent increase, from 2015 to 2016, in ransomware attacks, which now average more than 4,000 reported incidents each day. Ransomware is just one of the many cyberthreats that SMBs face.
More than 70 percent of cyberattacks target SMBs. Hackers are looking for data that can be sold on the dark web. Although rates vary, the median price for someone’s identity is $21.35. Stolen credit cards are worth less, because they have a short shelf life, but patient records and Social Security numbers are extremely valuable, because they can be used to steal prescription drugs and for Medicare fraud.
SMBs Are a Susceptible Target
A recent survey of Connecticut SMBs shows that 78 percent of business owners are worried about data breaches, and while 79 percent have increased cybersecurity, only 57 percent have a disaster recovery plan. Other research shows that 31 percent of SMBs take active measures against security breaches, and only 22 percent are willing to step up cybersecurity, even though 60 percent of hacked SMBs go out of business within six months.
Unlike larger companies, SMBs lack the resources to set up strong protective barriers and monitor for potential threats. SMBs’ lack of awareness of cyberthreats and inadequate steps to protect themselves have contributed to an increase in attacks, and the price tag for remediation is rising as well. For SMBs, the average cost of recovery from a data breach is $36,000, and losses can be as high as $50,000.
“An Ounce of Prevention…”
The best way for SMBs to minimize the impact of a data breach is by implementing the necessary security protections in advance. Most SMBs take obvious steps, such as maintaining anti-malware software and updating network firewalls, but those steps provide only minimal protection. There are many more things that SMBs can do to protect themselves:
- Update all your security protocols. The first step is to clean house. Take a hard look at your computer networks and systems and assess them for potential vulnerabilities. Start by reducing the amount of data you have to store and manage. Most businesses have repositories of unnecessary files, archived email, and other material they don’t need. Also, make sure you aren’t using sensitive information such as insurance IDs as employee or customer credentials.
- Strengthen user authentication. Weak and unsecured passwords are a major weak spot for all networks. Never reuse passwords, and be sure to use best practices when creating passwords (e.g. use special characters, random sequences, etc.). Also, consider two-factor authentication for online access, which requires an additional step to log in, such as a code sent to your email or cell phone. Users tend to be the greatest security weakness in any computing system, so you want to implement as many protocols as possible to promote system security.
- Train employees. Be sure to raise awareness within the company by providing basic security training. Phishing attacks, for example, are one of the most common causes of a security breach, so you have to teach users how to spot malicious spam. Password protection is another area that needs training (e.g. don’t leave passwords on Post-its attached to your monitor).
- Separate your financial systems. One security strategy is to use a dedicated computer or device for financial transactions, and make sure that that computer is not used for other activities, such as sending email or surfing the web. This minimizes the likelihood of exposing company financials by visiting a malicious website or being infected via social media.
- Have a backup procedure and a disaster recovery plan. If your system is compromised, how long will it take to get your company back online? Every company needs a disaster recovery plan that covers natural disasters, fires, power outages, and compromised network systems. Be sure to maintain a clean backup copy of business-critical data, including customer records, inventory files, financials, and databases. If you are hacked or ransomware locks up your database, restoring from a clean backup may make it simpler and faster to get back in operation.
- Rely on an expert. With all the other operational concerns, most SMBs don’t pay enough attention to security. An outside security expert or managed services provider can be an invaluable resource and can lighten the burden of systems security. A security expert can perform a security audit to identify areas of potential weakness and help plug security holes in the infrastructure. That expert also can provide remote monitoring for potential threats, maintain off-site backups, and maintain security software licenses and system updates to keep out security threats. A managed services provider can advise you about potential cloud-computing strategies; storing sensitive information in secure, hosted data repositories; and providing remote backup services.
Data security should be a serious concern for businesses of all sizes. In fact, the smaller your operation, the more susceptible you may be to a disastrous data breach. There is no reason to go it alone. Security experts can provide the support you need to keep your systems safe for a fraction of the cost that you can provide the same protection in house.