    5 Cybersecurity Basics for Your Small Business (and yes, you really need them)

    February 2016

    We’ve all heard the horror stories: hackers stealing the credit card information from some 70 million Target customers and 56 million from Home Depot; 80 million social security numbers swiped from health insurer Anthem; 145 million eBay user records compromised.  We know the damage cyberattacks do to companies in terms of consumer confidence and legal trouble, and that compromises of highly sensitive information and large sums of money can literally jeopardize people’s livelihoods. But despite this knowledge, we operate with a very false sense of security that cyberattacks happen only to the business giants.  After all, they are the ones with the really big bucks and valuable client information.  What could a hacker possibly want from a small business?  Unfortunately, the answer is, “everything.”

    For years, the average American small business was an unlikely target for a sophisticated cyberattack.  Small finances and a relatively unknown brand were enough to let small businesses fly under hackers’ radar.  Not anymore.  The dam has broken for small business when it comes to cyberattacks.  According to security company Symantec, cyberattacks on small businesses rose 300% in 2012 from the previous year.  If you think you’re too small to matter to hackers, you’re wrong.

    What makes small companies so attractive to cyber thieves?  For starters, small businesses tend to have weaker online security.  They are doing more business than ever via cloud services that don’t use strong encryption technology -- easy locks to pick.  And the bigger they grow, the more enticing they become.  

    Cyber security isn’t just for big companies, and what you’re doing likely isn’t enough to protect your most valuable assets.  Here are 5 steps you can take now to protect your business and your customers:

    1. Take off the blinders.

    Understand that simply being online makes you a target.  Cybersecurity preparedness begins with that reality.  Next, understand that internal and external vulnerabilities are present in all businesses, and hackers will try to gain entry using a variety of methods, including phishing and spoofing scams, social engineering malware, systems hacking, pharming, and everything in between.  Do you understand these terms?  Do you know where your points of weakness are?  If you answered ‘no’ to either of those questions, you have serious work to do.

    2.  Purchase cyberliability insurance.

    Property and casualty, disability, professional liability, errors and omissions...they’re all great.  Unfortunately, leaving just those insurances to protect your business is not enough. Small businesses need cyberliability insurance, too.

    How do you know how much insurance you need?  Start by asking yourself what your biggest assets are (e.g., client data), and what would happen if those assets were compromised.  Essentially, what’s your worst nightmare?  That should give you perspective on what kind of coverage you’ll need.

    Consult with a qualified insurance professional who can guide you on the “fine print” of cyberliability insurance, including exclusion clauses and adding riders to cover those clauses.  Most policies won’t pay up if the security breach was caused by employee error, yet an estimated 95% of breaches occur this way.  How can you protect yourself?

    3.  Develop a comprehensive system of security protocols.

    Warding off potential attackers takes an entire system of practices.  No one thing you do will be enough.

    First and foremost, keep your antivirus software and security applications up to date.  It sounds like a no-brainer, but this simple step is too often overlooked.  Updated software will help you guard against the latest threats and keep your infrastructure secure.  

    Second, develop a series of “tricks” that keep you one step ahead of hackers.  In other words, don’t fall prey to their easiest traps.  Some suggestions include:

    • verifying financial requests and confirming details by phone instead of relying on email to initiate or complete any financial transaction – whether you are dealing with your bank, vendors, clients, or employees.
    • using a two-step verification process to approve outgoing funds.
    • creating private email addresses -- available only to your most trusted accounting staff -- to be used when authorizing payments.
    • protecting all devices.  Your mobile phone or tablet is far more vulnerable on public wi-fi at the corner coffee shop than is your business computer on a protected broadband network.  Don’t let convenience trump security. 
    • requiring the use of strong passwords throughout your organization.  Use passwords of ten characters or more, composed of letters, numbers, and special characters, for your system logins and any financial sites you access.  Use unique passwords on each site.  A password manager program can help you do this effectively.
    • turning on two-factor authentication for any financial sites that allow it.

    4.  Ingrain security protocols into your corporate culture.

    Defining security protocols is great, but to be effective, your policies must permeate throughout every business process and decision you make.  Cybersecurity must be part of the whole mentality of the organization -- from your overall business strategy to how each employee operates.

    Cybersecurity training is an ongoing process, not a single event.  To that end, make it part of every staff meeting using videos, games, and role play scenarios that not only educate employees on the risks, but allow them to act out responses to disaster.  OnGuard Online is a rich resource, full of free media that can help build your employee training.

    5. Have an incident response plan and practice it.

    Just like a fire drill, having a plan of action for responding to a cyber incident is crucial. Even more important, it should be practiced so that all your employees know exactly what to do in the event of a breach.  Ultimately, working together will be the most powerful line of defense.

    Working together doesn’t have to happen only within your own company.  There are various organizations that will connect you with other business owners in your industry and law enforcement officials to alert you to threats and advise you on the best ways to safeguard against them.  North Carolina InfraGard is one example, and a particularly good one since membership is free.

    Cybersecurity threats continue to prevail, particularly with the growing push to develop faster methods of payment and innovative ways to transact. While these advancements are undeniably valuable, new technology breeds new security and fraud risks.  As small business owners, we need to carry a sense of vigilance and responsibility regarding cyber protection as we look to the future.
