In recent years, small and medium-sized businesses (SMBs) have increasingly adopted digital technology for remote work, production, and sales, in the same way that larger enterprises have. But they haven’t always followed through with sufficient attention to cybersecurity, even as their expanded computer networks have created new vulnerabilities for cyber threats. This is a mistake because cyber attacks can cause serious damage – both financial and reputational – which means that cybersecurity for small businesses deserves to be taken seriously.
What is cybersecurity?
Cybersecurity is a series of processes and strategies which protect a business’s critical systems and sensitive information against cyber attacks and data breaches. Cyber attacks are becoming increasingly sophisticated as the threat landscape evolves, with cyber criminals using AI and social engineering to create new methods of attack. As a result, businesses need to enhance their cybersecurity efforts to match.
Why are small businesses vulnerable to cyber attacks?
You may think that cyber criminals focus most of their efforts on larger organizations, but in fact, there’s evidence that smaller businesses can be more vulnerable to cyber attacks. Often, this is because smaller businesses lack the resources of larger organizations to guard against cyber threats. They spend less on cybersecurity and are more likely to be using outdated and unsupported software. This makes them easier targets for cyber criminals.
In addition, small businesses are more likely to employ people who use their own devices for work. While this saves time and cost, it also increases the likelihood of suffering a malware attack, since personal devices are more likely to be at risk from malicious downloads.
The motivations for cyber criminals to target small businesses include:
Money: The main motivation is financial gain. While some cyber attacks are driven by a desire to cause disruption or revenge, most are launched to generate profit. That’s why ransomware is such a popular method of attack. As long as any attack method is lucrative, hackers will keep using it.
Computing power: Sometimes, hackers want to use a company’s computers by conscripting them into an army of bots to carry out Distributed Denial of Service (DDoS) attacks. DDoS attacks work by artificially generating massive amounts of web traffic to disrupt service to a company. The hijacked bots help to generate the disruptive traffic.
Links to other entities: A small business will be digitally connected to other entities, through transactions, supply chains, and information sharing. Since larger companies can be harder to breach, hackers sometimes target smaller companies as a way to attack the systems of larger companies.
What kind of cyber threats can affect small businesses?
Before you devise a cybersecurity strategy for your business, it helps to understand the threat landscape. Cyber threats which affect small businesses include:
Social engineering: This is a type of cybercrime that tricks or manipulates someone into disclosing sensitive information for fraudulent purposes. Social engineering can take different forms, including:
- Phishing - where a hacker sends a deceptive email designed to trick the recipient into handing over private information, or to deploy malicious software on the victim’s device or network.
- Spear phishing – a variant of phishing which targets a specific individual, typically by impersonating someone they know.
- Fake websites – scam websites designed to deceive users into fraud or malicious attacks.
- Phone spoofing - when scammers change their caller ID to disguise their identity from the person they are calling.
- Smishing – a variant of phishing which uses mobile phones as the attack platform.
Ransomware:
Ransomware is one of the most common methods hackers use to target businesses. Ransomware locks up computers and encrypts data, holding it hostage. For owners to regain access to their data, they have to pay a ransom to the hacker, so they release the decryption key. Reports have shown that as many as 71% of ransomware attacks target small businesses, with an average ransom demand of $116,000. SMBs are often more likely to pay ransom demands since their data might not be backed-up and they need to get up and running as soon as possible.
Malware:
Malware is an umbrella term for malicious software designed to cause harm to a user’s device or network. It encompasses a variety of cyber threats such as Trojans and viruses (and in fact, ransomware is a form of malware). Malware attacks are damaging for small businesses as they can cripple devices, requiring expensive repairs or replacements. They can also give attackers a back door to access data, putting both customers and employees at risk.
Botnets:
A botnet is a network of computers which have been compromised and infected with malware, allowing them to combine processing power to carry out cyberattacks. They have been considered a threat for larger organizations for some time, but in recent years, small and medium-sized businesses have been targeted as well.
Distributed Denial of Service attacks:
A Distributed Denial of Service or DDoS attack aims to bring down a website by flooding it with traffic from numerous different sources. A successful DDoS attack can take your website offline altogether, making it impossible for customers to access it.
SQL injection:
If your business has a database on SQL (which stands for Structured Query Language), then you are potentially vulnerable to SQL injection. SQL injection refers to injecting a piece of malicious code into an SQL database. Depending on the nature of the malicious code, the consequences can be very serious. For example, it can delete data, compromise sensitive user information, and in extreme cases, shut down the whole system. It is one of the most common forms of website attack.
