In a way, small businesses serve as the foundation upon which society operates. Just think about your local coffee shop you frequent on a chilly fall morning or the local pharmacy where the pharmacy techs know you by name. While you may think cyber criminals ignore these small businesses, in reality, they are still targets.
Although small businesses may not possess the quantity or type of information larger businesses do, they typically still handle personal information. Yet, small businesses tend to implement very few security measures to protect that information.
Are you looking for guidance on how to improve your organization’s cybersecurity? Read on for our top tips on how to create a small business security plan.
Are Small Businesses Really at Risk?
A Verizon 2019 Data Breach report found that 43 percent of cyber attacks target small businesses. Furthermore, 71 percent of the attacks were financially motivated. In other words, while the healthcare, public, and financial sectors serve as the desirable targets, threat actors will target any “low hanging fruit” businesses that offer a potential monetary gain. In terms of money, one of the best ways to make a profit is to steal credit card information, and many small businesses accept credit/debit cards. Additionally, small business systems and employees are easier to breach or trick. Consequently, threat actors can successfully attack many small businesses rather than trying to hack one large, much better-defended company.
The interdependent nature of companies makes the “low hanging fruit” attack method concerning to many experts. The CTO of Conventus, Taylor Armerding, highlights the emerging threat small businesses pose to larger companies:
“As the B2B digital world continues to become more entwined, large companies are requiring their vendors to interact with internal systems including procurement, logistics, marketing, human resources, payroll, and even into environmental and maintenance. These relationships and requirements create access into the parent organization – the ultimate target.”
To summarize, small businesses are attacked because:
- They are less aware of threats
- They have minimal security protocols in place
- They are easy prey for ransomware
- They serve as entry points into larger businesses
How to Avoid a Security Breach
It’s understandable that small businesses find cybersecurity daunting. Some common questions small business owners ask include:
What if I don’t have a technical background?
What if I don’t have the resources to allocate for security improvements?
Developing a small business security plan doesn’t have to be overwhelming; taking the process step by step will make it not only more manageable but also more thorough.
Tackle Human Error
First, if budget is a concern, understand that there are affordable options available for small businesses with limited funds. Creating a security policy for office employees to follow is free but still tackles the issue of clerical/office mistakes. The policy could cover how to properly handle customer or vendor information and how to thoroughly delete customer information once it isn’t needed anymore. Another free option is to limit device access by using passwords on all devices containing customer or personal information.
Strengthen Communication Channels
Next, analyze communication channels and operation platforms. Implementing email encryption offers a relatively simple and low cost means for a company to improve security. Emails store information from customers and partners, so it’s important to protect and maintain the integrity of email platforms.
Use Monitoring Tools
Once basic security measures are in place, some small businesses call it quits. What they don’t realize is that security threats evolve and monitoring is crucial to maintaining a robust security fence. In 2018, Business News Daily published an article on 14 cybersecurity solutions for small businesses, including services with free to low-cost options.
FCC Recommendations for Small Businesses
In 2011, the FCC realized that small businesses were becoming an increasingly lucrative target for threat actors. Consequently, the FCC decided to provide recommendations and resources for incorporating cybersecurity methods into small business operations.
Recommendations
The motto the FCC, in conjunction with the Department of Homeland Security, promotes is STOP. THINK. CONNECT. The campaign strives to educate small businesses and the public about how to securely benefit from the Internet and its associated tools. In line with these goals, the FCC developed a list of 10 security practices for small businesses.
- Train employees – As noted above, training your employees is imperative. Establishing guidelines for passwords and Internet usage removes ambiguity in the workplace. For example, it’s a poor practice to write passwords down on sticky notes in the office. Likewise, employees should be warned to avoid websites known to harbor malicious links. The bottom line — establish rules and consequences for handling customer personal information.
- Machine maintenance – Just like a room that gradually gets cluttered over time and needs a spring cleaning or makeover, devices must be maintained. Use security software to monitor a device’s activity and install anti-virus software. Update operating systems, since developers typically release patches in updates. Lastly, clean up folders and delete unnecessary files. Digital Trends recently released an article on the 5 Best Antivirus Solutions for Small Businesses.
- Use firewalls – A firewall uses a set of programs to protect a private network and prevent intruders from compromising private data. Some operating systems come with firewalls and others don’t, so it’s important to check. If the operating system doesn’t have a firewall or if a stronger firewall is desired, there are free or paid options available.
- Don’t forget mobile devices – For some small businesses, a cell phone may be the company phone. The key question is whether company business is conducted via the phone, like through a sales or email app. If yes, create a policy for mobile devices similar to the one for computers. Consider implementing email encryption, strong passwords, and a lost/stolen device plan. These safeguards will help protect phones even when they are on unsecured networks.
- Redundancy – While it’s foolish to retain unnecessary personal information, it is important to use backup systems for information or programs vital to daily operations. If companies lose their data, approximately 60 percent of them will close. Data loss doesn’t just happen from a cyber attack; it can also occur from a corrupted hard drive, another technical malfunction, or even a natural disaster. Regularly backing up data or, even better, using an automatic backup system will mitigate the potential damage any of these threats can cause.
