Small businesses are increasingly in the crosshairs of cyber thieves. From ransomware and spear phishing to internet of things (IoT) attacks and crime on the cloud, smaller companies have reason to lose sleep at night.
According to the 2017 Ponemon Cost of Data Breach Study, sponsored by IBM, the average total cost of a data breach is $3.62 million. That is not a loss most companies can afford to take. The study also found that one in four companies will experience a breach.
Fueling the increase in business cybercrime is the growing role digital devices and data storage play in people's lives. Criminals follow the money, and for them, data means dollar signs. As crime goes, cyberattacks are fairly low-risk/high-reward endeavors, especially since services like Bitcoin make it easy for criminals to remain anonymous.
Because small businesses usually have fewer resources to invest in cyber security and IT support than their larger counterparts, they are low-hanging fruit for criminals. The first step in protecting your business is education.
Ransomware is on the rise
In ransomware attacks, criminals infect a computer or network with a virus that encrypts data. Then they demand payment in exchange for the return of that data, usually by delivering instructions in a pop-up window on the infected computer.
What happens next varies. If the business has a solid approach to backing up data, it may be able to ignore the threat, wipe the system clean, and start anew from its last backup. If not, a business may opt to pay the ransom, which typically ranges from hundreds to thousands of dollars, but that still doesn't guarantee the return of its data. (We are dealing with criminals here.)
If you factor in loss of productivity and the cost of recovering files, cybercrime costs small and midsize businesses $75 billion each year. Worldwide, ransomware attacks have increased by 36 percent, according to the Symantec 2017 Internet Security Threat Report.
Phishing gets sophisticated
Email is the weapon of choice for criminals. Symantec's study of billions of emails found that one in 131 emails contains malware, the highest rate in five years. Symantec also reports that more than 400 businesses are targeted by spear-phishing emails every day.
Mark Anderson, principal of Anderson Technologies, a St. Louis-based IT company, says that phishing emails have become increasingly challenging to identify. They are "designed to mimic legitimate communication to gain access to sensitive information, such as usernames and passwords," he explains.
While phishing refers to a broader attempt at tricking people into sharing confidential information, criminals sometimes target a particular victim with a personalized approach. This is spear phishing. For example, a fraudster might pose as your business banker and send an email asking you to confirm your log-in information or review a recent transaction. The email would be addressed specifically to you, signed by your representative, and emulate the look and feel of typical communication you receive from that business.
The role of education
One of the most important steps a small business can take to mitigate its chances of falling victim to ransomware or phishing is employee education. "It is crucial that everyone inside your network understands the inherent risks of digital communication," says Anderson. "All it takes is one wrong click from an employee to compromise your entire system. Teach everyone to think twice before opening an attachment or clicking a URL, even if it appears to be from someone they trust."
Kevin Chapman, SVP and GM of Avast's SMB Business, suggests running routine cyber trainings and restricting access to important data to only those employees who need it. "In addition, shutting down the accounts and access of former employees quickly is important, as these accounts are often not monitored after an employee has left," he says.
What's next for cybercrime?
For criminals, innovation spells opportunity in the form of security vulnerabilities. Chapman says the new generation of connected devices, known as the internet of things, is a target for cyberattacks. "Businesses should be aware that any unsecured connected devices brought into their network can be accessed. Ensuring all devices are secured with strong passwords that are regularly changed is a simple, effective way to stay safe. It's also critical to have up-to-date security software on all devices," he cautions.
As more businesses turn to cloud-based solutions, so, too, do criminals. Rather than just targeting end users, criminals can target cloud-based infrastructure, such as servers in the cloud that store data from many different companies. The Symantec report describes the cloud, along with the IoT, as the new frontier for cybercrime.
In addition to educating your workforce, take the following steps to help protect your small business from the year's biggest cyber threats:
- You could be doing everything right and still fall victim to data loss. Data breach insurance helps mitigate the costs associated with data security breaches, including legal fees.
- Use complex passwords and change them regularly. LastPass is a free password management tool that helps you generate strong passwords and keep track of them safely.
- Back up data routinely. For optimal security, back up data in multiple locations, e.g., on an external hard drive and in the cloud via a cloud-based storage solution. Carbonite is a popular choice for small businesses. It offers automatic backup solutions for as low as $5 a month.
- Use anti-malware and anti-virus software and update it regularly. Many vendors, including Avast and Symantec, offer solutions specifically geared towards small businesses. Price varies depending on the number of users and level of service, but begins around $4-5 per user, per month.