Cybersecurity threats are growing. Here are 3 ways to protect your small business.


Gene Marks

According to a recent report from financial services provider Mastercard, 46% of the small and medium-sized businesses they surveyed worldwide reported experiencing at least one cyberattack and nearly one in five of those attacked had to close or declare bankruptcy afterward.

Although the report found that 86% have conducted cybersecurity risk assessments and set up prevention plans, only 23% are very satisfied with their strategies, and just 23% are confident in their ability to detect real threats.

Cyber threats come in all forms, including phishing, malware, viruses and social engineering. And their impact is significant. An incursion can potentially shut down a business for weeks — or even permanently. Or it could open up potential liabilities if sensitive data is lost or stolen.

And yet, there are defenses against many of these threats. And it’s not as if most small businesses aren’t aware of their impact. But unfortunately, many aren’t doing enough to protect themselves.

Mike Molsen, a consultant at TekMyBiz, an IT firm based in Elk Grove Village, thinks many small businesses aren’t paying enough attention to this threat.

“Small businesses think they are immune because they think they are too small a target or their data is not interesting enough,” he said. “But they’re wrong.”

Joe Engelking, a cybersecurity services expert at LME Services in Hoffman Estates, agrees.

“Getting small businesses to understand and admit that they are not prepared for a cyber emergency is one of our biggest challenges,” he said.

So if you’re running a small business, how can you make sure you’re minimizing the risk of getting hacked? Here are some things to consider.

Get training

Engelking believes employee awareness training is critical “so that every employee knows how to spot the basic tactics of a hacker from a mile away.”

He’s not wrong. According to a recent report from cybersecurity firm Mimecast, 95% of all data breaches in 2024 involved human error, including misplaced emails and policy missteps.

We’re all busy and doing a million things at once. We’re downloading things we shouldn’t download, clicking on things we shouldn’t click on and — thanks to AI — starting to believe the bot on the phone who is pretending to be a human. It’s critical that our employees — and management — are regularly trained to look out for dubious requests and potentially harmful links and files being sent to us.

The training is important because bad actors are getting better at creating emails and other communications that are becoming more and more human.

Chris Higgins, an IT consultant at Rolling Meadows-based CCS Technology Group, warns “the biggest thing today is phishing and ransomware attacks that are just getting harder to identify. The better grammar is making it harder to identify the bad ones.”

Set up multi-factor authentication (MFA)

We’re all familiar by now with being asked to receive a text message or email and then entering a code to access a site. This is called multi-factor authentication, or MFA, and it serves as an extra layer of security to augment our usernames and passwords. MFA is not completely infallible, but it’s a strong defense against someone stealing a password and getting access to our systems. It’s become a must-have, and many of my clients are either using the text or email approach or setting up their systems with apps like Google Authenticator, Microsoft Authenticator, or Authy.

“Everybody should have (MFA) turned on — either on their 365 or their G Suite,” Higgins said. “It’s the one thing you can do on your own.”

Finally … strengthen technical controls and insurance

Unfortunately, being protected isn’t free, nor is it cheap.

Business owners have to be prepared to make sure their operating systems, routers and other devices are updated with the most current versions of software. Third-party security software has to be running and monitored. Usually, an IT firm or a managed cloud service provider has to be involved, not only to make sure all of this is up to date, but also to provide training and security reviews as needed. Finally, every business needs to have cyber insurance and business interruption coverage in case an attack on their systems is successful.

John Bambenek, who runs an IT services firm in Schaumburg, recommends installing strong endpoint detection and response applications and making sure that alerts are set up and the systems are monitored. He also recommends not being too reliant on the security promises of cloud service providers.

“Many of the cloud applications and services that organizations use to run their businesses only protect their data so much,” he said. “Businesses are a little complacent thinking these cloud companies protect their data, but they only protect against specific attacks, not things like employees getting their accounts taken over.”

In the end, there’s no such thing as 100% security. But for a small business, taking a few simple steps can significantly minimize the risk of a cybersecurity problem. And the problem is growing.

“SMBs need to know they are being targeted by criminals in third-world countries that are after the wealth that they cannot find in their own country,” said Molsen. “Many SMBs are stuck in past thinking that Anti-Virus is a good protection. Nope.”

• Gene Marks is a CPA who owns and operates The Marks Group PC, experts in customer relationship management technologies.
