Small business owners must guard against cyber attacks or risk suffering potentially catastrophic financial loss.
Nearly one-third of fraud cases affected companies with fewer than 100 employees in 2016, according to a global fraud study conducted by the Association of Certified Fraud Examiners. That percentage is worrisome enough for small business owners, but it becomes alarming when considered alongside two more numbers revealed by the report:
- The median fraud loss for businesses, no matter the size, is $150,000.
- 60% of small business fraud victims recover nothing from their losses.
While the term “fraud” encompasses all forms of deceitful activity and theft – skimming, billing schemes, corruption, check tampering, non-cash misappropriation and more – the recent increase in cybercrime activity has created a dangerous new front in the fight against business fraud.
A 2017 report from the anti-malware firm Malwarebytes showed that cyber attacks on small companies increased by 500% from March 2016 to March 2017. Another study conducted by digital security company Keeper Security and data security consultation firm Ponemon Institute showed that half of all small and medium-sized businesses experienced a cyber breach from June 2015 to June 2016.
The numbers are significant and they are growing. Small business owners cannot afford to be careless when it comes to cybersecurity.
Why Companies are Vulnerable
According to the U.S. Small Business Administration (SBA), businesses become vulnerable to cyber attacks when they:
- Operate with outdated or insecure hardware and software
- Fail to establish solid security protocols or security policies
- Fail to establish procedures for properly securing information
- Conduct no oversight, or only careless oversight
- Fail to enforce existing security policies
When business owners overlook necessary security procedures, they leave their companies vulnerable to a large and growing range of cybersecurity risks. Threats can originate within a firm’s own walls or as far away as the other side of the globe.
Internal threats need not be malicious. Improperly trained employees might not know how to avoid exposing a company’s digital network to outside threats. Even so, it is in the interest of a business owner to thoroughly monitor computers and other digital assets to ensure they are secure and used only for business purposes.
External threats are more widespread and potentially more destructive. Potential external threats to a company’s cybersecurity include:
- Website tampering – This can include breaking into a system, defacing a website’s appearance, or installing invisible code that disrupts a specific web page or allows the installation of spyware.
- Data theft – This can include interception of emails and other sensitive transmissions, theft of private files, “phishing” emails that trick users into revealing personal information and more.
- Denial-of-service attacks – This kind of cyber attack is intended to overload and overwhelm networks, such as those used by e-commerce companies, and slow or shut down any web activity.
- Viruses and malicious code – These destructive programs or bits of code are designed to attach themselves to a computer system and hide there, recording and transmitting specific information or locking specific files.
- Ransomware – This malicious code allows a cyber attacker to take control of a set of files or even an entire network, then destroy the files or permanently lock out the owner unless a ransom is paid.
How to Secure Your Business against Cyber Attacks
The SBA, the U.S. Department of Homeland Security (DHS), the Federal Communications Commission (FCC) and other federal, state and local government agencies provide guidelines for business owners to confront cyber attacks.
The FCC also provides a helpful list of cybersecurity tips for small businesses. These include:
- Train employees on principles of cybersecurity.
- Provide proven firewall security for the company’s internet connection.
- Back up all important business data and store the backups separately.
- Require all employees to create unique passwords and use multi-step authentication where feasible.
The DHS has begun to recommend that companies consider purchasing cybersecurity insurance in addition to standard business insurance. Cybersecurity insurance is a relatively new addition to the cybersecurity toolbox, and not all insurance providers offer stand-alone coverage for cyber attacks.
Of all the safeguards a small business owner can take to guard against cyber crime, proper training and vetting of employees is perhaps the most effective. Training should be ongoing, and alerts should be issued on a regular basis as new cyber threats emerge.
The basic training should focus on awareness and best internet and email practices, according to the SBA. Security steps should include advising and reminding employees not to:
- Use an administrative account to visit unfamiliar, potentially unsecured websites
- Download software from unfamiliar sources
- Respond to pop-up ads or windows requesting immediate downloads
- Open attachments on emails from unfamiliar senders
- Reply to unsolicited emails
- Click on links within emails
Other security measures employees can take are regularly changing passwords, guarding passwords and other company information from outside users, and using only secure connections to conduct company business.
The SBA suggests that all business owners conduct internal audits of their cybersecurity preparedness at least once a year. No security measure has proven 100% effective, so every company owner should prepare a plan to recover after an attack. A recovery plan should include:
- A procedure to immediately lock down and protect any unaffected data from areas of the network infected by a cyber attack
- A communications method that quickly lets employees and stakeholders know that an attack has been detected and is being dealt with
- A way to measure and assess losses
- A procedure to efficiently reboot the network, scan all potentially infected areas to determine the extent of the attack, and prepare the system to come back online
- A post-attack assessment that updates the current plan with information gathered during and after the most recent attack