Small Business Cybersecurity: A Business Owner’s Guide to Protecting Your Interests Online
Do you feel your business is protected against online threats? How much customer and employee data do you keep under your control? Do you see news reports about cyberattacks and wonder if your business is going to be next?
As a business owner, you have a responsibility to keep your employees and customers safe.
Cybercriminal tactics are constantly adapting to new defenses set in place by security professionals, causing many business owners to tell themselves to simply take the risk instead of trying to keep up.
In this guide, we review some common threats and solutions to provide you with all the information you need to keep your business safe.
Table of Contents
- What Is Cybersecurity?
- Why Is Cybersecurity Important?
- Cybersecurity Myths
- Cybersecurity Statistics
- Cybersecurity Tips
- Online Security Solutions for Small Businesses
- Conclusion: Now Is the Time to Create a Plan of Action
What Is Cybersecurity?
Cybersecurity refers to all systems, processes and tools used to defend against hackers, cyberthreats and other types of unauthorized access. It can refer to both virtual and physical security.
An Explanation of Cybercrime
Because cybercrime comes in many forms, it is also important to define it.
Cybercrime is a broad term that covers all criminal activities carried out online or using computers.
It is most often used in the context of hacking and data theft, but copyright infringement and forms of cyberterrorism also qualify.
For example, Assisted Living Concepts (now Enlivant) was the victim of a data breach in which thousands of employee records were stolen.
What makes it cybercrime is that the attacks were done using a computer against records held on a computer (not unlike your own employee files). It can happen to nearly any business.
Why Are People Driven to Cybercrime?
For the same reasons people are driven to any other type of crime. Cybercrime can pay well if the perpetrators don’t get caught, and it’s relatively easy money for those with the proper skill set.
Alternatively, people might have an ideology they want to push, and cybercrime gives them the means to do so. Cybercrime is, in many ways, merely an extension of regular crime to the digital world.
Business Cybersecurity Vs. Personal
It is vital to note that business cybersecurity, even when it pertains to small- and medium-sized businesses, is vastly different than personal cybersecurity.
Businesses need to use personal security measures as well as organization-wide tactics.
Why Is Cybersecurity Important?
Cybersecurity doesn’t seem important until you’re attacked. Without proper preparation, you will likely end up spending more resources on recovery than you would have on prevention.
Whether you currently believe it’s important or not, you should note the following reasons why professionals consider cybersecurity to be a top priority:
Protection from Financial Losses
While financial losses from cybercrime don’t usually come in the form of hackers draining bank accounts, your company could find itself on the wrong end of some scams.
For example, bank and credit accounts could be held up. If someone has access to company card information, fraudulent charges may appear and you may falsely suspect embezzlement, creating confusion within your organization.
Additionally, should news of this reach your customers, it could hurt sales, multiplying the damage done by the attack.
Customers do not like having to deal with stolen data and credit card fraud.
If your customers’ credentials get stolen, your business, in the eyes of the victims, will be as much to blame as the cybercriminal.
Any existing customers you have will be cautious about doing business with you in the future, and potential customers, dissuaded by the bad word of mouth, may end up choosing a competitor over your business.
This is especially the case if your business runs primarily online.
Potential Legal Liability
While few precedents have been set in the United States and the law is only emerging in Europe (through fines and damages), your business could potentially be found liable for damages if you are proven to have been negligent with cybersecurity preparations.
While few lawsuits are currently successful due to the standards of damage required for a successful suit, the question is: can your business realistically fend off a lawsuit and the bad press that would result?
Lost Productivity and Progress
If your storefront gets robbed, everyone must stop and perform damage control. A cybersecurity breach isn’t much different. New standards must be set, information must be secured and employees must be retrained.
You might be calculating the costs of such a hypothetical attack already, but to save you some time, know that it will set you back a few weeks, at least.
If trade secrets or your business plans are stolen in the attack, your competitors might gain advantages over you that would otherwise take years to get back.
Cybersecurity Myths
Your Business Won’t Be Targeted
It is not a matter of if but when your business will be targeted. According to a KPMG survey, 60 percent of small businesses have experienced a cyberbreach.
And attack rates are rising. Kaspersky Lab indicates ransomware attacks against businesses increased by 300 percent in 2016.
