By Vince Mazza and Scott Saxe
November 17, 2021
Too many businesses think they are too small to worry about a cyber-attack, and many small businesses don’t even think about cybersecurity until after one has happened. Lacking cybersecurity can cost your business money and time and can result in lost or exposed sensitive information. The damage to your business’ reputation can be just as detrimental.
However, there are essential proactive steps you can take.
Why do you need cybersecurity?
If you’re connected to the internet, you’re at risk. Just like protecting your home, you must protect your digital assets.
Cyber-attacks are the new normal for small businesses. While most media reports have focused on corporate mega breaches, small businesses are now the new frontier for cyber criminals. In fact, a Ponemon report said 58% of small businesses experienced a data breach in the last 12 months.
The cost per attack averages $200,000 based on a recent Hiscox study. Even worse, one report suggests that 60% of small businesses fold within six months of a cyber-attack.
Why are small businesses so vulnerable?
There are major reasons small businesses are particularly vulnerable to cyber-attacks:
- They think they’re too small to be attacked.
- They don’t allocate enough of their budget to IT or cybersecurity.
- They can’t afford dedicated IT staff. And if they can, training and budgets are often inadequate. There are affordable IT providers, dedicated cybersecurity companies and packages that can work for you on a turnkey basis to protect and inform your company.
- Inadequate or non-existent computer and network security. Small businesses can’t respond to threats quickly enough or can’t detect them at all. Here again, there are affordable approaches most small businesses aren’t aware of.
- Lack of a backup plan. Many small businesses don’t back up their data offsite. Many of those that do don’t test and validate that data was backed up to ensure accessibility in an emergency.
- Employees unknowingly help cyber criminals attack businesses. Employees need to be more aware of attack methods as varied as social engineering calls and email scams. Policies also need to be put in place and enforced to mitigate the risks caused by employees.
- Small businesses are easier to attack. Hackers can find entry points to access valuable data more readily because of the absence of protection. Criminals can also use the business’ credentials to attack larger targets like suppliers and clients.
Common cybersecurity threats for small businesses
There are many cybersecurity threats for businesses. Here are a few common ones:
- Email and phishing scams use email and text messages to hook victims. Fake, official-looking information asks victims to click on a link to a web page and then enter sensitive financial and personal data. Cybercriminals use the data for identity theft, further attacks, or resale.
- Password theft. Cyber criminals can get access to passwords by tapping into databases, looking at servers to find unencrypted passwords, and using email, text messages or social engineering.
- Server attacks. DoS (denial of service), SQL injection, and drive-by attacks target websites and servers. DoS attacks overload system resources so they can’t handle the volume of service requests. SQL injection attacks read and modify sensitive data in databases. Drive-by attacks plant malicious code that will infect a visitor’s system to capture and transmit their sensitive data.
- Man-in-the-middle attacks involve hackers placing themselves between a victim and a legitimate service, for example with a fake page, to intercept the victim’s data. These attacks may also use phishing.
- Social engineering attacks involve human interactions to acquire sensitive information. This can include attacks like phishing and physical activities. For example, a bad actor could leave a USB key loaded with malware in your business, then an unknowing employee could plug it into a company computer and now be open to malware or other malicious programs.
Tips for securing your business from cybersecurity threats
The first step is to assess your risk. From there, it’s important to address any vulnerabilities and mitigate potential risk to your business and your customers.
- Assess risks and vulnerabilities. Hire a cybersecurity specialist to test all systems that have external access, such as websites, file shares, and other services. You should set up a simple, external vulnerability scan for your business at a regular cadence for maximum protection. Creating procedures to follow in case of a breach and making network and computer security top priorities (on par with other key business priorities) is equally important.
- Have a plan for all devices. You and your employees are likely accessing business data from multiple devices. While it’s very convenient to check work emails on your phone, that also opens a potential vulnerability. Be sure you’re incorporating mobile device security into your cybersecurity plans.
- Employee training is key. Make sure your employees are aware of cybersecurity threats and security policies. Educate employees that the impulse to trust others is one of the social engineering hacker’s key tools. Reiterate the importance of following protocol and questioning credibility before acting. Be sure to continually update your training procedures as you roll out new policies.
- Follow best practices for passwords. It’s prudent to make all passwords strong and unique. Additionally, use different passwords for different accounts. Make using strong random passwords containing letters, numbers, symbols, and special characters mandatory. Good passwords shouldn’t be easy to remember. Also, prompt your staff to change all passwords every few months.
- Use two-factor authentication to log in to apps and systems. An increasing number of apps and e-commerce websites use two-factor authentication to verify a user’s identity. Users receive a numerical code via an authenticator app and enter it along with their password to gain access. For sites that don’t support an authenticator app, you can also receive codes via email or text.
- Update your software and systems continuously. Make sure you’re running the latest versions and security patches. Properly configure network security and use antivirus software. Monthly vulnerability scans can assist you here.
- Back up all your data as protection against ransomware attacks. Use an offsite cloud provider in addition to on-site backup.
Make sure your digital tools are secure
You can take all the right steps to secure your business and still be vulnerable to cyberattacks if your digital tools aren’t secure.
There is no such thing as a 100% secure tool. That’s why you need to use products and services with a track record of success in the security and privacy space. We also suggest layering tools. In other words, use an appropriate tool for an appropriate activity. For example, use both a password manager and a virtual private network.
What’s an incident response and recovery plan? Do I need one?
A basic incident response and recovery plan should identify steps to assess damages and restart operations in the event of a cyber-attack. It should also determine who’s responsible for which tasks and how often to update the plan. It should involve a cybersecurity specialist to help you through the steps and take immediate action to help your business recover quickly.
In Part 2 of our Small Business Cybersecurity article, we’ll discuss what happens to your digital systems and data in a cyber-attack and the steps to take if you are breached.
Your company is not too small to worry about a cyber-attack, and having cybersecurity processes in place can save your business money and time and potentially save the business itself.
It is critical for your IT staff to develop and maintain strategies, enforce policies, and remain vigilant with essential cyber protocols. For those companies without the internal expertise, we recommend finding a trusted partner to help with your security posture.
If you want to protect your business or think it’s already been compromised, reach out to our team at Guard Street to learn more about how we can help protect all that you’ve built.
About Guard Street
Guard Street, headquartered in Wheaton, IL is a high-tech cybersecurity and protection company arming businesses and consumers with world-class products built to protect what matters most. Guard Street products, Cyber Attack Protection Plan and Remote Workforce Cybersecurity, provide a full range of vulnerability alerts, incident response, email security and cyber liability insurance that empower our customers to be less vulnerable to cyber risk and help ensure that organizations recover when they are a victim of a cyber-attack.
Learn more at www.guardstreet.com or engage with us on our social media pages.
© 2021 Guard Street Partners, LLC.