Your small business is perfectly immune from cyber attacks, right?
You know, cyber attacks like those targeted against Equifax in which they lost sensitive data for 143 million US customers, or the 3 billion Yahoo accounts that were breached, or when Target lost payment data for 40 million cards?
Why would hackers target small companies when there are so many huge corporations ripe for the picking?
If you think cyber attacks aren’t a serious threat for your business, think again: 60% of all targeted attacks are towards small to medium-sized organizations. And out of those data breaches that are successful, 90% impact small to medium-sized companies.
What explains the higher success rate? Research shows 82% of small to medium-sized businesses are not adequately protected from cyber attacks.
Cyber attacks are a PR nightmare. They are often so damaging to your reputation with customers that it’s impossible to recover. In fact, of small and medium-sized businesses that are breached, as many as 60% go out of business within six months.
These staggering statistics show it’s absolutely imperative to take cybersecurity seriously so you aren’t the next business with a huge, expensive headache on your hands, a seriously damaged reputation, or worse.
These 9 cybersecurity risks are very real risks for small and medium-sized businesses. It’s difficult to take all the necessary safety measures to keep your business and data safe, so your company probably has at least a few of these to address.
Can you afford not to know whether your business is protected?
9 Cybersecurity Risks Common For Small Businesses
1. Lack of adequate training
We’re mentioning this one first for a reason—it’s incredibly prevalent, but it’s easy to do something about it and often is your first line of defense to protect against these risks.
Most cybersecurity breaches are a result of human error. With “phishing” emails, hackers trick employees into giving up their passwords and other information by sending communications that appear to be legitimate. For example, an email may appear to be a routine credit card statement or order confirmation from Amazon, but it’s actually a fake email from an opportunistic hacker.
Employees click these emails because they are inadequately trained to identify and avoid these communications. And even if they suspect something is fishy, they may not know the appropriate steps to take.
What to do about it: We recommend regular security education, including periodic training sessions and email bulletins about the most common cyber attacks.
Why it matters for small businesses: It’s easier to drive these training initiatives for large businesses who have entire teams of people devoted to cybersecurity and compliance. For small businesses, training can slip through the cracks and there may not be someone internally who is qualified to deliver the training. But that doesn’t mean it isn’t crucial.
2. Inadequate protection against malware and ransomware
Hackers have been targeting businesses with malware (computer “viruses”) for years.
Ransomware is a particularly nasty iteration you’ve probably heard mentioned in the news recently and has become a lucrative business for the bad guys. Essentially, hackers take control of your data or devices, lock you out, and only restore your access once you pay their “ransom” fee.
Imagine being faced with a choice between paying a hacker $2,500 (or more) or never being able to access your customer data again. What would you choose?
It’s best of course to avoid the situation entirely by protecting your business against ransomware and other typical malware threats that compromise your data and device security.
What to do about it: Employee training is the most important component of an effective malware and ransomware prevention strategy. Further, companies should maintain protection solutions to avoid device infections and continuous cloud backups for disaster recovery if something slips through the cracks.
Why it matters for small businesses: Just one virus on an employee device could give hackers access to all your company’s data and control over what to do with it. From there, they can sell the data on the black market, encrypt it (via ransomware) to sell it back to you, among other nefarious strategies — none of which are good for your company.
3. Outdated or unpatched software
Keeping software up to date is tricky, and hackers love that.
Many software updates and patches are released to fix security issues. This is why software vendors try so hard to enforce automatic updates and regular update intervals.
Cybercriminals learn quickly, so your software may be perfectly secure now but introduce a huge security hole in just a few weeks.
What to do about it: Establish and stick to a regular patch and update schedule for all your applications. If you don’t currently follow any regimented policies, identify the applications with the most sensitive data and tackle those first.
Why it matters for small businesses: Small businesses have a smaller IT staff to ensure regular software updates, and this comes at a cost. Outdated software exposes your small business to a 3x greater risk of a security breach.
4. Poor data management practices
Chances are, your business has a lot of data you’d prefer to restrict to the appropriate personnel at your company, such as financial data, trade secrets, customer information, or proprietary processes.
Many small businesses pass sensitive spreadsheets, account credentials, and other protected information back and forth by email regularly.
Email is the most convenient option, but that convenience ends when the data ends up in the wrong hands.
What to do about it: Your small business needs a written policy about backing up and securing your data, and your employees should be educated regularly. Periodically, consider evaluating awareness and compliance via surveys and audits.
Why it matters for small businesses: Since just one data breach puts 60% of small companies out of business, it doesn’t make sense to pass customer spreadsheets, trade secrets, and confidential plans back and forth by email or other insecure file sharing solutions. Unfortunately, the practice is all too common.