The same source indicates consumers experience even more attacks.
Your Business Has Relatively Little of Value
Most businesses have more valuable information than they realize. Cybercriminals and their associates have made a career of selling illegally obtained information. They know where to find a buyer.
The KPMG survey states that more than a fifth of small businesses do not consider their data valuable. Do not make this mistake.
Some of the types of information within your business accounts and devices hackers would find valuable include:
- Intellectual property
- Employee details
- Supplier information
- Contract details
- Accounts information and financial details
- Website data and assets
- Login information for expensive digital services
- Items linked to email accounts (this is a broad range)
- Information that would compromise your employees
Additionally, you need to consider that while some data might only be of value to you, hackers will realize this and could potentially hold it hostage.
People Won’t Find Out About or Care About a Breach
People will ask questions when their identity gets stolen, and the digital paper trail always leads somewhere. Additionally, in 48 of 50 states, there are laws mandating authorities be notified in the event of customer details being stolen.
According to KPMG’s study, 48 percent of London consumers state they were “extremely concerned” about having personal details stolen.
The same study states 58 percent of consumers would be discouraged from interacting with a business that experienced a breach.
Additionally, out of 599 businesses that experienced a breach, a clear majority (89 percent) felt it negatively impacted their reputation.
Compare this to the fact that only 29 percent of businesses that haven’t experienced a breach consider reputational damage an important consideration.
Basic and Free Services Will Be Enough
Many startups decide to cut costs by using only free or very cheap security services and other IT programs. The logic is that they cost far less yet compare with the premium options, so why not give them a try?
How do you think these types of business models work? Some use a premium model. Others use ads. Many will collect data from devices the app is installed on and sell it to others.
Consider the following about this:
- What types of measures and security do you think a security service would hide behind a paywall? Trend Micro, for example, hides its malware sweeper and blocker.
- Could the ads in security services themselves be a danger to your business? A study from North Carolina State University concluded that ads in smartphone applications were a security risk.
- If a security program is collecting data about your computer and mobile usage, isn’t that a security risk in itself?
- What about the customer support offered? Many free apps only have forums to help people experiencing an issue, and time is of the essence when under attack.
Free and sub-par programs put your business devices at risk. As a small business owner and professional, you need a professional program.
Physical Cybersecurity Is an Afterthought
Given the wide range of options available to hackers, why would a criminal bother getting within 100 miles of your physical business to steal your data?
There is a three-part answer to this question:
- Criminals are opportunists. If they see an opportunity for theft, they’ll steal just for the market price of the device itself.
- Smartphones are a gateway to a treasure trove of information.
- Cybercriminal activity with the device physically present is far easier than it would be remotely.
Any business cybersecurity strategy needs to account for the safety of physical devices.
Cybersecurity Statistics
The following are vital cybersecurity statistics you should learn and take into consideration as you plan your strategy:
63 Percent of Small Businesses That Experienced a Data Breach Experienced it in the Last Year
- This is according to the above-cited KPMG study.
- 60 percent of consumers were concerned about small businesses, stating that they worry smaller firms aren’t as secure.
- 93 percent of those who experienced a data breach found that the breach impacted their ability to operate.
Not Enough Businesses Are Protecting Themselves
From a study by Small Business Trends, we learn that very few businesses use the measures they should. For example:
- Only 38 percent of small business respondents made a habit of upgrading their security software solutions.
- Only 22 percent encrypt their databases.
- Out of those with a password policy, only 65 percent strictly enforce it.
The Cost of Cybercrime Will Reach $6 Trillion Annually by 2021
CSO brings up some thought-provoking information, specifically:
- This $6 trillion figure is now more than double what experts thought it would be last year.
- Cybersecurity spending is expected to exceed $1 trillion by 2021.
- Possibly 200 billion internet-connected devices will need protection by 2020.
Panda Labs found 18 million new malware samples in just Q3 2016.
Barkly sources this and provides even more information, most of it pointing to a bleak picture of the future of small business cybersecurity:
- Of organizations that dealt with an attack, 45 percent of them expect their cybersecurity budget to not change. Shockingly, 7 percent expect it to decrease.
- A survey from Friedrich-Alexander University states 78 percent of people claim to know the risks of clicking unknown links in emails, but the survey revealed that participants were far less knowledgeable than they thought.
