Small businesses, including start-ups, need a cybersecurity and privacy program, period. It drives sales and client trust, and it protects the integrity of financial, employee and other data across the whole business; in short, it is how you manage risk. The challenge is to get the size of the program right for the level of risk and the budget available.
According to a report by Ponemon Institute, 76% of small businesses in the United States suffered a cyber-attack in 2019. This number reflects an over 50% increase year over year in cybersecurity assaults on U.S. small businesses.
Let’s look at how small businesses can be vulnerable and some best practices to adopt in order to protect the organization.
Security and Privacy are clearly big concerns for a business with some form of online presence. However, even those companies without applications online can be quite vulnerable to cybersecurity threats. External threats include hackers launching attacks through email, SMS or social engineering and attacks over the Internet directed at your service or an Internet connection.
There is also some potential of a malicious insider (disgruntled employee) stealing data, but more likely is a non-malicious insider who mistypes an application command and accidentally deletes your only copy of the sales database. A robust security program protects you from this risk as well as malicious cyber threats.
For leadership in a small business, the topic of cybersecurity can seem a complex and overwhelming distraction from the organization’s core mission. However, a basic understanding of cybersecurity and privacy goes a long way if you are running a business in 2020 and beyond.
There are many kinds of cybersecurity tools available to small businesses. However, it would be impossible to list them all in a single blog post and the cost of them can add up. They can sometimes also act as a placebo, giving you the feeling that you have managed your risks - without actually doing so. So, let’s start with a couple of basic, commonsense protections that you probably should have in place.
Multi-factor authentication is highly recommended everywhere you enter username and password credentials. While many consumers know multi-factor authentication as something like an SMS text message sent after entering their password, many banks and government bodies are moving to multi-factor authentication apps or other non-text-message delivery, which is even better!
Firewalls, including some specifically for mobile devices, are servers and/or applications that act as the first, or sometimes the second, line of defense for all incoming traffic. A firewall will defend a network, a device, or both against many, but not all, kinds of cyber-attack. This could include things like malicious code injection, denial of service (DoS) attacks, viruses, malware and potentially malicious payloads embedded in documents. A firewall works best when it is custom configured for a specific network, application or device and for the specific needs of that instance.
Not using a firewall is a novice mistake as they capture and stop a large number of attacks. Also, firewalls are a requirement of most if not all compliance standards and frameworks—so you’ve got to have and use them. But make sure they are configured for maximum defense; do not just rely on the out-of-the-box defaults.
However, a smart attacker, using social engineering or even network penetration, can create malicious code designed to bypass firewalls. Therefore a layered cybersecurity approach can reap long-term rewards for even the smallest business.
The threats facing a small widget manufacturer versus a small Financial Tech company are in many ways similar, but there are significant differences. Different industries and technologies need to be secured in different ways. But all small businesses need to use some common sense and basic controls like strong password rules, firewalls, HTTPS for the website, multi-factor authentication, and encryption for data both in storage and in transmission.
There are three reasons to have a well thought out Privacy strategy:
- It’s the law
- Your customers expect and demand it
- It’s just the right thing to do
When people provide you with their personal data, you need to protect it. By entrusting you as a steward of this data, they expect that you will act responsibly. Not only does that mean having appropriate security controls in place, it also means tracking what personal data you collect, how, what for, and where it is processed, stored and shared with third parties. You may be surprised what counts as personal data, and it does vary between legal jurisdictions. But if you handle consumer payment card data or loyalty programs, have employees, or keep lists of business contacts, you are likely to have data that is subject to specific privacy protections in law.
A common hacking attack that threatens small businesses is social engineering (SE). SE attacks account for over 50% of all cybersecurity intrusions in one form or another. This could include social media, search results, email phishing, voice (telephone) phishing, SMS (Text) phishing, and link click bait.
Social engineering attacks can occur in multiple ways. SE attacks might be directed at the CEO or CFO in the form of a targeted spear phishing attack. Another form is the Business Email Compromise (BEC) scam. Still others can be directed at the corporate website using fake comments designed to elicit a malicious action from the user. There can be fake vendors and fake customers to inundate small businesses with negative comments and tarnish their reputation.
Some SE attacks can occur through social media. LinkedIn and Facebook are often used to mine information about people in the company and staff to glean easy insight into what they do inside their organizations.
SE can be in the form of someone contacting your customer service representatives with just enough information about a certain account to request a password change. While this may be directed at a specific user or client, it affects your company directly and can result in litigation or loss of business or both.
Cybersecurity training for employees is key to protecting your business from Social Engineering.
Your reputation, the security of your brand, and your key employees are paramount to any business. Cybersecurity is critical, and you need to pay attention to external (and internal) attacks via social media. A small business might have up-to-date security controls but may still be open to reputation attacks through social media. Configure Google alerts for your brand name and key employees. Look for suspicious, sudden changes in search results, which can be tied to reputation attacks. Create, adopt, and publish an acceptable use policy for social media and instruct employees not to share work-related information. Train people how to identify fake accounts versus real ones.
Protecting the security of the business should be viewed as a positive thing to share with investors, partners, and clients. We all want to do business with companies who are perceived to be safe and security minded. Studies show that conservatively 20-25% of US companies that suffer a data breach permanently lose clients.
These numbers can increase dramatically if you are a financial, health care, or insurance company.
Building out a robust cybersecurity and privacy governance program is hard and takes a lot of time that you don’t have. At Truvantis our team of senior security and privacy professionals are experts at developing a security governance program that is tailored to meet your unique needs. We have developed and delivered hundreds of expert programs which keep companies secure all over the world. We can do it once and do it right in a fraction of the time that it would take you to do it internally on your own. So, call or email Truvantis today. We are happy to discuss with you our approach to this universal challenge. Our absolute goal is 100% client satisfaction. In fact, we have built our business on just that: your happiness with our service.