When you were a kid, how many of us closed our eyes or covered our heads with a blanket, thinking no one could see us? The magic of being a child. Unfortunately, when it comes to cybersecurity, too many SMB owners hold a similar belief: if they don’t acknowledge the threat, or they “close their eyes,” the bad actors will simply overlook them, which of course is not the case.
Keeping one’s business safe from nefarious actors is one place where size truly does not matter. It’s easy to think it would. After all, why should cyberthieves go after a “small fish” when there are bigger prizes out there?
Yet, as Verizon’s 2023 Data Breach Investigations Report points out, there is essentially no longer any significant difference between the rate and type of data breaches experienced by SMBs and those experienced by large enterprises of 1,000 or more employees. Among reported incidents, roughly half of both groups had their data exposed and exploited.
And the pattern of breaches was also relatively the same for both. The vast majority involved system intrusion, social engineering and basic web application attacks. As one would expect, the overall motive was financial gain, with 90 percent of the threat actors coming from outside the organization.
System intrusion refers to unauthorized access to a network; typically, malicious code is installed on a device. Ransomware is a common example: it can be used to lock down the entire network or an individual computer unless the victim pays the attacker, and even then some threat actors do not decrypt the data. While the average ransomware attack nets the perpetrator around $10,000 (with some ransomware attacks bringing in more than $1 million), according to the 2023 DBIR, the cost for a small business to recover from such an attack can be proportionally far higher than for a larger enterprise.
Social engineering attacks typically involve emails that coax the recipient into believing that a company needs more personal information, such as a bank account or social security number, before it can deliver a package. Another tactic is to claim that the recipient’s bank account has been breached and the password needs to be reset. Today, the median amount stolen in these attacks has grown to $50,000.
One of many forms of web application attack involves breaking into online accounts by guessing weak passwords, which allows the attacker to use the discovered sign-on credentials to drain cash from accounts or order expensive goods. Those are just two examples of what an attacker can do once a system is breached.
While the breach methods are oftentimes common across businesses regardless of size, what does differ is what a company can do about it. Large businesses can often employ teams of people to ensure that systems are locked down and that data is encrypted at rest and in transit, and to educate employees on cybersecurity best practices, teaching them that an email stating that a package was delayed, or asking them to verify a PayPal charge for goods they never purchased, is definitely bogus.
Small businesses typically don’t have the resources necessary to fully protect their networks and educate their employees. Some may not even have the time, skills, or resources to screen new hires and confirm that an employee’s background is not suspect. That’s an important omission because, as the 2023 DBIR shows, almost 20 percent of all breaches are caused by company employees, whether for financial gain, through an innocent error, or out of a grudge against the company, giving threat actors the opportunity to access sensitive data.
Yet there are steps that most SMBs, regardless of size, can take—either directly or by using a data security firm—to help limit their exposure to bad actors and serious financial losses. They include:
Security awareness and skills training: a program should be instituted to educate employees about the importance of security skills, teaching them how to avoid risky situations and how to observe and report suspicious behavior by fellow employees.
Data recovery: all companies should back up their data on secure servers, ideally across multiple locations. If a network is breached, proper backups allow the systems to be restored to a pre-breach state.
Access control management: processes need to be established to create, assign, manage, and revoke access credentials for all users, regardless of executive level.
Design a system specific to your industry: different businesses will face different types of breaches. A company that sells laptops online will typically confront a different type of threat than a small restaurant with a meager web presence that takes in most of its revenue from point-of-sale terminals.
Use a firewall: software firewalls can help prevent thieves from accessing a network. Make sure that the software firewall you use is from a reputable firm and that it’s installed on all devices (including computers, tablets, and smartphones) used by your employees, regardless of location.
Secure employees’ mobile devices: all employees’ mobile devices should be password protected, keep their data encrypted, and have security applications installed. Two-factor authentication should be mandatory, and password changes should be implemented multiple times per year.
Limit physical access to all digital devices: in addition, password protect all devices, lock them up when not being used by authorized personnel, and create a separate user account for each person. That action will also allow a company to narrow down likely suspects in case of an internal data breach.
Cybersecurity breaches hurt businesses of all sizes, but financial and credential theft can proportionally hurt SMBs even more. Such breaches can devastate a small business, costing thousands in lost revenue and a loss of customer trust.
By following the suggestions listed here, SMBs can both minimize the number of cybercrimes to which they’re subjected and mitigate the effect of any intrusions that may still occur.
Aimee Novak is the Vice President of Nationwide Small Business for Verizon.