Today, small and medium-sized businesses (SMBs) are sometimes at a greater risk of cyber-attacks and security breaches than large enterprises and corporations. Seventy-one percent of cyber-attacks happen at businesses with fewer than one hundred employees due to less secure networks, lack of time, budget constraints, and limited resources for proper security. Other factors, such as not having an IT network specialist, being unaware of risks associated with cyber security, lack of employee training on cyber security practices and protocols, failure to update security programs, outsourcing security, and failure to secure endpoints, may play a role in the increased cyber-attacks on SMBs.
Common Cyber Attacks on SMBs:
- Advanced Persistent Threats. These are passive cyberattacks in which a hacker gains access to a computer or network over a long period of time with the intent to gather information.
- Phishing. Criminals utilize phishing, via email or other communication methods, to induce users to perform a certain task. Once the target user completes the task, such as opening a link or giving personal information, the hacker can gain access to private systems or information.
- Denial of Service Attacks (DoS, DDoS). Hackers deny service to legitimate users either by sending specially crafted data that causes an error within the system or by flooding, which overloads a system so that it no longer functions. The hacker forces the user to pay a fee in order to regain working order of the system.
- Insider Attacks. An insider attack may occur when employees do not practice good cyber safety, resulting in stolen and/or compromised data.
- Malware. Malware may be downloaded to the computer without the user knowing, causing serious data or security breaches.
- Password Attacks. Hackers may use automated systems to input various passwords in an attempt to access a network. If successful in gaining network access, hackers can easily move laterally, gaining access to even more systems.
- Ransomware. Ransomware is a specific type of malware that gathers and encrypts data in a network, preventing user access. User access is only restored if the hacker’s demands are met.
To help ensure your business is protected, it is important to know and understand the different ways hackers can gain access to a network and pose a threat to the data security of the business.
Some Ways SMBs Can Help Avoid Being a Victim of Cyber-Attacks
- Understand Legal Requirements
Often, SMBs are unaware of cybersecurity best practices, so they rely on vendors without first determining what their legal obligation is to have certain cybersecurity and data privacy practices in place. Some laws dictate what steps an organization is required to take. Thus, it is prudent for a company to develop a plan with legal counsel and then identify the ideal vendors to help execute that plan.
- Use a Firewall
Firewalls are used to prevent unauthorized access to or from a private network and prevent unauthorized users from accessing private networks connected to the internet, especially intranets. The Federal Communications Commission (FCC) recommends all SMBs set up a firewall, both externally and internally, to provide a barrier between your data and cybercriminals.
- Document Cybersecurity Policies
It is critical as a business to document your cybersecurity protocols. As discussed above, there may even be legal obligations to do so. There are many sources available that provide information on how to document your cybersecurity. The Small Business Administration (SBA) Cybersecurity portal provides online training, checklists, and information specific to protecting small businesses. The FCC’s Cyberplanner 2.0 provides a starting point for security documents and the C3 Voluntary Program for Small Businesses contains a detailed toolkit for determining and documenting the cybersecurity practices and policies best suited for your business.
- Plan for Mobile Devices
With technology advancing and companies allowing employees to bring their own devices to work, it is crucial for SMBs to have a documented written policy that focuses on security precautions and protocols surrounding smart devices, including fitness trackers and smart watches. Employees should be required to install automatic security updates and businesses should implement (and enforce) a company password policy to apply to all mobile devices accessing the network.
- Educate Employees on Legal Obligations and Threats
One of the biggest threats to data security is a company’s employees, but they can also help serve as the best defense. It is important to train employees on the company’s cybersecurity best practices and security policies. Provide employees with regular updates on protocols and have each employee sign a document stating they have been informed of the business’ procedures and understand they will be held accountable if they do not follow the security policies. Also, employees must understand the legal obligations on companies to maintain certain practices, including how to respond to inquiries the business may receive from customers about their data.
- Enforce Safe Password Practices
Lost, stolen, or weak passwords account for over half of all data breaches. It is essential that SMB password policies are enforced and that all employee devices accessing the company network are password protected. Passwords should meet certain requirements such as using upper and lower-case letters, numbers, and symbols. All passwords should be changed every sixty to ninety days.
- Regularly Back Up Data
It is recommended to regularly back up word processing documents, electronic spreadsheets, databases, financial files, human resource files, and accounts receivable/payable files, as well as all data stored on the cloud. Make sure backups are stored in a separate location not connected to your network and check regularly to help ensure that the backup is functioning correctly.
- Install Anti-Malware Software
It is vital to have anti-malware software installed on all devices and the networks. Anti-malware software can help protect your business from phishing attacks that install malware on an employee’s computer if a malicious link is clicked.
- Use Multifactor Identification
Regardless of precautions and training, your employees will likely make security mistakes that may put data at risk. Using multifactor identification provides an extra layer of protection.
Both technology and cybercriminals are becoming more advanced every day. Cyber security should be a top priority for your SMB. The right technology experts can help identify and implement the necessary policies, procedures, and technology to protect your company data and networks.
Octillo is a law firm focused on technology, data security, and privacy. Octillo has an experienced team of attorneys, who are also technologists, who can help educate your company on the best practices for data security that will help protect you from any future cyber-attacks and data security threats.
*Attorney Advertising. Prior results do not guarantee future outcomes.