3 Simple Ways Small Businesses Can Defend Against Cyberattacks
Forty percent of small businesses experienced at least one cyberattack last year, according to one estimate. The cost to pay a ransom or clean up after a data breach can be devastating, clocking in anywhere from tens of thousands to millions of dollars, enough to put a company out of business.
The difference between a deflected or averted attack and one that’s catastrophic can come down to the right defenses, smart preparation, and quick action in an emergency.
There are three reasons that small businesses are increasingly being targeted by cybercriminals, according to Rohit Ghai, CEO of Burlington, Massachusetts-based RSA, a global leader in identity and access management. Speaking at a recent conference, he said that hackers are looking to small businesses because they’re increasingly connected to digital services, they’re seen as less prepared to withstand a cyberattack, and they can be a conduit to attack larger businesses that are their clients.
Joining him on the panel was Tiffany Ricks, founder and CEO of Brooklyn-based HacWare, which helps companies guard against phishing and social engineering attacks.
“We have to think about cybersecurity as an arm to help us do business more effectively,” she said, noting the financial, reputational, and business disruption costs that can follow a cyber incident. Cybersecurity should be an ongoing effort, she added. To that end, Ricks and Ghai shared some cybersecurity pointers for small businesses.
Take these three steps now
There are major steps companies can take to improve their cyber hygiene.
- Be vigilant about phishing attempts. Educate yourself and your employees on how to identify phishing attempts. Look carefully at senders’ email addresses, URLs, and links that QR codes redirect to—keep your eye out for strange domain names or typos, which are often a giveaway that an address is not legitimate. Criminals also often rely on too-good-to-be-true offers (say, a $500 Amazon gift card from a stranger) or create a false sense of urgency to encourage recipients to click without thinking.
- Turn on multi-factor authentication (MFA) for important accounts. Many hacks begin with compromised passwords. With MFA turned on, a hacker would need to provide a second form of verification (such as a numerical code sent by text message or through an authenticator app) to access an account.
- Keep your software up to date. Software publishers regularly release updates to guard against evolving threats and fix bugs that can make the software more vulnerable to hacking. Make a habit of installing those updates right away.
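The first tip above asks readers to inspect sender addresses and URLs for odd domain names or typos. The following added example, which is not part of the original article and not code from RSA, HacWare or the author, shows how that manual check can be automated as a small screening tool: it compares the domain of an email sender or link against an allowlist of domains the business actually deals with and flags near-miss spellings and brand names buried inside an unrelated domain. The allowlist, the edit-distance threshold and the sample inputs are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains this (hypothetical) business legitimately
# corresponds with. A real deployment would maintain its own list.
TRUSTED_DOMAINS = {"amazon.com", "microsoft.com", "oldnational.com"}

# How many single-character edits away from a trusted domain still counts
# as a suspicious lookalike (assumed value; tune to taste).
LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Minimum number of insertions, deletions or substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple:
    """Return (verdict, closest_trusted_domain).

    verdict is "trusted", "lookalike" or "unknown".
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Simplification: treat the last two labels as the registrable domain.
    # This is wrong for suffixes such as co.uk; a public-suffix list would fix it.
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED_DOMAINS:
        return "trusted", registrable
    # A trusted brand used as a subdomain of some other domain,
    # e.g. oldnational.com.verify-account.net
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in labels:
            return "lookalike", trusted
    # Typo-squatted spellings such as amaz0n.com or rnicrosoft.com
    closest = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(registrable, t))
    if levenshtein(registrable, closest) <= LOOKALIKE_DISTANCE:
        return "lookalike", closest
    return "unknown", closest


def check_sender(address: str) -> tuple:
    """Classify the domain part of an email address or 'Name <addr>' header."""
    match = re.search(r"@([A-Za-z0-9.\-]+)", address)
    if not match:
        return "unknown", None
    return classify_host(match.group(1))


def check_url(url: str) -> tuple:
    """Classify the host of a link (for example one decoded from a QR code)."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    if not host:
        return "unknown", None
    return classify_host(host)


if __name__ == "__main__":
    # Constructed sample inputs, not real messages.
    samples = [
        check_sender("billing@amazon.com"),
        check_sender("Amazon Rewards <promo@amaz0n.com>"),
        check_sender("it-support@rnicrosoft.com"),
        check_url("https://secure.oldnational.com/login"),
        check_url("http://oldnational.com.verify-account.net/reset"),
        check_url("https://example.org/"),
    ]
    for verdict, closest in samples:
        print(verdict, closest)
```

Anything that comes back "lookalike" deserves the same scrutiny the article recommends before the link is clicked or the attachment opened; "unknown" simply means the domain is not on the list, which is normal for first contact with a new vendor and is a prompt to verify by another channel rather than a verdict of fraud.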
The Cybersecurity & Infrastructure Security Agency (CISA), a government agency tasked with securing the nation’s digital infrastructure, offers tools and guidance for small businesses to get started.
Start making plans in advance
There’s a security saying: it’s not if your company will be hit, but when. And even if your company isn’t itself the subject of a cyberattack, an outage at a key vendor can disrupt business, as a faulty software update by CrowdStrike and the Change Healthcare ransomware attack illustrated. Know in advance what you’d do in the event of a disruption: How could your business continue to operate if a key system goes down?
Identify your “crown jewels,” which are your most valuable data or systems. Most hackers are economically motivated, so they’re looking to lock up whatever they believe can be resold or used for financial gain (such as credit card numbers), or is so critical to running your business that you’ll pay a ransom to get it back.
In fact, hackers often lurk in systems for months to figure out what a company’s crown jewels are. Those are the systems that you’ll want to expend the most effort securing and backing up, and the first that you’ll want to lock down if you notice any strange traffic or signs of an intrusion.
Know who you’d call in an emergency. That might be your lawyer, your cyber insurer, or an incident response company. Depending on your state and industry, you may also be required to notify a government agency.
Act fast in a crisis
Ricks advised anyone facing a ransomware attack or cyber incident to remember the acronym CAN: Contain, Assess, Notify. Try to contain the breach by changing passwords or taking systems offline. Assess the scope of the damage. Then, notify the relevant stakeholders, which you’ve hopefully already identified.
Old National is committed to helping your business fight against fraud. Learn about our resources here.
This article was written by Jennifer Conrad from Inc. and was legally licensed through the DiveMarketplace by Industry Dive. Please direct all licensing questions to legal@industrydive.com.