Author: Phil Muncaster
Date published: July 23, 2024
Most of the eye-catching security breaches of the past decade have involved big brands, large enterprises and government organizations. However, as reported in the Verizon 2023 Data Breach Investigations Report Small and Medium Business Snapshot (DBIR) revealed that U.S. small businesses had reported more incidents and confirmed data disclosures than large businesses and almost three out of four U.S. small businesses reported a cyberattack in 2022. Further, the Verizon 2023 (DBIR) found that SMBs and large companies are using similar services and infrastructure, and that means that their attack surfaces share more in common than ever before.1
This is why small business cybersecurity is of critical importance today. It should be an urgent strategic priority for any SMB owner, and the good news is that effective cyber risk management doesn't have to break the bank.
As a small business owner, the first step in developing a cybersecurity strategy is understanding the scale and nature of the threat, including through expert resources such as the SBA.
Small businesses face multiple cyber risks:
1. SMBs can represent an attractive target, with personal and customer data to steal, sell and ransom, corporate bank accounts to hijack, and employees to trick into making fraudulent payments.
2. They often have fewer resources to spend on security. This can mean they employ few or no IT security experts and have limited cybersecurity tooling and little money to spend on third-party services. While small businesses have increased spending on IT security, insurer Hiscox reports that there are still vulnerabilities. For example, 41% of small businesses surveyed do not use data backup recovery and restoration systems.2
3. Attacks could cause significant damage. Over half (54%) of small businesses that experienced a cyberattack had confirmed data disclosure, according to Verizon's 2023 DBIR.3
4. SMBs may still be bound by compliance requirements depending on their sector and clients/partners.
The truth is that SMBs are very much on the radar of malicious hackers. That makes cybersecurity for small businesses essential. According to a report commissioned by Hiscox, the risk of attacks has increased in the last year, with the median number of attacks a small business encountered increasing from three to four.4
These attacks could cause significant financial and reputational damage to your business, including:
● IT costs related to clean up and remediation of an incident
● Third-party consultants required to investigate an incident
● Potential lawsuits due to an employee/customer data breach
● Regulatory fines
● Customer churn
● Lost productivity for staff
● Downtime and lost sales
The second step in developing a small business cybersecurity strategy is understanding how you may be attacked and the potential impact an attack may have.
Common small business cybersecurity threats include:
● Ransomware: Ransomware is a problem for businesses of all sizes, not just large enterprises. According to Verizon’s 2023 DBIR, Ransomware continues to be one of the top external threat actions at 24% of breaches, and is ubiquitous among firms of all sizes and industries.5
● Phishing: Fake emails, texts and even phone calls continue to be one of the most popular ways to trick employees into handing over their work logins and information, or unwittingly initiating a malware download.
● Malware: Keyloggers, spyware, banking Trojans and other types of malware are designed to steal access credentials and customer information, with potentially devastating consequences.
● Supply chain attacks: Sometimes, trusted third parties can actually introduce threats to the small business environment. It could be malware hidden in legitimate software, which is subsequently downloaded by the SMB. Or a contractor/partner with access credentials to the SMB network may be compromised.
By assessing what devices (including laptops, PCs, servers and cloud accounts) you need to protect and where the organization's most sensitive data is stored, you can draw up a policy and apply security controls accordingly. You may want to consider conducting a risk assessment to provide this kind of information.
Cybersecurity for small businesses doesn't have to be expensive or onerous to implement to get results. A cybersecurity strategy should be tailored to each small business, but some common elements can be implemented regarding networks, devices and people.
A zero-trust approach to network security is recommended. The basic premise is to limit access to the network—anyone or anything that can't be trusted shouldn't get in. Configure account access according to the principle of "least privilege"—i.e., staff are only able to access the bare minimum resources to get their job done and no more. Minimize the number of users with administrator privileges, too, as these are a popular target for attackers.
You should also use a network firewall to block the most common external threats, ensure the router is password protected and disable its SSID broadcast feature to make it invisible to users.
Policies to adopt to improve the protection of devices include:
● Making sure employees have corporate-liable devices to help enhance device protection and use compliance
● Making sure all devices are password-protected and updated from the factory default.
● For sensitive accounts and devices, using multi-factor authentication (MFA), to help ensure that even if hackers get hold of a password (i.e., via phishing) they are less likely to gain access.
● Investing in software from a reputable company and ensure it is configured to automatically update.
● Ensuring apps are only downloaded from official app stores, and that all devices have anti-malware installed and can be tracked, locked and remotely wiped in the event of loss or theft.
Users can make or break small business security. According to the 2023 DBIR, 74% of breaches involved the human element.6 A small business cybersecurity strategy can benefit from these elements:
● Train staff in security awareness so they know how to spot potential attacks, what to do during a security incident and why good password security is so important.
● Ensure all staff use strong and unique credentials for all accounts.
● To help staff productivity, consider a password manager, which will securely store and recall multiple passwords so that they don't feel the need to reuse or think of simple-to-guess logins.
● Craft policy to ensure staff don't use public Wi-Fi when out and about. According to the Verizon 2023 Mobile Security Index, nine out of ten remote workers access their organization’s resources from locations outside of their home, exposing their firm to additional security risks.7
While hopefully never used, it is prudent to have an established plan for how you will respond to any breach. Ensure all critical data is regularly backed up according to the "3-2-1 rule." This is essential to recover quickly from a possible ransomware breach.
Draw up a simple plan detailing the steps to take if the organization suffers a serious security breach. This could include contact details for security and technology vendors, your bank's fraud department and possibly other emergency response support. Keep a hard copy somewhere safe in case computers are inaccessible at the time. Add these plans to user awareness training.
Given the complexity of modern small business cybersecurity, it can feel overwhelming. However, you're not alone. Verizon has the expertise and solutions to help enhance the cybersecurity protections for your business while allowing you to focus on the most important thing—keeping it successful.
Learn how Verizon's simple, pre-packaged tools and services can enhance cybersecurity for small businesses.
The author of this content is a paid contributor for Verizon.
1 Verizon, 2023 DBIR Small and Medium Business Snapshot, page 9.
2 Hiscox, Cyber Readiness Report 2023, US Small Business Focus, page 6.
3 Verizon, 2023 Data Breach Investigations Report, Page 65.
4 Op. Cit., Hiscox, page 4.
5 Verizon, Ibid, page 9.
6 Ibid, page 8.
7 Verizon, Mobile Security Index 2023, page 22.