Don’t fall into the same traps or habits as the above. You can prepare more and make decisions that will prevent you from becoming one of these statistics.
Cybersecurity Tips
There’s going to be a lot to accomplish when securing your business online. Below you’ll find tips and resources to guide you along that process:
1) Use the Best Tools Your Business Can Afford
As a reminder, you should generally not use free services. Whether you need server protection or basic security programs for the office, cutting costs will only cost your business more in the long run.
2) Use Strong Verification Measures
This means your business needs to get in the habit of using strong passwords that change regularly, PINs and two-factor authentication.
By habit, cybercriminals try the most common passwords first when attempting unauthorized access.
A more complete guide to creating the best passwords can be found here.
3) Secure Your WiFi Networks
Depending on your type of small business, you might provide WiFi to customers, clients or guests. Keep it separate from what your employees use.
As mentioned, hackers often use public networks to mine data from customers and businesses alike. You can learn more about this type of attack here.
4) Don’t Forget Mobile Security
Do not neglect smartphone use and abuse in your business. Most employees take personal smartphones into work, and they might unintentionally use them for business purposes, which can compromise information.
If business must be conducted outside the office, have employees use Virtual Private Networks (VPNs) on public networks as well as standard mobile security software for all work-related activities (even checking email).
5) Account for Human Error
Human error is involved in most data breaches. An extremely skilled cybercriminal isn’t going to try to crack your encryption so much as they are going to try to crack the people using your systems.
Training and retraining your employees in basic cybersecurity practices is vital. Be open with questions and review training every six months.
You can get ideas for what to teach employees here.
6) Adapt and Update
There is no such thing as resting on your laurels in the field of cybersecurity.
Whatever defenses you had six months ago have likely been cracked and are now virtually obsolete. New exploits are found and countered each day.
Take your training programs and your defenses and make sure they’re up to date. Cybercriminals rarely use old tricks for long, especially when they don’t work.
7) Your Business Needs a Detailed Cybersecurity Plan
If you should take away one thing from this guide, it’s that you should have a detailed cybersecurity document for your business.
It makes cybersecurity a professional endeavor instead of an afterthought.
Once you have your cybersecurity plan, you need to enforce it. Employees might not like it, but they’ll dislike dealing with a data breach more.
Online Security Solutions for Small Businesses
The following are some essential tools nearly any business needs to safeguard its information:
If you use a website to conduct business or do anything more than simply providing hours and your address, you owe it to both your customers and your business to install an SSL certificate on your website to provide an extra layer of encryption.
When in use, it encrypts data transmitted and received by visitors to your site. It also authenticates the website, guaranteeing visitors they’re not on a false webpage.
You can find out more about SSL protection here.
Security Suite Programs
General security suite programs are the backbone of cybersecurity. They protect your system from malware and let you customize your protection.
You’ll want to look for a plan for small businesses that covers multiple devices. Computer Weekly has an excellent guide to help you choose a package for your business.
A loss of all your data is a nightmare. If it does not destroy your small business outright, it will set you back for months and can lead to conflicts with your employees and customers alike.
While you should absolutely consider using physical storage for an immediate backup and storage solution for your business, that isn’t enough.
Investing in a safe online backup service will give you peace of mind and prepare your business for any event.
You will want to find one that can store all your data, uses a high level of encryption, automatically performs backups and has easy recovery options. This page will help you decide what’s best for your business.
Virtual Private Networks
In short, a Virtual Private Network (VPN) will connect a device to an offsite secure server, encrypting the data and using a protocol to make it appear that the device is connected to the internet from a different location. They are used for privacy and security alike.
To learn more about VPNs, this is an excellent resource. If you’re looking for information on which VPN might be best for you and your business, you’ll find what you need here.
These are all excellent places to start, but perhaps your business needs other tools as well. Other useful resources can be found here once you have the above set up.
Conclusion: Now Is the Time to Create a Plan of Action
The information above is all you need to get started on crafting a cybersecurity plan for your business. Your interests are too important, and your customers are too valuable to put at risk.
Your cybersecurity plan will be unique. You may not use every tool listed above, and you might add others.
The important takeaways are that you need to make cybersecurity a priority and that you need to create some plan of action.
Then you need to stay the course.