
Challenges Small Businesses Face in Securing Their Enterprise


With smaller teams, older technology and fewer resources, small businesses face an increased risk of cyber attacks. In fact, 50% of cyber attacks target small businesses. Small businesses also have a more difficult time recovering from a cyber attack - 60% will close within six months following a cyber security incident. 

Here are some common tactics cyber criminals use, and ways to strengthen your business’ cyber security: 

Common Cybersecurity Challenges


Phishing

During a phishing attack, scammers will send you fraudulent - though often quite convincing - text messages or emails to con you into revealing personal or financial information, or installing malware. Phishing is the second-most common type of cyber attack that small businesses face. Companies with fewer than 100 employees receive 350% more social engineering attacks, including phishing, than larger companies. 

To strengthen your company’s cyber security against phishing attacks, make sure your employees are trained to detect phishing and know what to do if they suspect an attack. You can even run a phishing simulation to see if your employees know what to do. 

Some tell-tale signs of phishing include grammatical errors, imitation of a known brand, spoofed links, spoofed websites, compressed attachments and embedded files. The greeting may be either very generic or very personalized, depending on the type of attack. When encountering a suspicious email, employees should not click on any links or attachments. They should notify the IT/security team immediately. If the message appears to be coming from a legitimate business or known individual, the employee can reach out to the person/business through official channels (e.g. the official website, phone number or email). The employee should not respond to the suspicious email.
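One of the signs listed above, a spoofed link, can be checked mechanically: the domain a link displays is compared with the host the link actually points to. The following script is an added example written for this post, not code from JANUS; the email body it scans is constructed, the `examplebank.com` / `example-bank.co` names are made up, and the "registrable domain" helper is a simplification (it keeps the last two labels and does not consult a public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside the current <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.anchors.append((self._href, visible))
            self._href = None


# Something that looks like a domain name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url_or_domain):
    """Hostname a browser would really connect to (lowercased), or None."""
    candidate = url_or_domain.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname   # ignores userinfo and port
    return host.lower() if host else None


def registrable_part(host):
    """Assumption: last two labels stand in for the registrable domain
    (no public-suffix list), which is enough for this demonstration."""
    return ".".join(host.split(".")[-2:])


def find_spoofed_links(html_body):
    """Return (visible_text, href, reason) for each suspicious anchor."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        real_host = host_of(href)
        if real_host is None:
            continue
        shown = DOMAIN_IN_TEXT.search(text)
        if shown:
            shown_host = shown.group(0).lower()
            if registrable_part(shown_host) != registrable_part(real_host):
                findings.append((text, href,
                                 f"text shows {shown_host} but link goes to {real_host}"))
        if IPV4.fullmatch(real_host):
            findings.append((text, href, "link target is a bare IP address"))
    return findings


# Constructed sample message: one spoofed link, one legitimate link, one bare-IP link.
SAMPLE_EMAIL = """
<p>Your account needs verification.</p>
<a href="http://login.example-bank.co/verify">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">www.examplebank.com/help</a>
<a href="http://203.0.113.7/update">Click here</a>
"""

if __name__ == "__main__":
    for text, href, reason in find_spoofed_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}: {reason}")
```

The first anchor is flagged because the text advertises `examplebank.com` while the link resolves to `example-bank.co`; the second passes; the third is flagged only because its target is a bare IP address. A mail gateway or a quarantine review tool can run the same comparison before a user ever sees the message.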


Ransomware

During a ransomware attack, hackers will gain access to your company’s data and effectively hold it hostage. The data breach may occur through fraudulent emails with malicious links or files, server vulnerabilities, infected websites or online ads. Once the hackers have your data, they will demand money or cryptocurrency to get it back. The trouble is, even if you pay, the hackers may still keep the data or even destroy it. Not to mention, your business operations will be at a complete standstill during the breach. 

St. Margaret Health, a small rural hospital in Spring Valley, Illinois, closed permanently in 2023 in part due to the lasting impacts of a ransomware attack that took place two years earlier. During the attack, the hospital was unable to submit claims to insurance, Medicaid and Medicare for more than three months. Providers also did not have access to patients' online medical records during that time. 

To protect your business from ransomware attacks, make sure your cyber security is up to date, train your staff on what to look out for and how to respond, back up your data and have a plan in place. In the event of an attack, disconnect all infected devices from your network, alert the authorities and notify your customers, in accordance with state and federal laws, if their data was compromised. 


Insider Threats

Insider threats are when a known entity such as an employee or former employee puts your business at risk, either intentionally or unintentionally. Unintentional threats fall into two categories: negligent and accidental. Examples of negligence could include disregarding cybersecurity policies, misplacing a device with sensitive data on it, or ignoring security updates. Accidental insider threats include an employee mistakenly clicking on a malicious link or file. Intentional threats could involve an employee changing data or inserting malware. 

Insider threats, whether intentional or not, can halt business operations, compromise sensitive customer data and lead to reputational damage and financial ruin.

To protect your business from insider threats, train your employees to detect fraudulent emails, encourage them to use strong passwords and multi-factor authentication, keep your security systems up to date, and only allow access to data on a need-to-see basis. 


Weak Passwords

If just one of your employees uses weak or default passwords, it could mean trouble for your entire organization. Some of the ways hackers steal passwords include running guesses through software and bots until the right match is found, using phishing techniques to get users to reveal their passwords, and using malware that records keystrokes or login credentials. 

A major east coast city's Law Department suffered a data breach in June 2021 after a single employee’s email was stolen. The department was not using multi-factor authentication and as a result, sensitive data was compromised and trials were delayed. 

In addition to using multi-factor authentication, passwords should be at least 12 to 16 characters long and every password should be unique. To create a strong password, use a random combination of mixed-case letters, numbers and symbols. To keep your company’s passwords secure, consider investing in a password manager.
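The password guidance above can be turned into a check that runs where accounts are created, plus a generator of the kind a password manager uses. This is an added example, not JANUS code: the 12-character minimum follows the post, the symbol set and the small common-password list are constructed for the demonstration (a real deployment would screen against a much larger breached-password list), and `already_used` stands in for whatever store you keep of passwords already assigned.

```python
import math
import secrets
import string

MIN_LENGTH = 12                       # lower bound from the post
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"  # constructed symbol set for this example
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": SYMBOLS,
}
ALPHABET = "".join(CLASSES.values())

# Constructed stand-in for a breached/common password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome1", "letmein"}


def check_password(password, already_used=frozenset()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pool in CLASSES.items():
        if not any(c in pool for c in password):
            problems.append(f"missing a {name}")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if password in already_used:          # uniqueness: never reuse across accounts
        problems.append("already used for another account")
    return problems


def generate_password(length=16):
    """Random password from the OS CSPRNG with every character class present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [secrets.choice(pool) for pool in CLASSES.values()]   # one of each class
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the class order is not predictable
    return "".join(chars)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing work, in bits, for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["Password1", "correct horse", generate_password(16)]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    print(f"16 random characters from this alphabet: {entropy_bits(16):.1f} bits")
```

Note that the length rule is the one that matters most against the guessing attacks described above: every extra character multiplies the work by the alphabet size, whereas the class requirements only make a short password slightly harder to guess.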


Outdated Software and Systems

Outdated software can leave your business exposed to cyber security threats. Small businesses in particular are at risk, due to their reliance on firewalls and basic antivirus software. More advanced security options at higher price points are often out of reach. But even larger companies don’t always keep their systems up to date. 

In 2017, credit agency Equifax had a major data breach that exposed the personal data of nearly 150 million Americans because they did not install a software upgrade. In addition to regulatory fines and reputational damage, Equifax also paid a $380.5 million settlement to affected consumers. 

Using more advanced security software means a higher price tag up front, but it could save your company thousands or even millions of dollars in the long run should you suffer a data breach. As hacking strategies evolve, it’s important that your security does too. Even top-notch security software needs regular updates and occasional patches to be effective.


Malware

Malware is software intended to disrupt, damage or gain unauthorized access to a device. Types of malware include viruses, trojans, spyware and ransomware. 

Cyber criminals often trick users into downloading malware by bundling it with free downloads such as apps, games, or movies. Once malware has been installed on your device, the cyber criminal can steal sensitive data, lock you out of the system, remotely access your systems, or even destroy the computer system. 

To protect your business from malware, use security software and a next-generation firewall. Set your security software, browser and operating system to install updates automatically. Educate your employees on safe browsing practices: install only well-known software from official sources; type the URL into a browser rather than clicking on links in emails; do not click on pop-up ads; avoid USB devices, and if one must be used, security-scan it before opening anything on it; and pay attention to any security warnings.


Compliance Challenges

Handling customer data with care is not only important for your business’ image, it is also required by law.

If your business suffers a data breach due to insufficient cyber protection or improper protocols, your business may be subject to fines and penalties. Non-compliance with data protection regulations such as PCI or HIPAA can result in hefty fines. 

The data breach could also result in a class-action lawsuit. Costs associated with legal advice, litigation, and settlements can be substantial. Some of the steps you can take to ensure your business remains in compliance are to keep your cyber security software up to date, conduct a risk assessment, monitor who has access to what, encrypt any data you send, develop cyber security policies and procedures, and regularly train employees on these policies and procedures.


Strategies for Enhancing Cybersecurity

As hackers come up with new ways to steal information and wreak havoc on businesses, it’s critical to make sure you are continuously enhancing your cyber security.

  1. Security Policies - Develop a security policy that ensures compliance with any applicable cyber security regulations. Regularly educate employees on these policies. 
  2. Password Management - Use a password management system to keep passwords secure and educate employees on how to create strong passwords. 
  3. Regular Software Updates and Patch Management - Set software to update automatically and install patches when needed. 
  4. Backup and Recovery Plans - Regularly back up your data and develop a recovery plan in the event of a data breach. To develop a plan, conduct an IT inventory, identify what data is critical to your business operations, consider what factors pose a threat to the data, and assign staff roles and responsibilities in the event of a breach. Don't forget to test your back-ups to ensure they will work properly should you need them.
  5. Use of Security Tools and Services - Install antivirus software and use a firewall to protect your data. Consider hiring a professional cyber security firm. 
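Step 4 ends with testing your backups, and the simplest meaningful test is a restore check: record a fingerprint of every file when the backup is taken, restore to a scratch location, and compare. The script below is an added example for this post, not a JANUS tool; it builds a small constructed file tree in a temporary directory, "restores" it by copying, then damages the copy to show what a failed verification reports.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """SHA-256 hex digest of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    Returns a list of (problem, relative_path) tuples; empty means the restore
    reproduced every file byte-for-byte with nothing missing or added.
    """
    restored = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(("missing", rel))
        elif restored[rel] != digest:
            problems.append(("modified", rel))
    for rel in restored:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return problems


def run_demo():
    """Constructed scenario: a clean restore, then a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "readme.txt").write_text("invoice records\n")
        (source / "customers.csv").write_text("id,name\n1,Example Co\n")

        manifest = build_manifest(source)          # taken when the backup is made
        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)          # stands in for a real restore
        clean = verify_restore(manifest, restored)

        # Simulate a corrupted file and a file the restore failed to bring back.
        (restored / "docs" / "readme.txt").write_text("invoice records (corrupted)\n")
        (restored / "customers.csv").unlink()
        damaged = verify_restore(manifest, restored)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

Keep the manifest somewhere other than the backup media itself; if an attacker or a disk fault alters both the backup and its manifest together, the comparison proves nothing. Scheduling this check after each backup job turns "we have backups" into "we have backups we know restore".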


Make Sure Your Small Business is Protected

Cyber security is a critical part of running a business, no matter how big or small your business is. Small businesses often have fewer cyber security resources, making them a prime target for hackers. 

To see if your business has adequate cyber security, conduct a risk assessment. You can also run a simulation to see if employees know what to do in the event of a data breach. 

Working with a professional cyber security firm like JANUS allows you to focus more on running your business and leave your business’ cyber security to the experts. 

In business since 1988, JANUS offers a full range of high-quality cyber security, privacy, and regulatory compliance services at affordable costs. Contact us today to see how we can help protect your business.



CONTACT JANUS ASSOCIATES

With over 35 years of experience, JANUS Associates is well-equipped to assist you in achieving your security, privacy, and compliance objectives.

Contact us today to discover how we can help safeguard your organization from data breaches and ensure a secure digital environment for everyone involved.