Small Business Cybersecurity

There’s no sign that online security threats against companies of all sizes will diminish anytime soon, and small businesses are increasingly being targeted by hackers around the world.

Security researchers differ about the extent of the threat, but agree it is real. Symantec estimates 43 percent of small businesses are targeted by hackers, while the insurance broker Hiscox places the number at 60 percent. Regardless of the statistics, however, there is little doubt that small businesses are increasingly vulnerable to more sophisticated cybersecurity threats from hackers, and many would benefit from increasing their investments in security technologies and employee education about the risks.

Small Business Vulnerabilities

Small businesses are generally considered easier targets than their larger counterparts for a number of reasons. For instance, small businesses typically lack dedicated security professionals or sophisticated tools designed to protect companies from unauthorized access.

Similarly, not every small business keeps the security software it does have up to date, leaving it vulnerable to known security flaws that can be exploited by hackers using automated discovery and exploitation tools.

In addition, the large number of small businesses makes it worthwhile for hackers to launch automated scans to capture online banking information, Social Security numbers, or other sensitive data they can use to commit fraud. In most instances, hackers are not targeting specific businesses, but rather specific types of information. This emphasis means a small business cannot assume it is not worth targeting.

Understanding Ransomware

The fastest-growing online security threat comes from “ransomware,” malicious programs that encrypt files on a computer or mobile device and demand payment in exchange for the decryption key.

Computers are typically infected with ransomware when a user opens an email message containing a malicious attachment. In many attacks, these are disguised as shipment notifications, invoices, or other types of email attachments people are likely to open. In other instances, malware is transferred when users visit infected websites that deliver the malicious software while loading the web page.

Because the amount of ransom demanded – generally less than $500 – is relatively low, many companies choose to pay the ransom rather than risk the loss of important information or access to vital systems.

Phishing Threats Expanding

The security threat known as “phishing” refers to hackers trying to get personal information under false pretenses. Phishers may try to capture user names, passwords, bank account information, credit card details, and more from their victims.

Phishing attacks usually occur through an email that looks like it’s from a legitimate source. The message will appear to come from a place the victim recognizes, like their bank, credit card company, or even a social networking site. Thinking the source is legitimate, the victim will then answer questions or enter information (such as login credentials) that gives the phishers their personal details.

Today’s professionally designed phishing attacks are often hard to distinguish from legitimate messages without careful examination, making it important for users to understand the risk of clicking on links that appear in email messages.

In a new variation known as “spear-phishing,” hackers will research a target — usually a business executive or someone with a high net worth — to learn personal details or the names of connections to help legitimize their attack messages. Several financial executives, for instance, have been fooled by spear-phishing attacks that purported to be urgent requests from their bosses.

Building Your Defenses

As the cybersecurity threats to small businesses increase, the most important thing you can do is install security software and make sure it is kept current. In addition to a firewall designed to prevent malicious software from reaching your company network, you will also want to install antivirus software on your company’s computers as an additional layer of defense.

You also want to make sure employees are using strong passwords to access company resources. A lot of automated hacking tools look for easy-to-guess or common passwords, such as “password” or “qwerty,” so you’ll want your team to avoid using them.
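As an added illustration of how a small business can enforce the advice above (this is example code written for this page, not a tool the article describes), the following Python checker rejects passwords that are too short, appear on a blocklist of common choices such as “password” or “qwerty,” contain the user name, run along a keyboard row, or use very few distinct characters. The blocklist here is a small constructed sample; a real deployment would load a much larger list of known-breached passwords from a file it controls (an assumption of this example).

```python
"""Password-policy check that rejects common, guessable, or trivially weak passwords.

Added example, not part of the original article. COMMON_PASSWORDS is a small
constructed sample; a production system is assumed to load a large breached-
password list from disk instead.
"""
from __future__ import annotations

# Constructed sample blocklist of common passwords (assumption: in practice a
# much larger list would be loaded from a file).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "dragon", "football",
}

MIN_LENGTH = 12

# Keyboard rows used to detect lazy sequences such as "qwertyuiop" or "asdfgh".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Common character substitutions, undone so "p@ssw0rd" is compared as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "!": "i"})

# Trailing characters people bolt onto a common word ("password123!").
TRAILING = "0123456789!.?#*"


def blocklist_candidates(password: str) -> set[str]:
    """Forms of the password to compare against the blocklist: lowercase,
    with substitutions undone, and with a trailing digit/punctuation run removed."""
    lower = password.lower()
    stripped = lower.rstrip(TRAILING)
    return {lower, lower.translate(LEET_MAP),
            stripped, stripped.translate(LEET_MAP)}


def has_keyboard_sequence(password: str, run: int = 5) -> bool:
    """True if the password contains `run` adjacent keyboard keys, in either direction."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in p or seq[::-1] in p:
                return True
    return False


def is_repetitive(password: str) -> bool:
    """True if the password is built from very few distinct characters."""
    return len(set(password)) < max(4, len(password) // 3)


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if blocklist_candidates(password) & COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if has_keyboard_sequence(password):
        problems.append("contains a keyboard sequence")
    if is_repetitive(password):
        problems.append("uses too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs showing each rule firing.
    for pw, user in [("password", ""), ("P@ssw0rd123!", ""),
                     ("qwertyuiop2024", ""), ("aaaaaaaaaaaa", ""),
                     ("jsmith-jsmith-2024", "jsmith"),
                     ("correct horse battery staple", "")]:
        verdict = check_password(pw, user)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The check is deliberately a blocklist plus a few structural rules rather than a “must contain a symbol” composition rule: the latter tends to produce passwords like “P@ssw0rd123!” that automated guessing tools try first, which is exactly what the substitution and trailing-character normalisation above is meant to catch.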

Similarly, don’t allow people to share passwords for cloud accounts, or to use the same log-in credentials for more than one online account. You don’t want a security breach at one software provider to expose your credentials on another.

Be sure also to pay attention to plug-ins such as Java, Flash, ad blockers, or other browser extensions that can be exploited by hackers.

It’s also important to upgrade older email software, which is more likely to have known security vulnerabilities. If you’re using Exchange 2010, for instance, which isn’t receiving security updates, it’s time to replace the software or consider adopting a cloud-based email tool.

It’s also a good idea to take advantage of the encryption tools built into your computers’ operating systems. This helps reduce the risk that information reached by hackers can be read or exploited.

Finally, invest in automated online backup software services to protect your company’s computers and mobile devices. These programs automatically upload files to cloud servers so you can recover files if your computer is hacked or damaged in a natural disaster.