5. Lax access control
It’s not just important to transmit data securely—your business should also have an intentional policy around who has access to certain data in the first place.
With so many risks associated with data security, it’s best to restrict access to parties who really need it.
In the cybersecurity world, this is called the principle of least privilege—give users access to the permissions and data they need, and nothing more.
What to do about it: Audit which employees have access to the data and applications on your network, making adjustments according to the principle of least privilege. Going forward, create and follow an access control template to keep your data secure.
Why it matters for small businesses: Your company’s competitive advantage may hinge on certain processes or information remaining secret, or the wrong data breach could jeopardize customer trust forever.
6. Insecure network
Whether you host data on your own network or in the cloud, security is vital.
At your office, guest devices, employee mobile devices, or personal laptops should not be permitted to connect to any network that also stores any sensitive data.
And if you use cloud data storage or cloud applications, managing access is critical as well. Hackers are quite effective at probing every possible opportunity to get their hands on your sensitive data.
What to do about it: Conduct regular audits of your company network and cloud security. Put the right policies in place to design new systems with security in mind. Leverage access control best practices and use a “whitelist” system for application access to your network (only explicitly permitting those applications that need access and are verified to be secure).
Why it matters for small businesses: The right hack could jeopardize vital business operations for days or weeks, and small businesses feel revenue and productivity losses especially hard.
7. Weak password policies
It doesn’t matter how secure your business technology is if your employees give away the keys with insecure passwords.
Many think password security is no longer an issue, but as recently as this year, a study found an average of 19% of business passwords are easy to compromise.
Think about that: without the right password security policy, at least one in five of your employees could be holding the door wide open for hackers.
Even if employees use secure password, that means very little if they use the same password for other platforms or personal use. In that case, their password to access your secure data only remains secure until those other platforms are breached.
What to do about it: Implement a regular interval at which employees must change their account passwords, such as every six months. Add system controls to ensure passwords meet certain strength requirements, such as length and avoiding dictionary words. For access to particularly sensitive applications and data, consider two-factor authentication for an extra layer of defense.
Why it matters for small businesses: Since a higher percentage of employees will naturally have access to sensitive information, they need to be your first line of defense.
8. No disaster recovery plan
Are you ready for an outage or hack? Are you sure?
Accidents happen. As much as you can and should try, it’s impossible to anticipate and avoid any incidents affecting the security and availability of your data and systems.
Your business needs rigorous, thorough “disaster recovery” plans, so if your data falls in the wrong hands, a critical application goes down, or an employee poses an insider threat, you and your team are ready to spring into action.
What to do about it: This is certainly a bigger issue to tackle—but one of the most important. Identify the biggest threats to your business by asking “what if…” and start by establishing policies and plans to answer those questions.
Why it matters for small businesses: As a small business, it’s less likely you have backups and contingency plans than large companies who pay people to think about those risks all day. And outages and disruptions can be incredibly detrimental to your revenue and customer trust.
9. Lack of documented and enforced security policies
You need written IT security policies, plain and simple. As of now, do you have any?
If you do have them… are they communicated to your employees? Do your employees actually understand?
In our experience, the answers are “not really”, “no”, and “definitely not” in the small business space. These are tricky concepts to grasp and this is a rapidly evolving space.
For most small businesses, it doesn’t make sense to have a cybersecurity specialist on your payroll full-time. And your IT team (if any, depending on your company size) is busy with activities critical to running your company today.
What to do about it: After you assess your exposure to the risks in this post, consult with experts and develop documented policies and procedures. Then, train your team and put the appropriate measures in place to track and improve compliance. The future of your company just might depend on it.
Why it matters for small businesses: For small companies, security is a real team effort. The best way to navigate cybersecurity is to make it second nature for everyone working for your company—get everyone on the same team protecting your business from rapidly changing risks.
Now What?
Feeling overwhelmed?
That’s understandable. The stakes are high. And for many small businesses, these concepts are completely new—and until now, off the radar.
After reading this post, we bet you feel compelled to take action to protect your small business. The first step is conducting assessments and audits to determine how exposed your business really is. The second step is putting new policies in place that will protect your company going forward.
We provided some helpful resources and first steps in this post to get you started. IT Ally™ also has your back. We offer several cybersecurity assessments that can get your business on the right path in no time.
The assessments check for many of the risks covered in this post.
IT Ally believes in delivering enterprise value to small businesses, so our assessments are comprehensive and offer the same value a Fortune 500 might get by engaging exorbitantly priced IT consultants.
Your small business needs an Ally — we’d be honored to help. Get in touch to start the conversation or schedule a 30-minute consultation with one of our key advisors.
[This article was originally published on itallyllc.com.]
