Many small businesses are sitting ducks for cyberattacks. While large companies may be more likely to face advanced persistent threat (APT) hackers or more complex attacks, many large companies have invested substantial resources in preventing such attacks. Small firms simply lack the security infrastructure of large corporations. They're also more likely to outsource certain functions to third-party vendors, which can themselves fall victim to cybercrime.
So it isn't a surprise that the influx of cyberattacks during the pandemic disproportionately targeted small businesses. Luckily, there are steps small companies can take to protect themselves from breaches. Inc. spoke to Adam Hunt, chief technology officer and chief data scientist at RiskIQ, and Phyllis Newhouse, the founder and CEO of cybersecurity firm Xtreme Solutions, in a recent Inc. stream event to find out more.
1. Don't underestimate your company's value to hackers.
Small companies may kid themselves into believing their operation isn't big enough to merit a full-scale security solution. But cyberattacks have not only become more common, they've also grown more sophisticated. Some hackers will steal one company's identity in order to gain access to another company, for example. Small businesses can also stand to lose intellectual property, research, or sensitive customer data.
"There are two types of companies," says Newhouse. "One that's been hacked, and one that's about to get hacked."
2. Back up everything.
Ransomware attacks, in which hackers use a type of malware that prevents companies from accessing their systems unless they pay a hefty ransom, have been steadily on the rise. Since 2016, ransomware attacks have risen by 6,000 percent globally, according to a study by IBM. They've only continued to increase in the wake of the pandemic, with hackers now targeting hospital or health care IT systems.
Companies are still getting locked out of their information because they're not properly backing it up, Hunt says. "Make sure that you have copies of everything that you cannot live without," he urges.
3. Perform tabletop exercises.
Small businesses should put their cyber readiness to the test. One way firms can do this is by performing a tabletop exercise, or a simulation, of an actual cybercrisis. "You wanna know how bad your people are? Do a tabletop exercise today, and it will tell you," says Newhouse.
Maybe a large chunk of employees neglect to change their passwords every 30 days, or maybe many of your workers are fooled by a simple phishing scam. Newhouse says that data breaches often happen because companies neglect to follow proper cyber hygiene. Tabletop exercises will help companies realize the weaknesses in their own systems and what they can do to improve.
4. Your cybersecurity budget should reflect your exposure.
Many small companies have limited resources to spend on cybersecurity. When deciding how much to invest in cybersecurity, companies should take into account how much they stand to lose if their data is stolen. Newhouse gave the example of a small law firm that was the victim of a cyberattack. The firm had one IT employee on staff who had no cyber background. It ended up paying out roughly $2 million in ransom payments.
"But if you look at the real loss for them in terms of the intellectual property and the research, et cetera, it would have been worth the investment to either have an external firm work with them to make sure the data was secure or hire someone within," says Newhouse.
5. Invest in a scanning tool.
Hunt suggests that companies invest in a vulnerability scanner, which is automated software that regularly scans your networks, web servers, and applications. Such a tool will give firms an idea of what their weaknesses are, so they know what security holes are in their infrastructure.
"Understanding what [small businesses] look like to their attackers is by far the most important thing they should be aware of," says Hunt.
Keep in mind that cybersecurity firms are a high-value target for hackers. While investing in cybersecurity tools may give firms a sense of security, it's important to also hold vendors accountable.
"Even with a trusted provider, you need to evaluate them. You need to put pressure on them to make sure that their security is evaluated very well," says Hunt. Familiarize yourself with the security protocols of your cybersecurity vendor, and hold it to very high standards.