Cybersecurity is a hot topic for businesses and consumers alike. In the wake of multiple corporate breaches over the last few years, all users are on higher alert about the safety of their sensitive data. But cyberattacks don't just happen to big companies; small businesses need to be prepared for the possibility of hackers infiltrating their network, too. Here's an overview of everything you need to know to protect yourself.
Why do hackers target small businesses?
While breaches at big corporations like Target and Home Depot make the headlines, small businesses are still very much targets for hackers. Stephen Cobb, a senior security researcher at antivirus software company ESET, said that small businesses fall into hackers' cybersecurity "sweet spot": They have more digital assets to target than an individual consumer has, but less security than a larger enterprise.
The other reason small businesses make such appealing targets is that hackers know these companies are a bit more lax about security. An infographic by Towergate Insurance showed that small businesses often underestimate their risk level, with 82 percent of small business owners saying they're not targets for attacks, because they don't have anything worth stealing. The 2015 Business Risk Index from insurance provider Travelers confirms this, with just 23 percent of small businesses saying they "worry a great deal" about cyber risks and data breaches.
While it's true that a hacker may not target your small business specifically, it's highly plausible that you could get swept up in a broad-reaching attack, Cobb said.
"Attacking is typically done by software at scale," Cobb told Business News Daily. "There are small businesses who think, 'Why would some hacker be trying to get into Fred's Gardening Store?' He wouldn't, but the hacker may have written a software that's scanning everything it can find. If you put up a website today, it's going to get scanned for vulnerabilities by bad guys. Your website is a server that can be taken over."
Types of cyberattacks
In almost every case, the end goal of a cyberattack is to steal and exploit sensitive data, whether it's customer credit card information or a person's credentials, which would be used to misuse the individual's identity online. There may be different levels of targeting — for instance, the hacker could be a cybercriminal who launches an indiscriminate attack to gain as much information from as many people as he or she can, or a vengeful ex-employee who wants to ruin his or her former employer. But regardless of the motive, many attackers will use one of several common tactics. This is by no means an exhaustive list of potential cyberthreats, especially as hackers' techniques continue to evolve, but businesses should at least be aware of the most frequently used attacks.
APT: Advanced persistent threats, or APTs, are long-term targeted attacks that break into a network in multiple phases to avoid detection. This Symantec infographic outlined the five stages of an APT, which are reconnaissance (researching and understanding the target), incursion (delivering targeted malware), discovery (mapping the target's internal defenses), capture (acquiring data over an extended period) and exfiltration (exploiting captured information).
DDoS: An acronym for distributed denial of service, DDoS attacks occur when a server is intentionally overloaded with requests, with the goal of shutting down the target's website or network system. Users will not be able to access your site or network, resulting in a partial or complete shutdown of your business operations, depending on how heavily you rely on the Internet.
Inside attack: For this type of cyberattack, a sophisticated software program may not even be required: Someone with administrative privileges, usually from within the organization, purposely misuses his or her credentials to gain access to confidential company information. Ex-employees in particular present a threat if they left the company on bad terms, so your business should have a protocol in place to revoke all access to company data immediately upon an employee's termination. Inside attacks can also happen in the form of a hacker posing as a representative of a company your business works with to gain access to sensitive data.
Malware: This umbrella term is a portmanteau of "malicious software," and covers any program introduced into the target's computer with the intent to cause damage or gain unauthorized access. There are many different types of malware, including viruses, spyware, worms, ransomware, Trojan horses and keyloggers, to name a few. More about the different varieties of malware can be found on How to Geek.
Password attacks: Cracking a password is the simplest way for hackers to gain access to their target's accounts and databases. There are three main types of password attacks: brute force attack, which involves guessing at passwords until the hacker gets in; dictionary attack, which uses a program to try different combinations of dictionary words; and keylogging, which tracks all of a user's keystrokes, including login IDs and passwords. More about each type of attack (and how to avoid them) can be found in this Scorpion Software blog post.
Phishing: Perhaps the most commonly deployed form of cybertheft, phishing involves collecting sensitive information like login credentials and credit card information through a legitimate-looking (but ultimately fraudulent) website, often sent to unsuspecting individuals in an email. As people become more aware of common phishing techniques — for instance, a notice from a financial institution with a mismatched or unsecured URL — hackers have become more sophisticated, so it's essential to keep up with the latest tactics to protect yourself. TechRepublic shared 10 signs to help you spot a phishing email.
Small business security mistakes
In a larger company with a larger budget, security issues can be dealt with swiftly and efficiently. Small businesses, on the other hand, often lack the budget and manpower to adequately prepare for a cyberattack. But having fewer resources is no excuse for ignoring cybersecurity: If you haven't been targeted yet, there's a good chance you will be in the future.
"There's more data online now, and therefore more hackers trying to get at that data," said Bill Carey, vice president of marketing for password-management company RoboForm. "In addition, computers are getting faster with more processing capabilities, so hackers can run astronomically more hacking attempts than they could just a few years ago. Therefore, it's easier for hackers to crack passwords. It's honestly as simple as that."
Here are a few key mistakes that small business owners make when it comes to protecting themselves from a breach.
Not planning for a breach. According to the Towergate infographic, 31 percent of small businesses lack a plan of action for responding to a security breach, and 22 percent say they don't know where to start in terms of cybersecurity. The likelihood of a cyberattack on any size business continues to increase as technology and hacking techniques advance, and without a response plan in place, your business is more likely to falter and mishandle a breach when — not if — one occurs.
Assuming they're protected. There are two major assumptions about fraud protection that small businesses get wrong. One is that the government will cover you if your business bank account gets hacked; the other is that your general liability insurance will cover repercussions of a data breach. Both of these are incorrect: Federal regulations protect only personal financial accounts from fraud, and general liability doesn't directly cover losses due to breaches or exposure by third-party service providers.
Failing to monitor "insiders." In a tight-knit small business environment, you may not think your employees or business partners would ever dream of betraying your company. But the reality is, insider fraud does happen, and it happens more often than you might think. According to the Association of Certified Fraud Examiners, insider fraud in 2014 was a $3.7 trillion issue across the globe.
Matt Carey, vice president of marketing solutions at financial process automation company Bottomline Technologies, noted that insider fraud is very difficult to detect, but carefully monitoring employee behavior — and paying attention to unusual changes — can help tip you off. For example, an employee who is accessing information in systems more frequently than normal, conducting broad and frequent searches within and across applications, or accessing systems without then completing the transaction in its usual manner is likely trying to commit fraud, he said.
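The three behavioral indicators Carey lists (an access rate well above the employee's own baseline, broad searches across several applications, and accesses that never complete the transaction normally) can be turned into simple detection logic over an application audit log. The following is an added example, not code from the article or from Bottomline Technologies; the log format, the field names and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed audit log (not from the article): "timestamp user app action outcome";
# "abandoned" marks a record that was opened but never completed in the usual way.
SAMPLE_LOG = """\
2015-03-02T09:10 alice crm lookup completed
2015-03-02T11:40 alice billing lookup completed
2015-03-03T09:05 alice crm lookup completed
2015-03-03T14:20 alice crm lookup completed
2015-03-04T08:55 alice crm search completed
2015-03-04T09:01 alice billing search abandoned
2015-03-04T09:03 alice payroll search abandoned
2015-03-04T09:08 alice hr lookup abandoned
2015-03-04T09:12 alice crm lookup abandoned
2015-03-04T09:15 alice billing lookup abandoned
2015-03-04T09:20 alice payroll lookup abandoned
2015-03-02T10:00 bob crm lookup completed
2015-03-04T10:00 bob crm lookup completed
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            e = dict(zip(("ts", "user", "app", "action", "outcome"), line.split()))
            e["day"] = e["ts"][:10]
            events.append(e)
    return events

def flag_insider_anomalies(events, rate_factor=3.0, min_apps=3, abandon_ratio=0.5):
    """Return {(user, day): [reasons]} for user-days matching the three indicators."""
    per_day = defaultdict(list)
    for e in events:
        per_day[(e["user"], e["day"])].append(e)
    flags = {}
    for (user, day), evs in per_day.items():
        # Baseline = the same user's mean daily event count over every other day seen.
        others = [len(v) for (u, d), v in per_day.items() if u == user and d != day]
        baseline = sum(others) / len(others) if others else len(evs)
        reasons = []
        if len(evs) > rate_factor * baseline:
            reasons.append(f"{len(evs)} accesses vs baseline {baseline:.1f}/day")
        searched = {e["app"] for e in evs if e["action"] == "search"}
        if len(searched) >= min_apps:
            reasons.append(f"searches across {sorted(searched)}")
        abandoned = sum(e["outcome"] == "abandoned" for e in evs)
        if abandoned / len(evs) >= abandon_ratio:
            reasons.append(f"{abandoned}/{len(evs)} accesses not completed normally")
        if reasons:
            flags[(user, day)] = reasons
    return flags
```

On the constructed log, only alice's third day trips all three indicators; a real deployment would build the baseline over weeks, not days, and tune the thresholds to the business.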
Not investing in security software. The worst mistake a business can make regarding its cyberprotection is not having any at all. A robust security solution is a must-have for any modern company, especially those who conduct most or all of their business online. This is especially true when small businesses use the same device for all their business operations.
For example, if your point-of-sale system is run on the same computer used to check company email, and an employee clicks on a malicious link or opens a malicious attachment on that computer, he or she has given a hacker access to all the customer information on the POS, said Charles Henderson, vice president of managed security testing at security services provider Trustwave.
"One time, we even saw employees using the back office computer as a video game console," Henderson said. "They downloaded a pirated video game that happened to have malware on it. As a result, the business was breached. Many small businesses do not perform security scanning and testing on their networks, applications and databases, and for those that do, it's typically just once a year. Security scanning and testing helps identify and remediate security weaknesses before criminals can exploit them."
Read on to find out what types of business security software you should consider.
Security solutions and what to look for
There are a few different basic types of security software on the market, offering varying levels of protection. Antivirus software is the most common, and will defend against most types of malware. For a side-by-side comparison of the best antivirus software programs for small businesses, visit our sister site Top Ten Reviews.
Firewalls, which can be implemented with hardware or software, provide an added layer of protection by preventing an unauthorized user from accessing a computer or network. In an eHow.com article, author Sam N. Austin noted that some computer operating systems, such as Microsoft Windows, come with built-in firewalls. These protections can also be added separately to routers and servers.
Cobb said businesses should also invest in a data backup solution, so any information compromised or lost during a breach can easily be recovered from an alternate location; encryption software to protect sensitive data like employee records, client/customer information and financial statements; and two-step authentication or password security software for their internal programs to reduce the likelihood of password cracking.
It's important to remember that there's no one-size-fits-all security solution, so Henderson advised running a risk assessment, preferably through an outside firm. This will help you determine your business's unique threats and risks, which in turn will allow you to decide on the best programs to use to protect yourself. In general, though, you should look for a solution that protects you from both internal and external threats.
"You must invest in a solution that can deliver the needed security within the walls of your business," Matt Carey said. "One common mistake companies make is directing their primary security investments toward protecting the outer perimeter while overlooking internal vulnerabilities. Look to implement [a] solution that is flexible, easy to deploy, and can evaluate and respond to behavior using real-time analytics."
One important nonsoftware solution that many small businesses overlook is cyberinsurance. As mentioned above, your general liability policy will not help you recoup losses or legal fees associated with a data breach, so a separate policy covering these types of damages can be hugely helpful in case of an attack.
Tim Francis, enterprise cyber lead at Travelers, said that small businesses often assume cyberinsurance policies are only designed for large companies, because those businesses are the most frequent targets of hackers. But many insurance carriers are beginning to offer tailor-made cybercoverage for smaller companies to meet their budgets and risk-exposure levels, he said.
Francis advised business owners to look for a combination of first- and third-party coverage. First-party liability coverage includes any general costs incurred as a result of a breach, such as legal expertise, public relations campaigns, notifying affected customers and business interruption. Third-party coverage protects you if your company is at the center of a breach that exposed sensitive information. This type of protection covers defense costs if the affected parties sue your company.
When it comes to choosing a provider, Francis said to look carefully at its reputation and coverage offerings, and to work with an agent to find out what your company actually needs.
"Coverage is more than words on a page," Francis said. "Make sure your carrier is well-regarded financially and has a good reputation in the industry. There's tremendous variety in policies, [and] ... you need an agent who understands the differences."
Best practices for your business
Ready to protect your business and its data? These best practices will keep your company as safe as possible.
Keep your software up to date. When your antivirus software or other security application notifies you that it's about to expire or needs a patch, don't delay in updating your system. Hackers are constantly scanning for security vulnerabilities, Cobb said, and if you let these weaknesses go for too long, you're greatly increasing your chances of being targeted.
Educate your employees. A well-educated staff that knows about the potential cyber risks your business could encounter is your best line of defense against hackers. Make your employees aware of the ways cybercriminals can infiltrate your systems. Teach staff members to recognize the signs of a breach, so you can identify and address one as soon as possible. You should also educate employees on how to stay safe while using the company's network.
Implement formal security policies. Bill Carey noted that having company-wide security policies in place can help reduce your likelihood of an attack. He advised requiring strong passwords — those with a combination of upper- and lowercase letters, with numbers and symbols — that should be changed every 60 to 90 days. Hold your employees accountable for cybersecurity, he said, and make sure all employees understand their responsibilities in using both company-issued and personal devices for work purposes.
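The password rules Carey describes (mixed-case letters, numbers and symbols, rotation every 60 to 90 days) can be enforced automatically. The added example below is not the article's or RoboForm's code; it checks those rules and, going one step beyond the list above, also rejects passwords that are just a dictionary word with the usual digit and symbol substitutions, since those are exactly what the dictionary attacks described earlier try first. The wordlist, the leet mapping and the 90-day limit are assumptions.

```python
import re
from datetime import date

# Constructed stand-in for the wordlist a dictionary attack would try (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "gardening", "admin", "letmein"}
# Common character substitutions a mangling dictionary attack also tries (assumption).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})
ROTATION_DAYS = 90   # Carey's upper bound; use 60 for the stricter end of the range

def dictionary_base(password):
    """Strip leading/trailing digits and symbols, undo leet substitutions, and
    return the lowercase core word, e.g. 'P@ssw0rd2015!' -> 'password'."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)
    core = re.sub(r"^[^a-z]+", "", core)
    return core.translate(LEET)

def check_password_policy(password, last_changed, today):
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    classes = {
        "uppercase": re.search(r"[A-Z]", password),
        "lowercase": re.search(r"[a-z]", password),
        "digit": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, found in classes.items() if not found]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if dictionary_base(password) in COMMON_WORDS:
        problems.append("derived from a dictionary word")
    age = (today - last_changed).days
    if age > ROTATION_DAYS:
        problems.append(f"password is {age} days old (limit {ROTATION_DAYS})")
    return problems
```

Note that "Password1!" satisfies every composition rule and still fails, which is why the dictionary check matters more than the character-class rules alone.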
Practice your incident response plan. You already know you should have a plan of action ready to go in case of a data breach. But have you practiced that plan with your employees to make sure all employees know what they're doing? Henderson recommended running a drill of your response plan (and refining if necessary) so your staff can detect and contain the breach quickly should an incident occur. For more information on how to handle a data breach, visit this Business News Daily guide.
Ultimately, the best thing you can do for your business is to have a security-first mentality, Henderson said. He reminded small businesses that they shouldn't assume they're exempt from falling victim to a breach because of their size.