Out of all the data breaches that occur each year, a whopping 43% are usually directed toward small and medium-sized businesses (SMBs). Recent studies also suggest that cybercriminals are more attracted to small businesses.
According to this 2019 4iQ identity breach report, SMBs experienced a more than 420% increase in the authentic and fresh breaches in 2018. To add a bunch of salt to already open reputation and security wounds, most of these businesses don't recover after a breach.
If at all they recover, it takes too long to get back to business. The reason? Lack of strong financial muscles to bail them out of the effects of a data breach as was found out in this InsuranceBee’s Cyber Survey, which noted that 83% of small businesses are weak financially and can't recoup the losses due to a data breach.
Why are small businesses targeted in online attacks?
Read on, as we take you through, the very reasons why cybercriminals' major targets are small businesses. This is not to scare you anyway as we're also going to walk you through the best ways of locking cyber attackers out of your business.
Reasons small businesses are targeted in data breaches
Lack of understanding of the security landscape; small businesses are more vulnerable to online attacks due to 'little' knowledge of the whole security landscape.
Because of this, they tend to invest more in promoting the business and building it at the expense of the business' online security. Well, the thieves are aware of this.
They, therefore, use automated tools that help find vulnerable company websites and databases then launch attacks on them.
Fewer resources; apparently, when starting online businesses, entrepreneurs tend to spend a lot on getting the businesses up. From hiring web developers to buying domains, hosting, bringing in employees and finalizing the paperwork, etc., it usually consumes a lot that the companies fall short when it comes to installing the necessary security measures against cyber attacks.
The best solution against this is that, if you're planning to launch an online business soon, be sure to also budget for the security aspect of your business.
False belief; It's unfortunate that small business owners view their businesses as 'small' and therefore won't be targeted in online attacks. The hackers are aware of this too. They, therefore, utilize their automated tools to scrape the web, locate their target and launch attacks.
Read on to find out what you can do as a business owner to avoid these attacks.
Measures for curbing cybersecurity risks for small businesses
1. Educating the employees
Employees are still the weakest link in companies fight against cyber attacks. The point is that if your employees can't recognize a security threat, they won't avoid it.
They will also not report it nor remove it. A good example of a security risk due to employee unawareness is Scotty's Brewhouse phishing scandal.
In this breach, 4,000 employees fell victim to a phishing scam where a scammer got copies of all their W-2 forms while masquerading as the company CEO.
Research reports also insist that there's massive need to educate employees about cybersecurity. According to this 2019 survey on the state of IT security, employee training plus email security are still the most prominent problems affecting the IT security experts.
What's more shocking is that 30% of employees don't have any clue what phishing scams are or what malware is. Perhaps this explains best why popular scams like the BEC (Business Email Compromise) scams are still prevalent, leading to losses amounting to more than $26 billion each year globally.
Now, we won't blame the employees even though they're the favored entry points for attackers. The golden rule is to train them on cybersecurity proactively.
Here are a few tips on how to educate your employees on cybersecurity:
Have regular seminars and sessions with them dedicated to explaining the possible impacts of data breaches on the company and its operations. During these sessions/seminars make them know their roles in the fight against cyber attackers.
Educate them on your company's policies in regards to online safety.
Organize for seminars and workshops where they learn about the types of online attacks and security threats etc.
Train them on how to recognize and act on online attacks using clear and easy to understand documented remediation guides.
If you get alarms, to be sure not to discourage them even if they're false positives. Find out how to work this out with them without affecting their self-esteem.
Regularly test them and see how they react to online threats. In this regard, you may go for penetration testing while focusing on the employees as a possible risk profile.
2. Use HTTPS Protocol instead of HTTP
In as much as Google recommends that you should use the HTTPS protocol on your site, it's not really up to them. Instead, it's upon you to safeguard your user data and safety. Besides, if you stay too long without switching to HTTPS and still handle sensitive data, the search engine giant may pull down your site when you least expect it.
