Hackers and cybercriminals are shifting their focus to small businesses for many reasons. Read on to find out what you need to know and how to protect your business from cybersecurity threats.
Small Business Cybersecurity Threats
It’s hard to know just why some criminals do what they do, but in most cases it comes down to a couple of things. The first motivation is money, the second may be the need to cause mayhem, and for others there is a drive to do something just because they can. This is no different on the Internet. The Internet allows nearly unrestricted access to people’s lives, money and possessions and is a Siren too alluring for many criminals to resist. To combat the growing number of threats, big businesses employ departments of IT staff and utilize the latest in cutting-edge technologies, which is why cyber criminals target small companies more and more.
According to Symantec, small businesses are the focus of nearly 50% of all cyber attacks and make up the lion’s share. Their 2016 Internet Security Threat Report says that about 1 in 40 small businesses are at risk of cyber crime, much less than the number of large businesses. The revealing statistic is the steady rise in small business attacks over the past 6 years, rising from 18% of all attacks in 2011 to 43% in 2015. A report by Keeper Security paints a gloomier picture. According to their data, at least 50% of small businesses have experienced some form of breach in the past 12 months.
Why Do Cybercriminals Target Small Businesses?
While there are countless reasons why a cybercriminal might target a small business, there are a few pressing reasons in particular that business owners should be aware of. Below is the list of the top 7 reasons why cyber threats are targeting small businesses.
#1: No IT department.
Smaller businesses are much more likely to have limited or no IT department or personnel. This means that devices, networks, websites and servers are likely not kept up to date with best practices, the latest updates for software and devices have not been installed, and there is no one standing by to take control of a situation if an attack does occur.
#2: Less likely to follow Internet Best Practices.
Small business is a tough game. Most often employees are forced to wear a variety of hats, shuffling from one job to the next, often intermingling personal life with work and doing it all on a shoestring budget. If the business owners and employees are tech savvy it is likely they are not following best practices when using the Internet and their networks, opening themselves up to attack.
#3: Simple networks & systems.
Smaller businesses have much simpler networks than a larger business. A large business may have a room full of servers, or more than one room of servers, linking hundreds or thousands of computers and devices dedicated to various tasks. A smaller business may have only one server, if any at all, and a handful of computers and devices with a much less sophisticated set-up that is easier to breach.
#4: Using the cloud.
Small businesses may rely more heavily on the cloud than a larger business with the IT infrastructure to support its own needs. Each time you access the cloud, or store or share something across it, you put the data, the network and the business at risk. And then there is the chance the server farm hosting whatever cloud it is you’re on will be targeted, attacked and breached through no fault of your own, once again putting your business at risk.
#5: Using third party software, websites, SaaS, PaaS.
Small businesses are more likely to rely on a third party software suite, website, SaaS or PaaS than a larger business. A large business is more likely to have a proprietary or in-house solution. Using a third party solution to service a digital need across the Internet puts your business at risk in many ways. First there is the connection itself, which may or may not be secure, and then there is the chance that hackers will target that service and then use it as a gateway into your business computer network.
#6: Big Data.
Data, there is lots of it. Each time a website is used, data is accessed, ads are viewed, pages are liked and accounts are opened, data is created. The average small business may have as many as a quarter million of these events a day and no way to track which are legitimate and which are anomalous. Even if they did, there wouldn’t be time to do anything about it. Big business has the power of big data analytics at its fingertips, which means it can spot and address potential cyber threats in real time, as they happen, instead of trying to figure out what happened after the fact.
#7: Easy target.
No matter how you look at it or the reason why, it is just easier for cyber criminals to target small business than it is big business. Big businesses have the time, the money and the resources to use the latest in cutting-edge technology to protect themselves, their networks and their data. Smaller businesses don’t, and that is what makes the difference. This is not to say a small business cannot be cyber secure, because it can, and it really isn’t as hard as it may seem. Additionally, there are just a lot more small businesses than large ones, which makes targeting them that much easier. Analysts have in fact characterized small businesses as being in a hacker’s “sweet spot”, having more assets than an individual but far less security than a major corporation.
How To Protect Your Small Business From Cyber Threats
It is possible to protect your business from potential threats; the key is staying ahead of the curve and following a list of best practices. When it comes to the Internet and cyber threats, this battle is fought on two fronts. The first is general threats, and the second is specific threats.
General threats are those that may be faced by an entire industry or businesses in general. Say, for instance, a software company has developed a new method of payments processing that is being adopted by retailers. If cyber terrorists find a flaw or other gateway into the system, every retailer is at risk, not just one company. An example is the Target and Home Depot data breaches of 2015/2016 that were caused by the same data-swiping virus. This type of threat is not limited to retailers; any business vertical where there may be widespread use of the same software or sharing of data is at risk.
Specific threats are targeted attacks directed at a specific network or business and may lead to downtime, data loss or both. For a professional cybercriminal, the data is the holy grail. It is important to know how the local network is set up, how data is accessed and who has access to it. Security is easiest when company information and websites are maintained on in-house servers; it is much harder when this is done on the cloud. The number and types of specific attacks are vast and they are getting more sophisticated every day. Access to a company network may be achieved internally or externally. A hacker may try to sneak through network security, or they may simply leave a device lying about where the person they want will pick it up. If the device is taken into a business and then turned on and connected to the local network, hackers gain immediate access.
