Even as consumer devices and applications continue to improve their security, cyber-attacks against small and medium businesses (SMBs) remain at an all-time high. In fact, since the FBI began collecting statistics in 2013, SMBs have lost more than $3 billion to email phishing scams and ransomware alone.
A cybersecurity attack against your business can be devastating: the costs of recovering from an attack can easily reach $100,000. Consider the example of a small Midwestern retailer described by Gary Miller of the Denver Post. The firm was unlucky enough to be infected by the Cryptowall ransomware in 2016, which encrypted all of the company’s customer accounts and sales data. Despite paying a $50,000 ransom, they were never able to decrypt the files and regain access to them, and the business closed within six months of the original attack.
The problem is not confined to email, either. Increasingly, small business websites and applications are also the targets of hackers. These attacks can be unrelenting: one study found that the average small business website was attacked over 40 times per day, often by automated bots attempting to install malware.
While there is no surefire way to prevent your company from becoming the next victim, there are a number of steps you can take to minimize both the risks and consequences of a cyber-attack.
Cybersecurity Best Practices
Have a Backup Plan
Backing up critical systems and data is the best strategy for minimizing the effects of a ransomware attack. With full backups in hand, you can restore your business to its full operational state with a minimal amount of time and effort, with no need to clean viruses or pay off attackers.
Traditional backups, especially on low-cost external drives or USB devices, are still the way to go for many businesses concerned about the privacy and integrity of their data. If you follow this route, make sure that you keep at least a few of these backups offline, where they cannot be impacted by a computer infected with malware. Offsite backups are also important: you wouldn’t want a fire, flood or theft at your business location to compromise your data as well. Online backup schemes, which store your data securely in the cloud, are becoming more and more affordable. Quite a few are available for as little as $50 a year.
Additional reading: How to Build a Storage and Backup Strategy for Your Small Business
Use Antivirus, But Don’t Rely on It
Choosing the right antivirus tool for your business can be a daunting task. With dozens of products offering hundreds of features, it can seem like you need to become a cybersecurity expert just to keep your business safe from malware. The truth is, antivirus products do vary widely in quality and effectiveness, but at the end of the day, there’s no way to be certain which products will keep you safe. It’s best to choose an antivirus product that’s commercially recognized, easy to use, easy to update.
Once you pick one, it’s best to be consistent: you can save significant time and aggravation by using a small business antivirus solution for multiple computers. Whatever you do, don’t rely on those trial antivirus solutions that came free with your new computer. They almost never stay up-to-date without upgrading to the full version. Finally, you should recognize that an antivirus will not protect you against all threats.
Just as an antivirus needs to be kept up-to-date to remain effective, your operating systems and software, including business software, are most secure when you apply regular updates, security upgrades, and patches as recommended by the vendor. In fact, making sure your software is upgraded will prevent you from most attacks that affect small businesses each year. Poor patching, rather than zero-day vulnerabilities, is responsible for the majority of attacks.
The major operating systems, including Microsoft Windows, OS X, and Linux, all include automatic update features that apply security patches on a monthly basis or more frequently if a critical security vulnerability occurs. Maintaining computers and operating systems past their end-of-life may limit your ability to get and apply these patches. Additionally, some commercial and industrial applications may have a less regular patch cycle or require paid upgrades to continue support. That’s why it’s critical to know about the support lifecycle for all of your systems and applications, including point-of-sale, embedded and special-purpose systems.
Phishing attacks, in which a hacker uses a fake email in order to lure you into opening malware, remain the number one cause of security compromises in organizations of all sizes. Small business owners need to be especially careful because attackers often target them based on public information about the business that can be used to create a pretext for communication. This form of phishing, called spear phishing, was experienced by 53% of all professionals in 2017.
While enterprise mail hosts and antivirus products help with the most high-profile attacks, the key to defending against phishing scams is to remain vigilant when managing your inbox. Know your bank’s, vendors’ and commercial customers’ policies for electronic communication, and don’t be afraid to confirm information by telephone or in person if you get suspicious. Never open attachments from unknown senders or emails that seem suspicious, no matter how tempting. Don’t be disarmed by superficial personalization, such as your name or the name of your business: attackers can automate the insertion of these details using information obtained on the internet. Finally, remember that phishing can occur by telephone and text as well.
With data breaches and identity theft constantly in the news, the amount of information out there about cybersecurity can seem daunting, and it can be even harder to distinguish real concerns from fear-mongering. Media coverage and product promotions can distort our perspective, causing us to over-react to some risks and ignore others. That’s why educating yourself and your employees is the best strategy for long-term cyber defense of your business.
Education can come in a variety of forms, including books, articles, podcasts, and online or in person cybersecurity certifications and classes. Be sure to steer clear of courses that promote a particular company or product: quite a few security companies use ‘education’ as a strategy for sales. Instead, look for information from sources that leverage industry experts to inform, educate and improve overall security.
No one can offer you a foolproof strategy for cybersecurity. However, by following these tried-and-true tips you can keep yourself, your employees and your customers safe and avoid becoming another statistic. That’s good for the bottom line!
Interested in a career in cybersecurity? Check out Springboard’s Introduction to Cybersecurity course today.
This post was written by Scott Chase, a cybersecurity consultant and educator with more than twenty years experience in application security assessment. He is also the co-author of The Software Vulnerability Guide.