The HTTPS, which you switch to after installing an SSL certificate on your site, adds an extra layer of security for your web visitors. It's designed to encrypt all the data on the site, ensuring that online attackers can't sniff the information. You can use basic SSL certificates to switch to HTTPS protocol but; if you're looking for a top of the range security, then the EV SSL certificate would be the best option. It encrypts all the data shared on the site and also shows the company name on the address bar to help distinguish it from other fake websites.
Set up a firewall
Setting up a firewall is a rather basic recommendation but worth the mention. It's integral in the security of your website since it searches for and blocks malicious traffic on your site. It will also help protect your employees from navigating to potentially harmful websites.
Use a reputable antivirus/antimalware software
Using an antivirus software is one of the most reliable ways of protecting your company's machines and mobile devices from malware attacks. These tools are designed to detect potentially dangerous content before being launched on your computers.
After that, you can perform the best remediation to stay safe online. The software gets obsolete with time, so it's prudent that you update them regularly or set automatic upgrades to help you recognize the current threats automatically.
It's also important to note that the solutions you'll get from, for example, antivirus A may be different from those you'll get from antivirus B. This is all down to the various threats they're designed to handle and their effectiveness.
Nevertheless, any antivirus should have these two basic capabilities;
- Detection and prevention against spyware, malware and adware.
- All-round antivirus scanning.
Depending on your primary needs, you may also go with an antivirus which comes with extra functionalities like;
- Protection against malware using a built-in firewall.
- Site advisor, which integrates with your browser to give you alerts before visiting any potentially harmful websites.
Limit access to business data
In this day and age, where competition and online attacks are rife, confidentiality is mandatory in any business environment. It will save you from losing your clients due to broken trust or reputation damage. It will also protect you from crippling losses in the business, especially if confidential data lands in the wrong hands where they might be used in committing unlawful activities like frauds etc.
You can safeguard your company's sensitive data by following these recommendations:
- Educate your employees on the best policies for network security.
- Introduce a Bring Your Own Device (BYOD) policy where employees are instructed to keep sensitive information on their devices. You must, however, put up strict security guidelines that must be followed when employees use the devices both at the business premises and at home.
- Encrypt the data.
- Bring in Identity and Access Management (IAM), which you can use with Single Sign-on (SSO) technology to help in Identity mapping.
Protect the business Wi-Fi
From a competitive point of view, having a Wi-Fi network at your premises will increase customer satisfaction. It will also help you increase productivity in the workplace and enhance employee satisfaction, among others.
If you, however, fail to secure your business Wi-Fi network, you risk exposing your business and clients to dangerous attacks. The basic rule of thumb is to secure your guest Wi-Fi to protect all the parties connected to the network from phishing, malware and ransomware attacks, etc.
Adopt a strict password policy
Passwords acts as the keys to your business' preserved data thus should be treated with the utmost care. They shouldn't be left in the open since hackers handle every clue with care, and your passwords are obviously top of their priorities.
From Social Security Numbers (SSN) to confidential transactional data, staff data and credit cards, etc. there are a lot of valuable data criminals can steal if they get your password. Malicious individuals may also misuse the passwords to gain unauthorized access and delete critical business data or use them to perform identity theft and even impersonate the business to perform fraud and forgery etc
To avoid these, be sure to use strong passwords averaging ten characters and more. You can also use password managers to create and store long passwords that are difficult to master.
Make use of Multi-factor Authentication (MFA)
MFA is a bit more secure and sophisticated when compared to Two-factor Authentication (2FA). Usually, it requires extra verifications, which may need biometrics to make it even harder for attackers to impersonate executives and launch attacks. If you use MFA, it forces anybody trying to access your databases to go past the necessary password checks. This means that even if a data thief steals your passwords, the MFA will still ensure that the protected data is still held safe.
Data theft is still a major headache though massive strides are being made to curb this menace. The thieves are also getting savvier with each new day, therefore, security basically starts from you. If you can abide by the basic security recommendations, data theft will be reduced to significant margins.