- Cybersecurity is an important concern for small businesses.
- Cyberattacks are expected to double by 2025, yet 60% of businesses have no cybersecurity policy in place.
- A cybersecurity breach can result in a business losing valuable information, money and brand credibility.
- This article is for small business owners who want to protect their company with a cybersecurity plan.
Statistics show that cybersecurity is a legitimate threat to small businesses, but owners don’t always act on that knowledge. According to PurpleSec statistics, cybercrime has risen by 600% during the COVID-19 pandemic, and cyberattacks are predicted to double by 2025. This is clearly a serious issue, yet a survey by the Cyber Readiness Institute suggested that 60% of businesses have no policy in this area.
It’s not fair to conclude that small businesses don’t care about cybersecurity, but they do seem willing to ignore concerns. Despite alarming statistics and articles peppering the internet, many smaller firms consistently underplay the risk of cyberattacks.
Logically, this makes sense. While cybersecurity threats can be as bad as physical ones, online threats aren’t always obvious. Bad password protection and poor site maintenance may leave your business vulnerable to attack, but there isn’t the same tangible threat as leaving a store unlocked or allowing a stranger to walk around your offices unsupervised.
Unfortunately for small businesses, this “out of sight, out of mind” mentality can have consequences. If you fail to protect your business from cybersecurity threats, you may lose critical company information while also damaging your brand and losing money. Cyberattacks can be so severe that companies simply can’t cover the cost; IBM calculated that the average cost of a data breach was $4.24 million in 2021.
Why your small business needs cybersecurity
“Small business owners cannot think their business is too small to be hacked,” said Monique Becenti, product marketing manager at Zimperium. “While the breaches that make headlines tend to be associated with large enterprises, no business is immune to cyberthreats.”
If in doubt, ask.
One of the big reasons small firms avoid putting resources toward cybersecurity is a lack of understanding and concern. Even the term “cybersecurity” can be intimidating, yet there are plenty of experts ready to offer advice in layman’s terms. If your business avoids taking cybersecurity measures because nobody on the team knows where to start, experts are willing to visit your business, either to provide training or to walk you through options for a cybersecurity plan. Ignoring cybersecurity because your team lacks technical knowledge isn’t a legitimate excuse.
If you are strapped for time or have a team of remote workers, you can take online cybersecurity classes to better train everyone, and to understand where your business lacks online protection. Here are a few of the top free online cybersecurity classes.
- SANS Cyber Aces Online: This is great for beginners because much of this content is as basic as it gets. If your team is generally ignorant when it comes to cybersecurity, consider taking advantage of this free course.
- Cybrary: Free access to Cybrary includes hundreds of courses related to cybersecurity and IT. The courses are sorted by difficulty, helping to determine which are best suited to you.
- Foundations of Cybersecurity: Springboard’s free course includes a whopping 37-plus hours’ worth of materials. You don’t need to watch all of it to gain a better understanding of cybersecurity best practices, but one hour of viewing per week would provide tremendous insights.
Tip: Don’t assume cybersecurity begins and ends in the office. Our recent feature on creating a secure home office is especially relevant to companies whose staff routinely work from home.
There are plenty more phish in the sea.
Among the most common types of cyberattacks against small businesses are phishing attacks. An angler uses bait to lure a fish close; when the fish bites the hook, the tug on the line tells the angler to reel it in. Phishing emails work the same way: cybercriminals try to trick users with bait, usually in the form of an email.
A cybercriminal might create a fake email address that closely resembles that of your CEO – we’ve seen this a few times at our company. The email may say something like, “Hi, message me immediately with your cell phone number. I need your help on a project and want to give you a call.” The goal is to make you think you’re emailing back and forth with your CEO, so that you hand personal information to the attacker without ever recognizing the threat.
Other phishing attacks ask for more personal information, like your credit card number. Avoid sending personal financial information over email. Instead, share confidential data with companies or individuals over the phone or in person. Phishing is one area where training your employees in best practices can prevent crippling cyberattacks. According to Verizon research from 2021, phishing is responsible for over a third of all data breaches.
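The CEO-impersonation trick described above can be caught mechanically before a human ever reads the message. The following is an added example written for this article, not code from any company quoted in it; the company domain, executive list and sample headers are all constructed.

```python
"""Flag inbound mail whose sender impersonates a known executive, either by
reusing the executive's display name from an outside address or by sending
from a lookalike of the company domain. Constructed example data throughout."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                       # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # constructed

# Visually confusable substitutions seen in lookalike domains; dots and
# hyphens are dropped so "examplecorp.com" also collapses onto the real name.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "-": "", ".": ""})


def normalize_domain(domain: str) -> str:
    """Collapse a domain to a canonical form for lookalike comparison."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def classify_sender(from_header: str) -> str:
    """Return 'ok', 'lookalike-domain' or 'display-name-spoof' for a From: header."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if domain == COMPANY_DOMAIN:
        return "ok"                      # genuinely from our own domain
    if normalize_domain(domain) == normalize_domain(COMPANY_DOMAIN):
        return "lookalike-domain"        # e.g. examp1e-corp.com
    if name.strip().lower() in EXECUTIVES:
        return "display-name-spoof"      # exec's name on an outside address
    return "ok"


def triage(from_headers):
    """Return only the headers that need a second look, with their verdict."""
    return [(h, v) for h in from_headers
            if (v := classify_sender(h)) != "ok"]


if __name__ == "__main__":
    sample = [  # constructed headers
        "Jane Doe <jane.doe@example-corp.com>",
        "Jane Doe <jane.doe@examp1e-corp.com>",
        "Jane Doe <ceo.janedoe@webmail-example.net>",
        "Bob Vendor <bob@partner-example.net>",
    ]
    for header, verdict in triage(sample):
        print(f"{verdict:20} {header}")
```

The real mail flow would feed the parsed `From:` header of each inbound message into `triage`; flagged messages go to a quarantine or a banner rather than straight to the inbox.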
Don’t be held for ransom.
Businesses should also be prepared for ransomware attacks, which occur when malware infects your computer and locks it down until a ransom is paid. Anti-malware software is a quick way to prevent these attacks.
If your business is attacked, never pay a ransom, regardless of the threats or promises made. If criminals can lock down your system once, they could do it again. Plus, there’s no guarantee they’ll return data even if you meet their demands. They might simply ask for more money.
Did you know?: You can largely neutralize the threat of ransomware by conducting regular data backups to a secure cloud service, because you can then restore your files instead of paying. We recently explained how to back up documents and data to Google Drive.
How to quickly improve your cybersecurity
Introducing and implementing a comprehensive cybersecurity program will inevitably take more than an hour. You won’t be completely protected by making the quick changes below, but you can take drastic strides in 60 minutes or less by implementing these techniques. Here’s a checklist of the things you should do ASAP:
1. Perform a cybersecurity audit.
Start by figuring out where your business stands. Are you well protected against cyberthreats? Are you secure in some areas but lacking in others? Figure out how secure you are (or aren’t) now so you understand where you can improve.
“While most measures that a small business can take require more than an hour to implement, it may be worth spending an hour doing a quick audit of what cybersecurity measures you already have in place,” said Heather Paunet, senior vice president of product and marketing at Untangle, which provides network security to small businesses.
“Cybersecurity includes policies as well as systems. Formulating an acceptable use policy for devices, data and the network can be an important first step if you don’t already have one in place. If even this is too daunting, spend that hour locating an IT professional in your area who can help you out.”
Don’t be afraid to call in outside assistance from cybersecurity experts. Taking a cybersecurity course will give you an insight into the key threats, which you can then pass on to your workers.
2. Train your employees to recognize common cybersecurity threats.
Teaching staff how to identify threats is central to a proactive and positive company-wide cybersecurity policy. Specialist cybersecurity firms can send your staff a bogus email of the type a spammer or hacker might produce. If they click on a link or open an attachment, they’re shown a message along the lines of “this was a test, but next time you might have infected the network with a virus.” Staff will remember this, discuss it and – most importantly – learn from it.
Some businesses might picture an overseas hacker taking extraordinary measures to break into a small business’s network, but that’s not usually the case. In many scenarios, a crude phishing email could compromise your small business. Basic safety measures often prevent attacks from being successful.
“If SMBs spent one hour training staff on basic internet hygiene – spotting phishing emails, good browsing practices, not downloading suspicious files or clicking links – cybersecurity would be greatly improved,” said Sean Allen, digital marketing manager at Aware. “Employees and emails are still the leading causes of breaches for SMBs, rather than master hackers.” [Learn about the different types of cyberattacks in our small business guide to cybersecurity.]
3. Improve your password strength.
It’s shocking that, in 2022, the world’s most-used password was still “123456.” If you’re feeling a sudden flush of embarrassment reading that last sentence, now is the time to overhaul your passwords. Too many employees and executives use passwords that are easy to hack, often sharing them across several platforms and websites. If one password is compromised, the potential harm increases exponentially. [Related article: Preventing and Avoiding Network Security Threats and Vulnerabilities]
“I would recommend changing your password to a complex password,” said Taylor Toce, CEO and founder of Velo IT Group. “The simple act of changing your password will lock out anyone who might have it. For example, if your password was compromised as part of a security breach, or if you simply shared it with too many co-workers, you could tighten the security on those accounts by using a new password. A complex password is your best defense against the common dictionary or brute-force attack methodologies.”
- Brute-force attacks are when hackers run automated programs that plug in various potential password combinations. They’re particularly effective against obvious username data and simple passwords.
- A dictionary attack is a refinement of brute-force attacks, trying every word in the dictionary as a potential password. For instance, NordPass’ 2021 list of the most common passwords showed that “dragon” was used over 2 million times.
Strengthening your organization’s passwords immediately reduces the risk of a successful cyberattack against your business, and it doesn’t take long. You can change a weak password to a secure one in seconds.
“All passwords should have at least 10 characters or more, including at least one uppercase, one lowercase, one number, and one special character,” said Myles Keough, CEO of Spade Technology. Since each online account or service should ideally have a different password, it’s often easier to use a password manager tool to remember them all through your web browser.
Long passwords with different symbols and capitalization of letters combat brute-force attacks because every extra character or symbol hugely increases the number of possible combinations. Using strong passwords is a critical step in improving cybersecurity and preventing cyberattacks. Passwords represent the frontline of cybersecurity.
Did you know?: Cybersecurity company NordPass publishes annual lists of the world’s most popular passwords. Among the top five in 2021 were “123456,” “12345,” “qwerty” and “password.” “Password123” came in 20th, while a popular two-word expletive was 56th.
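The policy quoted above (10 or more characters, with uppercase, lowercase, a digit and a special character) and the reason length matters can be checked in a few lines. This is an added example written for this article, not a tool from any company named in it; the common-password set is a constructed excerpt standing in for a full published list.

```python
"""Check a password against the article's policy, reject entries from a
common-password list, and estimate the keyspace a brute-force attacker
must search. The blocklist below is a constructed excerpt, not a full list."""
import math
import string

COMMON_PASSWORDS = {"123456", "12345", "qwerty", "password",
                    "dragon", "password123"}   # constructed excerpt

# Character classes the policy requires, with the size of each class.
CLASSES = [
    ("lowercase", set(string.ascii_lowercase)),   # 26
    ("uppercase", set(string.ascii_uppercase)),   # 26
    ("digit", set(string.digits)),                # 10
    ("special", set(string.punctuation)),         # 32
]


def keyspace_bits(password: str) -> float:
    """log2 of the number of same-length strings drawn from the classes actually used.

    Each extra character multiplies the search space by the alphabet size,
    which is why length beats cleverness against brute force."""
    alphabet = sum(len(chars) for _, chars in CLASSES
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on common-password list")
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    for label, chars in CLASSES:
        if not any(c in chars for c in password):
            problems.append(f"no {label} character")
    return problems


if __name__ == "__main__":
    for candidate in ["dragon", "Password123", "Tr0ub4dor&3x"]:   # constructed
        verdict = check_password(candidate) or ["passes policy"]
        print(f"{candidate!r}: {keyspace_bits(candidate):5.1f} bits; " + "; ".join(verdict))
```

Note that a dictionary word such as “dragon” scores about 28 bits by this estimate but is rejected outright, because an attacker trying a published list never searches the keyspace at all.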
4. Implement multifactor authentication on business accounts.
“One quick win for small business owners is setting up multifactor authentication on their accounts, especially those related to financial transactions,” said Stacy Clements, founder of Milepost 42. “Multifactor authentication provides an extra layer of security beyond a username and password to protect your accounts, usually by requiring you to enter a code sent to your mobile device or provided by a separate hardware security key.
“Most banks and credit card online services offer this capability, as do most email and social media services. Enabling this extra security protection only takes a few minutes and protects your important accounts. It helps to ensure that it’s really you accessing the account, not a cybercriminal who stole your password.”
With two-factor authentication, a stolen password is no longer enough on its own: a criminal would also need control of your second factor to gain access, and there’s a good reason that blue chip brands like Google have started implementing it by default.
There’s no excuse for small businesses to completely ignore cybersecurity in 2023. Over 300,000 new pieces of malware are created every single day, and many of these malicious programs don’t discriminate between larger and smaller enterprises. Irrespective of its size, your business can – and must – protect sensitive data by improving cybersecurity.
Neil Cumins contributed to the writing and reporting in this article. Source interviews were conducted for a previous version of this article.