by Tina Manzer
It’s easy to think that because you have a small- to medium-size business (SMB), cybercriminals will not attack your company. The “not much to steal” mindset is common among owners of small businesses, but it is completely incorrect.
Based on a report from Verizon, 71 percent of all cyber attacks are directed at businesses with fewer than 100 employees. Startups and mom-and-pop shops are the most susceptible, reports the National Small Business Association.
Why are small businesses attacked more often? Because size matters less to an attacker than how well the network is secured, says an article on content hub Cox BLUE. Almost all cyber-attacks aim to obtain personal data for use in credit card fraud or identity theft. Larger enterprises typically hold more data, but small businesses run less secure networks, and when criminals use automated attacks they can breach thousands of small businesses with the same effort.
Last September, Keeper Security, a password manager and secure digital vault, announced that the risk of a cyber attack is increasing for companies of all sizes and industries when compared to 2016. Its 2017 “State of SMB Cybersecurity Report” states that more than 61 percent of SMBs had been breached in the last 12 months versus 55 percent in 2016. What’s more, the quantity of stolen data in an average breach nearly doubled to 9,350 records compared to 2016’s average of 5,079 records.
Keeper Security’s annual study, conducted by the Ponemon Institute, involved more than 1,000 IT professionals at small- to medium-sized businesses in North America and the UK. Among the report’s highlights are these.
• According to 54 percent of respondents, negligent employees were the root cause of data breaches across the U.S. and the UK.
• Ransomware is hitting SMBs hard. More than 50 percent of the study’s participants had experienced an attack.
• Phishing/social engineering (48 percent of respondents) and web-based (43 percent) attacks were also prevalent. The share of respondents reporting a phishing/social engineering attack this year was roughly on par with the share reporting ransomware.
• Internet of Things devices are a problem for SMB organizations, with 67 percent of the respondents very concerned about the impact these devices have on their office. More than half of respondents believe IoT and mobile devices are the most vulnerable endpoint in their organization’s network.
• Attacks are becoming costlier with damages to businesses totaling more than $1 million.
The study found that strong passwords and biometrics continue to be an essential part of security defense. However, 59 percent of respondents say they do not have visibility into their employees’ password practices. In other words, they don’t know if they’re using unique or strong passwords, or whether passwords are being shared securely. In addition, safe password policies are not being strictly enforced. Only 43 percent of respondents have a password policy in place, and 68 percent said they do not strictly enforce their policy or are unsure about what it is.
“The number-one greatest cyber threat to a business is its very own employees,” notes Darren Guccione, CEO and cofounder of Keeper Security. “Critical data is more accessible via mobile devices in our 24/7-connected, device-filled world. In fact, more than 50 percent of the sensitive data at U.S. companies can be accessed via an employee’s smartphone or tablet. Poor password policies, the rise of mobile-targeted attacks and the influx of Internet of Things devices in the workplace constitute a recipe for disaster.”
To see the complete study, visit KeeperSecurity.com.
How to prevent a breach
Here are a few tips from experts at informationsecuritybuzz.com and content hub Cox BLUE.
Use strong passwords
What’s strong? Not 1234 or ABCD; a cracking tool finds those instantly. Length counts for most, so use a long passphrase (12 characters or more) that mixes upper- and lowercase letters, numbers and symbols, and never reuse a password across sites.
Change a password immediately if you suspect it has been exposed. Rotating every three months is common advice, though NIST SP 800-63B no longer recommends forced periodic changes, because they push people toward predictable variations of the old password; a long, unique password plus a prompt reset after any suspected breach does more.
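A small checker for the policy above, added here as an illustration; it is not code from the article or from either of the sites it cites. It enforces the character-class mix the article describes and goes a little further than the text: a minimum length, a blocklist of common passwords (so that “Password1!” is still rejected as a decorated “password”), and a test for keyboard sequences such as 1234 and abcd. The 12-character minimum and the ten-entry blocklist are assumptions for the example; a real deployment would load a full breached-password list.

```python
import re

# Constructed blocklist: a handful of entries from the top of every
# leaked-credential list. A deployment would load a large list instead.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "abcd1234", "letmein", "welcome1",
    "admin123", "password1", "iloveyou", "111111",
}

MIN_LENGTH = 12  # assumption: the article gives no number


def _has_sequence(candidate: str, run: int = 4) -> bool:
    """True if the password contains `run` consecutive ascending characters
    (e.g. '1234', 'abcd') or the same character repeated `run` times."""
    s = candidate.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        codes = [ord(c) for c in window]
        if all(b - a == 1 for a, b in zip(codes, codes[1:])):
            return True
        if len(set(window)) == 1:
            return True
    return False


def check_password(candidate: str) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        (r"[a-z]", "lowercase letter"),
        (r"[A-Z]", "uppercase letter"),
        (r"[0-9]", "digit"),
        (r"[^A-Za-z0-9]", "symbol"),
    ]
    for pattern, name in classes:
        if not re.search(pattern, candidate):
            problems.append(f"no {name}")
    # Strip symbols and trailing digits before the blocklist lookup so that
    # the usual decorations ('Password1!') do not hide a blocklisted core.
    core = re.sub(r"[^a-z0-9]", "", candidate.lower())
    stripped = re.sub(r"[0-9]+$", "", core)
    if core in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if _has_sequence(candidate):
        problems.append("contains a keyboard sequence or repeated character run")
    return problems


if __name__ == "__main__":
    for pw in ("1234", "Password1!", "Tr0ub4dor&3-horse"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

The composition rules are kept because the article recommends them, but in practice the length check and the blocklist catch far more weak choices than the class mix does.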
Minimize the number of password attempts
A six-digit PIN gives only a million possibilities, and an attacker who can guess without limit will run through all of them in minutes, so limit the number of log-in attempts at every stage of your authentication process and slow or lock the account after repeated failures. (Tip: this is as important as the strength of your passwords.)
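One way to implement that attempt limit, as an added example rather than code from any of the cited sources: a per-account lockout that begins after a threshold of failures and doubles with each further failure, up to a ceiling. The threshold and delays are assumed values; the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass


@dataclass
class _Record:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account lockout with exponential back-off.

    After `threshold` consecutive failures the account is locked for
    `base_delay` seconds; each further failure doubles the delay up to
    `max_delay`. A successful login clears the record.
    """

    def __init__(self, threshold=5, base_delay=30.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._records: dict[str, _Record] = {}

    def is_locked(self, account: str) -> bool:
        rec = self._records.get(account)
        return rec is not None and self.clock() < rec.locked_until

    def seconds_remaining(self, account: str) -> float:
        rec = self._records.get(account)
        if rec is None:
            return 0.0
        return max(0.0, rec.locked_until - self.clock())

    def record_failure(self, account: str) -> float:
        """Count a failed attempt; return the lock duration applied (0 if none)."""
        rec = self._records.setdefault(account, _Record())
        rec.failures += 1
        over = rec.failures - self.threshold
        if over < 0:
            return 0.0
        delay = min(self.base_delay * (2 ** over), self.max_delay)
        rec.locked_until = self.clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        self._records.pop(account, None)

    def attempt(self, account: str, password: str, verify) -> bool:
        """Gate a login: refuse while locked, otherwise verify and update counters.
        `verify(account, password)` is the caller's real credential check."""
        if self.is_locked(account):
            return False
        if verify(account, password):
            self.record_success(account)
            return True
        self.record_failure(account)
        return False


class FakeClock:
    """Test clock: time advances only when `now` is set."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(threshold=3, base_delay=10.0, clock=clock)
    check = lambda acct, pw: pw == "correct horse"   # stand-in for a real hash check
    for guess in ("000000", "123456", "111111"):
        throttle.attempt("alice", guess, check)
    print("locked for", throttle.seconds_remaining("alice"), "seconds")
```

Two practical points. Attempts made while an account is locked are refused without being counted, so an attacker cannot keep extending someone else’s lockout; lockout is still a denial-of-service lever, though, so pair it with per-IP limits or a CAPTCHA rather than locking forever. And the limit only helps against online guessing: an attacker who steals the password database guesses offline at millions of tries per second, which is why length and a slow password hash (bcrypt, scrypt or Argon2) matter as well.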
Should you or shouldn’t you use a password manager?
A password manager creates strong passwords and remembers them for you, and many businesses use them. The worry is concentration: if the vault is stolen, the thief has every password in it. Reputable managers encrypt the vault with a key derived from your master password, so a stolen vault yields nothing unless that master password is guessed; that makes a long master passphrase and two-factor login on the manager account the things to get right. “Just consider the pros and cons before making your decision,” suggests Ahmad Hamidi from Secure Guard Security Services, on informationsecuritybuzz.com.
Document your cyber-security procedures
Cyber security protocols at small business are often loosely structured and verbal only, so it’s important to document a list of the procedures you want employees to follow. The FCC’s Cyberplanner 2.0 provides a starting point, and the Small Business Administration’s Cybersecurity portal provides online training, checklists and information for small businesses.
Educate employees about your protocols
Train all your employees to use standard procedures. Conduct seminars frequently and remind employees to be on guard. “Since the policies are evolving as cybercriminals become savvier, it’s essential to have regular updates on new protocols,” notes the article on Cox BLUE. Hold employees accountable by having each one sign a document stating that they have been informed of the policies and understand that actions may be taken if they do not follow security policies.
Teach employees to report signs of a cyber security attack (see “Signs of a Possible Cyber Attack” below).
Plan for mobile devices
Nearly 60 percent of businesses allow BYOD, says a 2016 report from Tech Pro Research. It is therefore essential that your cyber security policies cover personal devices. With the growing popularity of smart watches and fitness trackers with wireless capability, you must include these devices in the policy as well. Norton by Symantec also recommends that small businesses require employees to turn on automatic security updates, and that the company’s password policy apply to every mobile device that accesses the network.
Use onscreen keyboards to enter sensitive information
Keylogging malware records what you type, and using an untrusted or shared computer raises the odds of meeting it. An onscreen or virtual keyboard driven by mouse clicks defeats the simplest keystroke hooks, which is why some financial institutions offer one. Treat it as a partial measure only: more capable malware captures screenshots, clipboard contents or the form fields themselves, so a machine you suspect is infected should not be used for banking at all, and multi-factor authentication limits what a stolen password is worth.
Back up frequently
You should back up word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files on a regular basis. Encrypt and password-protect your documents before storing them in the cloud or on a remote server to provide an extra layer of protection. Keep at least one copy offline or otherwise unreachable from your network, so that ransomware cannot encrypt the backup along with the originals, and test a restore periodically; a backup you have never restored from is a hope, not a plan.
Don’t store customers’ CVV numbers
Keeping your customers’ card details on file, with their consent, can make their future checkouts convenient. On the flip side, stored card data is exactly what thieves are after. Never store the CVV at all: PCI DSS forbids retaining it after a transaction is authorized, even in encrypted form. Keep only what you need (for example the last four digits and the expiry date) plus a token from your payment processor, and ask the customer for the three digits at each transaction.
Control physical access to systems and network components
Don’t permit outsiders or other unauthorized personnel to use your system. If a technician from another firm must service your equipment, provide them with a general PC or make sure someone from your staff supervises them.
Lock your computer when you leave and insist your staff do so as well.
The threat of cyberattacks on small businesses is very real, so make sure you have security controls in place, and that each one of your employees is making cyber security a top priority.
From Cisco: Signs of a Possible Cyber Attack
Phishing emails
Email phishing is a method used by malicious actors to obtain sensitive business information by pretending to be a trusted organization or website. Employees should never respond to “mystery” emails and should be careful about clicking links from unknown sources or opening email attachments.
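A constructed example of what “be careful about links” looks like when automated, added here and not taken from Cisco or from the article: it parses a message with Python’s standard library and flags the indicators a trained employee would look for (a lookalike sender domain, a Reply-To that differs from From, a link whose visible text disagrees with its real destination or points at a bare IP address, and pressure language in the subject). The two sample messages, the trusted-domain set and the phrase list are all made up for the demonstration; real mail should also be checked against SPF/DKIM/DMARC results, which this stub ignores.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample messages (not real mail). 203.0.113.0/24 is a documentation range.
PHISHING_EMAIL = """\
From: "Acme Payroll" <payroll@acme-corp-login.com>
Reply-To: hr.desk@mail-relay.example
To: jane@acme.example
Subject: Action required: confirm your direct deposit
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your direct deposit is on hold. Confirm within 24 hours:</p>
<p><a href="http://203.0.113.7/verify">https://payroll.acme.example/verify</a></p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "Acme Payroll" <payroll@acme.example>
To: jane@acme.example
Subject: March payslip available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your payslip is in the portal:
<a href="https://payroll.acme.example/payslips">https://payroll.acme.example/payslips</a></p></body></html>
"""

TRUSTED_DOMAINS = {"acme.example"}          # assumption: the organisation's own domains
URGENCY_PHRASES = ("action required", "within 24 hours", "verify your", "on hold",
                   "account will be")       # assumption: a short hand-picked list

_ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _header_domain(msg, name: str) -> str:
    """Domain part of the first address in an address header, or '' if absent."""
    header = msg[name]
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def _host(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message; empty means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = _header_domain(msg, "From")
    reply_domain = _header_domain(msg, "Reply-To")

    # 1. Lookalike sender: uses the organisation's name but is not its domain.
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and trusted.split(".")[0] in from_domain:
            findings.append(f"sender domain {from_domain!r} imitates trusted domain {trusted!r}")

    # 2. Replies silently routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 3. Links whose visible text disagrees with the real target, or whose target is a bare IP.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in _ANCHOR_RE.findall(html):
        real_host = _host(href)
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if _IP_RE.match(real_host):
            findings.append(f"link points at raw IP address {real_host}")
        if shown.startswith(("http://", "https://")) and _host(shown) != real_host:
            findings.append(f"link text shows {_host(shown)!r} but goes to {real_host!r}")

    # 4. Pressure language in the subject line.
    subject = str(msg["Subject"] or "").lower()
    for phrase in URGENCY_PHRASES:
        if phrase in subject:
            findings.append(f"subject uses pressure phrase {phrase!r}")
            break
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing sample", PHISHING_EMAIL), ("clean sample", CLEAN_EMAIL)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

None of these checks is proof on its own; a legitimate newsletter can have a different Reply-To, and a genuine notice can say “action required.” The value is in the combination, and in showing staff concretely what “hover over the link before you click” is meant to reveal.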
Unusual password activity
If an employee is locked out of his or her account and/or receives an email saying that a password has been changed, and did not initiate either, that is a potential sign the password is compromised.
Unknown pop-ups
Don’t click on them, not even to close them. Unknown pop-ups can carry malware or spyware that can compromise the network.
A slower-than-normal network
A hacking attempt or malware outbreak often results in spikes in network traffic that can reduce internet speed.