Do Small Businesses Need to be Concerned About Cybersecurity?

Of course they do: According to the National Small Business Association 2015 year-end economic report, 42% of small businesses have been the victim of at least one cyberattack. On average, cyberattacks cost over $7,000. Where bank accounts were hacked, average losses were higher than $32,000. [1]

Maybe it is because I’ve been in the security industry for 15 years and pay attention to security issues, but it seems to me that media coverage of the importance of cybersecurity is increasing. Even with the increased publicity and the high percentage of businesses that have fallen victim to cyberattacks, there still seems to be a pervasive thought among small business owners that cybersecurity isn’t necessary. Why? Small businesses don’t have anything worthwhile to steal – or at least that would seem to be the case. Maybe it is because they haven’t made it a high enough priority.

Fact:

Small businesses do have valuable information such as employee and customer data, access to larger networks, and so on. If malware such as a key logger is installed on a company computer, it is a simple matter to capture critical bank account or cloud application credentials. This valuable information is easily turned into a source of revenue for entrepreneurial cybercriminals. We see small businesses being targeted by criminals because they typically don’t have the resources to fund a security team of professionals – and criminals know and have adapted to this fact.

The good news is you don’t need a team of professionals dedicated to the security of your small business.

Here are some of the practices that can and should be employed by small businesses in order to minimize the risk of cybersecurity events:
  1. Establish an Internet Usage Policy. Make sure your employees are aware of it and they understand the consequences for not following it.
  2. Create a security perimeter in front of all of your devices. A few years back, the concept of a “perimeter” was thought to be a relic: Endpoint security was supposed to take care of everything. However, with IoT, the idea of securing all devices individually isn’t realistic.
  3. Stress to your employees the importance of security and educate them to guard against things such as phishing, social engineering, and online fraud. The Department of Homeland Security has several tips on how to accomplish this along with other cybersecurity resources [2].
  4. If a Managed Services Provider takes care of your IT needs, make sure your MSP keeps all your systems up to date with the latest software patches. Talk to your MSP about security.

To underscore the importance of security for small businesses, the Small Business Administration has published a list of top ten cybersecurity tips (https://www.sba.gov/managing-business/cybersecurity/top-ten-cybersecurity-tips). In the list are topics that range from securing your network to ensuring employees adhere to some basic security principles.

  1. http://www.nsba.biz/wp-content/uploads/2016/02/Year-End-Economic-Report-2015.pdf
  2. https://www.dhs.gov/publication/stopthinkconnect-small-business-resources