- Minimize access to critical information – Employees should only have access to information or systems they need to complete their tasks. Creating individual employee user accounts adds another layer of security. With each employee using a different password and account, small business owners can partition access on a “need to know” basis. Likewise, protect company devices by locking the premises when leaving devices unattended.
- Secure WiFi networks – Today many small businesses offer free WiFi for customers. While this is a good way to attract customers, business operations should not take place on the same network. Instead, set up a private network that does not broadcast the network name (Service Set Identifier, SSID). Additionally, use complex passwords to protect router access. CoxBlue has a quick, 10-step guide for securing your business network.
- Follow payment card best practices – Experts recommend using anti-fraud software and validation processes as well as having a dedicated computer for processing payments, separate from Internet searches. If a company uses credit or debit transactions, it must comply with the Payment Card Industry Data Security Standard (PCI DSS). To learn more about the PCI DSS process, check out RSI Security’s PCI DSS Checklist.
- Limit authority for installation – Use controls that limit who can install new software and who has access to what programs. If an employee doesn’t need access to a certain program, like accounting software, make sure the credential protocols reflect that.
- Create password guidelines – Employees should know what a good password is and should change it from time to time. Moreover, using password phrases can help employees better remember their passwords, while multifactor authentication adds another layer of security. Small businesses should also consider the security measures of any partners or vendors.
Resources
Resources provided on the FCC website range from private sector security solutions to government reports. Knowledge is power, so checking out the Small Business Cyber Security Preparedness 101 Seminar will serve as a good introductory foundation for small businesses entering the cybersecurity world. A next step would be to take advantage of the Small Biz Cyber Planner offered by the FCC. The planner allows companies to develop a custom security plan. It takes into account everything from network security to mobile devices to incident response and reporting procedures. The tool is free, another bonus for small businesses on a limited budget. Although it shouldn’t be the only step small businesses take toward improving security, using the tool is a good stepping stone for identifying the weakest points and the threat vectors that most deserve resources.
Other resources include:
- NIST Small Business Cybersecurity Corner
- NIST Small Business Information Security: The Fundamentals
- Free Online Security Checkups and Tools
Small Business Backup Solutions
A report by Beazley Breach Response Services found that over 2018 approximately 70 percent of ransomware attacks targeted small businesses. Among the most affected industries were the healthcare, financial, and professional sectors. Many small businesses serve as third parties for larger businesses.
Thus, when small businesses are attacked by ransomware, they can inhibit the functions of larger businesses. A recent attack did just that when a security breach in a cybersecurity firm’s systems locked up patient records for medical practices in Oregon and Washington.
Melinda Urbina, a spokeswoman for the FBI, warned that managed service providers “are the targets they’re going after because they know that those individuals would be more apt to pay because they want to get those services back online for the public.”
Cloud Backup Solutions for Small Businesses
Carbonite – With unlimited storage and a user-friendly platform, Carbonite is a great choice for small businesses looking to back up their data. Carbonite uses encryption but also holds the encryption keys; however, a private key option is also available. Carbonite lists several different subscription levels ranging from personal computers to compliance specific options.
Backblaze – Backblaze offers unlimited storage. Although it scans hard drives for files to back up, it does not automatically back up OS files, applications, or temporary files. Prior to entering the cloud, files are encrypted. However, unlike Carbonite, Backblaze requires that private keys be turned over if data needs to be decrypted.
OpenDrive – OpenDrive is not as user-friendly compared to Carbonite or Backblaze since files must be added one at a time. Storage starts at 500GB, but business plans are available. Deleted files remain accessible for 90 days, and OpenDrive retains up to 99 different file versions with no time limit. The personal service is free (with minimal storage) and the custom plan starts at USD 5 per month.
SpiderOak – Unlike the other services, SpiderOak uses client-side end-to-end encryption. Its maximum storage capacity is 5 TB. As files change, only the changes are uploaded to the cloud, which saves bandwidth. Since SpiderOak automatically saves all versions of a document, the storage limitation may become an issue, depending on how much data a small business stores.
Acronis – Compared to the other services above, Acronis is on the more expensive side. It has a 5 TB storage cap and offers blockchain checks and ransomware monitoring. Acronis gives users the option to customize which file types to upload, manually choose which files/folders to upload, or upload everything. It implements end-to-end private encryption with a 6-month versioning period.
Need Help?
Although rarely mentioned in the news, small business attacks happen. When small businesses face cyber threats unprepared, they usually close. More concerning is the realization that small businesses can serve as the door for threat actors into larger businesses. Today large companies work with vendors, partners, and third-party consultants. Consequently, it’s crucial that small businesses take cybersecurity seriously to ensure their future and earn the trust of their business partners. If you need help developing a small business security plan, contact RSI Security today.