You hear about the big cyber crimes—the Equifax data breach that exposed the financial information of 143 million consumers, for instance. What you don’t hear about are cyber attacks on small businesses.
But they happen—a lot.
According to a June 2016 Ponemon Institute report, 55% of small to medium-sized businesses said they had experienced a cyber attack in the past twelve months.
These attacks can be costly. The small and mid-sized businesses that reported attacks in the Ponemon survey lost an extrapolated value of $879,582 from damage or theft of IT assets and $995,429 from disruption of their normal operations.
Small businesses clearly need to protect themselves from the risk of a cybersecurity breach. You may not be able to stop all hackers, but you can definitely take steps to lessen the threats by building a strong small-business cybersecurity framework.
The most common cyber attacks reported by small and medium-sized businesses were web-based attacks and phishing or social engineering attacks, according to the Ponemon survey.
Web-based attacks are simply attempts to install malware on your network through the internet. This can include anything from spyware that steals passwords to ransomware that can shut down your system unless you pay a ransom.
In phishing and social engineering, a cyber criminal may try to trick employees into disclosing passwords, credit card numbers, or similar information by sending them emails or instant messages that appear to come from a trusted source—say their banks. Unwitting employees can be led to bogus sites that may install malware or steal password and bank account information from employees, customers, or clients.
Tom’s Guide is a good source of reviews for antivirus software products for small businesses. The table below summarizes some of this resource’s recent recommendations for antivirus software.
Premium Software for PCs | Best Mac Antivirus | Best Android Antivirus Apps |
Kaspersky Total Security—9 | Kaspersky Internet Security for Mac—9 | Bitdefender Mobile Security (Best Paid Option)—8 |
Bitdefender Total Security—8 | Avast Free Mac Security—8 | Norton Mobile Security (Best Freemium Option)—8 |
Trend Micro Maximum Security—7 | Bitdefender Antivirus for Mac—8 | Avast Mobile Security—7 |
Norton Security Premium—7 | Norton Security Deluxe—7 | CM Security Master—7 |
F-Secure Safe—7 (Frontier offers F-Secure under their own brand, Frontier Secure.) | AVG AntiVirus For Mac—7 | Lookout Security and Antivirus—6 |
ESET Smart Security Premium—6 | Sophos Home—6 | PSafe DFNDR—5 |
Panda Global Protection—6 | Avira Free AntiVirus for Mac—6 | |
McAfee Total Protection—6 | McAfee AntiVirus Plus—6 | |
Note: Numerical rankings next to each software program are on a ten-point scale.
Source: Tom’s Guide
The rankings are based on criteria such as how much malware was detected, how much the program slows down your system, and whether the software includes extras like password managers or theft-deterrence features. Some of the top-ranked antivirus software programs include firewall protection as well.
Create a unique password for everything that’s connected to the internet—not only computers but also routers, switches, mobile devices, and so forth. Don’t use the same password for the router and the computers, change passwords regularly, and use strong passwords—a combination of characters, numbers, and symbols that would not be guessed easily.
Also require employees to use strong passwords and to change them regularly. They need to do this for any device that might contain company information or connect to company networks, including mobile devices.
Consider going even further to protect your business from security breaches by requiring two-factor authentication (also known as multi-factor authentication). Two-factor authentication requires an employee to prove their identity with more than one factor—for instance, a password plus a one-time-use code sent to their phone.
Although small businesses can find it hard to make time for employee training, it’s critical to include it in your small-business cybersecurity plan. Some types of cyber attacks, particularly phishing attacks, rely on tricking people, and training your staff can help mitigate a breach.
Make sure you and your employees know how to recognize these attacks and avoid online risks. Become familiar with some effective tips on how to protect your business from phishing.
Only those who really must have access to data should have it. For instance, Human Resources doesn’t need to see client data, and your sales staff doesn’t need HR records. Business owners should grant access privileges only as needed and update access restrictions as people change positions across or outside of the company.
Immediately revoke data privileges anytime an employee leaves your company, or change passwords to the systems they had access to. Disgruntled employees who retain network privileges can cause tremendous damage if they can get into your database easily.
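One way to run the access review described in the two paragraphs above, as an added example that is not from the original article: it compares what each account can read against the current staff roster and flags grants to revoke. The department names, data-set names, users and the `review_access` helper are all constructed for illustration.

```python
from dataclasses import dataclass

# Data sets each department needs. Assumption modelled on the text:
# HR does not need client data, and sales does not need HR records.
NEEDED = {
    "hr": {"hr_records"},
    "sales": {"client_data"},
    "it": {"client_data", "hr_records", "backups"},
}

@dataclass(frozen=True)
class Account:
    user: str
    grants: frozenset  # data sets this account can currently read

def review_access(staff, accounts):
    """Return (user, action, detail) findings.

    staff    -- dict of user -> current department (the staff roster)
    accounts -- iterable of Account (what the systems actually allow)
    """
    findings = []
    for acct in sorted(accounts, key=lambda a: a.user):
        dept = staff.get(acct.user)
        if dept is None:
            # Not on the roster: the person has left, so every grant goes.
            if acct.grants:
                findings.append((acct.user, "revoke_all", ",".join(sorted(acct.grants))))
            continue
        allowed = NEEDED.get(dept, set())  # unknown department gets nothing
        # Grants left over from a previous position show up here.
        for extra in sorted(acct.grants - allowed):
            findings.append((acct.user, "revoke", extra))
    return findings

# Constructed sample data.
STAFF = {"alice": "hr", "bob": "sales", "dana": "it"}
ACCOUNTS = [
    Account("alice", frozenset({"hr_records", "client_data"})),  # moved from sales to HR
    Account("bob", frozenset({"client_data"})),
    Account("carol", frozenset({"hr_records", "backups"})),      # left the company
    Account("dana", frozenset({"client_data", "backups"})),
]

if __name__ == "__main__":
    for user, action, detail in review_access(STAFF, ACCOUNTS):
        print(f"{user}: {action} {detail}")
```

Running the review on a schedule, and again whenever the roster changes, catches both leftover grants after a role change and accounts that outlive an employee's departure.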
Your small-business cybersecurity plan should also include a system to back up your data. You need to be able to replicate critical files quickly if hackers attack so your business can continue day-to-day operations. Having backup data also leaves you less vulnerable to the risk of ransomware.
A firewall, which can be either software or hardware, monitors attempts to connect to your network and helps keep hackers out. Make sure you have firewall protection for your entire network, routers as well as all computers.
Antivirus software takes care of viruses that make it past the firewall, perhaps through a thumb drive or a download from a questionable site. Use high-quality antivirus software, and be sure to promptly install patches to all of your company software. Don’t make it easy for hackers to access your information by failing to stay up to date on patches.
You should also include mobile device security in your small-business cybersecurity plan. It’s convenient for employees to use their own devices for work, but you need to make sure they take steps to manage the risks associated with this use. Ask them to install security apps, encrypt sensitive data, and use password protection if they’re using a personal device for work.
Small businesses should discourage employees from using public wireless networks, where hackers can access their computers. If they want to work online outside of the office, have them use a virtual private network (VPN) or personal hotspot.
Depending on your budget, you may want to hire a consultant who works with small businesses to advise you on a small-business cybersecurity plan and provide services that address your specific security risks. Products like Kaseya VSA, Comodo One, and Cradlepoint NetCloud Engine can provide remote monitoring and security.
For more on the pros and cons of small businesses outsourcing their cybersecurity to a cloud-based service provider and what to look for in a provider, Infosecurity Magazine provides some useful tips.
You may also want to talk to your insurance provider about whether your policy covers cyber crime, and if so, to what extent. Consider buying extra coverage if your general liability policy doesn’t cover security breaches.
Cyber criminals are constantly changing their strategies, and you need continued vigilance to stay one step ahead of them.
The website of the National Cyber Security Alliance is a great resource for information on cybersecurity threats and recommendations to help business owners protect their data. The National Cyber Security Alliance hosts regular training events for small businesses, including monthly webinars, that can help ensure your small-business cybersecurity plan is solid.
The US Department of Homeland Security also provides information on small-business cybersecurity trends and ways to protect yourself from small-business cybersecurity threats.
If you do business with sensitive government agencies, such as the Department of Defense, you may need to take extra measures to manage risks. To find out more, contact the Department of Defense Office of Small Business Programs (DOD OSBP).
*SMBs are vulnerable to cyber attacks. https://www.ponemon.org/blog/smbs-are-vulnerable-to-cyber-attacks