In this guest post, Experian invited Alan W. Silberberg, Founder and CEO of Digijaks, a boutique Cybersecurity company, to share his views on how small businesses are vulnerable to cyber attacks, and some best practices every small business should adopt to protect their businesses.
In 2017 61% of small businesses in the United States suffered some kind of cyber attack according to a report by Ponemon Institute. This number reflects an over 50% increase year to year in cybersecurity assaults on U.S. small businesses. There are many reasons why small businesses need cybersecurity — privacy, client trust, financial integrity, employee integrity, data integrity and the longevity of the business.
For a small business owner, the topic of cybersecurity can seem overwhelmingly complex, but a basic understanding of cybersecurity is considered table stakes for running a business in 2018, particularly a business with any kind of online presence. But even those companies without an online presence can be quite vulnerable to cybersecurity threats.
Threats include attacks launched through email, SMS and voice phishing, even insider threat attacks, or in person cybersecurity attacks. Small businesses are also very likely to suffer a reputational attack, where someone starts posting negative information in social media, websites, blog posts to harm your brand and or reputation.
There are many kinds of cybersecurity tools and protocols available to the small businesses, and it would be impossible to boil the topic down in a single blog post. Rather, I’d like to outline some common sense protections to have in place for your business and illuminate some tactics hackers are employing when going after an unsuspecting business.
Two Factor Authentication and or multi-factor authentication are needed for every sign in, every banking account, every insurance account, and if possible should be defacto, Two-factor authentication can be commonly known as using a secondary password or 4 digit code to authenticate login after your username and password are entered. While many consumers know two-factor authentication as something like SMS messaging post-login, many banks, and government players are moving into multi-factor authentication or relying on non-sms delivery.
There are multiple types of firewalls, including solutions specifically for mobile devices. Generally speaking, a firewall serves as the first or sometimes the second point of response for all incoming traffic including normal and business-related data/voice data. A firewall will defend a network, a device, or both against multiple kinds of cyber attacks.
This could include things like malicious code insertion, denial of service, data stuffing, viruses and potentially malicious payloads in documents. Usually, a firewall will work best when configured onto a specific network or device to the needs of that specific instance. Not using a firewall is a novice mistake since they do capture and stop a large number of certain kinds of attacks.
This being said, however, a smart attacker, using social engineering and or network monitoring, even network penetration can create malicious code designed to bypass firewalls. This is why layered cybersecurity approaches to even the smallest business can reap long-term rewards.
The kinds of threats facing a small manufacturer versus a small FinTech company; are simultaneously different and the same. Each industry has specific devices, use cases, and technology that need securing in different ways. However, all small businesses need to use common sense and some basics; like strong password rules, firewalls, https websites, two-factor authentication, encryption for both data storage and transmissions like email or website.
Common cyber hacks used on Small Business
Social engineering attacks, for example, account for over 50% of all cybersecurity intrusions in one form or another. This includes social media, search results, email phishing, voice phishing, SMS phishing, and link bait. Then there is reverse social engineering, where someone learns enough about your business to be able to convince you they are the ones to solve your problems when they are really behind the hack in the first place.
Social engineering attacks can occur in multiple instances. One kind might be directed at the CEO or CFO like in the “CFO Scam” otherwise known as the Business Email Compromise scam. Others can be directed at corporate websites, using fake comments, fake vendors and fake customers to deluge a small business with negative comments and create a bad vibe.
Other social engineering attacks can occur through social media; with LinkedIn and Facebook especially often used to mine information about who is who, and what they do inside organizations. This can be used in good ways obviously, but also to inform attackers about potential vectors in.
Social engineering can take the form of someone contacting your customer service representatives, with just enough information about a certain account, to request password changes. Or address changes. While this may be directed at a specific user or client, it affects your company directly and can result in litigation or loss of business or both.
Reputation security of your brand, your key employees, and even the owner of a small business is just as important as cyber security and all business need to pay attention to external attacks that may start as, or be through search or social media. A small business might have up to date cyber security controls and protocols, but may still be open to reputation attacks. Set up Google alerts in your brand name, key employees names and your own. Monitor for any changes in search results which are often tied directly to reputation attacks. Create a social media plan that encourages employees to not share any work-related information, and trains people how to ascertain fake accounts versus real ones.
It should not take a cyber horror story to get your company investing the time, money and training to protect your business., Protecting the security of the business is viewed as a positive thing to share with investors, due diligence teams from prospective partners, and or even with your clients. All of us want to do business with safe companies, or those perceived to be that way. In fact, there is a huge incentive. Recent studies show that on average 20-25% of US companies that suffer a data breach permanently lose clients. This number can increase dramatically if the breach is with a financial company, health care company or insurance company.
So do not wait. Educate yourself, your colleagues and your employees. Learn what kind of cybersecurity you need and how it would be implemented across your business. Do not assume you won’t be attacked. Do not assume your own business is too small or not worth a hacker’s time. Take the necessary steps beginning with education. Then begin to form an action plan and next steps. Want to learn more?
Resources for Cybersecurity information
Here are some additional resources to consider when researching cybersecurity options for your business: