By 2021 cybercrime is expected to cost the global economy $6 trillion, according to research by Cybersecurity Ventures.
Hackers are mining for data, passwords and other bits of information that can open the door to a company’s assets. Email scams, password and login theft, malware and ransomware are among the cybercriminals’ primary weapons.
While Google, Facebook and Microsoft can spend $1 billion a year, a small company may not have the budget to hire a firm and keep up with all the technology available to thwart hackers.
Yet the loss of just a few thousand dollars can be devastating to a mom and pop shop, and the hackers don’t discriminate when casting a wide net. While searching for bigger targets they’ll happily bleed a small company dry.
Keith Crawford, senior cybersecurity consultant for IT management and consulting firm Edafio, and Ted Clouser, president and CEO of PCA Technology Solutions, said it’s not an “if” that a small company will eventually be targeted, it’s a “when.” And the attempts will keep on coming.
“It doesn’t matter if you’ve protected yourself today,” Clouser said. “They’ll come back next week.”
But small businesses are not defenseless. With some diligence and common sense, an owner can affordably achieve preparedness.
EDUCATION AND COMMUNICATION
A company should make its employees aware of threats, including email phishing expeditions and other methods hackers use, and should stress security regularly.
A firewall is no defense if your people aren’t prepared and aware, Clouser said.
“The No. 1 cause of breaches is people,” he said.
Ongoing communication can help when there is turnover that opens the door for a hacker to attempt email impersonations, exploiting employees’ unfamiliarity with new personnel.
Get your staff to buy in and be an active part of your small business’ cybersecurity apparatus, Crawford said.
“You want to create frontline champions out of all your employees,” Crawford said.
BLOCKING, TACKLING AND CYBER-HYGIENE
People should protect passwords and change them regularly, Clouser said, and have a separate password for every account. Crawford recommends long passwords like an easily remembered phrase, rather than simply tweaking those you have been using.
Employees should be careful about opening emails from unfamiliar sources or those that appear to be from company leadership but involve some kind of monetary transaction.
Firewalls, anti-malware updates and mock phishing expeditions to test a company’s security are all part of good “cyber-hygiene,” Clouser said.
Password protection, setting your computer and devices to automatically get updated security patches, and data backup are part of the fundamentals that Crawford calls “basic blocking and tackling.”
“If you do these things, 90% of your problems go away,” he said.
A company should partner with a trusted internet technology adviser, Clouser said, and not go it alone. Business owners have too much to worry about to be expected to keep up with all the nuances and changes in cyber threats and cybersecurity.
Crawford said every business owner should take two affordable steps: use a password manager like LastPass ($3 a month) and use free multi-factor authentication (MFA) apps or options like Authy or Google Authenticator.
Enable MFA on your email and banking services first, Crawford said, then move on to shopping and social networks.
There is a good chance your company, despite its efforts, could suffer a security breach. A small business owner should be aware and back up data regularly, create backups on reliable media or in the cloud and, if using media for backups, keep the devices in a secure, off-site location.
“What happens is small businesses don’t think they are susceptible,” Clouser said. “They think it’s only for the big boys, which makes them a bigger target.”
Crawford recommends affordable backup solutions like BackBlaze, available for $6 a month per computer. Also, he said, not enough small businesses call the FBI when hacked and not enough use cybersecurity insurance. Both can help with recovery after a hack.
“Cyber insurance varies widely and it is not standardized, so shop around and ask questions,” Crawford said.
Crawford said a business owner should leverage the free resources available through a number of national and government cybersecurity organizations like the National Cyber Security Alliance, the National Institute of Standards and Technology (NIST), CISA (under the Department of Homeland Security), the Better Business Bureau and the Federal Trade Commission.
“You can get cyber help without spending an arm and a leg,” Crawford said.