A Cybersecurity Plan Can Be a Key Productivity Hack for Your Business

It’s in the news almost daily now, cyberattacks. Making the big headlines are those instances that paralyze the operations of some of the world’s major corporations. What you don’t often hear — and these attacks are far more frequent — are those that impact small and midsized businesses.

Numbers can vary from year and study, but according to research conducted by Paychex for its guide on cybersecurity, cyberattacks on small and midsized businesses are on the rise from the 70-plus percent in 2020. However, a recent report by CNBC based on their study showed that 56% of small-business owners say they are not concerned about being the victim of a hack in the next 12 months, and only 28% have a response plan in place in the event of a cyberattack.

This confidence that an attack won’t occur flies in the face of the 2021 Hiscox Small Business Cyber Risk Report that found many businesses experienced more than one cyberattack in the past year, and 1 in 6 businesses said an attack threatened their survival. The report found that small businesses in particular felt a substantial impact from cybercrime, with some small firms suffering losses of up to $308,000.

Is your business prepared to withstand a cyberattack? Having a strong cybersecurity posture can help your organization defend itself against cyberattacks, secure important information related to the business and your customers and maintain the integrity of your business.

Cybersecurity Tips for Your Business

Cybersecurity can be defined as the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks, unauthorized access, or criminal use. The Small Business Administration (SBA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Trade Commission are excellent resources that offer additional tips for combating cyberattacks.

IT experts agree that employees are often the weakest link in the fight against cybercrime. They often make critical mistakes because they lack the knowledge and training to recognize warning signs or avoid improper behavior while working online.

Here's a list of tips to aid in cybersecurity training and greatly enhance the security of your business data:

Cybersecurity Dos

• Use strong passwords and regularly change them. Also, use strong password managers (security questions)
• Use good internet browsing practices
• Keep software up to date, including latest anti-spyware and anti-virus software, that secures your computers, phones, and tablets
• Enable authentication tools (e.g., authentication apps, multi-factor authentication, and more)
• Enable your operating system's firewall, which can prevent outsiders from accessing data on a private network
• Limit access to PII and PHI. Only employees whose job responsibilities explicitly require access to Personal Identifiable Information (e.g., Social Security number, bank account number) and Protected Health Information (e.g., health records, other medical information) should be granted it.

One key component is to provide cybersecurity tips for employees such as training and encourage reporting of suspicious emails or online content. Implement regular courses through a Learning Management System and update the training regularly.

Cybersecurity Don’ts

• Downloading software from the internet or clicking on internet links that launch websites or web ads
• Don't respond to emails, open email attachments, or click links embedded in emails that include typos, spelling errors, incorrect grammar, or pop-up windows. Beware of suspicious subject lines and "urgent" calls to action.
• Don't enter personal or financial information into web forms that don't come from a trusted source.
• Don't respond to the IRS by email or social media. The IRS does not initiate contact with taxpayers by email, social media, or even by phone. Any contact in this manner is a scam.

What are the Risks of a Cybersecurity Threat?

Cybersecurity threats loom over every business, large and small. And the proliferation of connected systems and devices makes cybercrime and disruption more tempting for those intent on committing a crime. A story reported by the BBC in February of 2022 cited new analysis that nearly 75 percent of the money made from ransomware attacks in 2021 went to hackers linked to Russia, and other statistics report that ransomware in Russia is a projected $21 billion industry in 2022.

In the event of a business cybersecurity breach, there are many potential ramifications for an organization. Some of the consequences might include:

• Revenue loss: Shutting down a compromised website could hinder sales or cause website visitors to take their business elsewhere. Repairing damaged systems could come with a hefty price tag. Hiscox found that 71% of U.S. firms targeted in a ransomware attack paid a ransom to either recover data or to prevent publication of sensitive information.
• Reputational damage: The Hiscox report also noted that nearly a quarter of businesses that were attacked received negative publicity as a result.
• Regulatory costs: With recent laws enacted such as the California Consumer Privacy Act (CCPA), businesses could face penalties in the wake of a security breach. Hiscox reported that 18% of U.S. firms targeted paid a substantial fine that had a significant impact on the financial health of the business.
• Lost customers: A security breach can impede an organization's ability to attract and keep customers. Hiscox reported that 19% of respondents who suffered a cyberattack lost customers, with nearly just as many (18%) saying they had greater difficulty attracting new customers after the fact.

Types of Cyber Attacks You Should Know About

Digital malicious attacks come in an array of forms. Innumerable computer viruses, codes, and applications of malware are unleashed on the public every single day. Some of the most common and dangerous forms employ similar tactics.

