If cyber security isn't at the top of your operational priorities, you could be putting your business at risk. More than 70% of cyber attacks target small firms, and the cost of recovery can force an organization out of business.
What’s more: the 2018 Hiscox Small Business Cyber Risk Report found many businesses experienced more than one cyberattack in the past year, with some businesses reporting as many as five or more attacks. In all, the report states, small businesses "estimated their average cost for incidents in the last 12 months to be $34,605," with larger companies claiming that an "annual average cost of cybercrime was $1.05 million."
You may still think your small business isn't vulnerable to hacking, malware, or other forms of cyber security threats. But the fact is that the size of a business isn’t a factor when it comes to vulnerability. Those businesses that are serious about preparedness and who undertake a small-business cyber security plan are those most likely to withstand (and survive) a potentially devastating attack.
What is cyber security?
Cyber security can be defined as the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks.
Types of cyber attacks you should know about
Malicious attacks come in an array of forms. Innumerable viruses, malicious code, and malware applications are unleashed on the public every single day. Some of the most common and dangerous forms employ similar tactics.
The Ponemon Institute's 2018 State of Cybersecurity in Small and Medium Size Businesses study notes that the number of cyber security threats continues to rise, "with 67 percent experiencing a cyberattack and 58 percent experiencing a data breach in the past 12 months." At the same time, almost half of respondents said they have no understanding of how to protect their companies against cyberattacks.
Cyber security threats include:
Phishing or business email compromise
Let's say you receive an email requesting money. The message appears to resemble a service provider's invoice, but if you look a bit closer, you see there's something suspicious about the email address or formatting of the request. (Or it's unlikely your service provider would make a payment request in this manner.) This is one type of business email compromise that, when successful, enables hackers to gain access to accounts, extract private information, process unauthorized requests, and redirect funds to anonymous accounts.
One of the most invaluable business cyber security tips is handling any suspicious email with great care. Experts urge people looking at iffy emails to hover over hyperlinks (without clicking on them) to determine whether they'll send you to an unfamiliar or suspicious web page. If an email appears to originate from your ISP, bank, or credit card company, remember that these institutions will never ask for sensitive information like your password or Social Security number by email.
Malware (adware, spyware, ransomware)
These insidious attacks assume many guises, the most pernicious of which is called ransomware. When opened, this malicious software encrypts crucial files and keeps those files "hostage" until the victim pays a ransom to decrypt them. Ransomware gets into a business system when unsuspecting users:
- Download materials from a compromised website.
- Open a fraudulent email attachment.
- Employ an unauthorized USB stick or some other external media device.
Social engineering (identity theft)
Cyber criminals exploit our natural tendency to trust a message we receive and/or assist someone we believe to be in need. By impersonating a friend or some trusted institution, they hope to persuade you to divulge passwords or financial data, or otherwise gain access to your computer and then download malicious software.
If someone you know sends you an email containing a link they want you to click on, or an attachment that you're told is a photo or other file they want you to see, don't open it if there's the slightest suspicion that something's wrong. You could end up infecting your system (and, by extension, the company's entire system) with malware that can cause irreparable harm.
Distributed Denial of Service (DDoS)
Cyber criminals barrage a company's server, overwhelming it so that it slows significantly or even crashes. The system stops working at this point. This is perhaps the most common form of assault on cloud infrastructure and storage.
Password attacks (or brute force)
This type of cyberattack occurs when a hacker uses software to guess working passwords, typically by trying large numbers of candidates automatically, and then uses the passwords it finds to steal access.
These cyber security threats loom over every business, large and small. And the proliferation of connected devices — phones, appliances and cars, for example, called the internet of things — makes cybercrime and disruption all the more tempting for evildoers.
Cyber security tips for your business
IT experts agree that employees are often the weakest link in the fight against cybercrime. They often make critical mistakes because they lack the knowledge and training to recognize warning signs or avoid improper behavior while working online.
Here's a list of tips to aid in cyber security training and greatly enhance the security of your business data:
Cyber security dos
- Do strengthen and regularly change passwords and security questions that provide access to account information.
- Do train employees to avoid making critical mistakes, such as clicking on fraudulent links included in phishing scams. If they encounter something suspicious online, encourage them to report it.
- Do limit access to personally identifiable information (PII) and protected health information (PHI). Only employees whose job responsibilities explicitly require access to PII and PHI should be granted it.
- Do secure your computer and mobile devices using an updated operating system and the latest anti-spyware and anti-virus software.
- Do pause before clicking that link! Are there typos, spelling errors, incorrect grammar, or oddly worded phrases in the message? Does the URL contain unfamiliar characters or misspellings? These are clues that a hacker might have written it.
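The "hover over the link" check described earlier, and the "unfamiliar characters or misspellings in the URL" clue in the last tip, can be automated for an HTML email body. The following is an added example, not code from the article or from Paychex; the trusted-domain list and the sample email are constructed for illustration.

```python
# Added example (not the article's code): automates the "hover over the link" check.
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "paychex.com"}  # assumption: your known providers
SAMPLE_EMAIL = """<p>Your invoice is overdue. Review it at
<a href="http://secure-login.examp1ebank.com/pay">https://www.examplebank.com/pay</a> or
<a href="http://xn--exmplebank-53a.com">Example Bank</a>. Questions? See
<a href="https://examplebank.com/help">examplebank.com/help</a>.</p>"""  # constructed sample

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # hostname, lower-cased, without a leading "www."
    return re.sub(r"^www\.", "", (urlparse(url).hostname or "").lower())

def shown_host(text):  # domain the visible text claims to link to, or '' if not URL-like
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
    return host_of("http://" + m.group(1)) if m else ""

def link_warnings(html_body):
    """Return [(href, reason), ...] for links a reader should not click."""
    parser = LinkCollector()
    parser.feed(html_body)
    warnings = []
    for href, text in parser.links:
        host, shown = host_of(href), shown_host(text)
        if shown and shown != host and not host.endswith("." + shown):
            warnings.append((href, f"shows {shown} but really goes to {host}"))
        elif host.startswith("xn--") or not host.isascii():  # punycode / non-ASCII lookalike
            warnings.append((href, "unfamiliar characters in domain"))
        elif not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            near = difflib.get_close_matches(host, TRUSTED_DOMAINS, n=1, cutoff=0.8)
            if near:  # close to, but not exactly, a domain you trust
                warnings.append((href, f"looks like a misspelling of {near[0]}"))
    return warnings
```

Running `link_warnings(SAMPLE_EMAIL)` flags the first two links (a mismatched destination and a punycode domain) and leaves the genuine help link alone; a mail gateway or help desk can apply the same three checks before a user ever hovers.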
Cyber security don'ts
- Don't download software from the internet or click on internet links that launch websites or web ads, especially if the URLs don't appear to come from a trusted source.
- Don't respond to emails, open email attachments, or click links embedded in emails that include typos, spelling errors, incorrect grammar, or pop-up windows. Beware of suspicious subject lines and "urgent" calls to action. These are all telltale signs that an email might contain viruses or other malicious software.
- Don't enter personal or financial information into web forms that don't come from a trusted source.
- Don't respond to the IRS by email or social media. The IRS does not initiate contact with taxpayers by email or social media. Any unexpected call from someone claiming to be from the IRS and threatening arrest for failure to pay is a scam.
Develop an effective cyber security plan
Cyber security for your business could be simplified to mean just good decision-making. And not just by employees but by business owners as well. Think: Have you taken the cyber security threats seriously enough? Do you have up-to-date software to protect your business from the types of cyber attacks that could catastrophically damage it? If the answer is no or you're unsure, develop a cyber security plan.
These tips may increase the odds of adequate data protection in your favor:
1. Regularly assess existing risks and update IT systems.
When's the last time you had a top-to-bottom evaluation done of vulnerable areas in your security system? As malicious attacks become sophisticated, it's essential to conduct a thorough assessment once a year (or every six months, preferably), with an emphasis on exposing vulnerabilities of those key assets containing confidential information and intellectual property. At the same time, commit to routine maintenance and regular software updates on all company devices in order to keep your systems clean.
2. Back up your systems in the cloud.
Cyber thieves attack small businesses in many ways, including ransomware, in which they take your business data "hostage" and demand a ransom before releasing that data back to you. If you don't pay, that information remains essentially locked away and inaccessible forever. Businesses that have a small-business cyber security plan and store data properly are far less vulnerable to this form of cyberattack. Files should be backed up daily in multiple secure locations, such as the cloud or a hybrid data center. This way, in the event of an attempt at cyber blackmail, you have continual, uninterrupted access to the data you need.
3. Undertake an aggressive employee cyber security training program.
Intentionally or not, your employees represent a key weak link in any data security effort. There's always the threat of a disgruntled employee participating in a malicious attack, but security is frequently compromised by user mistakes or carelessness. Depending on your internal resources, consider implementing a cyber security training program that takes place on a regular basis so employees understand how critically important it is to maintain vigilance and to use good judgment with sensitive business data.
Start with passwords. Hackers employ weapons like "dictionary attacks" and "brute forcing" to uncover user passwords, so ordinary passwords only make their job easier — and put all of your data at risk. Passwords should include a complex combination of uppercase and lowercase letters, symbols, and numbers, and ideally be required to be changed every month on all devices. As reported in Small Business Trends, some experts advocate the implementation of "actual consequences for employees who don't follow password rules" because they "need to know you take password strength and integrity seriously."
4. Install mobile-device security measures.
At many small businesses, employees use their mobile devices to work and communicate throughout the company. Doing so via unsecured channels only increases the likelihood of a malicious attack. As part of your cyber security awareness training, establish policies to:
- Restrict the types of information these devices can access and share;
- Determine whether mobile devices provided by the business can be taken off-site; and
- Enforce network access control, whereby employees can access your business's VPN and email in a secure, reliable manner.
5. Plan a response to an unauthorized intrusion.
As part of your cyber security awareness training, establish procedures detailing how employees should act in the event of unauthorized intrusion like malware and phishing attempts. A comprehensive incident response plan that stresses the need to immediately contact the help desk or IT team may significantly curtail the effects of an attempted data breach.
Sadly, businesses of all sizes must live with cyber security threats. Taking a proactive, strategically defensive stance can typically minimize the risk to your business and customers, enabling you to continue to focus on other vital aspects of operations.
Make sure your business is protected
Your current business insurance coverage may not include the range of expenses incurred by many types of cyber attacks — from interruption of business operations and the need for customer notifications to comprehensive security upgrades and the effort required to restore your company's damaged brand. For these reasons, consider cyber liability insurance as part of a broader cyber security plan and in tandem with your regular business insurance and employment liability policies.
Key elements of any cyber liability insurance coverage should include:
- Coverage of all devices that might get lost or stolen.
- Support as a result of a hack or virus.
- Liability for slanderous blog content.
- Data corruption and/or theft.
- Crisis management, including public relations and brand-rebuilding assistance.
- Preventive and risk management policies.
An effective policy can enable you to craft appropriate social media practices, offer business interruption protection, and cover legal fees incurred by judgments or settlements. Contact a professional to learn more about this type of coverage, or speak with an independent agent with experience in this area.
For more information about what your business can do to protect against cybercrime, download the white paper, How to Protect Your Small Business from a Cyber Attack.
Insurance sold and serviced by Paychex Insurance Agency, Inc., 150 Sawgrass Drive, Rochester, NY 14620. CA License 0C28207.