Why small businesses need to take cybersecurity seriously
Developing and implementing a cybersecurity plan has never been as important as it is today, given mounting threats putting small firms in jeopardy.
Forty-three percent of all breaches target small businesses. And there’s a reason, say experts.
Studies show hackers go after small businesses because they know most lack computer systems and data protection. Despite the risks, 83% of small business owners still have not implemented cybersecurity, according to Advisor Smith research.
According to a Security Magazine report in May, some 60% of small businesses that suffer a data breach permanently close their doors within six months of the attack.
“We hear business owners say it’s never going to happen to them because it has not happened yet,” said Soni Lampert, CEO of KLH Consulting in Santa Rosa.
“Some say, ‘Why would we be a target?’” Lampert said. “Our response is, what’s important is finding ways to avoid the high cost of doing nothing, which is greater than the cost of mitigating the risk – especially when it comes to ransomware and the value of lost, highly sensitive or proprietary information. At the same time, we inform them that no security system is 100% bulletproof.”
Backup is essential
“Business owners should assess their vulnerabilities and the potential liabilities they can face. Until a hacking incident occurs, most firms don’t see the need for change. While attacks can cost a lot of money, the true cost is harm to customers and business relationships,” said Sausalito-based security consultant Craig Hancock.
Most of the people he works with have experienced a financial intrusion. “The first question I ask is, ‘Have you established a backup system – and did you use it?’”
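As an added illustration (not part of the original article, and not Hancock’s own tooling), here is a small backup drill in Python that answers both halves of that question: it creates a backup with a SHA-256 manifest taken while the data is known to be good, then restores the archive into a scratch directory and verifies every file against that manifest. A backup taken after files were already encrypted or corrupted is reported rather than trusted. The sample files, directory names and the “simulate corruption” switch are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "business data" for the drill; not real files.
SAMPLE_FILES = {
    "invoices/2023-q1.csv": b"customer,amount\nacme,1200\n",
    "hr/handbook.txt": b"Company handbook v3\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_data(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def create_backup(source: Path, archive: Path) -> dict:
    """Tar the source tree and return a manifest of relative path -> sha256.

    The manifest is the reference point: keep it separate from the archive
    (ideally offline), so a later bad backup can be compared against it.
    """
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore into a scratch directory and return a list of problems (empty means the drill passed)."""
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        # Refuse archive members that could write outside restore_dir (a tampered archive).
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                problems.append(f"unsafe member name: {m.name}")
        if problems:
            return problems
        try:
            tar.extractall(restore_dir, filter="data")  # safe-extraction filter, Python 3.12+ (backported to some 3.8-3.11 releases)
        except TypeError:  # older Python without the filter argument
            tar.extractall(restore_dir)
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.exists():
            problems.append(f"missing after restore: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def run_backup_drill(simulate_corruption: bool = False) -> list:
    """Back up, (optionally) let ransomware hit before the next backup, then restore and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        write_sample_data(src)
        archive = tmp / "backup.tgz"
        good_manifest = create_backup(src, archive)  # manifest taken while data is known good
        if simulate_corruption:
            # Constructed failure mode: a file is encrypted in place, then the
            # scheduled backup silently overwrites the good archive with the bad data.
            (src / "invoices/2023-q1.csv").write_bytes(b"ENCRYPTED")
            create_backup(src, archive)
        return restore_and_verify(archive, good_manifest, tmp / "restore")


if __name__ == "__main__":
    print("clean drill problems:", run_backup_drill())
    print("corrupted drill problems:", run_backup_drill(simulate_corruption=True))
```

The point of the drill is the restore, not the archive: a backup nobody has ever restored from is an assumption, and the manifest comparison is what turns “we have backups” into “we have verified we can recover the data we had before the incident.”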
A typical attacker is on an opportunistic hunting expedition, scanning for perimeter weaknesses that can be exploited or “phishing” employees with fraudulent emails. The question is what can be done to identify, address and prevent those risks and so reduce the cost to the business.
“We talk in terms of developing a security strategy involving policies and procedures, providing user education and adopting both basic and advanced security technology that can be implemented now and expanded in layers or tiers over time within the scope of the available budget,” Lampert added.
Special intrusion protection
Intrusion prevention tools often include anti-spam filters, email fraud detection, antivirus software, firewalls, virtual private networks (VPNs), encryption, network intrusion alerts and security monitoring.
Some advanced solutions use behavior-based detection engines, penetration testing, packet capture and analysis, employee monitoring software and offsite managed services. Under employee monitoring, workers’ key computer behavior is tracked, such as application use, websites visited and log-on activity.
“When presenting to owners, we focus initially on the human factor and benefits of cybersecurity showing why each action is important backed up by evidence and statistics,” said David Mercer, founder of David Mercer Consulting in Napa.
Limit data access
Many “attacks” begin with the involvement of company personnel, whether someone does something accidentally or on purpose, Mercer said.
“Employees at small companies can be a weak link by having access to software, files and vital data that are usually locked down in the corporate world,” Mercer said. Vital data include credit card and Social Security numbers, financial reports, personnel records and supplier contacts.
“Sensitive data must be controlled and limited with a strict distinction made between which employees have access to what data. This can be spelled out through formal training sessions,” Mercer said.
Emphasis should also be placed on showing staff members how to detect possible scams and why they should not click on or reply to suspicious emails, as well as on the need to record each attempt and report it to management. Employee education can also lead to a reduction in cyber liability insurance costs.
“We suggest spreading cybersecurity costs across the entire employee base on a spreadsheet to see how much such a plan would be per person, per month,” Mercer said. “Working with clients is not a one-time shot. We support small businesses on ongoing cycles, through periodic audits and reports to gauge progress, effectiveness and fine-tune the process.”
Begin with risk assessment
Company-wide risk assessment is often the first step when developing a plan.
“Audits are necessary to identify possible vector access points and to determine weak points,” Hancock said. “Having zero-trust security requires early detection, verification, pinpoint identification of threats and the ability to respond quickly using heuristic tools that scan for anomalies on the network included on a company’s cyber assessment profile.”