The Essential Guide to Small Business Cybersecurity
Small business cybersecurity is something no firm should ignore. This is regardless of how "small” or "unimportant” an individual business may perceive itself to be.
The big cybersecurity news stories focus on things like the huge data breach at Yahoo, or 2017’s high profile ransomware hack on the UK’s National Health Service. However, far smaller organisations are the victims of cybercriminals every single day.
The statistics are terrifying: 43% of cyberattacks are specifically targeted at small businesses. Furthermore, 60% of the small businesses that experience cyberattacks go out of business within the next six months.
If you’re a small business owner and don’t take cybersecurity seriously, you're walking on incredibly thin ice.
This detailed guide will help you find out exactly what dangers you face. It will also show you how to to reduce the risks as much as possible.
How Has Business Cybersecurity Evolved?
Businesses have needed to attend to online security ever since internet connectivity became commonplace. However, the speed at which cybercrime has evolved is staggering.
According to projections made by Jupiter Research, data breaches alone will cost companies over $2 trillion per year by 2023. While this figure is eye-watering, what’s even more shocking is that the number will have quadrupled in just four years. Cybercrime has reached epic proportions. The days when company owners just had to make sure their local IT firm installed up-to-date antivirus software are long gone!
As an example, let's consider ransomware. Ransomware locks down and encrypts files until users pay hackers to de-encrypt them. This was at the centre of the huge NHS hack mentioned above. Ransomware was "invented” in 1996, and spotted "in the wild” from around 2005. It became commonplace in 2012/13. This shows how threats evolve over time. It also proves that there will always be something new waiting in the wings to hit businesses and the headlines.
Hacking can be incredibly lucrative. As such, hackers aren’t going to disappear or stop what they’re doing. This means that businesses of all sizes need to work to stay one step ahead.
How Is Business Cybersecurity Different to Personal Cybersecurity?
Small business cybersecurity is very different to looking after security on a simple home computer. If a home computer is hit with, for example, a ransomware attack, there’s a limit to the damage that can be done. If there aren’t any backups to restore, it can still prove quite a disaster, even if it only means choosing between paying a ransom or losing family photos and other memories.
For a small business, the impact can be far greater. You may have to tell clients that their data and financial information is "in the wild” and potentially being sold on the dark web. You may lose the ability to process transactions and take any money for a day or more.
Whatever the exact outcome, it’s never going to be a good one. Business cybersecurity is incredibly important, and involves a lot more than using antivirus software.
Why Does Cybersecurity Matter?
I’ve briefly touched on a couple of possible impacts of a data breach or cyberattack. Let’s look at what can happen in more detail.
Money is usually the motive behind cyberattacks. At the time of writing, nobody’s certain who was behind the WannaCry ransomware attack that hit the UK’s NHS and numerous other organisations worldwide. However, financial gain was the clear motive. The hackers demanded money, transferred in the form of anonymous Bitcoins, in return for de-encrypting infected machines.
Some organisations ended up paying the hackers, presumably because they had no usable backups. However, that sum was a drop in the ocean compared to the true financial loss caused by the hack.
The hackers are thought to have raised around $100,000 from "ransom” money. Despite this, the total cost of the attack is estimated at $1.5 billion. This is due to the huge amount of work that businesses need to undertake to recover from such events. This work typically involves restoring backups, rebuilding networks, and shoring up systems against future attacks, all while watching revenue fall away. Income is lost while businesses are unable to function properly in the aftermath. There's also the fact that customers lose confidence and back away.
Smaller businesses often run on shoestring budgets. As such, it doesn’t take a headline-grabbing figure to cause serious financial problems. A "clean-up bill” of several thousand dollars, coupled with several days’ loss of trade, can be enough to push a business to the verge of bankruptcy.
Reputational damage and financial loss often make a vicious circle for businesses in the aftermath of a cyberattack. Customers lose confidence in companies when they’ve suffered a breach, especially if personal or financial details have been compromised.
A PWC Survey in 2016 found that reputational damage "was considered the most damaging impact of a cyber breach.”
If your business is tackling a cyberattack or clearing up the damage following one, you and your team won’t have the resources to run the business as normal.
The severity of this can vary. If, for example, you process transactions via a website and have to take it offline, you will see the flow of revenue stop until you resolve matters. Alternatively, you could see staff unable to work until you fix or restore their computers.
Ultimately, there's no good impact, hence the need to do all you can to reduce the threat of cyberattacks.
