Protecting Your Small Business
October has been designated National Cybersecurity Awareness Month by the Department of Homeland Security. And while you may think your business is too small to be worried about cybersecurity, you’re wrong.
I recently talked to Stephanie Benoit-Kurtz, Lead Cybersecurity Faculty at the University of Phoenix and Principal Security Consultant at Trace3, about how small business owners can best protect their companies from cyberattacks.
Many small business owners and startups think their businesses are too small for cybercriminals to bother to hack. I know that is wrong. What danger do small businesses face?
Stephanie Benoit-Kurtz: Small businesses are a target for several reasons. Bad actors are aware they might not have large IT teams or systems to respond or prevent an incident. According to the FBI, cybercrime cost businesses more than $2.7B in 2020. With over 791,000 complaints, the bad actors are going where they can monetize the effort.
What cybersecurity risks should small businesses look out for?
Benoit-Kurtz: As organizations large and small are attacked, SMB attacks are growing in frequency, now closing the gap with larger organizations. According to Verizon, in the DBIR Report, smaller organization breaches have increased in frequency year after year. System intrusion is still one of the leading contributors to incidents. This is when bad actors gain access to data and systems.
What are the most common cyber threats for small businesses? Do these differ if you operate a virtual/remote business?
Benoit-Kurtz: Email and social engineering scams continue to wreak havoc on all businesses. PWC ran a phishing simulation on several financial institutions, and 70% of the emails were delivered with a 7% end-user click rate. It only takes one click to expose your organization to a bad actor. A vast number of payloads still come through email. The CISA has some great tips on how to avoid becoming a victim of phishing and social engineering.
These issues do not differ significantly between virtual or remote businesses vs. on-site businesses. Organizations need to provide regular phishing and social engineering training to reduce incidents. Several experts share that an estimated 70% of risk can be reduced by organizations that train employees to identify phishing and social engineering situations. This issue has only exponentially increased during the COVID-19 pandemic. In the 2020 Phishing and Fraud Report, F5 reports phishing attacks grew 220% during the pandemic.
The best defense is a good offense, and small businesses should invest in employee phishing and social engineering training. The services are relatively inexpensive and can provide an extra layer of protection for a small business.
Is there a password policy you recommend?
Benoit-Kurtz: The other leading threat is credential theft. Logins and passwords are exposed through an insecure connection or because they were used in a prior organization that was breached. Assume that all of your social media, personal email, and other logins and passwords have been disclosed in a breach somewhere. For your work accounts, do not reuse logins or passwords.
Often when an organization is breached, the logins and passwords go on sale on the Darkweb, where hackers purchase the lists and then look for victims in a spearphishing type of approach. The second recommendation is to make your password a little more complex. For example, do not use your child or pet’s name but a passphrase that contains special characters and numbers. Sometimes employees suffer from password fatigue. A password vault might be a better solution. This creates unique passwords and gives employees a tool to help them manage their accounts. PC Magazine published a great piece on the “Best Password Managers for 2021,” where they break down the benefits of different solutions.
Benoit-Kurtz: How do you keep data safe if employees work in coffee shops, airports, hotel rooms, etc.?
Free networks at coffee shops, hotels, restaurants, and airports are insecure. These convenient and easy-to-connect services are unmanaged and attack hackers that prey on unsuspecting users. Even if you need to enter your hotel room number or some type of passcode, it is likely an unprotected network where your personal and company data could be at risk. Look into providing employees with data plans on their cell phones or hotspots that allow for secure network access. This is where you tether your computer to a secure network connection to a cell phone or other LTE device. This type of connectivity also works for teams that need to collaborate. ComputerWorld, in the article “How to Use Your Smart Phone as a Mobile Hotspot,” provides specifics on how this simple practice can improve small business security posture.
What’s a VPN, and how does a small business set one up?
Benoit-Kurtz: If you must use public access internet while telecommuting or working remotely, a Virtual Private Network (VPN) is an excellent solution for creating an added layer of security. Think about a VPN as a wrapper around a piece of candy. The wrapper keeps the candy in and other contaminants out. VPN software provides encryption protection around your connection to the internet, making it much more difficult for hackers to intercept the communication. In addition, the software/service is relatively inexpensive, and small businesses do not need to build their own VPN. Instead, they can source a product on the market that provides security without huge costs.
How do you get employees to follow these guidelines?
Benoit-Kurtz: Part of a solid security program includes awareness training, tools, and metrics on use. Small businesses must be vigilant. Configuration management can be implemented to force employees’ machines to have endpoint protection. VPN clients must be used when you’re remote and do not allow connections to random networks. You can also make it fun, like rewarding employees with gift cards and company swag for staying compliant. Recognize the users that make an effort.
What’s the cost of a breach?
Benoit-Kurtz: Simply put, breaches are expensive. As a small business, your reputation and trust of your customers could be at risk. Small Business Trends estimates the average cost of a small business breach is $25,000. And IBM, in its annual Cost of a Data Breach Report, says in the past two years these costs have increased over 10%. However, that cost does not include loss of customer confidence and the associated loss of business when customers leave for the competition.
Is it expensive to make your small business cyber safe?
Benoit-Kurtz: No, having strong cybersecurity protection does not have to be expensive. Think about it like blankets on a bed. Cybersecurity provides layers of different technologies and processes that protect users. Training, VPN software, endpoint protection, and hotspots all greatly reduce risk and can be implemented without a large IT staff. As a small business, look for a security partner to assist you with solutions and scale that work within your budget.
There are lots of great resources to assist small businesses in their security journey. The SBA publishes numerous great materials, and there are security organizations that specialize in helping companies on their security journey. A great way to begin is to invite a security partner to provide a security risk assessment and help you get started. A great security partner will not only help you find your weak points but grow your security program as the threats landscape changes. If you do not have a security partner, do your homework and interview several organizations to find a good fit.
Of course, your SCORE mentor can help you make the right choice. Find one today.