In our digitally-networked world that covets data, breaches are an everyday reality. A cybersecurity breach that targets a well-known brand name becomes a top news story garnering headlines and shock. The media often depicts malcontent masterminds going after corporate monoliths. Breaches that target small or medium-sized businesses (SMBs) rarely make headlines even though they can be equally devastating. The fact is there’s an increase in SMB attacks; they’re just not making the news.
The truth is that when a cybersecurity breach hits a smaller business, the impact of lost revenue from halting operations, the cost of remediation, and the loss of reputation in the aftermath of the breach, can result in the company closing up shop, permanently. According to Malwarebytes, in 2017 ransomware attacks caused nearly a quarter of SMBs hit to stop operations completely.[i] 2018 statistics show that approximately 60% of SMBs forced to suspend operations after a cyber attack fold within six months.
Another truth is that often the big-name breaches that appear on your newsfeed involved smaller businesses, and by breaching the SMBs, the hackers can get to the big corporations. For example, the Target breach of 2013 was actually caused when hackers used a smaller HVAC vendor to access the retail giant’s point of sale system.
However, according to an AT&T survey, amongst companies with fewer than 50 employees, only 53% place a high priority on cybersecurity and only 30% have an employee training program and incident response plan in place.[ii] It’s unimportant whether this lack of preparation is because of unwanted cost expenditure or derived from the belief that because they are small, they won’t be targeted. A scarcity of cybersecurity incident response planning and education is dangerous for businesses of all sizes, small, large or anywhere in between.
Jack Bienko, director of entrepreneurship education at the Small Business Administration, says, “There are two kinds of small businesses, one that’s been breached and one that doesn’t know it’s been breached.”[iii] The statistics don’t lie. As larger companies are better fortifying their cybersecurity defences, cybercriminals are targeting SMBs in increasing numbers. According to a Verizon data breach report, 58% of cyber-attack victims were small businesses.[iv]
Why are SMBs an irresistible target for hackers?
· They tend to lack sufficient cybersecurity measures and trained cybersecurity personnel
· SMBs can store data that is of interest to hackers (financial data, credit card numbers)
· Often, they fail to use a third-party service or offsite source to back up their files, thus making them vulnerable to ransomware
· They are sometimes connected to the supply chain of a more extensive company which can help hackers gain access to the larger company’s system
· Often SMBs lack incident response plans and employee cybersecurity education programs
A recent report, surveying over 1300 SMB CEOs showed that 62% of the respondents admitted to either not having an updated incident response plan or any kind of cybersecurity incident response plan in place. Not a favourable statistic when you consider that a cybersecurity attack can be so costly as to put a company out of business.
Many SMBs are under the impression that using technology to protect against breaches and ransomware is more effective than educating employees.[v] However, the vast majority of cybersecurity breaches begin with a socially-engineered phishing campaign. That means a human employee lets the intruder into your company’s network via a malicious email, app, link, or text, bypassing the cybersecurity technology you’ve put in place. Employees are the first line of cybersecurity defence and need to be educated on how to identify and deal with cybercrime tactics.
Here’s a scenario:
It’s April, which means it’s tax season. Your director of Human Resources gets an email from the CEO – but, it’s not the CEO, it’s a hacker who has obtained access to the CEO’s email or has created a close, virtually indistinguishable, approximation of the CEO’s email address. The HR director believes that the email is real and therefore also believes that the message’s request to email over copies of all employee T4s is also real. The director complies. Now the hacker has T4s with which to file fake tax returns. At the very least, they have acquired the names, addresses, and social security numbers of the employees.
If the employee had have known what to look for in the email or verified the request (because it is not a typical request), with the CEO before following through, then this breach could’ve been easily negated. Employees, educated about cybersecurity and phishing schemes, are a vital component to fortifying your SMB’s cybersecurity.
As the leader of your SMB here are some simple cybersecurity best practices you can adopt:
· Assume that your business is a target
· Educate and train your employees, making them aware and vigilant against potential cybersecurity threats
· If you lack technology resources in your company, find a provider who can help your company conduct a risk and vulnerability assessment
· Develop and practice an incident response plan
Cybersecurity planning and incident response need to be part of your overall business planning process. If you fail to plan for cybersecurity properly, then your business might face a future cyber threat that could have been prevented.
Address the risk before it becomes a crisis
If you are a SMB CEO or shareholder, it’s time to make cybersecurity a priority. You have pride of ownership, you’ve invested time and money into building your business, so protect it. You need to be proactive and create an incident response plan tailored to your small or medium sized business.
Rieva Lesonsky, small business consultant and CEO of GrowBiz Media and SmallBizDaily.com advises that business owners “Sit down and try and think of as many things as can happen, or spend the money to have a one-time consultation to find out where you’re vulnerable. Then take steps to fix those vulnerabilities.” Most importantly, she says, “don’t make it easy for cybercriminals.”[vi]