By definition, cybersecurity is the action taken to protect computer-based systems from attack or unauthorized access. Many think cybersecurity is a problem that only plagues large corporations. We frequently hear about data breaches of big corporations and government entities such as Target, Wendy’s, the U.S. Department of Justice, and the Internal Revenue Service. But what about small businesses? They are small enough to fly under the radar of cybercriminals, right?
The truth is that small businesses are just as much at risk for cyberattacks. The reasons are simple. Small businesses typically have greater financial assets and commercially usable data than an individual, and they tend to have far less security implemented than the large companies. Many small businesses also lack the awareness and training to effectively protect themselves.
In 2016, the Ponemon Institute published a research survey titled “The State of Cybersecurity in Small and Medium-Sized Businesses,” which revealed that 55 percent of participants experienced a cyber-attack in the 12 months prior to the survey. The research went on to show that half of those attacks resulted in the exposure of customer and employee data to cybercriminals.
The first step in thwarting breaches is the awareness that the problem exists and that your business can be targeted. In 2015, KPMG, a professional services firm, conducted a cybersecurity survey of 1,000 small business owners. The survey, entitled “Small Business Reputation & the Cyber Risk,” revealed that half of the surveyed small business owners (51 percent) believe that it’s unlikely or very unlikely that they would ever be the target of a cyber-attack. The report goes on to state that 22 percent of small businesses don’t consider their data to be commercially sensitive.
This sobering reality paints an even bigger target on the back of small businesses.
Understanding the cyber threats to small businesses
Understanding the predominant attacks, flaws, and human error exploited by hackers to target small businesses can greatly decrease the likelihood of becoming a victim. Listed below are some of the most prevalent security issues that small businesses face.
1. Web-based attacks, phishing, and social engineering
These attacks can take a wide variety of forms, such as finding and exploiting vulnerabilities in the victim’s software, or email scams designed to trick the user into divulging critical information or to launch attacks such as viruses, ransomware, and system takeovers.
2. Disgruntled and/or negligent employees or contractors
Many data breaches are caused by theft or the malicious distribution of sensitive data by disgruntled employees. Numerous breaches are also caused simply by negligence or a lack of training among well-meaning, dedicated employees or contractors.
3. Outdated or inadequate security
Cybercriminals can and will take advantage of vulnerabilities in outdated or inadequate security. These vulnerabilities typically take the form of insecure human practices such as failing to patch software, neglecting regular system backups, failing to build an adequate firewall, or transferring infected files.
4. A dedicated computer for banking
Many small businesses fail to use a dedicated system for their banking. Company computers used by employees for social media, web surfing, and email can be open to vulnerabilities which could result in the theft or destruction of banking data.
5. Secure password policy
Many businesses lack a secure password policy. As a result, systems can be breached by brute force methods, exhaustive automated generation of passwords, or by simply guessing passwords based on knowledge which can be acquired through the use of social engineering techniques.
6. Secure network usage policy
Having a policy in place does not guarantee employees will follow it. It does, however, raise the awareness of security and potential threats. An effective policy also promotes a proactive stance for the company should legal issues arise.
7. Budgeting for security
A large number of companies fail to sufficiently budget for security or simply have no budget at all. In many cases, this is due to the belief that they are unlikely to be a target. In other cases, they believe that their current security practices are sufficient. Small businesses must weigh the cost of an adequate security budget against the potential costs of a breach, which could be devastating.
The sheer number of attacks that cybercriminals have at their disposal is growing exponentially. Small businesses run the risk of not only losing critical customer and financial data, sales, and productivity, but they also run a substantial risk of losing significant amounts of money. In the worst-case scenario, companies may be forced out of business. It is critical that small businesses take all the necessary steps to secure and protect their business data, technologies, and ultimately, their customers.
Ron Smith is an Infusionsoft Sr. Quality/Security Engineer. Having served in the USAF as a security specialist, he became passionate about security. During his 20-year career, he has worked for very large companies such as Microsoft, Intel, and Pearson, but his love for small business carried him to Infusionsoft. He is also the father of five boys and an avid Harley-Davidson rider and home brewer.