For the Average Hacker, Your Small Business Is an Ideal Target You're not too big to be hacked. Here's how to avoid becoming a statistic.
By Jon Schram Edited by Dan Bova
Opinions expressed by Entrepreneur contributors are their own.
Headlines are full of cybersecurity breaches, and big businesses like Google and Facebook are some of the latest to fall victim to outside attacks. A vulnerability in Google+ is at least partially responsible for the company's decision to shut down the platform for good, and a recent breach of Facebook's network security may have compromised the personal information of almost 50 million users.
Of course, for such enormous companies, a breach is an embarrassing blip on the radar. Google is mostly terminating its social platform because no one uses it (the company reported that 90 percent of user sessions last less than five seconds), and the even the notorious Cambridge Analytica scandal cost Facebook a mere $644,000 in fines imposed by British regulators -- peanuts for a company bringing in almost $100,000 in revenue every minute. But what would a $600,000 fine do to your small businesses?
Related: The Dos and Don'ts of Cyber Security Measures to Help You Protect Your Business and Assets
Face it: Small businesses like yours lack the resources to make data breaches disappear. Not only can fines and fees put you out of business, but the loss in customer trust after a breach can lead to increased levels of churn that you aren't prepared to handle. According to the National Cyber Security Alliance, 60 percent of small businesses are forced to close their doors less than six months after a cyberattack. To protect your business and prevent it from becoming another statistic, follow these four steps:
1. Recognize that you're a target.
Many small business owners enjoy a false sense of security, assuming they're too small to attract the attention of hackers. The problem is, hackers are no longer an elite few. The dark web -- the area of the internet accessible only through special software such as the Tor browser -- has made powerful hacking tools available to anyone with a few hundred dollars and a few hours to spare. According to Verizon's 2018 Data Breach Investigations Report, small businesses account for 58 percent of malware attack victims. And the Ponemon Institute found in its 2017 State of Cybersecurity in Small & Medium-Sized Businesses report that cyberattacks on small businesses have increased in recent years, affecting 61 percent of SMBs in 2017, up from 55 percent in 2016.
While it might be more difficult for these hackers to break into the network of a financial institution or a large tech company, it's easy for them to attack small businesses with ransomware or steal customer information and sell it on the dark web. You might not have been in danger when hacking required rare skills, but in the current climate you're the ideal target, so recognize that you should prepare accordingly.
Related: Here's Why Companies Can't Dismiss the Rising Need for Cyber Security
2. Do your due diligence in security practices.
When it comes to data breaches, it's more a question of "when" than "if," because attempts to compromise your systems cost hackers virtually nothing and all it takes for them to strike it rich is one successful effort against a lucrative target. With 86 percent of North American chief information security officers describing data breaches as "inevitable," according to a Kaspersky Lab survey, you should expect to be hacked at some point. Therefore, you should have a system in place to deal with the consequences of that attack quickly and effectively in order to safeguard your business and your customers. Part of surviving an attack is your business's story of effort: You want to demonstrate that you had the appropriate protections in place.
Implement a password policy and a security monitoring policy, perform firewall updates, conduct regular penetration testing and create an incident response plan. Nothing will protect you completely, but you can still institute some practical measures that are affordable for even small businesses. If you can show customers you were actively taking measures to protect them, they will be far more understanding in the event of a breach. But if your cybersecurity strategy involves crossing your fingers and hoping for the best, they'll abandon you in droves -- and rightfully so.
3. Train your employees continuously.
Even if you lived in a perfect world and had a fortune to spend on sophisticated cyber-defense systems, your data still wouldn't be totally protected. Even big corporations with massive cybersecurity budgets get hacked because their employees are human and therefore prone to making mistakes and being fooled.
Your employees are the most vulnerable part of your business from a cybersecurity standpoint, so train them to be more vigilant, especially around more common internal sources of security breaches such as email. Teach employees to recognize phishing attempts and more sophisticated spear-phishing emails and to delete any messages they have any doubts about. Set times for them to update their web browsers and operating systems in order to maintain the latest security software. To help minimize their odds of failure, invest in a good spam filter. According to Webroot's SMB Cybersecurity Preparedness report published in June, nearly all businesses train employees on cybersecurity best practices, but fewer than half maintain that training continuously, which leaves room for error. Education on security practices must extend to all employees and must be ongoing in order to be effective.
Related: 5 Cybersecurity Tools Your Company Should Have
4. Use systems that are easy and ongoing.
In Webroot's survey of 600 IT decision makers at SMBs in the Australia, the U.S. and the U.K., only about one-fifth said their businesses were ready to manage IT threats by themselves. Running a small business is highly demanding, so implementing cybersecurity measures in-house often proves to be too much work on top of that.
So many SMBs find that the best course of action is hiring a third party to regularly audit their defenses and conduct training, freeing up any in-house IT or tech talent to create new solutions for the business. Having professionals conduct training and ensure the system's security on an ongoing basis gives many businesses the peace of mind that they are proactively protecting customers' data. Because every business transaction is built on a foundation of trust, this investment in security is seen as money well-spent.
With security breaches occurring in every major industry on what feels like a daily basis, it's possible to become desensitized to the severe consequences of a breach. As a small business owner, it's important for you to realize that your business lacks the ability to recover from a breach in the way that larger corporations can. To protect yourself, follow the above steps and establish a capable line of defense. When the target is on your business's back, you'll be glad you did.