From managing passwords to implementing two-factor authentication, there are many free and low-cost options for small businesses to protect against cybercrime. — Getty Images/COMiCZ

Small and growing businesses are in a good position to protect against cyberattacks. They just don’t know it.

Too often, the free and low-cost data security tools at their disposal sit idle on the shelf, putting companies at needless risk of lost revenue, fines, legal action and extensive business disruption that come with the fallout of an attack.

This complacency vexes security experts, who question why otherwise vigilant business leaders take such audacious risks when it comes to data protection.

Too often, small and midsize companies mistakenly believe they are not in the crosshairs and that large enterprises are more attractive targets, experts told CO—. While 66% of small businesses polled by Ponemon Institute said they did not think they were vulnerable to cyberattacks, 67%, in fact, were attacked in the previous 12 months. The average cost of a U.S. data breach is $8 million ($3.92 million globally), and yet only 9% of respondents identify cybersecurity as a top priority.

“Hackers see small business as low-hanging fruit,” said Bradford Willke, acting director, Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR) division of the Department of Homeland Security, during a June webinar. “I’ve heard: ‘I’m so small. Why would they care about me?’ But you are a gateway into the supply chain of others.”

Larry Ponemon, founder of the Ponemon Institute think tank, agreed: “These cyber criminals are hunting for smaller organizations because they are a lot easier to crack rather than going for the big fish,” he told CO—. “The small organization, if it’s hacked, can provide a gateway directly to big organizations’ IT infrastructure, networks and all that good stuff.”

Too small to fight

Splashy headlines about data breaches such as Equifax and Facebook feed complacency among SMBs, which mistakenly believe that if deep-pocketed companies fall victim to cyberattacks, then there is nothing smaller companies with lean resources can do to protect their digital assets.

Such thinking creates analysis paralysis, said Peggy Eisenhauer, attorney and founder of Privacy & Information Management Services, a law firm that offers privacy and security assessments, and advises on compliance and privacy strategies. “I see a lot of ‘We didn’t know what to do — so we didn’t do anything,’” she said.

While Eisenhauer’s practice focuses on large enterprises with robust data security protocols, it’s her clients’ smaller vendor partners that often neglect basic blocking and tackling, the weak link that exposes everyone to cyberattacks.

While growth of cloud computing, Internet of Things (IoT) and mobile commerce create new ways for cybercriminals to attack, it’s the fundamentals that are free or low cost that all companies should prioritize, she said.

“Absolutely, there are things to do. And they are easy things. Free or low cost,” she said. Eisenhauer named a few things your company can do to prevent cyberattacks.

First, get informed. The Federal Trade Commission offers practical tips and tools for managing network access control, passwords and other key areas — presented in a user-friendly format that anyone can understand, she said. Designate one employee to peruse the FCC blogs. Just as companies designate office fire marshals to ensure co-workers exit a building safely in the event of a fire, a data security marshal keeps abreast of best practices and shares with the team. Technology-savvy young employees are a good fit for this role, she added.

Second, use the security features you already have. Default passwords like “admin” or “password” preloaded on software and devices are meant to be overwritten with new, secure passwords; but too often, companies skip this step. “Enable the security features that you’ve already paid for,” said Eisenhauer. “It sounds so stupid and so trivial and yet my clients deal with breaches that would have been avoided had the vendor turned on two-factor authentication.”

Software companies routinely issue security patches to close newly discovered vulnerabilities, and yet companies fail to install them, due to time constraints or unwillingness to take systems offline for such updates, said Ponemon.

What to watch out for

Vincent Voci, cyber policy director at the U.S. Chamber of Commerce, said small businesses are particularly vulnerable to two specific cybersecurity threats.

The first is ransomware. Ransomware and ransom threats are types of malware that you typically receive through email and that are activated when you open a link or download an attachment. Ransomware installs locking software on your computer and prevents you from accessing your files until payment is made to those executing the attack. It is particularly dangerous to businesses because it can spread from computer to computer.

Voci says there are three key things small businesses can do to protect against ransomware.

  • Securely back up your systems. Organizations should identify critical business information and develop a plan to immediately and regularly back up system information. These backups must be stored offline, separate from the core IT infrastructure, and tested regularly to ensure their integrity and that they can actually be restored.
  • Reinforce basic cybersecurity awareness and training with employees. Ransomware leverages increasingly sophisticated spear-phishing campaigns and human weaknesses to succeed. Training employees to identify and report suspicious inbound emails to the appropriate IT staff is critical. Before trusting emails with unknown attachments or suspicious links, employees should verify the sender’s identity and confirm that the message is an authentic business communication before clicking.
  • Develop and exercise incident response plans. Understanding what to do and who to call when an incident occurs can make the difference between a prolonged system outage and a manageable restoration process. Depending on the organization, a cyber incident response plan might include having a corporate media engagement plan, developing a decision matrix for involving company leaders, lawyers, regulators and law enforcement, and mapping business relationships (customers, partners, vendors) that might be impacted by a system interruption.


The second common threat to small businesses is called business email compromise. In this scenario, cybercriminals pose as the CEO or another high-ranking company official and email an employee with instructions to wire money to a third party. They do this either by spoofing the sender’s email address or by accessing the official’s real email account and sending the email from it.

To prevent this form of cybertheft, employers should have a process in place for employees to confirm that requests like this are legitimate before acting on them, and email passwords should be secure and changed regularly.
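The two ways the article says criminals do this, spoofing the address or using the real account, leave different traces. The following added example (not from the article or any product the Chamber recommends) runs a few header and content checks over three constructed messages: one with an executive's name on an outside address, one with a look-alike domain in Reply-To, and one sent from the genuine account. The company domain, the executive directory and the keyword list are all assumptions made up for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the company's real mail domain and the
# executives whose names a BEC lure would borrow.
INTERNAL_DOMAINS = {"example-widgets.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-widgets.com"}
URGENCY = re.compile(r"\b(urgent|wire|immediately|confidential|gift cards?)\b", re.IGNORECASE)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str, real: str) -> bool:
    """True if `domain` is one substituted, inserted or deleted character away from `real`."""
    if not domain or domain == real:
        return False
    if len(domain) == len(real):
        return sum(a != b for a, b in zip(domain, real)) == 1
    if abs(len(domain) - len(real)) == 1:
        short, long_ = sorted((domain, real), key=len)
        return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))
    return False


def bec_indicators(raw_message: str) -> list:
    """Return the warning signs found in an RFC 822 message, in a fixed order."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_to)
    flags = []
    # 1. Display name borrows an executive's name, but the address is not theirs.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("display-name-mismatch")
    # 2. Sender or Reply-To uses a typo-squat of the company domain.
    if any(is_lookalike(d, real) for d in (from_dom, reply_dom) for real in INTERNAL_DOMAINS):
        flags.append("lookalike-domain")
    # 3. Replies are quietly routed somewhere other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    # 4. The request itself: money, urgency, secrecy.
    body = msg.get_payload(decode=True) or b""
    if URGENCY.search(body.decode("utf-8", "replace")):
        flags.append("payment-urgency")
    return flags


# Constructed sample messages.
SPOOFED_NAME = """From: "Jane Doe" <ceo.jane.doe@gmail.com>
To: bob@example-widgets.com
Subject: Quick favour

Bob, I'm in a meeting. Please wire $48,000 to the vendor below immediately. Keep it confidential.
"""

LOOKALIKE_REPLY_TO = """From: Jane Doe <jane.doe@example-widgets.com>
Reply-To: Jane Doe <jane.doe@examp1e-widgets.com>
To: bob@example-widgets.com
Subject: Vendor account change

Bob, the vendor changed banks. Send the wire to the new account today, it's urgent.
"""

GENUINE_ACCOUNT = """From: Jane Doe <jane.doe@example-widgets.com>
To: bob@example-widgets.com
Subject: Vendor payment

Bob, please wire the attached invoice today. Urgent, I'm travelling.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed name", SPOOFED_NAME),
                       ("lookalike reply-to", LOOKALIKE_REPLY_TO),
                       ("genuine account", GENUINE_ACCOUNT)]:
        print(f"{label}: {bec_indicators(raw)}")
```

The third message is the instructive one: when the criminal is inside the executive's real mailbox, every header is legitimate and only the content of the request stands out. That is why the article's advice to confirm such requests through a separate channel before acting matters more than any filter.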

For a daily update on U.S. companies — big and small — that have fallen victim to cyberattacks and data security breaches of all flavors, peruse Privacy Rights Clearinghouse, which has tracked incidents made public since 2005 and puts the current tally at 11.6 billion data records compromised to date.


Published September 24, 2019