One advantage of being small: you're beneath the hackers' notice. That's how it used to be, anyway.
But as large companies shore up their security systems in response to high-profile data breaches, that means "the bad guys are moving down the food chain, where folks are not as prepared," says Brian Casazza, CIO at Vistage, a training organization for small- and mid-sized businesses. "It's not okay to think just because I'm a small business owner, I'm not an interesting target. Because now they [are] attacking the smaller organizations, aggregating their information, and then profiting from that."
As part of a survey of its membership released to coincide with Small Business Week, Vistage reports that more than 40% of small business owners say they are unprepared for a cyber attack. Just 29% report having a CIO to handle such high-stakes issues; others contract out the job to consultants or delegate it to non-specialist employees, such as office managers. "So not many small and medium-sized businesses have the types of resources or specific skill sets to be able to address this properly," Casazza says.
The average revenue of Vistage members is $37 million, which is roughly $10 million above that of the Inc. 500: Inc.'s annual list of the 500 fastest-growing U.S. companies. A survey of the 2015 Inc. 500 indicated that 79% were worried about a cyber attack on their businesses. To prepare themselves, a third reported hiring internal personnel or an outside consultant; 73% had invested in security software; and 50% had implemented a risk-management plan. Fifteen percent said they had done nothing--a relatively small but still worrying number.
Casazza notes that smaller companies are unable to spend at levels necessary to make themselves ironclad. He offered these five recommendations for small- to mid-sized companies to guard against a cyber attack.
Understand what is your company's sensitive data. For a great many small- and mid-sized businesses, the obvious target is credit-card information, which can be compiled across companies and easily sold. "If I can get 100 numbers from one small business and 100 numbers from another, I can put that into a list that is worth a lot of money," says Casazza.
Avoid storing extremely sensitive data yourself. Yes, every time you hand your data to someone else you incur some risks. But in general "it makes sense to let people who are really good at dealing with, let's say, credit-card information do that," says Casazza. "Versus trying to handle that on your own when you are a $10 million company."
Look at the perimeter of your network. If you've not already done so, says Casazza, "it's important to put some basic firewalling in place."
Fortify your people. Many attacks on small companies over the last 18 months have exploited simple human error. "An email shows up in the CEO's mailbox that looks like it comes from the CFO that says I need some money wired right away," says Casazza. "Or somebody clicks on something and their machine is compromised and they get a message that says pay us and we will unlock this data for you." To fight back, educate employees about vulnerabilities and create policies requiring strong password protection and other protective tactics.
Understand how secure your partners are. Companies in the $10 million to $50 million range are important links in supply chains, with smaller vendors feeding into them and large customers making demands on them. "It works in both directions," says Casazza. "It's not OK to just assume that a partner is going to be taking care of your credit card data properly. You've got to do your homework." Meanwhile "large organizations working with smaller companies are demanding [strict security measures] as it becomes a more critical component to how business is getting done."