Statistics show that cyberattacks are a legitimate threat to small businesses, but small businesses don't always act on that knowledge. According to the 2018 Hiscox Small Business Cybersecurity Report, 47% of small businesses experienced an attack in the past 12 months. Cybersecurity is a serious concern, yet the report shows only 52% of businesses have a cybersecurity strategy.
Why don't small businesses care about cybersecurity? It's not fair to assume that small businesses truly don't care about it, but they do often ignore cybersecurity concerns. Even with alarming statistics and articles on cybersecurity tips for businesses available, smaller firms seem to consistently overlook the risk of cyberattacks.
Logically, this makes sense. While cybersecurity threats can be as bad as physical security threats, the threats aren't always obvious. While bad password protection and poor site maintenance may leave your business vulnerable to attack, there isn't the same clear threat as there is when you leave your store unlocked or someone is suspiciously walking around your business.
Unfortunately for small businesses, this "out of sight, out of mind" mentality can have horrible consequences. If you fail to protect your business from cybersecurity threats, you may lose critical company information while also damaging your brand and losing money. Cyberattacks can occasionally be so bad that you ultimately go out of business.
"Small business owners cannot think their business is too small to be hacked," said Monique Becenti, product and channel specialist at SiteLock. "While the breaches that make headlines tend to be associated with large enterprises, no business is immune to cyberthreats."
One of the big reasons small businesses avoid putting resources toward cybersecurity is a lack of understanding and concern. Just the term "cybersecurity" sounds complicated. Luckily, there are experts out there who know how to tackle the topic. Business News Daily reached out to cybersecurity experts for ways small businesses can improve their cybersecurity in just an hour or less. Protecting your business doesn't have to be a daunting task.
1. Perform a cybersecurity audit.
Start by figuring out where your business stands. Are you well protected against cyberthreats? Are you secure in some areas but lacking in others? It's best to start by understanding where you can improve.
"While most measures that a small business can take require more than an hour to implement, it may be worth spending an hour doing a quick audit of what cybersecurity measures you already have in place," said Heather Paunet, vice president of product management at Untangle, which provides network security to small businesses. "Cybersecurity includes policies alongside systems. Formulating an acceptable use policy for devices, data and the network can be an important first step if you don't already have one in place. If even this is too daunting, spend the hour locating an IT professional in your area who can help you out. Many MSPs now offer cybersecurity alongside other IT services."
Paunet's suggestion is one small businesses should follow. If the reason your business avoids taking cybersecurity measures is a lack of knowledge, there are plenty of knowledgeable people out there willing to visit your business, either for a training session or to share options for cybersecurity plans. Ignoring cybersecurity because your team lacks technical knowledge isn't a legitimate excuse.
If you're strapped for time or have a remote team, you can take online cybersecurity classes to better train your team and to understand in which areas your business lacks online protection. These are a few of the top free online cybersecurity classes:
- SANS Cyber Aces Online – This is one of the top options for beginners, as much of this content is as basic as it gets. If your team is lost when it comes to cybersecurity, consider taking advantage of this free course.
- Cybrary – The free access to Cybrary includes about 500 courses related to cybersecurity and IT. The courses are sorted by difficulty, which makes it easy to know which courses are best suited to you.
- Springboard's Foundations of Cybersecurity – This free course includes a whopping 38 hours' worth of materials. You don't need to watch all of it to gain a better understanding of cybersecurity best practices. If you go through an hour a week, you'll gain tremendous insights, and it will only take about nine months.
2. Train your employees to recognize common cybersecurity threats.
The quickest way to protect your business from cyberattacks is to properly train your employees. Some businesses might picture an overseas hacker taking extraordinary measures to break into a small business's network, but that's not usually the case. In many scenarios, a basic phishing email can compromise your small business. Basic safety measures often prevent attacks from being successful.
"If SMBs spent one hour training staff on basic internet hygiene – spotting phishing emails, good browsing practices, not downloading suspicious files or clicking links – cybersecurity would be greatly improved," said Sean Allen, digital marketing manager at Aware. "Employees and emails are still the No. 1 causes of breaches for SMBs – no need to worry about master hackers."
For small businesses wondering what the different types of cyberattacks are, we've outlined them in our small business guide to cybersecurity. Among the most common types of cyberattacks against small businesses are phishing attacks.
Phishing is a lot like it sounds. When people catch fish, they use bait to lure them close. When the fish gets close, it bites the hook with the bait on it, which then causes a pull on the fishing line, and the fisherman knows to reel the fish back to the boat. Phishing emails work similarly in the sense that the cybercriminals try to trick users by using bait, often in the form of an email.
For example, a cybercriminal might create a fake email address that closely resembles that of your CEO. (We've seen this a few times at our company.) The email may say something like, "Hi, message me immediately with your cell phone number. I need your help on a project and want to give you a call." The goal of this email is to get you to think you're emailing back and forth with your CEO. This gets you to send personal information to the hacker without even realizing it's a threat.
Other phishing attacks ask for more personal information, like your credit card number. It's a good rule of thumb to avoid sending personal financial information over email. In most instances, you can share personal information with companies or people over the phone or in person. Phishing is one area where training your employees can prevent crippling cyberattacks.
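The CEO-lookalike email described above can be caught by a simple check on the From header. This is an added example, not code from the original article; the executive directory, the company domain `northwind.example`, and the sample senders are all constructed for illustration.

```python
from email.utils import parseaddr

# Assumed directory of people attackers are likely to impersonate (constructed).
EXECUTIVES = {"dana reyes": "dana.reyes@northwind.example"}
COMPANY_DOMAIN = "northwind.example"  # assumed company domain (reserved .example TLD)

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return a list of warnings for one From header; an empty list means no finding."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # An executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(" ".join(name.lower().split()))
    if real and addr != real:
        findings.append("display name matches an executive, address does not")
    # A domain one or two characters away from the company's own.
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike of company domain")
    return findings

if __name__ == "__main__":
    samples = [  # constructed From headers
        "Dana Reyes <dana.reyes@northwind.example>",
        "Dana Reyes <dana.reyes@mail.example>",
        "Dana Reyes <dana.reyes@northw1nd.example>",
        "Newsletter <news@vendor.example>",
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "ok")
```

A check like this only inspects the visible sender, so it complements employee training and does not replace it.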
Businesses should also be prepared to prevent ransomware attacks, which occur when malware infects your computer and locks it down until a ransom is paid. Using anti-malware software is a quick way to prevent these attacks. It's a good idea to back up all files. It's also important to never pay the ransom should your business be attacked.
3. Improve your password strength to avoid brute-force attacks.
If you're looking for one place to start improving your cybersecurity measures, make it passwords. Way too many employees and executives use passwords that are easy to hack. To make matters worse, they often use these passwords across several platforms and websites. If that one password is compromised, the potential harm increases exponentially. It's best practice to have different passwords for different sites.
"I would recommend changing your password to a complex password (yes, take time to include letters, numbers and symbols in your password!)," said Taylor Toce, CEO and founder of Velo IT Group. "The simple act of changing your password will lock out anyone who might have it. For example, if your password was compromised as part of a security breach, or if you simply shared it with one too many co-workers, you can tighten the security on those accounts by just using a new password. Further, a complex password is your best defense against the very common dictionary or brute-force attack methodology, which is widely exploited today."
In a brute-force attack, hackers run automated programs that plug in a variety of potential password combinations. A dictionary attack is a form of brute-force attack that tries every word in the dictionary as a potential password. Brute-force attacks are particularly effective against companies with obvious username information and simplistic passwords.
Strengthening your organization's passwords immediately reduces the risk of a successful cyberattack against your business, and it doesn't take long. It can take just a few minutes to change a weak password to a secure one.
"All passwords should have at least 10 characters or more, including at least one uppercase, one lowercase, one number and one special character," said Myles Keough, CEO of Spade Technology.
Long passwords with different symbols and capitalization of letters tend to combat brute-force attacks. A fix as simple as changing your password can prevent a cyberattack. Using strong passwords is a critical step in the early process of improving cybersecurity.
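The password rule quoted above, combined with a dictionary check, can be enforced in a few lines. This is an added example, not code from the original article; the wordlist, the character-swap table, and the sample passwords are constructed. It shows that a password can satisfy the length and character rule and still be built on a dictionary word.

```python
import math
import re

# Constructed sample wordlist; in practice load a large common/breached-password list.
COMMON_WORDS = sorted(["password", "welcome", "summer", "letmein", "company", "admin"])

# Small illustrative table of character swaps to undo before the dictionary check.
SWAPS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                       "3": "e", "$": "s", "5": "s", "7": "t"})

# The four character classes from the rule, with their size in printable ASCII.
CLASSES = {
    "lowercase": (re.compile(r"[a-z]"), 26),
    "uppercase": (re.compile(r"[A-Z]"), 26),
    "number": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 33),
}

def check_password(pw, min_len=10):
    """Return (problems, bits): rule violations and naive brute-force search space."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    alphabet = 0
    for name, (pattern, size) in CLASSES.items():
        if pattern.search(pw):
            alphabet += size
        else:
            problems.append(f"missing {name}")
    # Dictionary check on the password with case and common swaps undone.
    normalized = pw.lower().translate(SWAPS)
    hit = next((w for w in COMMON_WORDS if w in normalized), None)
    if hit:
        problems.append(f"built on common word '{hit}'")
    # len * log2(alphabet) assumes random characters, so it overstates the
    # strength of any password that also has a dictionary hit.
    bits = round(len(pw) * math.log2(alphabet), 1) if alphabet else 0.0
    return problems, bits

if __name__ == "__main__":
    for sample in ["summer19", "P@ssw0rd2019!", "gV7#qLm2!xRc"]:  # constructed samples
        print(sample, check_password(sample))
```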
4. Implement multifactor authentication on business accounts.
"One 'quick win' for small business owners is setting up multifactor authentication on their accounts, especially those related to financial transactions," said Stacy Clements, founder of Milepost 42. "Multifactor authentication provides an extra layer of security beyond a username and password to protect your accounts, usually by requiring you to enter a code sent to your mobile device or provided by a separate hardware security key. Most banks and credit card online services offer this capability, as do most email and social media services. Enabling this extra security protection takes only a few minutes and protects your important accounts by helping to ensure that it's really you accessing the account, not a cybercriminal who stole your password."
Multifactor authentication is a great way to add a layer of protection when logging in to certain programs. As Clements mentioned, this practice is commonplace in today's digital world. Two-factor authentication isn't hard to implement or look for in tech products, and using it can help prevent cybersecurity attacks.
Improve your cybersecurity measures in an hour.
Introducing and implementing a complete cybersecurity program takes more than an hour. You won't be completely safe from attacks by making a few quick changes, but you can take significant strides forward in 60 minutes or less.
There's no excuse for small businesses to completely ignore cybersecurity in 2019. According to SiteLock's annual security report, the average website is attacked 62 times a day. While that applies to larger enterprises as well, small businesses are subject to attack. Your business can and should protect sensitive data by making a handful of quick changes.