Smishing

Smishing is the latest technique by bad actors to gain access to information. It’s like phishing but comes via text where there are fewer protections in place and uses all the hallmarks of phishing; demands for urgency, appearance that text is coming from trusted source, links to malicious websites.

Phishing or Business Email Compromise

One of the most invaluable business cybersecurity tips is handling any suspicious email with great care. Experts urge people looking at iffy emails to hover over hyperlinks (without clicking on them) to determine whether they'll send you to an unfamiliar or suspicious web page. If it is an email that originates from your ISP, bank, or credit card company, remember that these institutions will never ask for sensitive information like your password or Social Security number. According to FBI statistics for 2019, business email compromise accounted for $1.7 billion in fraud losses.

Malware (Adware, Spyware, Ransomware)

These insidious attacks assume many guises, the most pernicious of which is called ransomware. When opened, this malicious software seizes crucial files and keeps those files "hostage" until the victim pays ransom to decrypt them. Ransomware gets into a business system when unsuspecting users:

• Download materials from a compromised website.
• Open a fraudulent email attachment.
• Employ an unauthorized USB stick or some other external media device.

Social Engineering (Identity Theft)

Cyber criminals exploit our natural tendency to trust a message we receive and/or assist someone we believe to be in need. If someone you know sends you an email containing a link they want you to click on, or an attachment contains what you're told is a photo or other attachment they want you to see, don't do it if there's the slightest suspicion that something's wrong.

Distributed Denial of Service (DDoS)

Cyber criminals barrage a company's server, overwhelming it so that it slows significantly or even crashes. The system stops working at this point. This is perhaps the most common form of assault on cloud infrastructure and storage.

Password attacks (or Brute Force)

This type of cyberattack occurs when a hacker uses software to determine (and then steal) working passwords.

Data leaks

A data leak, which is the intentional or unintentional release of secure or confidential information to an untrusted third party, can damage both a business as well as its employees and customers.

Viruses

There are many ways that a computer virus can spread: a user can open an attachment in a phishing email, run an executable file, visit an infected website, or use an infected removable storage devices, such as a USB drive.

Develop an Effective Cybersecurity Plan

Cybersecurity for your business could be simplified to mean just good decision-making. And not just by employees but by business owners as well. Think: Have you taken the cybersecurity threats seriously enough? Do you have up-to-date software to protect your business from the types of cyberattacks that could catastrophically damage it? If the answer is no or you're unsure, develop a cybersecurity plan.

These tips might increase the odds of adequate data protection in your favor:

1. Regularly assess existing risks and update IT systems.

It's essential to conduct a thorough assessment once a year (or every six months, preferably), with an emphasis on exposing vulnerabilities of those key assets containing confidential information and intellectual property. Also, commit to routine maintenance and regular software updates on all company devices.

2. Back up your systems in the cloud.

Businesses with a cybersecurity plan that store data properly are far less vulnerable to ransomware. Files should be backed up daily in multiple secure locations, such as the cloud or a hybrid data center, to ensure you have continual, uninterrupted access to the data you need if an attack occurs.

3. Undertake an aggressive employee cybersecurity training program.

Security is frequently compromised by user mistakes or carelessness. Consider implementing a cybersecurity training program that takes place on a regular basis so employees understand how critically important it is to maintain vigilance and to use good judgment with sensitive business data.

4. Install mobile-device security measures.

Use of mobile devices to work and communicate throughout the company increases the likelihood of a malicious attack because the channels are unsecured. Establish policies to:

• Restrict the types of information these devices can access and share
• Determine whether mobile devices provided by the business can be taken off-site
• Enforce network access control, whereby employees can access your business's VPN and email in a secure, reliable manner.

5. Plan a response to an unauthorized intrusion.

A comprehensive incident response plan that stresses the need to immediately contact the help desk or IT team might significantly curtail the effects of an attempted data breach. Taking a proactive, strategically defensive stance can typically minimize the risk to your business and customers, enabling you to continue to focus on other vital aspects of operations.

Make Sure Your Business is Protected from a Cyberattack

Your current business insurance coverage might not include the range of expenses incurred by many types of cyberattacks — from interruption of business operations and the need for customer notifications to comprehensive security upgrades and the effort required to restore your company's damaged brand. For these reasons, consider cyber liability insurance as part of a broader cybersecurity plan and in tandem with your regular business insurance and employment liability policies.

An effective cybersecurity policy can help secure business interruption protection and cover legal fees incurred by judgments or settlements. Contact a professional to learn more about cyber liability coverage.