How can small businesses protect themselves from cyber threats?
“Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses,” the SBA noted in a cybersecurity guide published on its website.
A recent poll conducted by the association of small business owners across the country has found that 88% of respondents felt their businesses were vulnerable to cyberattacks. Despite this, most of those surveyed admitted they could not afford professional IT services, did not have enough time to focus on cybersecurity, or did not know where to start when it comes to protecting their data.
And the consequences are telling. The latest internet crime report from the Federal Bureau of Investigation (FBI) has revealed a sharp rise in cybercrime complaints and losses in the past few years. From 301,580 complaints equivalent to $1.4 billion in damages in 2017, the figures have shot up to 847,376 and $6.9 billion in 2021, respectively.
During the period, the FBI has received almost 2.8 million reports of cyberattacks, amounting to $18.9 billion in losses, highlighting the need for effective data protection measures among the nation’s business population.
What are the most common types of cyber threats facing small businesses?
The SBA listed some of the main types of cyber threats small businesses need to be aware of but warned that new dangers could emerge as “cyberattacks are constantly evolving.” These are the most common attack types, according to the agency.
The SBA describes ransomware as a specific type of malware that infects and restricts access to a computer until a ransom is paid, adding that it is usually delivered through phishing emails and exploits unpatched vulnerabilities in software.
Separate data gathered by cybersecurity firm SonicWall has shown that there were almost 421.5 million ransomware attempts against US businesses in 2021 – a figure that dwarfed that of second-placer Germany, which registered about 34.3 million hits. Ransomware attempts against the US actually more than doubled those of the top 10 countries with the most hits, which included the UK, Brazil, Canada, Colombia, France, South Africa, Belgium, and Mexico. Combined, these nations logged about 174 million ransomware attempts.
In a phishing attack, cybercriminals use email or malicious websites to infect a device with malware or collect sensitive information.
“Phishing emails appear as though they’ve been sent from a legitimate organization or known individual,” the SBA explained. “These emails often entice users to click on a link or open an attachment containing malicious code. After the code is run, your computer may become infected with malware.”
Tech giant IBM’s 2022 X-Force Threat Intelligence Index, meanwhile, has found that phishing was the attack vector of choice for threat actors targeting businesses in the US, with 47% of incidents using this technique to gain initial access. Among the top spoofed brands are Microsoft, Apple, Google, Amazon, and Facebook.
“Threat actors may be focused on phishing as more North American organizations implement robust patch management programs in the face of several critical vulnerabilities released in 2020 and 2021,” the research noted.
Another common threat the SBA identified is malware, which the agency describes as an “umbrella term that refers to software intentionally designed to cause damage to a computer, server, client, or computer network.” This can include computer viruses and ransomware.
Data from the FBI has shown a downtrend in malware reports it has received since 2019. From 2,373, complaints have dipped to 1,423 in 2020 and dropped further to 810 in 2021.
IBM, however, has warned businesses that despite the decline, threat actors continue to innovate and find new ways to make malware more capable across operating systems and more challenging to detect.
Practical ways small businesses can protect against cyberattacks
To help small businesses address the growing threat of cyberattacks, the SBA has published a guide outlining several steps firms can take to protect against cybersecurity risks even before the attack happens.
“You don’t have to be a large corporation in America to be vulnerable to cybersecurity attacks,” the agency explained. “Fortunately, there are ways that you can strengthen your business against a cyberattack to minimize financial losses and reduce risks for employees.”
Here are some of those practical measures:
1. Assess the risk facing your business
The first and most crucial step to improving a company’s cybersecurity, according to the SBA, is having a deep understanding of the unique risks they are facing and pinpointing where to make the biggest enhancements.
“A cybersecurity risk assessment can identify where a business is vulnerable, and help you create a plan of action, which should include user training, guidance on securing email platforms, and advice on protecting the business’s information assets,” the association wrote. “Start by learning about common cyber threats, understanding where your business is vulnerable, and taking steps to improve your cybersecurity.”
The SBA noted, however, that although “there’s no substitute for dedicated IT support, whether an employee or external consultant,” small businesses with “more limited means” can still access affordable or even free planning and assessment tools to help enhance their cybersecurity, including:
- The Federal Communications Commission’s (FCC) customizable cybersecurity planning tool
- The Department of Homeland Security’s (DHS) Cyber Resilience Review (CRR) and free cyber hygiene vulnerability scanning tool
- The DHS’ and Cybersecurity and Infrastructure Security Agency’s (CISA) supply chain risk management toolkit
- A range of free cybersecurity tools and services from CISA
2. Invest in employee training
The SBA noted how employees and emails have become “a leading cause of data breaches” because they often provide a direct path into a company’s computer system.
“Training employees on basic internet best practices can go a long way in preventing cyberattacks,” the agency wrote, adding that educating staff does not always have to be a costly endeavor.
The association suggested businesses access the DHS’ Stop.Think.Connect campaign, which offers training and other materials on a range of topics, including:
- Spotting a phishing email
- Using good browsing practices
- Avoiding suspicious downloads
- Creating strong passwords
- Protecting sensitive customer and vendor information
- Maintaining good cyber hygiene
3. Keep antivirus software updated
It is also crucial that companies ensure that their systems are equipped with the latest antivirus software and antispyware and that these are regularly updated.
“Such software is readily available online from a variety of vendors,” the SBA explained. “All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.”
4. Make sure networks are secure
The SBA advised businesses to safeguard their internet connection by using a firewall and encrypting all their data. Wi-Fi networks should also be secure and hidden.
“To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID),” the agency instructed. “Password-protect access to the router.”
5. Use strong passwords
Using strong passwords is one of the simplest ways to improve cybersecurity. According to the SBA, a strong password should have the following elements:
- 10 characters or more
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character
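As an added example (not code from the SBA or from this article), the function below checks a password against the five elements listed above and reports exactly which ones are missing. It also adds the check a practitioner would want next to such a rule set: a small blocklist of commonly guessed passwords, because a string such as "Password1!" satisfies every rule and is still a poor choice. The blocklist contents are constructed for the demo; a real deployment would load a published list of breached passwords instead.

```python
"""Added example, not the SBA's code: checks a password against the five elements the SBA lists,
plus a small constructed blocklist, because a password can satisfy every rule and still be a common guess."""

# The five SBA elements, each expressed as a predicate over the password.
REQUIREMENTS = {
    "at least 10 characters": lambda p: len(p) >= 10,
    "at least one uppercase letter": lambda p: any(c.isupper() for c in p),
    "at least one lowercase letter": lambda p: any(c.islower() for c in p),
    "at least one number": lambda p: any(c.isdigit() for c in p),
    # "special" here means anything that is not a letter or digit (punctuation, symbols, spaces)
    "at least one special character": lambda p: any(not c.isalnum() for c in p),
}

# Constructed sample of strings that pass all five rules yet are widely guessed. A real
# deployment would load a published breached-password list here (assumption, not from the article).
COMMON_PASSWORDS = {"password1!", "welcome123!", "qwerty123!a"}


def failed_requirements(password: str) -> list[str]:
    """Return the names of the SBA rules the password does not satisfy (empty list means all pass)."""
    return [name for name, ok in REQUIREMENTS.items() if not ok(password)]


def meets_policy(password: str) -> bool:
    """Accept only passwords that satisfy every rule and are not on the blocklist."""
    return not failed_requirements(password) and password.lower() not in COMMON_PASSWORDS


def explain(password: str) -> str:
    """Human-readable verdict suitable for a sign-up form or an internal password audit."""
    missing = failed_requirements(password)
    if missing:
        return "rejected: missing " + ", ".join(missing)
    if password.lower() in COMMON_PASSWORDS:
        return "rejected: this password is on the blocklist of commonly guessed passwords"
    return "accepted"


if __name__ == "__main__":
    # Constructed candidates covering the interesting cases: too short, rules missing,
    # passes rules but blocklisted, and fully acceptable.
    for candidate in ["Ab1!", "correcthorsebattery", "Password1!", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {explain(candidate)}")
```

The checker reports every missing element rather than stopping at the first one, so the feedback a user sees tells them everything they need to change in one pass; the blocklist comparison is case-insensitive so that capitalisation alone cannot bypass it.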
6. Activate multi-factor authentication
Another effective practice to protect data is the use of multi-factor authentication (MFA). This verification process requires users to provide two or more proofs of their identities to access their accounts, adding another layer of security. One example is a system where a password and a code sent to a separate device are required before a user is granted access to an online account.
7. Conduct regular data back-ups
Backing up data is among the most cost-effective ways of making sure information can be recovered in the event of a cyber incident or computer failure.
“Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable and payable files,” the SBA wrote. “Back up data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.”
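The SBA's advice above (back up automatically, at least weekly, and keep the copies offsite or in the cloud) leaves two practical questions open: how do you know the offsite copy is still intact, and how do you restore it without an untrusted archive writing outside the restore folder? The added example below (not the SBA's tool; the file names and directory layout are constructed for the demo) creates a timestamped tar.gz archive, writes a SHA-256 manifest beside it so the copy can be verified wherever it is stored, and restores only archive members that stay inside the target directory. Scheduling it weekly is left to cron or Task Scheduler.

```python
"""Added example: timestamped tar.gz backup with a SHA-256 manifest and a safe restore.
Not the SBA's tool; the file names and directory layout below are constructed for the demo."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Archive source_dir into dest_dir and write a sidecar manifest holding the archive hash.
    Copy both files to the offsite or cloud location; the manifest proves the copy is intact."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"backup-{source_dir.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=source_dir.name)
    manifest = Path(f"{archive}.sha256")
    manifest.write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> bool:
    """True only if the archive hash matches the manifest and the archive can be listed."""
    expected = manifest.read_text().split()[0]
    if sha256_of(archive) != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except (tarfile.TarError, OSError):
        return False
    return True


def restore_backup(archive: Path, target_dir: Path) -> list[str]:
    """Extract into target_dir, refusing members that would land outside it or are links."""
    target_dir.mkdir(parents=True, exist_ok=True)
    root = target_dir.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        safe = []
        for m in tar.getmembers():
            dest = (root / m.name).resolve()
            escapes = dest != root and root not in dest.parents
            if m.issym() or m.islnk() or escapes:
                raise ValueError(f"refusing unsafe archive member: {m.name}")
            safe.append(m)
        tar.extractall(target_dir, members=safe)
    return [m.name for m in safe if m.isfile()]


def demo() -> dict:
    """Constructed end-to-end run in a scratch directory: back up, verify, restore, then detect tampering."""
    work = Path(tempfile.mkdtemp())
    source = work / "books"  # constructed sample data standing in for real business files
    source.mkdir()
    (source / "ledger.csv").write_text("invoice,amount\n1001,250.00\n")
    (source / "payroll.txt").write_text("constructed sample payroll file\n")
    archive, manifest = create_backup(source, work / "backups")
    verified = verify_backup(archive, manifest)
    restored_files = restore_backup(archive, work / "restore")
    ledger = (work / "restore" / "books" / "ledger.csv").read_text()
    with open(archive, "ab") as f:  # simulate corruption or tampering of the offsite copy
        f.write(b"\x00")
    return {
        "verified": verified,
        "restored_files": sorted(restored_files),
        "ledger_matches": ledger == "invoice,amount\n1001,250.00\n",
        "verified_after_tamper": verify_backup(archive, manifest),
    }


if __name__ == "__main__":
    print(demo())
```

The manifest travels with the archive, so whoever holds the offsite copy can re-run `verify_backup` months later and know whether the file still matches what was written; a mismatch after a single appended byte is caught in the demo. The member check in `restore_backup` is the reason to prefer this over a bare `extractall`: a damaged or substituted archive cannot write outside the restore folder.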
8. Ensure payment processing is secure
The agency advised small businesses to work with their banks to make sure that “the most trusted and validated” tools and anti-fraud services are being used. It also recommended that companies isolate payment systems from less secure programs and use separate computers when processing payments and surfing the internet.
9. Control physical access
Businesses should prevent unauthorized individuals from getting access to or using their computers. Companies should also give administrative privileges only to trusted IT staff and key personnel.
“Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended,” the SBA added. “Make sure a separate user account is created for each employee and require strong passwords.”
10. Consider cyber insurance
Although not on the SBA’s list, a cyber insurance policy can help cover the financial losses resulting from a cyberattack and, in an increasingly digital business environment, it pays for companies to have one. Coverage can also include claims made by individuals or groups that may have been harmed because of a business’s action or inaction.