Small Business Cybersecurity

With large companies installing ever-more-sophisticated defenses against evolving cyber threats, hackers are shifting their focus from the largest of companies to the smallest.

Insurance broker Hiscox estimates just under half of all small businesses have experienced some sort of cyber attack, with half of that group being targeted more than once. But statistics aside, there’s little doubt that online security threats for small businesses are growing and becoming harder to manage.

Small Business Vulnerabilities

Small and medium businesses are generally considered to be easier targets than their larger counterparts for a number of reasons. For instance, small businesses typically lack dedicated security professionals or sophisticated tools designed to protect companies from unauthorized access.

Nor does every small business keep the software it does have patched. Unpatched operating systems, applications, and network devices carry publicly known flaws, and attackers use automated scanning and exploitation tools to find and exploit them at scale, without any human ever looking at the target.

These comparatively soft defenses leave small businesses exposed to attackers who use automated scans to find a way in and then harvest online banking log-in credentials, passwords for vendor accounts, employee Social Security numbers, or other sensitive data they can use to commit fraud.

In most instances, hackers are not targeting specific businesses but specific types of information, so a small business cannot assume it is too small to be worth attacking.

Phishing Threats Expanding

The most common form of cyber attack against small businesses is Business Email Compromise (BEC), an umbrella term for several email-based fraud schemes, some aimed at small businesses in general and some at specific companies.

In one common scam, attackers send emails that mimic messages from large vendors small businesses are likely to have accounts with. The message asks the recipient to update the vendor's payment details, so that future payments go to an account the attackers control instead of to the legitimate vendor.

In another, an email purporting to come from the company's owner or an executive directs an employee to send an urgent wire transfer, again to an account controlled by the attackers.

Both are forms of "phishing," the broader category of attacks in which criminals try to obtain information, money, or access under false pretenses. Phishers may try to capture user names, passwords, bank account information, credit card details, and more from their victims.

Phishing attacks usually arrive as an email that looks like it comes from a legitimate source. The message appears to be from a sender the victim recognizes, such as their bank, credit card company, or even a social networking site. Believing the source is genuine, the victim answers questions or enters information (such as login credentials) into a page the attackers control, handing over their personal details.

Today's professionally designed phishing messages are often hard to distinguish from legitimate ones without careful examination, so users need to understand the risk of clicking links in email. A link's visible text can say one thing while its real destination is another; hovering over the link to see the actual address, or typing the site's address into the browser directly, avoids the trap.
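The mismatch between what a link shows and where it goes is something a mail filter or a help-desk script can check mechanically. The following is an added example written for this page, not code from the original article or from any named product. It scans an HTML email body for anchors whose visible text names one site while the href points to another, for raw IP addresses, for internationalized (punycode) hosts, and for a trusted brand name used as a prefix or subdomain of an unrelated domain. The sample message, the vendor name examplebank.com, and the two-label "registrable domain" shortcut are all assumptions made for the example; a production tool would use the public suffix list instead of the shortcut.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so multi-line anchor text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Anchor text that itself looks like a URL or a bare domain, e.g. "examplebank.com".
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)
RAW_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def host_of(value):
    """Hostname of a URL, lowercased; None if absent or unparseable."""
    try:
        return urlparse(value).hostname
    except ValueError:
        return None


def registrable_domain(host):
    """Last two labels of a host (assumption: simplification of the public suffix
    list, which is what a real tool should use so that example.co.uk works)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html_body, trusted_domains=()):
    """Return findings for links whose destination does not match what the reader
    is shown, or that use hosts phishing kits commonly rely on."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href) or ""
        reasons = []
        # Internationalized or punycode hosts can render as lookalikes of ASCII brands.
        if "xn--" in host or any(ord(c) > 127 for c in host):
            reasons.append("internationalized/punycode host")
        if RAW_IPV4.fullmatch(host):
            reasons.append("raw IP address instead of a domain")
        # The visible text names a site, but the link goes somewhere else.
        if LOOKS_LIKE_URL.match(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown and host and registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        # A trusted brand used as a subdomain or prefix of an unrelated domain.
        for trusted in trusted_domains:
            brand = trusted.split(".")[0].lower()
            if brand in host and registrable_domain(host) != trusted.lower():
                reasons.append(f"lookalike of {trusted}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message body (not a real phishing email); examplebank.com
# stands in for a vendor the business trusts.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Your account needs attention. Please log in at
<a href="http://examplebank.com.login-secure.net/update">examplebank.com</a>
to confirm your details, or read <a href="https://examplebank.com/help">our help page</a>.</p>
<p>Outstanding invoice: <a href="http://203.0.113.5/pay">Pay now</a></p>
<p>Support: <a href="http://xn--examplebnk-x3a.com/">Contact us</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, trusted_domains=("examplebank.com",)):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, three of the four links are flagged and the genuine examplebank.com link is not. The brand check deliberately compares the registrable domain rather than the full host, so secure.examplebank.com passes while examplebank.com.login-secure.net does not.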

In a variation known as “spear-phishing,” hackers will research a target — usually a business executive or someone with a high net worth — to learn personal details or the names of connections to help legitimize their attack messages.

The best defense against these attacks comes as much from process as from technology. Employees need to understand that email cannot be trusted at face value, and companies should have a policy requiring that any change to a vendor's payment details, and any transfer above a set amount, be verified by phone, using a number already on file rather than one supplied in the email.

Understanding Ransomware

Another persistent online security threat comes from “ransomware,” malicious programs that encrypt files on a computer or mobile device and demand payment in exchange for the decryption key.

Computers are typically infected with ransomware when a user opens a malicious email attachment disguised as a shipment notification, invoice, or other document people are likely to open. In other cases the malware is delivered by a compromised or malicious website that installs it while the page loads, usually by exploiting an unpatched browser or plug-in.

Because the amount demanded, generally less than $500, is relatively low, many companies choose to pay rather than risk losing important data or access to vital systems. Paying is a gamble, though: there is no guarantee the decryption key will work or will be delivered at all, and a business known to pay may be targeted again. Restoring from a clean backup is the more reliable way out.

Building Your Defenses

As the cyber security threats to small businesses increase, the most important thing you can do is keep every piece of software current: turn on automatic updates for operating systems, browsers, and applications as well as for security software. Beyond that, use a firewall to block unsolicited inbound connections to your company network, and install antivirus software on every company computer as an additional layer of defense.

Make sure employees use strong passwords for company resources. Automated attack tools try easy-to-guess and common passwords first, such as "password" or "qwerty", along with simple variations of them ("Password1!"), so your team should avoid anything of that kind. Where a service offers multi-factor authentication, turn it on; a stolen password is then not enough on its own.

Likewise, don't let people share passwords for cloud accounts, or reuse the same log-in credentials across more than one service. Attackers routinely take credentials leaked in a breach at one provider and try them everywhere else, so a breach at one software provider should never expose your accounts on another. A password manager makes unique passwords practical.
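A password rule that only forbids the literal strings "password" and "qwerty" misses the variants attack tools try next. The following is an added example written for this page, not code from the original article: a check that reduces a candidate password to the dictionary word an attacker would guess it from (lowercase, trailing digits and symbols removed, common letter-for-symbol substitutions undone) before comparing it against a common-password list, and that also rejects keyboard walks and company names. The short COMMON_PASSWORDS list and the company word "Acme" are constructed for the example; in practice use a breached-password list with millions of entries.

```python
import re

# Constructed excerpt of a common-password list (assumption for the example).
# Real attack tools use lists with millions of entries drawn from past breaches.
COMMON_PASSWORDS = {
    "password", "qwerty", "123456", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "football", "sunshine", "princess",
}

# Substitutions attackers already try, so "P@ssw0rd" is no stronger than "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def normalize(password):
    """Reduce a password to the word an attacker would derive it from:
    lowercase, drop trailing digits/symbols, undo leet substitutions."""
    base = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", base)
    if stripped:                      # all-digit passwords are kept as-is
        base = stripped
    return base.translate(LEET)


def check_password(password, min_length=12, company_words=()):
    """Return a list of problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("common password or a trivial variant of one")
    for word in company_words:
        if word.lower() in lowered:
            problems.append(f"contains company word '{word}'")
    # Five consecutive keys from a keyboard row, e.g. "qwert" or "12345".
    for row in KEYBOARD_ROWS:
        if any(row[i:i + 5] in lowered for i in range(len(row) - 4)):
            problems.append("keyboard sequence")
            break
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems


def is_acceptable(password, **kwargs):
    return not check_password(password, **kwargs)


if __name__ == "__main__":
    # "Acme" is a constructed company name for the example.
    for candidate in ("P@ssw0rd1!", "Qwerty123!", "AcmeWidgets2024!",
                      "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, company_words=("Acme",)))
```

"P@ssw0rd1!" satisfies the classic "upper, lower, digit, symbol" rule yet normalizes to "password", which is exactly why such rules alone do not stop automated guessing; length and absence from breached-password lists matter more.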

It's also important to upgrade older email software, which is more likely to carry known, unpatched vulnerabilities. If you run a server-based email platform that no longer receives security updates, replace it or move to a cloud-based email service that is patched by the provider.

Turn on the full-disk encryption built into your computers' operating systems (BitLocker on Windows, FileVault on macOS). If a laptop is lost or stolen, the data on it stays unreadable without the key. Be clear about what it does not do: once a machine is running and unlocked, malware or an intruder using the logged-in session reads files as freely as the user does, so disk encryption complements the other controls above rather than replacing them.

Finally, invest in an automated backup service for your company's computers and mobile devices. These tools upload files to cloud storage so you can recover them if a machine is compromised, fails, or is destroyed in a natural disaster. For backups to help against ransomware, they must keep earlier versions of files and must not be writable from the infected machine with the same credentials; otherwise the encrypted copies simply overwrite the good ones. Test a restore periodically, since a backup you have never restored from is an assumption, not a plan.