The increasing dependence on the Internet has made cyberattacks a harsh reality for all types of organizations, especially small businesses. It is a serious mistake for a small business to assume this type of threat only concerns their larger brethren. When small businesses fail to address adequately the risk of a cyber incident, they are at risk of suffering significant financial losses, even bankruptcy.
Unfortunately, the scope and scale of malicious cyber activity continues to increase. Cybercriminals use various techniques, including business email compromise, ransomware and extortion, to target small entities for financial gain, disrupt business operations, or even to steal proprietary information. Since cybercriminals’ sophistication and adaptability is growing, small businesses must continuously identify cyber security as a top priority so they can evolve with the threat. Establishing a strong security profile cannot be a one-shot deal. There must be a commitment to incorporate cyber security into the greater corporate culture.
Cyber security is not cheap, but there are some basic inexpensive steps businesses should take to become more proactive in their own defense. Businesses must invest in training and awareness programs in order to change their culture. The weakest part of any system is its users. A 2016 report by Ponemon Institute on the annual cost of cybercrime showed small organizations are more susceptible to cybercrime costs related to spear phishing, social engineering, and web-based attacks. These types of exploitations allow criminals to obtain an employees’ credentials and passwords. As a result, small organizations must train their workforce to be aware of the fact they are a vulnerability, at work and at home.
It is unfortunate when businesses spend millions on sophisticated cyber defenses only to have them defeated by one careless action
All employees must understand their role in protecting the company’s networks and data. More importantly, ongoing communication on this subject should provide employees an opportunity to report any concerns or mistakes, without fear of punishment, before it is too late. It is unfortunate when businesses spend millions on sophisticated cyber defenses only to have them defeated by one careless action. Nonetheless, while many attacks are caused inadvertently, some are produced by employees with malicious intentions. As a result, businesses should emphasize better communication between their human resource department and security division to promptly mitigate insider threats produced by disgruntled employees. No business should take this type of threat lightly.
Considering what could be spent on cyber defense, there are low-cost actions small businesses can take to make them a less attractive target. Companies can improve their security posture by assessing and hardening their network. This includes segregating the internal and external network with firewalls, removing sensitive information from public facing portions of the network, maintaining logs and regular system backups, disabling unnecessary services, and, most importantly, regularly updating and patching software and applications. Many cybercriminals are opportunistic, seeking systems with known vulnerabilities to exploit. By properly configuring and patching your systems, you can make yourself a less attractive target to attackers.
Failure to take these kind of steps has made information loss the most expensive consequence of cybercrime.
While the aforementioned steps will help reduce the likelihood of an incident, you may not prevent all attacks. Understanding the inevitability of an attack, it is prudent to invest some resources on a comprehensive cyber incident response and remediation plan before an attack occurs. This plan should identify critical roles and responsibilities as well as a logical plan to contain and mitigate a cyber threat so you can restore your systems and business operations as quickly as possible. A third-party mitigation company can assist you with this task. The value of a response plan cannot be overstated. Not having an agreed upon approach will likely lead to a longer down time and potentially costly mistakes. Failure to take these kind of steps has made information loss the most expensive consequence of cybercrime.
Lastly, businesses should take the time to develop a relationship with their local Federal Bureau of Investigation (FBI) cyber supervisors. The FBI is made up of 56 field offices across all 50 States, each with a multi-agency Cyber Task Force. Any incident should be reported to your respective field office to determine the best course of action. Businesses can also engage FBI agents by joining InfraGard (Infragard.org), a partnership between the FBI and private sector members to facilitate public-private collaboration and information sharing.
Although cyber security is often considered expensive, not investing in it will produce larger unwanted costs. Including cyber security in a company’s overall culture will produce substantial long-term benefits. As a result, it is imperative all small businesses maintain an educated workforce, sound cyber network security practices, and a realistic response plan. In doing so, companies will significantly reduce the likelihood and consequences of an attack. For such a strategy to remain effective, business leaders must understand the threat and be committed to stopping it.