It seems that 2014 was the year of data breaches in the business world. Target, Home Depot, AT&T, JP Morgan, eBay, P.F. Chang's and other high-profile brands all fell victim to cybercriminals, compromising both the companies' reputations and their customers' information.
Because these companies are so large, they were all able to mobilize their resources and recover from the breaches. But if the same thing happened to a small business, there's a good chance it would be ruined for good. In fact, a survey by Experian found that 60 percent of small businesses that suffer a cyberattack shut down after six months.
In light of the alarming rate at which hackers are targeting businesses, every company, regardless of size, should make cybersecurity one of its top priorities in 2015. Experts offered the following New Year's resolutions that small business owners should make to keep their data safe.
Test your security system
The growing rate of cyberattacks has led many security experts to warn businesses that they should assume that they'll be targeted by hackers at some point. The more you understand about how a cybercriminal can break into your system, the better prepared you'll be to prevent a potential breach. Testing your system of protections, especially after updating your software or implementing a new technology, can help you gain these insights.
"[Have] a cybersecurity firm ... test to find weak points in your protections, [then] address them and get them fixed," said Pat Fowler, a partner with Snell and Wilmer law firm and leader of its privacy, data protection and cybersecurity group. "It's better to do it with a friendly consultant than ignore it and find out one day that you've been breached."
Secure your mobile apps
You know you need to protect your business's website and payment system, but what about your mobile app? If you've created an app for your customers to use, it may not be as secure as you think.
"Mobile apps serve as a portal to your business' system as well as your customers' phones," said Asaph Schulman, vice president of marketing at Web and mobile-app security solutions provider Checkmarx. "Making sure your app is secured before releasing it to the public will keep you and your customers happy and safe. Don't assume that your Web developer will consider security as part of their brief, unless you insist on it."
Check your vendor vulnerabilities
Every company does business with third-party vendors in some capacity. This means you're exposed to third-party risks simply by being associated with those outside groups. One important step to protecting yourself from a breach is making sure the companies you work with have also made security a priority.
"It is important that companies understand the data that is exchanged with vendors, and whether those vendors have the right data security in place," said Tim Francis, enterprise-cyber lead at Travelers, a provider of cyber insurance. "This can mean [employing] information security programs, complying with industry standards around data, limiting access to data, sharing data with subcontractors, and having cyber insurance and their own data-breach plan in place."
Keep cybersecurity in your budget
By now, most businesses have realized that cyberattacks can and do happen to companies of all sizes, every day. These companies know how devastating a breach can be, and yet some are responding to cost-cutting pressures by decreasing their cybersecurity protections. IPCopper, a provider of network forensics and packet-capture data analysis, has noticed this trend among its own clients.
"Despite all the serious talk and pronouncements from business about cybersecurity, IT still remains one of the first [items to go] when a downturn threatens," said Kathryn Ash, president of IPCopper. "Despite our customers' recognition of the importance of deploying security products ... budgetary concerns have trumped it, likely due to a scale down in their own customers' purchases. They are seeking to reduce expenditures even though there is a clear possibility they could get hit. They are simply hoping that it will not happen to them right away."
One important budgetary consideration is cyber insurance. If you already have a policy, read through the fine print to make sure your business's current security needs are all covered and met, recommended Dave Walton, a member of Cozen O'Connor law firm's privacy, data and cybersecurity department. If you don't have a policy, you may want to consider speaking with your insurance representative to see what protections your provider can offer.
"Insurance companies can be a good resource in terms of information and expert consulting," Fowler told Business News Daily. "Cyber insurance [is going to become] part of the cost of doing business. Small businesses need to decide what resources they have to allocate to improve their cybersecurity."
Invest in the right technology
Not only should you not cut your cybersecurity budget in 2015 — you should actively increase it, if possible. Hackers often use malware as an investigative tool, said Julian Waits, president and CEO of business security services provider ThreatTrack Security: Through malware, cyberattackers can survey the IT environment of an organization and scope out the company's vulnerabilities. As these hackers learn more about your business' security process, they also learn how to attack it. The best defense is investing in the most up-to-date tools to detect these vulnerabilities, Waits said.
According to a recent ThreatTrack survey, companies are aware of the need to quickly deal with targeted malware and phishing attacks. Seventy percent of respondents said they need to invest in advanced cybersecurity defenses to quickly detect malware, and 58 percent said they would invest in technology that helps prioritize security threats.
Improve your passwords
After news about the Heartbleed bug broke this past April, users of millions of affected websites were instructed to change their account passwords. But password security isn't only an issue when a big, pervasive data breach occurs: It's something businesses should always think about, especially with accounts that host sensitive information.
"Passwords represent a big vulnerability," said Chris Corde, a director of product management at remote-connectivity service provider LogMeIn. "It's the human element that forces us to default to a simple password because there are just too many to remember. Enforcing strong password policies in the cloud and limiting shared passwords across applications significantly reduces the potential threats."
Corde advised business owners to consider a single sign-on solution or password vault to help manage all of a user's passwords and allow for centralized account management across various different applications. It's much easier to practice good password hygiene using such a system, while making the entire process invisible and easy for the employees, Corde said.
Create a response plan and practice it
When you were in school, you probably conducted regular fire drills to make sure everyone in the building knew what to do and where to go in an emergency. Walton advised applying the "fire drill" theory to your cybersecurity policies.
"Get a cyber response plan on paper and commit yourself to practicing," Walton said. "[Think through scenarios like] a DDoS attack, lost laptop, etc. Do drills to put your plan into action."
Francis agreed, noting that there should be a clear protocol for dealing with breaches, including which employee manages the situation and what action should be taken, such as informing the insurance provider, etc.
Educate your employees
All the insurance, technology and planning in the world won't stop a hacker if an employee lets one wander right in. Whether it's accidental or intentional, unsafe employee practices can be one of your biggest cybersecurity risks, and your staff needs to be fully aware of and prepared for what's out there.
"Your business is only as cyber-strong as your weakest link," Schulman said. "Making sure all of your employees are on the same page through group discussions or a clear-cut list of guidelines about the company's cybersecurity policies is key to fortifying your business and protecting your assets. Any device or app that accesses any company data is a potential cyberthreat to your business. Make sure all your employees understand that and know how to protect [those devices and apps]."