While data breaches at big corporations continue to make headlines, cyber attacks against small businesses are quietly on the rise. In 2015, 43% of cyber attacks on businesses worldwide were against organizations with fewer than 250 employees, up from 18% in 2011, according to Symantec.
“Today, small and mid-sized businesses are getting attacked left, right and centre. They have something very important that the bad guys want, and that’s data,” says Daniel Tobok, CEO of Cytelligence Inc., a cyber security and digital forensics firm. “They’re not just after governmental secrets or the big banks. They’re there to steal private information that they can sell on the dark market.”
Small businesses need to protect themselves, but many still don’t believe they are targets, says Greg Kroeker, founding partner of IT/cyber security firm Shield Networks. “When it comes to IT security, they’re very trusting of their employees and they don’t give much thought to what’s out there that might wreck their business.”
That mindset creates infrastructure cracks that cyber criminals are more than happy to exploit. Here’s a look at some of the more common cyber-security gaps and how small businesses can fill them.
Today’s workforce is increasingly mobile, but with that come heightened security risks. For example, employees installing apps can “create a big security hole in the system because you’re losing control of who has access to what,” says Tobok.
In addition, the “bring your own device” (BYOD) strategy can escalate the problem. “You don’t know what they’re downloading, you don’t know what they’re doing, and you’re completely losing control of your information,” says Tobok.
To mitigate risk, Tobok says employee education “is as important as slapping on firewalls.” Companies can also keep tabs on corporate data from personal devices by creating a separate wifi network for those devices, says Shield Networks’ Kroeker.
Internet of Things
Firewalls, anti-virus software and spam filters are the tent poles of basic network security. However, with the rise of Internet of Things (IoT) devices, some organizations don’t actually know what is connected to their network, says Wael Lahoud, director and principal of Goldmark Security Consulting.
“Even from a physical security perspective, we’re seeing more cameras and intrusion devices being connected on the network,” he says. “While these are going to help protect the premises, that could be another door in for a cyber breach.”
As with mobile devices, companies should create a separate network for IoT devices. “The weakest link won’t necessarily always be mobile devices,” says Kroeker. “It could be your [IoT] thermostat, if that’s connected to your business network.”
One basic security gap that cyber criminals look for is weak passwords. “We still see what we call ‘1234’ passwords,” says Tobok. “Companies need to have better, secure passwords and have enforcement of password policies.” Best practices include creating passwords that contain letters, numbers and special characters, and changing them every three months.
Having poor passwords or no passwords can potentially give employees access to files they shouldn’t have access to, notes Kroeker. “The minimal access to data your employee needs to get their job done would be a good start.”
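The password rules quoted above (letters, numbers and special characters, rotation every three months, no ‘1234’-style passwords) written out as an enforceable policy check. This is an added example, not code from the article or from any of the firms quoted; the 12-character minimum is an assumption, since the article gives no length.

```python
"""Password-policy check for the rules quoted in the article: letters, numbers
and special characters, rotation every three months, and rejection of
'1234'-style passwords. Added example; MIN_LENGTH is an assumption."""
from __future__ import annotations

import string
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 12      # assumption: the article states no minimum length
MAX_AGE_DAYS = 90    # "changing them every three months"


def is_sequential(s: str) -> bool:
    """True for runs such as '1234', 'abcd' or '4321' (every step +1 or every step -1)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def too_simple(pw: str) -> bool:
    """Reject a password that is one repeated character or a single sequential run."""
    low = pw.lower()
    return len(set(low)) == 1 or is_sequential(low)


def check_password(pw: str, last_changed: date, today: Optional[date] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    today = today or date.today()
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_letters for c in pw):
        problems.append("no letters")
    if not any(c in string.digits for c in pw):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if too_simple(pw):
        problems.append("trivial sequence or repeated character ('1234'-style)")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"older than {MAX_AGE_DAYS} days; rotation overdue")
    return problems


if __name__ == "__main__":
    ref = date(2016, 6, 1)  # constructed reference date for the demo
    for pw, changed in [("1234", ref), ("Correct-Horse-9", ref),
                        ("Correct-Horse-9", date(2016, 1, 1))]:
        print(repr(pw), check_password(pw, changed, ref) or "ok")
```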
With so much customer data on e-commerce sites, it’s critical for small businesses to have an elevated level of security, says Tobok. “[Small businesses] are not just stamping rivets or making burgers. They have confidential data that they have to safeguard.”
Many companies offer e-commerce security solutions that comply with the Payment Card Industry Data Security Standard (PCI DSS), an information security standard for organizations that handle major credit cards. Its requirements include installing and maintaining a firewall to protect cardholder data and encrypting the transmission of cardholder data.
It’s not just cyber criminals that small businesses need to watch out for; employees can pose a big security threat. Disgruntled employees can bring malware into the network, and employee turnover can lead to the loss of intellectual property. However, security breaches aren’t always malicious. They often start with human error, says Tony Bailetti, director of Carleton University’s Technology Innovation Management (TIM) program.
Phishing attacks can lead to employees clicking on links or attachments that download ransomware. That means companies can’t access their own data until they pay up. “That’s a huge problem for a small firm…but would not be a problem if you were maintaining backups,” says Bailetti.
Lahoud says employee awareness training is key, so they know not to click in the first place. He suggests companies do internal tests to make sure employees understand the concepts. After the training, they can send employees emails with a fake link and see who’s clicking on the links.
When it comes to cyber security overall, Lahoud stresses there’s no “magic solution” that will work for all organizations. Try and see what fits your business, he says, because even small security improvements could save you time and money in the long run.