If you're like most small business owners, cybersecurity isn't a top priority.
You probably don't think you're at risk for a cyberattack because it seems like a “big business” problem, affecting major retailers like Target and, more recently, the credit reporting agency Equifax. After all, who would bother stealing your insignificant data when they could hack into Target instead?
This kind of thinking has made small businesses the victims of nearly half of all cyberattacks. Hackers are going after small businesses because small businesses have valuable data and weak cybersecurity protections, making them the perfect targets.
By penetrating a small business, hackers can do significant damage:
- They can retrieve stored information like customer credit card numbers.
- They may use information to gain access to the computer systems of much larger partner businesses. The 2014 Target data breach happened because hackers stole login credentials from a heating, ventilation, and air conditioning company that serviced some of Target's stores.
- Hackers have found there's easy money in ransomware. They lock up critical files and then demand hundreds of dollars in “ransom” to restore your access.
A cyberattack can force you to temporarily shut down your business, as you work to access data and get websites and systems working again. Customers may lose trust in you, damaging your reputation and profits over the long term. A cyberattack can cost a small business as much as $250,000.
There are, however, things you can do to protect your small business from a cyberattack and minimize the damage if one does occur. Here are five of them.
1. Update Your Software
At a minimum, your business should have anti-virus and anti-spyware software. Firewalls and data encryption are even better. But threats change frequently, and hackers are on the lookout for computers and networks that don't have updated security protection.
If you don't have an IT person on staff, you may be especially vulnerable. Prioritize staying on top of security updates or, better yet, outsource that work to a company that specializes in small business cybersecurity.
2. Educate Your Employees
Your own employees may be your biggest security risk. When they log in to their personal emails and social media accounts, use personal devices for work-related tasks, inadvertently open phishing emails, or use the same insecure password for everything, they increase the risk that hackers will find their way into your business data.
You can turn this around and teach employees to recognize and defend against email phishing scams and other security threats. Also, create and enforce a password policy that requires strong passwords, limits who has access to sensitive data, and requires frequent password resets.
If your employees use their own devices for work, create and enforce a policy that defines the data employees can access and what will happen if a computer or phone is stolen, lost, or compromised.
3. Move Your Data Storage to the Cloud
Data stored on your own servers is susceptible to an attack, especially if you haven't installed security protections and don't perform regular backups. Cloud storage providers specialize in keeping data secure and monitoring for cybersecurity threats.
4. Have a Response Plan
It's wise to assume that sooner or later your business will fall victim to a cyberattack. Develop a plan for responding to the attack and containing the damage. Then conduct drills to train your employees to carry out the plan.
5. Get Cybersecurity Insurance
Your general liability policy will not cover your losses in a cyberattack, and yet a cyberattack can be just as devastating as a fire or theft. A wide range of cybersecurity policies are available.
Experts say to look for one with both first-party and third-party coverage. First-party coverage pays for your losses. Third-party coverage will take over if someone—such as a partner company or a customer whose credit card information was compromised—sues you because of a data breach.
As hacking threats increase, small businesses and their employees will need to make cybersecurity a higher priority. With the right mix of software, policies, and procedures, you can minimize your risk. And, if an attack does occur, you'll be prepared to respond.