As a small business owner, it may be easy to brush off cybercrime as an enterprise problem – why would criminals target small operations? Yet, small businesses are often the easiest targets for cybercriminals because they're the most vulnerable. Forty-three percent of all cyberattacks in 2015 were targeted at small businesses, according to cybersecurity technology company Symantec.
"I think a lot of SMBs are aware that security is important, but it easily falls to the bottom of a long to-do list," said Tony Perez, GoDaddy's general manager and vice president of security products. "The biggest question is always, 'Where do I even start?' That's the big thing GoDaddy is working to address by making it simple and easy for SMBs to implement proven security protocol."
If you're a small business owner with a website and no security measures or practices in place, you could be at risk. The exact situation is different for each business, but Jorge Rey, chief information security officer for accounting firm Kaufman Rossin, said it's important for all business owners to assess their vulnerability and determine whether security solutions are needed.
"A lot of times, we don't make decisions because we believe it's not going to happen to us," Rey said. "Small businesses really have to think about how their customers are going to feel after a data breach or how their business is going to be impacted." [Read related article on our sister site Business.com: Best DDoS Protection Services]
Assess your own risk
Security problems can arise in two main ways: as outside hackers or internal threats. While it's important to consider outside data breaches, you should look at your internal IT infrastructure policies as well.
"Within your own network, do you know where your sensitive information is? Do you know who has access to it? Have you thought about how access should be restricted?" Rey asked. Small business owners may not "put too much attention on the back office, so you're not thinking about all of the things that could go wrong."
Once you've analyzed your internal risk, Rey suggests looking at what data you work with and consider its worth to a cybercriminal. If you run a successful e-commerce business where you process and store sensitive credit card information, your security measures will be different from a small business that only has a Google listing online.
A more concrete way to consider your cybersecurity situation is to use the Gordon and Loeb model. Perez said that breaking down estimated loss and risk, and identifying investments and savings can help a small business get a full view of their cybersecurity situation. The model may involve some complicated math, but ballparking potential savings and the cost of investment can give you an idea of where your business stands. Perez provided this basic chart to help.
Estimate your loss if a breach were to occur ($Loss)
Estimate the probability of loss from said breach (%Risk)
What investments could you make ($Invest)
For each investment, estimate reduction in probability of breach (%save)
Potential savings = ($Loss) X (%Risk) X (%Save)
How to protect your customer's data
Once you've assessed the risk and considered possible attack scenarios, you can work to mitigate areas with different technology and general best practices.
Restrict access. Michael Baker is a founder and managing partner of Mosaic451, a cybersecurity service provider that is among the top providers in the U.S., according to Inc.com. Baker said that the first step in ensuring customer data is secure is to limit employee access.
"Employees at a small business should be able to access only those systems and data that they absolutely need to perform their jobs," he said. "So that all activity can be traced to a particular user; each employee should have a unique access ID and should be authenticated using a strong password."
Keep technology updated. Baker also said companies should make sure their security software, operating systems and other technology (like POS systems) are up-to-date. Updates ensure that your technology is patched with the latest software to combat security threats.
"Because cybersecurity is a constant 'spy vs. spy' battle where experts find ways to patch vulnerabilities while hackers find new ways to access systems, POS software systems release frequent updates to address the most recent security threats," Baker said. "For maximum protection, these updates must be downloaded and installed as soon as they are released, not on a monthly or quarterly schedule."
Invest in new technology. Depending on the type of business you run, you may need different types of technology to mitigate risk. These types of solutions include firewalls, antivirus software, encrypted backups, DDoS appliances and more. Rey said it's important for small business owners to be aware that the degree of security needed is specific to each business and that installing a firewall or antivirus software may not always be enough.
"Pretty much, those are the three or four things that [small businesses] put in place to make sure that their data and their information is protected," he said. "The first thing we have to challenge everyone on is that's just part of security – that's not all security."
The challenge with investing in new technology is ensuring that you're spending the right amount for your business. As a small business owner, accurately assessing risk and determining realistic strategies can be difficult – it can be easy to be oversold (or undersold) on technology.
The Better Business Bureau did a study on the state of cybersecurity among small businesses in North America. It found that median investment per company was $200 for organizations with up to five employees and $500 for companies with six to 10 employees. The investment jumps to close to $5,000 for organizations with 11 to 49 employees.
The study "isn't an indicator of what [SMBs] should spend, but it does provide a measuring stick relative to what other SMBs are spending," Perez said. "It helps provide context by shedding light on why smaller businesses might have so many online security problems."
Partnering with a cybersecurity professional
Protecting your business can be a daunting task, so depending on the type of information you handle, you may want to consider working with a third-party cybersecurity agency. These companies can help you properly assess vulnerabilities and install the right technology for your business. Baker said to be careful, though, as the complicated nature of the topic can be used against naïve small business owners.
"Keep in mind that third-party professional services (paid for by the hour) encourage waste and inefficiency," Baker said. "If you're going to pay an unethical tech firm $250 per hour for something, why wouldn't an unethical tech firm pretend that it's working really hard and charge you for 10 hours, especially if they can pay the human who actually did the work for 30 minutes?"
Handling cybersecurity is like handling anything for your small business – value sound business logic and decision-making over blind trust. Don't lunge at the latest and greatest technology, but don't leave yourself and your customer's information vulnerable and exposed.
Security and ensuring the protection of your customer's data is a gray area, one where it can be difficult to navigate between overspending on advanced technology and leaving your business vulnerable through underspending. Depending on how you proceed, it's important to at least consider your own internal practices and judge the value of data your company holds.
Baker said taking things step by step and being aware of the potential risks is a good starting place for small businesses.
"With basic due diligence – outsourcing email, using a major cloud-storage provider, using multifactor authentication on things that you care about – you might not be able to outrun the bear, but you'll outrun all your peers, which is enough," he said.