Protecting assets from cyber threats

Chris Sachs with STI Technologies checks the email server and notes how many emails have been stopped or tagged for spam, viruses, malware or other reasons at client Boys & Girls Club of the Capital City. The several layers of filtration greatly reduce the number of emails that find their way to the client.

Few small businesses question the need to protect their physical assets with locks and security cameras. But what about the assets they store on computer equipment and online?

Sixty-six percent of small- and medium-sized businesses said they were not concerned about cyber threats in a 2012 survey conducted by the National Cyber Security Alliance (NCSA) and Symantec.

Eighty-two percent of small business owners said they didn't consider their businesses targets for cyber attacks because they didn't have any data worth stealing, according to a 2015 survey by Towergate Insurance.

When it comes to cybersecurity, small-business owners may be selling themselves short - at the expense of their productivity, their reputation and maybe even their survival.

"Isn't there some information that you have that's associated with your clients? Maybe it's their addresses. Maybe, if you're in health care, it's their medical information. There are tons of things that are actually of value in your environment," said Kevin Seiler of Check Point Software Technologies, a presenter at the recent Missouri Governor's Cybersecurity Summit held in Jefferson City.

If the thought of telling a longtime customer you've lost their personal information to a hacker isn't chilling enough, there are financial ramifications for your business, too.

Small- to medium-sized businesses spend, on average, $38,000 to recover from a security breach, plus an additional $8,000 in indirect costs, according to research by international software security group Kaspersky Lab.

"It's also more than just getting your data back," said John Smallwood, owner of STI Technologies in Jefferson City. "A company's not just losing the money they've paid us to come do the work; they're also paying that employee to not be able to work."

Ultimately, up to 60 percent of small- and medium-sized businesses that experience a data breach go out of business after six months, according to NCSA data.

Layers of protection

The good news is businesses - even small ones - have plenty of options to protect their cyber assets.

Whether the business' IT setup is equipped to handle cybersecurity or outsourced IT support is preferred, experts recommend defending your cyber assets from all angles.

"You need to work with somebody to create a multi-layered approach to defense. You want to try to make your company difficult to get things into so they move on to another company," Smallwood said. "If somebody wants to get into your computer, they're going to get into your computer. What you're trying to do is get the casual person to find an easier target."

Protect the perimeter

Start by protecting your network's "perimeter" - in other words, screening what enters your system in the first place.

"All your internet coming in is being scanned by some type of professional software or hardware appliance like a firewall," Smallwood said. "Your inbound email - because that's the No. 1 way that people get into a system - should also be scanned by a quality anti-spam filter."

A pro tip for the not-so-tech-savvy: firewalls and antivirus software are not the same thing, and both are necessary. While antivirus software works to find malicious software already embedded on a system, firewall software works to keep it from getting there in the first place.

"A good, quality firewall or another type of protective software can prevent that stuff from coming in on your computer," Smallwood said. "Even if your network firewall protects against viruses, individual computers should also have quality antivirus software scanning for malware."

Prepare for the worst

Hackers are creative, and even a carefully plotted cybersecurity plan can experience a breach. That's where backups come into play.

"If all of that stuff is there and something still gets through, you need to still be able to recover from that," Smallwood said. "Your backup really needs to be set up in a way that if your computer gets compromised, it's not able to compromise your backup as well."

That means multi-factor authentication, for starters: Your backup should require a password to access, and it should be a password not used elsewhere in your system.

Multi-site backups add another layer of assurance. STI's policy is to keep one backup device on site that takes a full image of a business' computers and servers daily, which is replicated to a second backup device in STI's off-site data center.

Companies trying to trim technology budgets may consider cloud backups in lieu of multiple physical devices - but be careful.

"What I have read and unfortunately have experienced, especially with Google Docs or Dropbox, those are easily compromised. So if you get Encrypto (a virus that locks your computer and threatens to destroy information unless the owner pays 'ransom' for it), it can easily jump to that network drive and encrypt that as well," Smallwood said. "It needs to be programmed with a unique username and password that has to be used every time - it's not an automatic connection - so that when the virus is on your computer trying to get to it, it is forced to log in, and if it doesn't have that information it can't do that."

Account for technology's human elements

Even as software solutions for cybersecurity continue to multiply, the human side of technology is arguably more important now than ever.

Next to malware and phishing, accidental data leaks by employees made the top three cybersecurity incidents as determined by Kaspersky Lab.

"People are very good at taking advantage of the human side of technology," Smallwood said. "Most of the time what I see is mistakes: people have accidentally deleted files. Or it's sabotage: a disgruntled employee is mad at somebody."

Protecting a business from an employee-generated data disaster starts with a cybersecurity policy.

In 2012, 69 percent of small- and medium-sized businesses did not have even an informal internet security policy for employees, according to the NCSA/Symantec survey. Only 14 percent had a written plan.

A comprehensive cybersecurity plan should include guidance on setting appropriate passwords, as well as a directive on using personal devices on the company's network and rules of thumb for working remotely.

"One of the problems I've seen a lot of companies have is people will want to take files home to work on, and they'll use thumb drives to transfer the files. That is a very common way of infecting a system," Smallwood said. "You bring it home and you plug it in and your system at home is infected, so it moves over to that thumb drive and you bring it back and plug it in and it moves off to your computer."

Evolve cybersecurity with technology

No cybersecurity effort is a one-time fix. Technology changes regularly, and cybersecurity plans and protections must adjust along with it.

As for the hardware and software businesses employ to protect their systems, vendors should account for the newest threats, while businesses should make sure they're up to date.

"It's important to have a firewall that can be updated as software releases come out - because every hour of every day somebody's come up with a new way to break into something," Smallwood said. "A good company would provide updates for you to be able to put on that firewall to block these new problems."

And, while an organization's cybersecurity policy may be a fluid document, it's important to expose employees to such changes as they arise with regular training and education.

Top cybersecurity tips from the U.S. Small Business Administration

Source: sba.gov

1. Protect against viruses, spyware and other malicious code.

2. Secure your networks.

3. Establish security practices and policies to protect sensitive information.

4. Educate employees about cyberthreats and hold them accountable.

5. Require employees to use strong passwords and to change them often.

6. Employ best practices on payment cards.

7. Make backup copies of important business data and information.

8. Control physical access to computers and network components.

9. Create a mobile device action plan.

10. Protect all pages on your public-facing websites, not just the checkout and sign-up pages.

Resource:

The Federal Communications Commission offers Small Biz Cyber Planner 2.0, a free online resource to help small businesses create a custom cybersecurity plan. Access it at fcc.gov/cyberplanner.