What Are the Key Small Business Cybersecurity Threats?
The cybersecurity threat landscape shifts all the time. New attack methods become popular while others slip out of favor. However, the key threats remain the same. Here are some of the most important ones to be aware of.
We’ve mentioned ransomware a lot already. That's because it's very current in the cybersecurity world, with no sign of its popularity waning. It’s easy for hackers to target many companies and individuals with ransomware in one hit. This is especially true of infections like WannaCry, which can spread rampantly through networks. It’s also relatively difficult for the authorities to track the source.
These factors, coupled with the clear financial potential, make ransomware very attractive to cybercriminals. Towards the end 2016, Kaspersky saw ransomware hitting one business every 40 seconds and a new individual every 10 seconds.
There is a small silver lining to this cloud: ransomware is actually quite easy to protect against. The key is to have full, up-to-date backups, and a fast, tried and tested means of restoring them. You'll still have to take action to recover from an attack. However, hackers can't cash in if you don’t need the data back from them.
NOTE: Ransomware doesn’t always involve encrypting data. Some threats involve locking down a computer or device, rendering it unusable until a ransom is paid. Provided you can reinstall a machine, it’s possible to remove the infection. The worst case scenario with ransomware is ending up with encrypted data and no backup to restore from.
Most users of technology have at least seen some phishing attempts, even if they’ve not fallen victim to them.
At a basic level, phishing involves sending out fake emails that purport to be from genuine websites and companies. These are often connected to banking or online shopping. People who are fooled by these emails usually end up on (sometimes very realistic) fake login pages. There, they input their usernames, passwords and other personal details. This hands the information directly to hackers.
Many phishing emails are easily identifiable to the trained eye. They usually come from domains that aren't genuine, such as paypalcustomersupport.com rather than paypal.com. However, cybercriminals can send out tens of thousands of them at one time. As such, hackers don’t need a high hit rate to profit from the people who fall for them.
Antivirus programs and spam filters are becoming increasingly sophisticated. They are getting better and better at stopping phishing emails, or at least filtering them into "junk mail” folders. However, some inevitably get through and serve their criminal purpose.
Basic phishing isn’t the only cybersecurity threat that small businesses need to worry about. Phishing can be far more sophisticated, and sometimes involves a human element.
Phone-based scams are particularly popular. Small businesses (and individuals) are often targeted. Hackers call a company and pretend to be from Microsoft or another big tech company. They say there’s a technical issue that needs fixing and persuade unsuspecting users to grant them remote access to a computer. Once they gain access, they can very easily install key-logging software or other dangerous programs. They can then use these to harvest personal details or gain future system access.
It gets a lot worse. Spear phishing is a highly targeted attempt to gain access to specific computers to yield a financial payoff.
It works like this. A hacker calls a company, as described above, and gains access to an office computer. From there, they work out which company machine is used for payroll. On payday, they access that computer and reroute all the wage payments to their own account.
This may sound like the stuff of science fiction, but it’s really not. What’s more, cybercriminals often specifically target small businesses with this kind of attack. There are various examples online of this happening.
Small businesses with a significant online presence, especially those that rely on websites to do business, need to consider threats to their websites. These include SQL injections and Denial of Service (DoS) attacks.
Some of these attacks have a specific motive, such as exposing personal details held within online databases. Others are far more "mindless” in nature. Their aim is to bring down websites, sometimes for little more than kudos in the hacking community.
As with the other threats, it’s wrong to assume cybercriminals only target large businesses. Over 30,000 sites are hacked every day. They're clearly not all Yahoos and Ashley Madisons!
Traditional Viruses and Trojans
"Old-school” viruses and Trojans may not hit the headlines as much nowadays, but they’re still out there. They affect poorly protected small businesses every day.
Ranging from key-loggers that harvest logins and personal details, to malware programs that help spammers send out phishing emails, viruses are still very much part of cybercriminals' armoury.
The Top Small Business Cybersecurity Mistake
The biggest small business cybersecurity mistake is to assume "it won’t happen to me.”
If you feel we’re overstating this, look at some of the cybersecurity statistics later in this article.
What Precautions Should Businesses Take?
Educate All System Users
It’s often a human point of failure that results in a successful cyberattack or security breach. Successful phishing and spear phishing is dependent on somebody being fooled into responding to a convincing email, or entering personal details into a fake website. Similarly, many viruses are unleashed when unsuspecting users double-click an email attachment and install something they shouldn’t.
It’s therefore essential that everyone who works for your small business is well-educated regarding cybersecurity. You also have to keep them up-to-date on new threats. Levels of technical knowledge and competence vary hugely. As such, never assume that your staff are equally savvy when it comes to the realities of life online.
Use up-to-date Security Software, Patches and Hardware
Good quality, up-to-date antivirus software is a must on all company computers. This means commercial software, as free versions often lack important features. Furthermore, software companies sometimes make money from personal data and browsing histories if they’re not getting paid for actually selling their products.
Protecting against cyberattacks also means using tough firewalls on websites and company systems. You also need to patch everything regularly. By "everything,” we really do mean everything – from plug-ins on WordPress websites to operating system updates on company computers.
One reason the huge WannaCry attack spread so fast is that it was able to move between thousands of un-patched Windows computers. Better update management could have done much to slow down its propagation.
Remember Mobile Devices
Smartphones and tablets are widely used. Thus it’s essential to include them in your cybersecurity strategy. There’s no shortage of "mobile malware,” and millions of devices do get infected.
It may seem bizarre to think that mobile phones need antivirus, but company devices holding company information should be treated no differently to computers.
Sidestep Easily Avoidable Dangers
People who make simple errors in how they use technology make life easy for cybercriminals. Despite cybersecurity regularly hitting the headlines, people still use passwords like "123456” and "qwerty.” Outlaw practices like this in your small business immediately!
Similarly, many people connect to unsafe public Wi-Fi networks without a second thought, using them to work on company data. Staff should always use a suitable Virtual Private Network (VPN) if they’re going to do this.
Think About Physical Security
Cybersecurity isn’t only about installing antivirus software and using firewalls. If you want to make it easy for a hacker to access business data, just leave an office window open, or a company laptop unprotected in a busy bar.
Encrypt Company Devices
It’s well worth enforcing the use of full disk encryption on all company devices. If a hard drive or SSD is encrypted, anyone who steals a machine will only be able to see garbage if they don’t have the passwords or encryption keys.
It’s easy to encrypt your devices. Modern Apple Macs come with the ability to encrypt as standard. Microsoft includes the ability to do so with "Professional” versions of Windows. There are also third-party tools to enable this. Even Android phones can be fully encrypted.
Want to encrypt internet traffic to multiple devices? A VPN router is an ideal solution, click the link for more information.
Keep up to Date with Cybersecurity News
Keeping abreast of the latest cybersecurity news can protect you from falling victim to the next big breach or hack. In the case of the WannaCry breach, the vulnerability that was so widely exploited was publicised extensively over a month before the hack hit the headlines – and there WAS a patch available.
Companies that stayed up to date with such news had the time and knowledge to protect themselves.
Small Business Cybersecurity Statistics
Just in case this article hasn’t already scared you into action, here are some recent cybersecurity statistics to give you the scale of these threats:
- 55% of companies surveyed in a recent study had experienced some kind of cyberattack in the previous 12 months.
- 65% of small businesses don't enforce a password policy, despite the fact that doing so is an easy way to shore up IT security.
- Despite the clear importance of user education, a study of UK businesses found that 81% don't provide their staff with any cybersecurity training.
- Ransomware demands have increased by 266% in the past year.
- One BILLION online account records were breached in 2016 – three for every US citizen.
- There are 37 million apps currently out there that contain malware.
- 43% of cybersecurity threats are aimed at small businesses.
Small Business Cybersecurity Tips
We end with some quick-fire tips to reiterate the key points of this article and provide some additional advice.
- Don’t forget to educate your staff and stakeholders on cybersecurity. A clued-up team can do much to help protect your small business.
- Dedicate time, effort and resource to cybersecurity. This immediately places you one step ahead of the many small businesses who fail to do so.
- Don’t make simple mistakes that can put your company’s data security at risk. Enforce the use of strong passwords, and VPNs for public Wi-Fi, by making it company policy.
- Don’t rely on free software to protect company devices. The price of commercial options pales into insignificance compared to the cost of recovering from a breach.
- Always adopt a highly sceptical approach to revealing any personal information online. Ensure your staff do the same.
- Back up your company data regularly and consistently. The ability to restore from a backup can help you to recover from any breach far more quickly. You’ll find a guide to small business backup here.
- Take the time to identify your current cybersecurity shortcomings and make a plan to rectify them. If you don’t have the knowledge to implement what’s required, pay a trusted consultant to do it for you.