Most consumers today have been a victim of theft. While not everyone has had the harrowing experience of a home burglary or stolen car, a compromised email password or Social Security number has affected almost everyone. The FCC reports the theft of digital information has surpassed that of physical theft in the U.S. to become the most rampant type of fraud today.
As a small business owner, your cybersecurity business risk is even greater. Any commercial task you conduct through the internet is especially prone to exposing your customers to this often-devastating criminal activity. How then, should a responsible company approach cybersecurity? Here are some of the best practices that wise entrepreneurs are implementing today.
Understand the Value of Data
While no single piece of stolen information can be damaging on its own, fraudsters are experts at aggregating data to create whole online “personas” that can then be used to make purchases, wire money, or even claim benefits. An email here and a password there can result in a major headache for customers, if in the wrongs hands. While it usually takes a couple of pieces of info to do major damage, even credit card numbers without the accompanying security code (the 3-digit number on the back of VISA/Mastercard and the 4-digits on the front of AMEX), can be used in “no card present” transactions. Because of the potential for harm to your customers, it’s wise to treat every single bit of data as sensitive. Don’t allow customer info to be shared, stored, or used in anything but a secured environment.
Train your Employees
You are only as secure as your most careless worker. Shared passwords, log-in info, or even desktops should be discouraged. Keep each employee accountable for their own tasks and data trails. Know where and when info is being accessed. Also, all employees should understand the ramifications of properly securing data, even if they don’t deal with it during the course of their workday. Have an easy process for reporting suspected data breaches, and regularly update workers on best practices – as well as new security concerns that could affect the company.
Don’t Skimp on Security
Even the small company with just a few computers needs to invest in solutions that are secure. Consider hiring a professional to implement a security protocol and ensure networks and devices are properly secured and maintained. Set up reminders to update tools regularly, and avoid using “freeware” or unproven software products for your firewall, antivirus, and browser protection. Recognize the difference between the types of risks, such as malware, spyware, viruses, and ransomware.
Take Security on the Road
If you have road warriors working for your company, ensure they know the drill for connecting to public wi-fi and using computers at hotel business centers. Know the difference between working on a secured “intranet” and standard “internet.” Regularly check work laptops and phones for malicious programs and apps, as part of a work device maintenance program. Have conversations with your team about what’s acceptable to discuss in public (on a cell phone call, for example) and what should remain in the boardroom.
Backup, Backup & Backup Again
If you had a qualified and dedicated IT, team, they should be performing weekly (if not daily) backups of your data. Ask about what options are available for backing up information to both physical drives and the cloud. For smaller companies with just a few computers, it’s still necessary to create a means for retrieving data in a computer crash, power loss, or service outage. Look at creating a plan that keeps data both secure and accessible for when the worst happens.
Get Serious About Social
Have you heard of social media cyber-vandalism? It’s a new but scary occurrence of a hacker getting control of a business’ social media account and using it in an unauthorized manner. Not only can this type of cyber-hijacking cause damage to your brand’s reputation and messaging, but it can also put customer and fan information at risk. The SBA has created a comprehensive guide for how to prevent cyber-vandalism on platforms such as Twitter, Facebook, Instagram, and more. The basic standards for securing your accounts include:
- Create a team to develop, execute, and respond to social media communications and issues
- Understand each platform and the limitations
- Implement and communicate best-practices for each platform
- Utilize two-step authentication, when available
- Use templates and pre-approved messages, when possible
- Regularly monitor accounts for suspicious activity
- Recover compromised accounts promptly by working with social media teams, platform customer service, and your own internal security stakeholders
While a compromised social media account can be embarrassing, and sometimes damaging to your company’s sales or reputation, a quick and efficient recovery plan can make all the difference.
What if, despite your best efforts, you do experience a security threat? Fortunately, you are not alone, and there have been developments made in the ability for small businesses to get on track. One of these opportunities is through insurance coverages. While most companies have insurance plans that cover liability and some types of damages, standard plans often don’t protect against cyber-attacks. Specialized cyber insurance is the only way to recoup damages from cyber-attacks, Despite this fact, however, only 21% of small US companies (fewer than 250 employees) have invested in cyber insurance – compared to 58% of larger companies. Ask your insurance agent if this type of coverage is appropriate for your business.
What to Do If You’re Targeted
The cost associated with cybercrimes is high, and both the FCC and the SBA have dedicated significant resources to ensuring that today’s businesses are prepared for the newest cybersecurity crime (whatever they may evolve to look like.) If you find yourself the victim of a crime, inform local police, as well as your state attorney general right away. Stolen finances or identities should also be reported to the IC3 unit, and fraud should be brought to the attention of the FTC. Hopefully, your report can help others avoid a similar incident.
2022’s Latest Cybersecurity Risks to Business
Since the pandemic began, the cybersecurity business risk landscape has been focused on what the work-from-home trend has opened up in terms of vulnerabilities, and in 2022, that trend has continued.
According to Gartner, the top cybersecurity threats in 2022 are:
- Expanded places where attacks can take place (“attack surface”). Due to 60% of knowledge workers being fully remote, companies are now more vulnerable to uncovered security threats.
- Hackers using identity systems, like passwords or other login systems, to access confidential information and entire networks.
- Attacks on software providers, especially software-as-a-service (SaaS) and cloud providers, that can have an effect on any business that uses them.
- Human error, which has always been the biggest threat to cybersecurity at any business.
What is Phishing and How to Keep Your Business Safe
Phishing is the act of using digital means, like an email or text message, to present false premises to gain access information, such as login credentials, passwords, customer data, or even bank account details or money. Cybercriminals who use phishing tend to do it over email, and can be very convincing in their demand for information, often posing as a trusted official or threatening legal action. These emails are often sent to unsuspecting employees who follow the directions out of fear of doing something wrong.
A common phishing email may have a spoofed return email address that looks like it’s coming from an internal department to your company, like human resources or even the CEO. Some phishing emails look as if they’re coming from the IRS or another official government agency. They tend to have tones of urgency and speed, which makes them harder to ignore. A phishing email may contain:
- a link to log in to a spoofed site which will steal your login credentials
- an attachment that, when opened, will release a virus into the system
- demands that an employee send money or gift cards to an address or bank account for an urgent reason
The best way to protect your business is to make sure employees know about phishing emails and how to spot them. Some common ways to spot phishing emails include:
- Bad email addresses — cybercriminals can change the display name of their return email address to look like it’s from someone inside your company (e.g. “HR@mycompany.com”), but when you hover over it you’ll find that it’s a different email address, and often a free account from Gmail or Yahoo.
- Bad links — if you hover over a URL, you can see where the link will actually send you, which will often be a spoof site or a complicated URL.
- Attachments — viruses can be sent as PDFs pretending to be an invoice or statement, making them tempting to download or open.
- Typos or awkward language — phishing emails may contain typos or awkward sentence structures that don’t sound natural, including overuse of capitalized words or exclamation points.
- Unexpected contact — cybercriminals may pretend to be someone important to get an employee to respond to a phishing attack, and it may be someone who normally wouldn’t contact you for the reasons the phishing email says.
- Urgency — the phishing email may contain language demanding that something has to be done immediately, or else.
Make sure that you and your employees know how to avoid phishing, including:
- Verify email addresses and links
- Check with the “sender” via telephone or another communication channel before doing the requested task, especially if there’s sensitive data on the line
- Never download or open attachments until you’ve verified them
- Trust your gut on awkward language, typos, or weird requests
- Report phishing to IT security so they can investigate and block senders’ email addresses as necessary
Are Cybersecurity Attacks on the Rise?
As more and more companies use cloud computing, distributed workforces, and supply chain software, more vulnerabilities open up and cyberattacks continue to rise, especially ransomware attacks and malware attacks. According to ThoughtLab, cybersecurity attacks increased 15.1% in 2021 over the previous year, as part of a trend that they see continuing in the coming years.
What’s worse is that only half of U.S. businesses have a cybersecurity plan in place, and of those, nearly a third haven’t changed their incident response plan since the pandemic changed the work landscape, based on findings from cybersecurity firm UpCity.
Cybercriminals are not just increasing their number of attacks, they’re also getting more sophisticated, using social engineering to access sensitive information. They are consistently (and successfully) targeting bigger companies and government organizations for larger sums of money and information. In fact, according to Positive Technologies, 93% of company networks are now vulnerable to cybersecurity breaches.
What is the Future Scope of Cyber Security?
So how can companies manage the increasingly sophisticated barrage of cyber attacks and security risks coming their way?
Four risk management trends may address these issues, according to Gartner:
- Consolidated security products that address all attacks on a broader scale while cutting costs and increasing efficiency.
- A new approach to cybersecurity architecture called a cybersecurity mesh that handles security for assets regardless of where they are.
- Distributing the cybersecurity decision chain throughout an organization, rather than putting these big choices on the shoulders of one security officer, essentially deputizing members of the entire company to take responsibility for cybersecurity.
- Investing in cultural change throughout the company to move beyond compliance-based training and awareness and really get all employees involved in cybersecurity.
If you’re looking to expand your cybersecurity budget but don’t have the funds, small business loans or business credit cards may help open up your cash flow. Open a free account with Nav to see your best options today.
This article was originally written on July 6, 2018 and updated on February 8, 2023.