It seems like a day doesn't go by without news of a major cyberattack. In the last year alone, attacks on Sony, Yahoo!, Target, and LinkedIn dominated headlines.
What you don't hear about are the thousands, or even tens of thousands, that are thwarted every day. What you also don't hear about are the cyberattacks that hit small businesses.
What is often lost in these headlines is the fact that nearly half of the cyberattacks worldwide were against businesses with fewer than 250 employees.
One reason may be that smaller businesses aren't as concerned as they should be about the problem. A recent study commissioned by Oracle, What's Keeping SMB Leaders Up at Night, had security issues near the bottom of their overall concerns, with only 13.5 percent citing security issues as their biggest concern.
In many cases, the hacked information is held for ransom, released only when the owner of the small to midsize business (SMB) pays a significant price to get it back. Hacked information is also used to rob bank accounts via wire, steal personal identity information, hijack websites, and file for fraudulent tax refunds.
A few examples that come to mind include:
· Wright Hotels: All it took was a hacked email to open the door for $1 million to be stolen from its bank account.
· PATCO Construction: Thanks to a Trojan Horse attack that invaded the company's systems, thieves captured banking credentials and stole nearly $600,000 from the company's accounts through ACH transfers.
So, what can SMBs do to protect themselves?
1. Provide Training for Employees at Every Level
The vast majority of successful cyberattacks are due to human error. This is precisely what happened at Target, where a breach of Target customer data was traced back to an HVAC vendor that worked at a number of the retailer's locations. Other employee errors include disposing of devices without first wiping the data, opening phishing e-mails, and losing laptops and phones that hold sensitive data.
While human error will always come into play, businesses can minimize incidents by implementing training and awareness programs. These should be conducted during onboarding for new employees and on an ongoing basis for employees at all levels, even the C-suite.
2. Back Up Business Data Regularly
With ransomware on the rise, the best defense is to back up data constantly. That way, even if data is held for ransom or stolen, it is not lost.
The smartest way to do this is to automate the data backup process, storing copies of word processing documents, databases, spreadsheets, human resources (HR) files, and other key files and data either in the cloud or offsite.
3. Provide Employees Access on a "Must-Have" Basis Only
Businesses often get lazy when it comes to providing access to data. Rather than examining who needs what information, they give employees access to much more information than their jobs require. Employees should only be given access to the specific systems they need for their jobs and should not be able to install any software without permission. Administrative privileges should only be given to key, highly trusted personnel.
In addition, employees should be strictly prohibited from engaging in "rogue IT" practices where they install any software they think they need on their computers or other devices used for work without the go-ahead from someone authorized to provide such permissions.
4. Secure Devices and Networks
Provide equipment and networks that have the most up-to-date versions of security software, web browsers, and operating systems at all times.
Be diligent about installing patches and updates as soon as they are available to best protect against ransomware, malware, viruses, and other cyber threats.
5. Establish Stringent Passwords and Authentication Policies
Hackers make a living from people who use weak passwords like their names, sports terms like "baseball" or "football," the word "password," or even sequential numbers like 123456. To fight back, use unique, complex passwords that include uppercase and lowercase letters, numbers, and symbols, and make sure you and your employees change those passwords every few months.
To be even more secure, think about requiring additional information beyond just the password to gain access. It may be something of a nuisance, but the extra security is certainly worth it in the long run.
6. Be Mobile, but Be Smart
Even the smallest companies conduct much of their business remotely and on mobile devices. Salespeople hit the road, more and more people work from home, and employees need to be available 24/7.
These devices hold critical information and can access corporate networks. As such, they need the same protections as desktop devices found in a home office.
This means all devices should have up-to-date security apps installed as well as data encryption and password protection. There should also be action plans in place for lost or stolen devices.
The Bottom Line
Face it: your employees may find these precautions bothersome, time-consuming, and distracting. But they are also 100 percent necessary.
While it is asking a lot for SMBs to tackle all of the tactics discussed here, you might pick and choose the measures most relevant and suited to your business, and then implement additional ones as you go.