In my years working in the data breach resolution industry, I’ve heard my share of concerning misconceptions. One of the most cringe-worthy is the belief many small business owners have that because their business is small, their risk of experiencing a cybersecurity breach is small as well. They think cybercriminals only target large or medium-sized businesses, while ignoring smaller ones.
Nothing could be further from the truth.
Small business, huge risks
In fact, Symantec reports nearly half of all cyberattacks target small businesses. The Securities and Exchange Commission goes further, stating that “small and midsize businesses (“SMBs”) are not just targets of cybercrime, they are its principal target.” Cybercriminals are as interested in small businesses as they are in large ones, and they’re becoming more adept at scaling their attacks to better match the target.
Even more concerning, the impact of a cyberattack is worse for small businesses that often lack the ability to recover from the damage. The SEC cites estimates that indicate half of small businesses that experience a cyberattack close their doors within six months of the incident.
When it comes to preventing cyberattacks, small businesses can be their own worst enemy. Frequently, they don’t take the precautions that could help reduce their risks. Many are simply unaware of their level of exposure. When an attack does occur, they don’t know what to do to quickly and effectively stem the damage and begin recovering.
A good start for SMBs
There are many components to effective cybersecurity, but here are three key considerations that my experience tells me are critical for small businesses to address:
- Prevent spear-phishing attacks — Top executives of big companies have fallen prey to this type of cyberattack, and the risks are even higher for small businesses. In this type of attack, a fraudster sends a fake email or emails posing as someone known and/or trusted with the purpose of stealing money, information or both. Wombat Security Technologies says 85 percent of companies experience spear-phishing attacks, and Ponemon found 38 percent aren’t confident they know how to deal with this type of attack. Spear phishing is particularly effective against small businesses because it plays on the diligence of well-meaning employees, and takes advantage of the likelihood small businesses will be less able to spot and block a spear-phishing attack. Small businesses need to train employees, especially those with access to finances, to recognize the signs of a spear-phishing attack.
- Move company data to the cloud — Unfortunately, some small business owners may have the misconception that data stored in the cloud is less secure than information they store and maintain on their own. However, the opposite is actually true. Few small businesses have the resources and technology to protect their data as effectively as a reputable cloud vendor whose business pivots on its ability to secure data for its customers. Good cloud vendors have multi-level security, robust firewalls and other protections. Migrating to the cloud can allow time-pressed small business owners and employees to focus on other things, like generating revenue for their company.
- Get cyber insurance — Many small business owners are unaware of exactly what cyber insurance covers. Yet many of the types of incidents typically covered by cyber insurance are ones a small business is most likely to experience, such as an employee or contractor mishandling information, lost or stolen computer hardware that contains proprietary data, or inadequately secured systems and data. When one of those events occurs, good cyber insurance can help mitigate the costs of investigating and resolving the security incident. For small businesses that often run on tight margins, that financial help could mean the difference between going out of business and recovering.
Companies of every size face huge cybersecurity challenges, but for small businesses, the risks can be even more damaging. It’s critical for small business owners to stop thinking of themselves as targets too small to be worth a cybercrook’s time and attention.