What is Cyber Security and What Does it Mean for Your Business?
If cyber security isn't at the top of your operational priorities, you could be putting your business at risk. More than 70% of cyber attacks target small firms, and the cost of recovery can force an organization out of business.
What's more: the 2021 Hiscox Small Business Cyber Risk Report found many businesses experienced more than one cyberattack in the past year, and 1 in 6 businesses said an attack threatened their survival. The report found that small businesses in particular felt a substantial impact from cybercrime, with some small firms suffering losses of up to $308,000.
What is cyber security as it relates to your specific business? You may think your small business isn't vulnerable to hacking, malware, or other forms of cyber security threats. But the fact is that the size of a business isn't a factor when it comes to vulnerability. Those businesses that are serious about preparedness and undertake a small-business cyber security plan are those most likely to withstand (and survive) a potentially devastating attack.
What is Cyber Security?
Cyber security can be defined as the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks, unauthorized access, or criminal use. As the U.S. Cybersecurity and Infrastructure Security Agency notes, the first step in defending your business against a cyber security attack is having a keen understanding of the risks associated with various forms of online activity, basic cyber security terms, and how to protect yourself, your employees, your customers, and the business at large.
Why is Cyber Security Important?
Given that so much business is conducted online these days, there are near-constant risks to the security of your data, networks, servers, and devices. And just as cyber security is important to a business, it's also important and impactful to customers and their data. This may include sensitive information such as:
- Personally identifiable information (PII), such as Social Security number, bank account number, or email address combined with the password or security question and answer.
- Protected health information (PHI), such as health records, lab test results, and other medical information.
- Intellectual property, such as patents, domain names, and confidential product information.
Having a solid cyber security infrastructure in place can help your organization defend itself against potential data breaches or cyberattacks, secure important information related to the business and your customers, and maintain the integrity of your business.
What are the Risks of a Security Breach?
Cyber security threats loom over every business, large and small. And the proliferation of connected systems and devices makes cybercrime and disruption all the more tempting for evildoers.
In the event of a business cyber security breach, there are many potential ramifications for an organization. Some of the consequences may include:
- Revenue loss: For instance, shutting down a compromised website could hinder sales or cause website visitors to take their business elsewhere. There are also issues such as the cost of repairing damaged systems that could come with a hefty price tag. Also consider the possibility of a ransomware attack. Hiscox found that 71% of U.S. firms targeted in a ransomware attack paid a ransom to either recover data or to prevent publication of sensitive information.
- Reputational damage: The Hiscox report also noted that nearly a quarter of businesses that were attacked received negative publicity as a result — a sizable increase from the 14% who said the same in 2020.
- Regulatory costs: With recent laws enacted such as the California Consumer Privacy Act (CCPA), businesses could face penalties in the wake of a security breach. Hiscox reported that 18% of U.S. firms targeted paid a substantial fine that had a significant impact on the financial health of the business.
- Lost customers: In addition to the business's reputation being on the line, a security breach can also impede an organization's ability to attract and keep customers. Hiscox reported that 19% of respondents who suffered a cyberattack lost customers, with nearly just as many (18%) saying they had greater difficulty attracting new customers after the fact.
Types of Cyber Attacks You Should Know About
Malicious digital attacks come in an array of forms. Innumerable viruses, pieces of malicious code, and malware applications are unleashed on the public every single day. Some of the most common and dangerous forms employ similar tactics.
The Ponemon Institute's 2020 State of Cybersecurity in Small and Medium Size Businesses study notes that the number of cyber security threats continues to rise, "with 60 percent experiencing a cyberattack and 44 percent experiencing a data breach in the past 12 months." At the same time, 42 percent of respondents said they have no understanding of how to protect their companies against cyberattacks.
Familiarize yourself with the following cyber security risks for businesses.
Phishing or Business Email Compromise
Let's say you receive an email requesting money. The message appears to resemble a service provider's invoice, but if you look a bit closer, you see there's something suspicious about the email address or formatting of the request. (Or it's unlikely your service provider would make a payment request in this manner.) This is one type of business email compromise that, when successful, enables hackers to gain access to accounts, extract private information, process unauthorized requests, and redirect funds to anonymous accounts.
One of the most valuable business cyber security tips is to handle any suspicious email with great care. Experts urge people looking at iffy emails to hover over hyperlinks (without clicking on them) to see whether they lead to an unfamiliar or suspicious web page. If an email appears to originate from your ISP, bank, or credit card company, remember that these institutions will never ask for sensitive information like your password or Social Security number.
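The "hover over the link" advice can be applied to a whole HTML email at once. The script below is an added example (it is not from the original article and not code from any of the organizations it cites): it parses every link in an HTML message body, compares the address the reader sees with the address the link actually points to, and flags the common signs of a disguised link: a visible domain that differs from the real destination, a raw IP address as the target, and a punycode (xn--) hostname that may be a look-alike domain. The sample email body, the hostnames, and the "registrable domain" heuristic (last two labels of the hostname) are all constructed assumptions for this example.

```python
# Added example: flag disguised links in an HTML email body.
# Not from the original article; sample email and heuristics are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain (e.g. 'example.com/help'), or None."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    """Crude registrable domain: 'mail.example.com' -> 'example.com' (assumed heuristic)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html_body):
    """Return [(href, visible_text, [reasons])] for links that look disguised."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = _host(href)
        if target is None:
            continue
        # Only treat the visible text as a "shown address" if it looks like one.
        shown = _host(text) if re.search(r"\w\.\w", text) else None
        if shown and _registrable(shown) != _registrable(target):
            reasons.append("visible text shows %s but the link goes to %s" % (shown, target))
        if _is_ip(target):
            reasons.append("link target is a raw IP address")
        if any(label.startswith("xn--") for label in target.split(".")):
            reasons.append("internationalized (punycode) hostname, possible look-alike domain")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: an "invoice" email with one honest link and two disguised ones.
SAMPLE_EMAIL = """
<p>Your invoice is ready. <a href="https://billing.example.com/inv/1">View invoice</a></p>
<p>Or log in at <a href="http://203.0.113.5/login">https://www.example.com/login</a></p>
<p>Questions? <a href="https://xn--exmple-cua.com/help">example.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_EMAIL):
        print(href, "|", text)
        for reason in reasons:
            print("   -", reason)
```

Run as a script, it reports the second and third links and leaves the honest "View invoice" link alone. A mail gateway or a help-desk triage tool can apply the same checks before a user ever sees the message; the two-label "registrable domain" heuristic is deliberately simple and would need a public-suffix list for production use.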
Malware (Adware, Spyware, Ransomware)
These insidious attacks assume many guises, the most pernicious of which is called ransomware. When opened, this malicious software encrypts crucial files and holds them "hostage" until the victim pays a ransom to decrypt them. Ransomware gets into a business system when unsuspecting users:
- Download materials from a compromised website.
- Open a fraudulent email attachment.
- Employ an unauthorized USB stick or some other external media device.
Social Engineering (Identity Theft)
Cyber criminals exploit our natural tendency to trust a message we receive and/or assist someone we believe to be in need. By impersonating a friend or a trusted institution, they hope to persuade you to divulge passwords or financial data, or otherwise gain access to your computer and then download malicious software.
If someone you know sends you an email containing a link they want you to click on, or an attachment they say is a photo or other file they want you to see, don't do it if there's the slightest suspicion that something's wrong. You could end up infecting your system (and, by extension, the company's entire network) with malware that can cause irreparable harm.
Distributed Denial of Service (DDoS)
Cyber criminals barrage a company's server with traffic, overwhelming it so that it slows significantly or even crashes, at which point the system stops working. This is perhaps the most common form of assault on cloud infrastructure and storage.
Password Attacks (or Brute Force)
This type of cyberattack occurs when a hacker uses software to determine (and then steal) working passwords.
Data Leaks
As previously mentioned, a business holds a great deal of information, from PII to intellectual property. A data leak, which is the intentional or unintentional release of secure or confidential information to an untrusted third party, can damage the business as well as its employees and customers.
Viruses
The Small Business Administration defines viruses as malicious code or "harmful programs intended to spread from computer to computer (and other connected devices)." There are many ways that a computer virus can spread: a user can open an attachment in a phishing email, run an executable file, visit an infected website, or use an infected removable storage device, such as a USB drive.
Cyber Security Tips for Your Business
IT experts agree that employees are often the weakest link in the fight against cybercrime. They often make critical mistakes because they lack the knowledge and training to recognize warning signs or avoid improper behavior while working online.
Here's a list of tips to aid in cyber security training and greatly enhance the security of your business data:
Cyber Security Dos
- Do strengthen and regularly change passwords and security questions that provide access to account information. Best practices for passwords suggest having a mixture of the following:
  - 10+ characters in length
  - Both uppercase and lowercase letters
  - Special characters
- Do provide cyber security tips for employees. This includes training your staff to avoid making critical mistakes, such as clicking on fraudulent links included in phishing scams. If they encounter something suspicious online, encourage them to report it.
- Do limit access to PII and PHI. Only employees whose job responsibilities explicitly require access to PII and PHI should be granted it.
- Do secure your computer and mobile devices using an updated operating system and the latest anti-spyware and anti-virus software. Also consider securing and encrypting your Wi-Fi network.
- Do pause before clicking that link! Are there typos, spelling errors, incorrect grammar, or oddly worded phrases in the message? Does the URL contain unfamiliar characters or misspellings? These are clues that a hacker might have written it.
- Do secure computers and networks. This involves deploying the latest security software, web browser, and operating system. Ensure that antivirus software is set to run a scan after each update, and install software updates as soon as possible.
- Do implement multi-factor authentication to augment security. Multi-factor authentication requires a user to present an additional factor beyond the password in order to log in to an account.
- Do enable your operating system's firewall, which can prevent outsiders from accessing data on a private network.
Cyber Security Don'ts
- Don't download software from the internet or click on internet links that launch websites or web ads, especially if the URLs don't appear to come from a trusted source.
- Don't respond to emails, open email attachments, or click links embedded in emails that include typos, spelling errors, incorrect grammar, or pop-up windows. Beware of suspicious subject lines and "urgent" calls to action. These are all telltale signs that an email might contain viruses or other malicious software.
- Don't enter personal or financial information into web forms that don't come from a trusted source.
- Don't respond to the IRS by email or social media. The IRS does not initiate contact with taxpayers by email or social media. Any unexpected call from someone claiming to be from the IRS and threatening arrest for failure to pay is a scam.
Develop an Effective Cyber Security Plan
Cyber security for your business could be simplified to mean good decision-making, not just by employees but by business owners as well. Think: Have you taken cyber security threats seriously enough? Do you have up-to-date software to protect your business from the types of cyber attacks that could catastrophically damage it? If the answer is no or you're unsure, develop a cyber security plan.
These tips may increase the odds of adequate data protection in your favor:
1. Regularly assess existing risks and update IT systems.
When's the last time you had a top-to-bottom evaluation done of vulnerable areas in your security system? As malicious attacks become sophisticated, it's essential to conduct a thorough assessment once a year (or every six months, preferably), with an emphasis on exposing vulnerabilities of those key assets containing confidential information and intellectual property. At the same time, commit to routine maintenance and regular software updates on all company devices in order to keep your systems clean.
2. Back up your systems in the cloud.
Cyber thieves attack small businesses in many ways, including ransomware, in which they take your business data "hostage" and demand a ransom before releasing that data back to you. If you don't pay, that information remains essentially locked away and inaccessible forever. Businesses that have a small-business cyber security plan and store data properly are far less vulnerable to this form of cyberattack. Files should be backed up daily in multiple secure locations, such as the cloud or a hybrid data center. This way, in the event of an attempt at cyber blackmail, you have continual, uninterrupted access to the data you need.
3. Undertake an aggressive employee cyber security training program.
Intentionally or not, your employees represent a key weak link in any data security effort. There's always the threat of a disgruntled employee participating in a malicious attack, but security is frequently compromised by user mistakes or carelessness. Depending on your internal resources, consider implementing a cyber security training program that takes place on a regular basis so employees understand how critically important it is to maintain vigilance and to use good judgment with sensitive business data.
Start with passwords. Hackers employ weapons like "dictionary attacks" and "brute forcing" to uncover user passwords, so ordinary passwords only make their job easier — and put all of your data at risk. As mentioned above, passwords should include a complex combination of uppercase and lowercase letters, symbols, and numbers, and ideally be required to be changed every month on all devices.
4. Install mobile-device security measures.
At many small businesses, employees use their mobile devices to work and communicate throughout the company. Doing so via unsecured channels only increases the likelihood of a malicious attack. As part of your cyber security awareness training, establish policies to:
- Restrict the types of information these devices can access and share;
- Determine whether mobile devices provided by the business can be taken off-site; and
- Enforce network access control, whereby employees can access your business's VPN and email in a secure, reliable manner.
5. Plan a response to an unauthorized intrusion.
As part of your cyber security awareness training, establish procedures detailing how employees should act in the event of unauthorized intrusion like malware and phishing attempts. A comprehensive incident response plan that stresses the need to immediately contact the help desk or IT team may significantly curtail the effects of an attempted data breach.
Sadly, businesses of all sizes must live with cyber security threats. Taking a proactive, strategically defensive stance can typically minimize the risk to your business and customers, enabling you to continue to focus on other vital aspects of operations.
Make Sure Your Business is Protected
Your current business insurance coverage may not include the range of expenses incurred by many types of cyber attacks — from interruption of business operations and the need for customer notifications to comprehensive security upgrades and the effort required to restore your company's damaged brand. For these reasons, consider cyber liability insurance as part of a broader cyber security plan and in tandem with your regular business insurance and employment liability policies.
Key elements of any cyber liability insurance coverage should include:
- Coverage of all devices that might get lost or stolen.
- Support as a result of a hack or virus.
- Liability for slanderous blog content.
- Data corruption and/or theft.
- Crisis management, including public relations and brand-rebuilding assistance.
- Preventive and risk management policies.
An effective cyber security policy can help you craft appropriate online practices, secure business interruption protection, and cover legal fees incurred by judgments or settlements. Contact a professional to learn more about cyber liability coverage, or speak with an independent agent with experience in this area.