Working in data breach resolution, I have the opportunity to assess both the emerging security risks and misconceptions haunting businesses today. Recently, I’ve heard from others in the industry – risk managers, cyber insurers and various security professionals – that many small businesses don’t believe they will be targeted by cyber-attacks. Unfortunately, they fall under the false impression that criminals will only target large or even medium-sized businesses given the higher potential payout; however, this is simply not the case. In fact, nearly half of cyber-attacks target small businesses. For every high-profile “mega” breach you hear about, you can expect there were at least a dozen attacks on small businesses.
The fact of the matter is that attackers don’t discriminate, and they are becoming more and more advanced with tools that allow them to easily scale their attacks. What’s concerning about small businesses, in particular, is the significant and oftentimes unrecoverable damage a cyber-attack can have. For instance, the U.S. National Cyber Security Alliance states that 60 percent of small businesses are unable to sustain their businesses more than six months after experiencing a cyber-attack.
Small businesses don’t always have – or realize the need for – the protections and procedures that would let them be as proactive as possible. Namely, they don’t always know where to start and what to prioritize when it comes to incident response, and they often lack the expertise and resources to respond effectively. National Small Business Week serves as a reminder that security needs to be top of mind for small businesses, specifically the current and emerging risks that shouldn’t be overlooked from an operational standpoint. This week I encourage businesses to take time to prepare for the inevitable.
When it comes to the issues that are most at play, here are three key considerations for small businesses to keep in mind:
Protect Against Spear Phishing Attacks
Phishing has quickly become the main vehicle for ransomware and malware attacks, and its impacts are widespread. Last year, Wombat Security Technologies found that 85 percent of organizations suffered phishing attacks, and I can guarantee you that this number has only increased. And, while businesses are aware of the threat, they are still not prepared. A recent Ponemon study, for instance, identified that over one-third (38 percent) of organizations are not confident in their abilities to deal with this type of attack.
This tax season is a clear example; we saw an anecdotal increase in the number of W-2/tax fraud phishing scams which were heavily concentrated on smaller businesses. Another example is business email compromise, an emerging threat that the FBI has been tracking since 2013. With surprising sophistication, scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners.
Unfortunately, in both scenarios, employees are often responsible for the success of these phishing attacks, and small businesses typically offer less training on identifying and dealing with emerging scams. It is imperative to provide education and regular data protection and privacy training (DDPT), as well as build a stronger internal culture of security (i.e. provide employees with incentives to report security issues and safeguard confidential and sensitive information). This will help ensure that all employees learn to spot cyber-attacks, know how to safeguard their company’s valuable data and possess the ability to strengthen their own security hygiene.
Move Company Data to the Cloud
All businesses, and specifically small businesses with limited resources and technology designated to safeguard their valuable data, can benefit greatly from moving their infrastructure to the cloud. Before doing so, it’s important to research different cloud vendors and identify a reputable provider with multi-level and robust firewalls, among other protections. Data security and protection are the focus of a good cloud provider, so their expertise in the area is advanced, efficient and continually strengthened. This is not to say that data security isn’t also the responsibility of internal employees, though.
Once a vendor is identified, already strapped small business owners and employees can focus on other parts of the business, relying on the vendor’s advanced security, storage and preservation processes that are scaled to the business’ needs. Even so, security should always be a team effort, and as with the guidance above, employees need to receive clear and strict guidelines around their computing practices. Businesses should ensure DDPT programs cover both “basic” topics like securing protected data and password security and “advanced” topics like responding to a data loss or theft, mobile device security and email hygiene.
Take Advantage of Cyber Insurance
While cyber insurance is not something most small businesses currently have in place, these organizations must consider purchasing coverage in the immediate future to be proactive in the face of the security risks and repercussions faced by small businesses. Most companies simply don’t have coverage – a total oversight and misunderstanding of the cyber risks that are covered by insurance – and those looking to buy often face confusion around what can and should be covered. And, to that effect, not all insurance is created equal. It is important to work with a reputable broker who can articulate the needs and value for a business’ individual industry/sector. A good plan will help mitigate the costs associated with investigating and resolving a security incident, and aid a business with picking up the pieces and moving forward following a breach.
Of all the aspects of running a business, addressing the risk and proactively preparing for a data breach should be top of mind, specifically for those who own small businesses. Whether it’s due to a successful attack on the organization or employees mistakenly disclosing sensitive information, cybersecurity risks represent a real threat to a business’ ability to keep the lights on and the doors open. But the good news is that taking simple precautions, such as educating and training employees, avoiding the urge to become complacent and layering in protections via insurance, can help ensure that a cyber mishap isn’t the last word on a business’ reputation.
About the Author:
Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at [email protected].