Small Businesses at Risk to Cybersecurity Attacks
In my last article, I wrote about October being National Cybersecurity Awareness Month. We have just finished week 3 and are about to move into week 4. Week 3′s theme was “It’s Everyone’s Job to Ensure Online Safety at Work.” Week 4′s theme is “Safeguarding the Nation’s Critical Infrastructure.”
When thinking about the workplace and the prevalence of small business throughout New England, the story is not a pleasant one. Too many small businesses think they are not at risk for a cybersecurity event. However, consider in 2017, 61 percent of small businesses reported a cyberattack, up from 55 percent the year before. The average cost of these attacks exceeded $1 million, enough to bankrupt many small businesses.
All industries are impacted by cyberattacks, but the most targeted industries are financial services, technology and communications, manufacturing, retail and professional services. The reasons for the attacks vary widely, from financial fraud to identity theft to the theft of intellectual property, the lifeblood of many businesses.
The attack methods vary and defending against these attacks often feels like a game of leap frog. The bad guys figure out a way to penetrate a network and the technologists figure out how to block that attack. The problem is the attackers are sophisticated and have access to increasingly powerful computing resources, so they figure a new way around the defenses and the cycle starts over again, millions of times a day.
Defending your business is not a trivial task, but in the quest to secure businesses, especially small businesses, the most often overlooked thing is employee training. You must invest in training your staff to understand their role in protecting your business. From what they say on social media about their job to the email messages they open and the links they click, people are the last and most important line of defense.
I have heard too many stories where someone in an accounting department gets an email asking them to login to a website to check something. It could be anything from an invoice to a tracking number or to update security information about their account. Messages like this are easy to spoof and get the person targeted to try to login to what looks like a legitimate site, but they often get an error telling them their login failed and to try again. The problem is the site was fake and hacker just captured the username and password the person was using. The hacker is often then able to access and monitor that accounting person’s email traffic and eventually will trick that person, or one of their colleagues into initiating a fraudulent transaction that could cost hundreds if not millions of dollars.
The news is awash with stories similar to the scenario above. Law enforcement is overwhelmed with reports like this. If you haven’t lost millions of dollars, likely tens of millions, it’s unlikely law enforcement will be able to act on your case fast enough to help recover any funds. This is how real and present a danger these cyber threats are.
While this may all seem daunting, there are several things a small business is able to do to help protect themselves. Take the time to take inventory of your critical data and systems. Be sure you understand what you can live without and what you can’t. If you do ever suffer from a cyberattack, be sure you know what you need to continue operating while you assess the damage and recover. Also, be sure you have a communication plan ready to inform your staff, your business partners, your customers and if necessary, the public about what has happened to your business. Get in front of the matter, so your business does not suffer damage to its reputation and not just its technology.
Today’s cyberattacks are evolving nearly in real-time. Businesses large and small across all industries need to understand their risk profile, take appropriate steps to protect their technology infrastructures, educate their employees how to help protect the business and have appropriate response plans in place for when, not if, you are attacked. Try not to feel overwhelmed by the risks. Be prudent in your approach. There are plenty of talented professionals out there to help you understand and mitigate your risk. Just don’t ignore it.