Two common forms of attack are ransomware and spear-phishing. Ransomware is software that locks a network from use, or threatens to publish data publicly, until the owners pay a “ransom” to have it unlocked. This attack has been around since the late ’80s and has proliferated in recent years. In some cases the malware will even encrypt the entire hard drive of a computer or server, making the data impossible to recover without the proper key. Spear-phishing is an advanced form of the old phishing attacks where hackers steal personal data for their nefarious purposes. Spear-phishing takes it a step further, expanding the practice to small and large businesses alike. Criminals may try to impersonate a CEO or other executive and request sensitive information or even initiate a financial transfer. According to Symantec, the number of spear-phishing campaigns increased by more than 50% from 2014 to 2015, and they expect further increases in 2016.
Internet Best Practices For Small Business Protection From Cybersecurity Threats
- If possible, always use in-house servers for your data and websites.
The cloud, SaaS and PaaS are growing in popularity but so are the attacks against them. Anytime you put your data and information on someone else’s servers you put it at risk. Keeping it safe on your own servers does not remove all risk but it does reduce it to a more manageable level. A tower server can be as inexpensive as $375 and can be set up by your IT specialist, whether that is an in-house staff member or a sub-contractor.
- Always use firewalls.
Firewalls are the first line of defense from an outside attack. They are meant to screen software and connection requests inbound to your network and will prevent questionable or known threats from entering. The only downside is that firewalls may sometimes block good software as well but that problem is easily fixed with a simple change to the permissions.
- Always use anti-virus and anti-malware.
These software suites protect your devices, network and data from infections that have passed through the firewall. There are two kinds of anti-virus on the market today, blacklist and whitelist, each with its own pros and cons. Blacklist antivirus protects against known threats; whitelist antivirus only allows known good software to enter your network. In either case these can prevent data leakage, ransomware and other software-based threats from harming your network.
- Be careful with email attachments.
Email is the most common source of attack for small businesses. Hackers, scammers, spear-phishers and the like may try to use email to deploy malware, gain access to your network or steal data. Employees should only use business email accounts while at work, preferably running on an in-house server, so that you can control access and ensure proper anti-virus and anti-malware is being used. Employees should only accept mail from known senders and never open attachments from untrusted sources.
- No personal devices.
Personal devices are one of the greatest weaknesses a small business network may have. It makes no sense to take the steps necessary to ensure high levels of network safety only to allow a random device to enter, log-on and do whatever it wants. Personal devices may be safe, but they may also be infected with untold numbers of malware that will wreak havoc on a network or allow unauthorized access.
- No outside devices on your Wi-Fi.
Outside devices may come into contact with your network from time to time but it should be limited. First, no “found” devices should be allowed to connect to your network as this is a popular method of deploying malware. Second, if you wish or need to maintain a public Wi-Fi hotspot or allow customers to use Wi-Fi in your office/building they should be on a separate router at minimum and on a different Internet connection at best.
- Change passwords regularly.
Password-protect all networks, devices and data, and change those passwords regularly. If you want to get really secure with your passwords, use a two-step authentication process.
- Back up your data.
Every person who has ever used a computer or other digital device should know to back up their data. The sad thing is that all too few follow through on the advice. Backing up your data regularly, daily for active businesses, can save you a lot of hassle and not just from cyber threats. In the case of cyber threats, let’s say you were targeted by ransomware: if you have a back-up on an isolated system, you can fall back on it instead of paying the ransom.
- Use encryption.
Encryption was once a word used only by the highest levels of top-secret government agencies but is now a tool that can be used by anyone. Encrypting your data is the only way to be sure that, if leaked or stolen, it won’t be used by criminals. This can be achieved in a number of ways; the easiest is to employ trusted encryption software from a company like Symantec.
- Get Cyber Insurance.
No, your basic business liability policy will not cover loss due to cyber theft but you can, believe it or not, buy cyber insurance. This is a special rider for a business policy that insures against loss to cyber crime. For best effect get a blend of 1st and 3rd party coverage to protect your business, and any liability you may have to your customers or business partners.
- Use a VPN.
VPN, virtual private network, is technology created by Big Business and the US government to ensure private, secure and encrypted connections across public networks, what we call the Internet. This software and service creates a hidden connection to dedicated servers that hackers can’t see, can’t trace and can’t use to harm you. It also masks IP addresses so that if a criminal is monitoring a website or network your business is using, they won’t know who you are, or where to find you. VPN can be installed onto individual devices to protect remote users accessing your network, or installed onto your router so that any device accessing the Internet through your network is automatically protected.
Online VPN Services For Small Business
VPN technology used to be very hard to deploy, requiring an in-depth knowledge of Internet Protocol, and was not available to the public. Now VPN is commercially available and comes in several forms. The best option is to use a paid service; there are many free services but they are often not what they seem. Some black-hats are using the lure of “security” as a means of attracting victims. You may think you are protecting your network and data, and keeping your locations secure, but if the VPN service is collecting data you are not. They may sell your information to a third party, or it may be leaked.
Le VPN is a top provider of VPN services with servers in more than 100 countries. They support 3 protocols as well as a HybridVPN / SmartDNS for streaming content from around the world. The open-source OpenVPN carries the highest level of security and encryption; all will mask your IP address and provide secure, private connections for as little as $4.95 a month. The technology can be used on PC, Mac, tablets and phones as well as on a router to protect the entire network. The bottom line: if it’s good enough for a large business to protect itself, a small business needs it even more.
*Article Updated On October 8th, 2018.*
Written by Vuk Mujović @VukMujovic
Vuk Mujović is the founder of MacTíre Consulting, an analyst, data management expert, and a long-term writer on all things business & tech. He authored blogs, articles, and opinion pieces aimed to help both companies and individuals achieve growth without compromising their security. Vuk is a regular guest author to Le VPN Blog since January 2018, where he gives his expert opinion on the topics related to cybersecurity, privacy, online freedom, and personal data protection. He also often shares his tips and best practices in relation to internet security and digital safety of private individuals and small businesses, including some additional applications of using a VPN service.