Why SMB cybersecurity is essential
There are various reasons why cybersecurity for small businesses and SMB security in general must be taken seriously:
The possibility of financial losses:
A cyber incident can destroy a small business’s finances, sometimes terminally. The cost of recovery, loss of income during downtime, plus any financial penalties for non-compliance with legislation can seriously affect your bottom line.
Reputational damage:
If your business suffers a data breach which affects customer details, then depending on the scale of the attack and how it is handled, it can have a serious impact on your company’s reputation. This could affect your ability to retain and attract new customers and employees.
Putting your employees at risk:
If sensitive employee information – such as confidential HR files, dates of birth, financial information and so on –is stolen by cyber criminals, those employees will be at risk of identity theft and other cybercrimes.
Ability to continue operations:
Businesses of all sizes have become heavily reliant on computer systems, especially since the Covid-19 pandemic. The reliance on cloud services, smartphones, the Internet of Things and AI means that any disruption caused by a cyber attack seriously hampers your ability to operate and transact normally.
Compliance with regulation:
Jurisdictions around the world have increased their regulation in relation to the internet. For example, in Europe, there is the General Data Protection Regulation (GDPR) and in California, the California Consumer Privacy Act. Regulations like these impose obligations on organizations which collect and store data, with penalties for non-compliance – underlining the need for businesses of all sizes to take data privacy seriously. You can read more about laws governing the internet here.
The threat landscape continues to evolve:
Both the volume and complexity of cyber threats are increasing. It’s estimated that globally, over 30,000 websites are hacked daily, and that more than 300,000 new pieces of malware are created each day. Cyber criminals are always looking for new ways to exploit and attack businesses of all sizes. Just because your business may not have experienced an attack so far, it doesn’t mean you are immune.
How often are small businesses affected by cyber threats?
The risk of a cyber attack for SMBs – already typically higher than the risk for larger organizations – has grown in recent years. For example, in 2020 and 2021, data breaches at small businesses globally increased 152% compared to the previous two years, according to RiskRecon, a unit of MasterCard which assesses corporate cybersecurity risk. This figure was double the equivalent for larger companies during the same period.
A 2021 study by IBM found that 52% of small businesses had experienced a cyber attack in the previous year. Yet despite this, many businesses are not prepared – a survey by UpCity, a US business service provider, revealed that only 50% had a cybersecurity plan in place for 2022.
When the economic environment is tough, it’s natural for businesses to focus on daily operations and their immediate survival. But given the cyber threat landscape, cybersecurity is a key aspect of longer-term business survival.
How can you protect your small business from cyber threats?
To protect your SMB from cyber threats, you need to create a cybersecurity strategy. A robust cybersecurity strategy should include:
- Employee training and awareness
- Network security
- Infrastructure security
- Application security
- Information security
- Cloud security
- Disaster recovery or business continuity in the event of a serious attack
It’s essential to foster a culture of security within your business. Employees and managers should learn and follow good basic security practices. However, vigilance alone is not enough. SMBs must also invest in appropriate security tools to safeguard their business.
Protecting small business networks
Cybersecurity professionals talk a lot about network security. It sounds like something that applies only to large enterprises, but any business with more than one computer has a network. In fact, if employees use their smartphones for work, one desktop computer including those smartphones is a business network.
Internet security awareness is the first critical layer of protection. Access to the network should be protected by strong passwords, which should be regularly changed.
Users with network access should learn to be careful about email. Don't click on links in emails unless you are confident that the email is really from a known and trusted source. Beware of emails that claim to be from colleagues but have no real personal message. Also beware of emails, supposedly from banks or other businesses, asking you to provide account information. Both are red flags for phishing scams that seek to trick recipients.
Invest in effective protection
Good, basic security practices will reduce the chance of cybercriminals breaking into your business network. But small business security also requires appropriate business solutions.
Free small business protection is not always enough. Freeware security tools are essentially marketing devices. They can be helpful for getting a feel for a potential solution, on a try-before-you-buy basis, but they are inherently limited. Effective small business security tools are, however, available at an affordable price.
Effective business solutions should have these five basic features:
- They should include protection against computer viruses and other malware.
- Because mobile network access is now practically universal, they should provide mobile security.
- They should provide for encryption of individual files, folders, or an entire disk of data.
- They should protect endpoints – the various devices and locations that allow access to the network.
- Last but not least, an effective business security solution should include system management tools, such as patch management for updating the protection.
With effective protection and good internet security practices, small businesses can protect themselves from cybercriminals. They may try the doors to your network, but when those doors don't open, they'll go looking for an easier victim.
Other articles and links related to small business security:
