Data breaches at major corporations like Yahoo, Equifax, Target and Sony Pictures may capture the big headlines, but small businesses also face significant financial, operational and reputational risks from cyberattacks.
Malware infections and the theft of sensitive information can hobble any business, potentially exposing even a mom-and-pop shop to customer lawsuits, government fines, IT repair costs and bad publicity.
While many entrepreneurs have taken steps to guard against cybercriminals, countless others remain ill prepared to fend off email phishing scams, ransomware and other troublesome incursions.
“Cyberattacks are foremost in our minds. It seems that nearly every month there is a new cyber scare that causes every business owner to shiver a little. Protecting our data, our work efforts, and our computer systems should be a process we think about all of the time,” said cybersecurity expert Penny Garbus, president of Soaring Eagle Database Consulting.
Only 5 percent of CEOs in a recent survey said their companies were fully secure against cyberattacks, according to The Alternative Board, which queried more than 200 primarily small-business owners.
More than half reported having been hit by cybercriminals in some way, but fewer than half had put measures in place to protect their businesses against them, the survey found.
Some business owners thought their companies were less vulnerable than others because they’re too small to be targeted, their data isn’t worth hacking, or their online presence is limited. A substantial cyberattack could be ruinous for many businesses, however.
Thirty-six percent of CEOs said their businesses could remain profitable for one to three months after a cyberattack that causes a permanent loss of data, money, reputation and trust, and another 11 percent said their companies would become unprofitable in less than a week, according to the TAB survey.
Nearly 25 percent of companies that have sustained a cyberattack lost business opportunities as a result, one in five lost customers and almost 30 percent lost revenue, a 2017 Cisco survey found.
Ransomware, malware that encrypts a victim's files and demands payment for the key, essentially holding the data hostage, hit one in five small and medium businesses over a recent 12-month period, according to a Bitdefender survey of 250 IT professionals. A quarter of the companies lost their data, and only 45 percent of those that paid the demanded ransom actually regained access to their own files.
The Federal Trade Commission offers an online center with comprehensive information on protecting small businesses and consumers from cyberattacks, including an article on small business computer security basics, a blog on securing all areas of your business, and a guide for responding to a data breach.
The Federal Communications Commission also offers cybersecurity tips, and the Small Business Administration provides a web course on the topic.
Among other advice, government experts recommend that small businesses train employees in good security practices; keep software updated; use strong passwords and two-factor authentication; password-protect all devices; and never leave laptops, phones or tablets unattended, including in locked cars.
Think before sharing information, whether requested by email, phone, web form or text, they caution. “Scammers will say or do anything – or pretend to be anyone – to get account numbers, credit card numbers, Social Security numbers or other credentials,” the FTC warns.
Government experts also suggest backing up important information; providing sensitive data only over encrypted websites, whose addresses begin with “https://”; encrypting traffic on wireless networks with WPA2 (or WPA3 where the equipment supports it); protecting computers with security software; and adopting payment card best practices.
Trave Harmon, CEO of Massachusetts-based IT consulting firm Triton Technologies, has several recommendations for small businesses:
Use a commercial-grade firewall from a firm like Sophos, SonicWall, Fortinet, Cyberoam or Cisco.
Forgo retail antivirus software and choose a cloud-based, commercial-grade option that updates every few minutes, requires almost no user input, and provides reporting on potential threats to your network.
Back up your data online with a program that uses “versioning,” which keeps earlier versions of each file so you can restore a copy from before an infection. While you may prefer to do local backups, Harmon said, viruses, crypto viruses and malware often look for and encrypt local devices, including attached backup drives.
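To make the versioning point concrete, here is an added example (not code from the article, Harmon or Triton Technologies) of a miniature versioned backup store. Each backup run writes a snapshot manifest mapping file paths to content hashes, and file contents are stored under their hash and never overwritten, so a file that ransomware encrypts in place can still be restored from any earlier snapshot. The directory layout, the file contents and the simulated infection are all constructed for the example.

```python
"""Versioned, content-addressed backup in miniature (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class VersionedStore:
    """blobs/<sha256> holds file contents; snapshots/<n>.json maps paths to hashes.

    Nothing is ever overwritten: a new version of a file just adds a new blob
    and a new manifest entry, so every earlier version stays restorable.
    """

    def __init__(self, root):
        self.root = Path(root)
        (self.root / "blobs").mkdir(parents=True, exist_ok=True)
        (self.root / "snapshots").mkdir(parents=True, exist_ok=True)

    def backup(self, source) -> int:
        """Snapshot every file under source; return the new snapshot number."""
        source = Path(source)
        manifest = {}
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            data = path.read_bytes()
            digest = _sha256(data)
            blob = self.root / "blobs" / digest
            if not blob.exists():            # unchanged content is stored once
                blob.write_bytes(data)
            manifest[str(path.relative_to(source))] = digest
        snap_id = len(list((self.root / "snapshots").glob("*.json"))) + 1
        (self.root / "snapshots" / f"{snap_id}.json").write_text(
            json.dumps({"files": manifest}, indent=1))
        return snap_id

    def versions(self, rel_path: str) -> list:
        """All recorded versions of one file as [(snapshot_id, sha256), ...]."""
        out = []
        for snap in sorted((self.root / "snapshots").glob("*.json"),
                           key=lambda p: int(p.stem)):
            files = json.loads(snap.read_text())["files"]
            if rel_path in files:
                out.append((int(snap.stem), files[rel_path]))
        return out

    def restore(self, snap_id: int, rel_path: str, dest) -> bytes:
        """Write the version of rel_path recorded in snapshot snap_id to dest."""
        manifest = json.loads(
            (self.root / "snapshots" / f"{snap_id}.json").read_text())["files"]
        data = (self.root / "blobs" / manifest[rel_path]).read_bytes()
        Path(dest).write_bytes(data)
        return data


def demo() -> dict:
    """Constructed scenario: back up, a simulated crypto virus overwrites a
    file, back up again, then recover the pre-infection copy from snapshot 1."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        docs = work / "docs"
        docs.mkdir()
        proposal = docs / "proposal.txt"
        original = b"Q3 proposal draft, version 1\n"
        proposal.write_bytes(original)

        store = VersionedStore(work / "backup")
        first = store.backup(docs)

        # Simulated infection: the live file is replaced with ciphertext.
        proposal.write_bytes(b"\x00ENCRYPTED\x00" + os.urandom(16))
        second = store.backup(docs)      # a plain overwrite-style backup would now be useless

        recovered = store.restore(first, "proposal.txt", work / "recovered.txt")
        return {
            "snapshots": (first, second),
            "versions": len(store.versions("proposal.txt")),
            "recovered": recovered,
            "intact": recovered == original,
        }


if __name__ == "__main__":
    print(demo())
```

A real product adds retention rules, encryption of the blobs and off-site storage, but the property that matters against ransomware is the one shown here: the backup target is append-only from the client's point of view, so an attacker who can overwrite the live files cannot also overwrite the history.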
Keep your software up to date. “Almost all network hacks come from unpatched exploits,” Harmon said. Devoting 30 minutes a week to software updates may be annoying, he said, “but it is cheaper than spending weeks rebuilding what you lost or closing up shop because it has now been locked down with a crypto virus.”
Monitor employee activity, as many hacks come from user mistakes or ignorance. “Don’t click on that link to receive a shipping label because it’ll probably bring you to a compromised website that will download malware to your computer,” he said.
Tim Singleton, owner and president of Strive Technology Consulting, considers a layered approach the best way to handle cybersecurity.
“We have antivirus on our computers scanning our files and emails all the time. But most ransomware attacks come in via email, so we also have a service that filters all of the email before it gets to us,” Singleton said. Another filtering service checks for infections on websites that employees visit.
“We have the built-in firewall enabled on all of our computers, and we also have a high-grade network firewall protecting all the computers at the network’s edge. Layering on security like this helps fill the cracks that any one vendor may leave open, creating a more secure protection,” Singleton said.
Training is also important. “Everyone should be watching the links they click on and looking carefully at the ‘from’ address of the emails they are reading to ensure they are actually communicating with whom they think they are. There are great services out there that will train people in this type of awareness and do ongoing testing to ensure they really get it,” Singleton said.
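The “from” address checks Singleton describes can be written down as simple rules. The following is an added example, not code from Strive Technology Consulting or any product the article mentions: it parses the From and Reply-To headers of a message and flags the three mismatches a reader is told to look for. The trusted domain list, the lookalike substitutions and the sample messages are constructed for the example.

```python
"""Sender-header red-flag checks (added example)."""
import email
import re
from email.utils import parseaddr

# Constructed: domains this hypothetical company legitimately receives mail from.
TRUSTED_DOMAINS = {"example.com"}

# Character substitutions attackers use to build lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize_domain(domain: str) -> str:
    """Collapse lookalike spellings so that examp1e.com compares equal to example.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(raw_message: str) -> list:
    """Return a list of warnings about who a message claims to be from.

    An empty list means none of the heuristics fired; it does not prove the
    mail is genuine.
    """
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ["From header has no parseable address"]
    from_domain = _domain(addr)
    warnings = []

    # 1. The display name shows an address from a different domain than the
    #    real one, e.g. From: "alice@example.com" <attacker@mail-example.net>
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if embedded and embedded.group(1).lower() != from_domain:
        warnings.append(
            f"display name shows @{embedded.group(1).lower()} but address is @{from_domain}")

    # 2. The domain is a lookalike of a trusted one (examp1e.com, exarnple.com).
    if from_domain not in TRUSTED_DOMAINS and normalize_domain(from_domain) in TRUSTED_DOMAINS:
        warnings.append(f"{from_domain} resembles a trusted domain but is not one")

    # 3. Replies would go somewhere other than where the mail claims to be from.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        warnings.append(
            f"Reply-To goes to @{_domain(reply_to)} while From is @{from_domain}")
    return warnings


# Constructed sample messages, one per situation.
SAMPLES = {
    "legit": "From: Alice <alice@example.com>\nSubject: lunch\n\nSee you at noon.\n",
    "spoofed_display": ('From: "alice@example.com" <attacker@mail-example.net>\n'
                        "Subject: urgent\n\nPlease wire the funds today.\n"),
    "lookalike": "From: Alice <alice@examp1e.com>\nSubject: invoice\n\nPay the attached.\n",
    "reply_to": ("From: Alice <alice@example.com>\nReply-To: alice@webmail-example.org\n"
                 "Subject: quick question\n\nReply as soon as you can.\n"),
}


def scan_samples() -> dict:
    """Warning count per constructed sample."""
    return {name: len(check_sender(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_sender(raw))
```

These are the same cues a trained reader applies by eye; an automated mail filter would additionally rely on SPF, DKIM and DMARC results, which these header checks do not replace.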
Garbus, of Florida-based Soaring Eagle Database Consulting, also notes the importance of firewalls, virus protection, and closing ports that are open to the public internet. Her firm also trains employees on security issues, rules and protocols, reviewing procedures throughout the year and updating them as needed.
Garbus recommends giving employees access to data on a “need to know” basis, encrypting laptops containing sensitive data in case they’re lost or stolen, reminding staff never to download files or open emails from unknown sources, and adopting a procedure for employee terminations so that access ends quickly.
“We make sure to always back up everything. If our employees have spent hours or weeks writing proposals, reports, etc., we have them save them into files where management has access,” using cloud document file sources to share and store information, she said.
Soaring Eagle also has a disaster recovery plan, said Garbus, who noted companies need to protect data from storms, fires, computer breakdowns and human error as well as cyberattacks.
“If something bad happens in the home corporate office, we can ramp up from another location and get back to work,” said Garbus. “We learned during the hurricane season that if we protect our business and have the systems set up, then our employees can concentrate on protecting their homes. Instead of spending valuable time in the office, they can get their families out of harm’s way.”
Gojko Adzic, who travels frequently as a partner in UK-based Neuri Consulting, uses a VPN (virtual private network) for protection on unsecured airport or hotel WiFi networks.
“Big public networks visited by millions of people can be quite lucrative targets for hackers,” Adzic noted. “If an untrusted or publicly available network is compromised, we don’t end up leaking important data. We use a very simple VPN setup on Amazon AWS network, but there are plenty of commercial options around for people that do not want to set up their own system.”
PromotionCode founder and Chief Technology Officer Mike Catania, meanwhile, takes a hands-on approach by setting cyber traps for his Florida company’s dozen employees.
“I actively try to phish passwords from them at least once a month even though they’ve all undergone extensive cybersecurity training, regardless of their position,” Catania said.
“Like most banal training, it can be easy to glaze over things that seem obvious, so hammering them in practice solidifies good practices. Although I’ve busted a few of them in the past 10 years, we’ve never had an outside breach, so I think the overkill has paid off.”