Improving Information Security for Small Businesses

When most people think of a cyberattack, they picture malicious malware or ransomware coming from the dark web to infiltrate their personal or business database, corrupting files, stealing information and generally wreaking havoc. However, it’s often something simple like a negligent employee or contractor opening a “phishy” email or downloading a suspicious file that leads to business data loss and disruption. No matter how small or large a computer network is, its built-in antivirus is rarely enough to protect it, which is why improving information security is important for your small business.

It doesn’t take much for a network to be infiltrated and infected, and it doesn’t take much to protect it from outside and inside threats.

Horror Stories

Trend Micro, which provides information security for PCs, offers this story of how a company’s network was compromised through a bookkeeper who was just doing her job. The victim had received a request for a wire transfer. After receiving approval from the company’s CEO to submit and approve such transactions, the bookkeeper got a request from the CEO asking her to submit a wire transfer request.

After processing the request, the company’s bank called to verify the request. The bookkeeper verified the request had come from the CEO and the bank processed the transfer. The company later discovered the email request had been manipulated by fraudsters.

Another company, during a routine security assessment, found that the network accounts of close to 150 former employees were still active and approximately 17 of them were regularly being used. Even scarier, five of those accounts were employees who had been fired for stealing company information.

Cybersecurity isn’t Just for Big Business

Verizon’s “2018 Data Breach Investigation Report” found that 58% of all cyberattacks target small businesses. That number is up 15% over the past two years. So, while it’s accurate that large corporations account for the high-profile attacks, small businesses aren’t immune.

Cybercriminals, both organized and lone wolves, target small, independent businesses because they’re more vulnerable. Independent businesses often don’t invest in information security because they either don’t want to spend the money or take the time, which can be a damaging decision.

“The real question is, can you afford to not take the proper precautions?” asks John Oetinger, director of ManagedNetwork™ at Paladin Data Corporation. “What is the cost of your business being down for days because of something as common as malware, for example?”

The “2018 State of Cybersecurity in Small and Medium Size Businesses” from the Ponemon Institute shows that 67% of businesses surveyed experienced a cyberattack, which is up 6% over 2017. “The Cost of Malicious Cyber Activity to the U.S. Economy,” from the Executive Office of the President of the United States released in February, estimates that malicious cyberactivity cost the U.S. economy between $57 billion and $109 billion in 2016.

Ransomware, which essentially disrupts a business network and holds it hostage, not only disrupts a company’s operating network, it can literally cost a business money to regain control. The study shows that 61% of businesses experienced a ransomware attack in 2017 and 70% of them paid the ransom at an average cost of $1,466.

Phishing for a Cause 

For 60% of businesses in the Ponemon study, an employee or contractor was the root of their data breach. With businesses increasingly leaning on technology to enhance customer service and automate their processes, there are more network entry points. That’s why it’s critical to have effective protocols for information security.

Mobile devices are among the most vulnerable entry points, and many companies that encourage the practice of bring your own device (BYOD) to work leave themselves open to all kinds of intrusion. Nearly half of businesses acknowledge that their information security is compromised by allowing employees to access it with their own devices.

Businesses reporting phishing attacks, where fraudulent emails are sent purporting to be from reputable companies to steal personal or business information, increased to 52% in the 2017 report.  Phishing can be extremely disruptive because the emails can be sent to every employee with an account, multiplying its effectiveness.

The Verizon report shows that more than 92% of malware is delivered through emails. Plugging those numbers into a small business (fewer than 250 employees), Symantec’s “2018 Internet Security Threat Report” says that each employee gets nine malicious emails per month.

“In 2018, Cisco blocked 7 trillion threats on behalf of our customers – 20 billion per day. That’s the good news. The bad news is, a bad guy only has to be successful once,” says Cisco CEO Chuck Robbins.

An Ounce of Prevention

There is a myriad of ways to improve information security for small businesses. Some are as simple as regularly changing passwords and backing up data files. Others are more extensive, thorough and effective, such as contracting for network management.

Strengthening employee access passwords is one of the easiest steps. The Ponemon study shows that 40% of businesses that experienced cyberattacks involved compromised employee passwords. The average cost of each of those attacks was $386,365.

Companies that develop a password protocol or a two-step verification put up a better defense against malware and ransomware.

World Backup Day is March 31 each year and is dedicated to promoting the importance of regularly backing up personal and business data files. It’s promoters and other industry experts suggest that companies use a 3-2-1 Rule for their backups.

Increasing the IT budget is another easy way to improve information and network security. Many retail technology companies offer data backup and network management services that protect businesses of all sizes 24/7.

Whether it’s just developing more extensive information protocols with employee passwords and data backups, or contracting for network management, any investment in improving information security is a wise one.