Cybercriminals Love Your Small Business

By Chris Wisneski

In today's digital era, consumer data fuels businesses, making it an irresistible goldmine for cybercriminals. According to Accenture’s Cost of Cybercrime Study, while 43% of cyber-attacks target small businesses, only 14% are equipped to defend themselves. A cyber-attack not only disrupts normal operations but can also cause irreplaceable damage to important IT assets and infrastructure without the necessary budget or resources.

As a result, small businesses are struggling to defend themselves. According to Ponemon Institute’s State of Cybersecurity Report, small to medium-sized businesses around the globe report recent experiences with cyber-attacks:

• Insufficient security measures: 45% say their processes are ineffective at mitigating attacks
• Frequency of attacks: 66% have experienced cyber-attacks in the past 12 months
• Background of attacks: 69% say cyber-attacks are becoming more targeted

The assumption held by many small business owners that their size somehow grants them immunity from cyber threats is severely misplaced. On the contrary, their 'small' status makes them an even more enticing target for hackers. With fewer resources than a large corporation, small businesses typically have limited protective security controls implemented, making them more susceptible to attacks.

Furthermore, hackers are starting to target SMBs as a means to infiltrate larger corporations.  For example, Managed IT Service Providers (MSPs) provide technical support to a Fortune 500 company's regional HQ. Breaking through their sophisticated perimeter security and firewalls could be a daunting task for a hacker. However, if they can compromise a weaker, less-protected network from the MSP, this may provide them the avenue to compromise and gain access to the Fortune 500 company’s network and/or systems.

Ignoring cybersecurity can carry hefty risks. The next five years are expected to see a 15% increase in cybercrime costs, reaching 10.5 trillion by 2025 according to Cybersecurity Ventures. Stringent privacy regulations can enforce severe penalties, ranging from heavy fines if a data breach results in the exposure of consumers' sensitive personal information. Also, the FBI stated the average cost of a business email compromise attack is $130,000. Moreover, consumers increasingly demand that companies prioritize protecting their information. Failure to meet these expectations can lead to business losses, diminished consumer trust, and irreversible reputational damage.

You don’t need to have the resources of a major corporation to implement a robust cybersecurity program that will help you avoid the fallout of a data breach. The following are five actions you can initiate today:

1. Regularly update your software and apps. Too often, organizations tend to procrastinate on system updates and patches. However, software providers release patches and updates to fix known product and security vulnerabilities. Delaying these updates is akin to leaving your car doors unlocked.
2. Utilize Multifactor Authentication (MFA) on e-mail and externally facing systems. This may seem like an annoyance at first, but it's much less of a hassle than dealing with the aftermath of a data breach. MFA is an affordable (often free for e-mail) extra layer of protection that requires a unique, time-sensitive code or action to be taken, after a user enters their login credentials. And in 2023, this is becoming a requirement by cyber insurance providers in order to issue a policy.
3. Establish clear device use policies. Prohibit employees from using public Wi-Fi networks and conducting personal affairs on work devices. These practices can expose your system to malware or viruses, especially if your employees work remotely.
4. Regularly conduct security audits and risk assessments. Companies should conduct security audits and risk assessments to help identify vulnerabilities and prioritize investments in cybersecurity defenses. Additionally, companies can invest in pre-emptive solutions that can alert or block anomalous activities before they infiltrate the network.  Good examples are advanced threat detection or managed detection and response tools to identify and contain threats quickly.
5. Educate your employees. The World Economic Forum states that 95% of cybersecurity breaches are attributed to human error. Training your teams through cybersecurity awareness — which includes phishing attack avoidance, creating strong passwords, and assessing website and app safety — is paramount. Given the ever-evolving nature of cyber threats, a single training session once a year is no longer sufficient. More frequent and ongoing training is essential to ensure employees are aware of their responsibility on how to protect the organization's computer systems, along with its data, people and other assets, from internet-based threats or criminals.

Remember, just because you’re a small-sized business doesn't mean you have to accept weak security controls. Small businesses can utilize cost-effective tools to bolster their defenses considerably. In honor of Cybersecurity Awareness Month, Whittlesey Technology is offering businesses a complimentary, no-obligation cybersecurity health check for October. Contact us today to schedule your complimentary cybersecurity health check.