New small business owners have a long list of hurdles to overcome in the early stages. These can be complicated times, so avoiding a cybersecurity mess wouldn’t necessarily rank at the top of the priority list. But the dangers can be substantial.
A poll conducted by CNBC and SurveyMonkey shows that just 2 percent of small business owners surveyed reported that “they view the threat of a cyberattack as the most critical issue they face.”
“That, in some ways, makes sense,” writes Chris Morris for CNBC. “Taxes and the cost of employee health care were two of the highest-ranking items and certainly are more front of mind on a day-to-day basis. But online security experts say that very lack of focus makes small businesses a lot more vulnerable.”
Hackers are on the attack, according to Morris, who writes that they have “breached half of the 28 million small businesses in the United States, according to the 2016 State of SMB Cybersecurity Report.”
And cybersecurity firm Datto estimates that the combination of costs, unreported incidents and time/productivity lost because of cyberattacks add up to $75 billion a year, in a story by The Atlantic.
What can small business owners do? For starters, make sure that cybersecurity is a priority. Ensure that the operating systems and software are updated on a consistent and frequent basis, and that the business has up-to-date anti-virus and anti-malware software. As Adam Fridman advises for Inc.com, “Don’t opt for a free version because these aren’t updated often enough.”
Here’s a look at some other cybersecurity tips for small businesses.
Install a firewall
Before a business gets off the ground, methods of protecting computer systems and information need to be addressed and explored. In a story for the Houston Chronicle, Fred Decker writes that setting up a firewall is the equivalent of installing “a series of locks, alarms and security cameras to protect their premises and inventory from intrusions and theft.” He calls a firewall “one of the cornerstones of any network security strategy.”
“Think of it as the electronic equivalent of a sentry at the gate,” he writes. “It inspects all the data passing in or out of the network, ensuring that the traffic is legitimate. When properly configured, a firewall should allow your users access to all the resources they need while still keeping out any malicious users or programs.”
Train the staff
It’s important that everyone within the business is on the same page about cybersecurity. Some may not understand the impact attacks can have on the business — and therefore on their own jobs — so training can be beneficial. Charles Cooper writes about this for cnet.com.
“Take time to educate your staff about the acceptable use of corporate resources,” he says. “Demand adherence to security protocols and make employees aware of the risks entailed when they open emails from strangers and click on the attachments. Training should focus on furthering employee understanding of how to minimize risks such as data breaches. Reinforce the message regularly — even to the point of including cybersecurity awareness as part of their annual review, if that’s what it takes.”
The need for strong passwords is crucial for cybersecurity, no matter how often we groan about having to change (and remember) a new one. Shubhomita Bose writes about this and data from Headway Capital for smallbiztrends.com. The Headway infographic emphasizes having a company policy to avoid “weak” passwords, to change passwords on a regular basis, and to incorporate “two-factor authentication” — as some businesses are now doing with an additional text-message step in the password process.
This is an increasingly significant threat to cybersecurity. The name is appropriate, as the malware essentially holds your system hostage for a ransom payment. As Anita Campbell, CEO of Small Business Trends, writes for Inc.com, “The ransom is displayed on the screen with a message stating you must pay a fine or fee in order to access your own system. Ransoms have ranged from hundreds of dollars to tens of thousands of dollars.”
The next steps depend on how prepared the business is to handle such a scenario, according to The Hartford View, as published on Inc.com. If the business has been vigilant about backing up its data, it may not be disastrous. The business can “ignore the threat, wipe the system clean, and start anew from its last backup,” the story states. “If not, a business may opt to pay the ransom, which typically ranges from hundreds to thousands of dollars, but that still doesn’t guarantee the return of its data. (We are dealing with criminals here.)”
Don’t go phishing
Though awareness of fake emails has increased over the years, phishing can still cause major issues. Its purpose, according to Campbell, is “to induce the recipient to visit malicious websites, download malware, or voluntarily give up login credentials by replying to the email. Quite a few hackings start with phishing schemes targeting a company employee.”
A personalized phishing attempt — known as “spear phishing” — can be harder to detect. As the Hartford View story notes, “… A fraudster might pose as your business banker and send an email asking you to confirm your log-in information or review a recent transaction. The email would be addressed specifically to you, signed by your representative, and emulate the look and feel of typical communication you receive from that business.”
Another problem for cybersecurity is the addition of outside and mobile devices in the workplace. In a story for Entrepreneur, Brian Hughes writes about the “BYOD” culture (bring your own device) that some businesses adopt, including phones, tablets and computers:
“While many companies decide the benefits (increased productivity, lower hardware costs) outweigh the risks (hackers and viruses), your business still needs a company-wide policy that regulates what data employees can access and what happens if an employee’s device is lost, stolen or compromised.”
The Federal Communications Commission recommends a “mobile device action plan” in its cybersecurity tip sheet: “Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks.”
Reach out for help
A small business may not be able to have a full-time employee or team dedicated to information technology. And the owner may not have enough of a background in cybersecurity to fully explore methods of protection. In cases like these, as Cooper writes for cnet.com, it’s time to seek reliable professional help.
“No shame if you can’t do this in-house,” he explains. “It’s a lot easier to protect yourself properly from the beginning than to deal with a hack or data loss after the fact. There are any number of reputable managed security service providers and value-added resellers who can assist. The CompTIA trade association, which represents most of the technology reselling universe, is a good resource for starting your search.”