It’s an unfortunate fact that cybersecurity is rarely the foremost of concerns among small- to medium-sized businesses. However, investing in cybersecurity is becoming even more important as these organizations undergo digital transformation. It may seem like there are more important priorities on which a small business could focus, but putting your company and your customers at risk of a cyberattack can have huge consequences.
Your reputation may suffer as your customers deal with potential financial loss caused by a consumer data breach. The data your business needs to function may be wiped out, or even worse, you may find your company bank accounts empty. Furthermore, your business may have to face legal repercussions and fines if found in violation of consumer data laws.
Fortunately, it’s not as difficult as you may think for companies to set up security solutions for their business and customers as well as to build a cyber secure workplace culture. Although it’s impossible to achieve a full guarantee of security from cybercriminals, there are many options to keep sensitive information safe.
This article will take a look at some significant security breaches carried out on small- and medium-sized businesses, take a look back at the lessons we can learn from 2020, explore how to effectively implement security solutions when handling sensitive data and investigate how these solutions can strengthen a business as a whole.
Do cybercriminals bother with SME businesses?
Most of us have heard about the major corporate hacks that have occurred in the last few years. As a result, it’s easy to assume that cybercriminals only go after the biggest companies with the deepest pockets.
However, statistics show that this assumption is false. In fact, almost 60% of businesses that experienced a data breach in the last few years were considered small businesses. That number is likely to increase in the coming years.
In many cases, these businesses suffered not only financial losses but also incurred regulatory fines due to the lack of PCI compliance. Depending on the state in which a company is located, there may be additional regulations that apply. For example, the 2020 California Consumer Privacy Act severely restricts how companies can handle consumer data.
Small businesses around the world also fall victim to phishing attacks every day. Companies could lose thousands if not millions of dollars in these attacks, which could result in them having to deal with ongoing lawsuits filed against them. In Massachusetts, companies must even pay for 18 months of credit monitoring for clients affected by any breach, following Bill H.4806 that was signed into law in 2019.
What can SMEs do to protect their IT infrastructures and comply with cybersecurity laws?
The good news is that it’s not as difficult as you might suspect to protect essential IT infrastructures from cyberattacks and to stay up to date with cybersecurity compliance laws such as the SHIELD Act, CCPA or other similar laws passed in your state.
First and foremost, one of the biggest security threats to confidential data is human error. A recent report found that 79% of IT leaders fear the idea of employees putting data at risk accidentally. These internal leaks can put companies in severe danger.
Studies reveal that these fears are not unfounded. Statistics show that almost a third of all cybersecurity breaches for SMEs are perpetrated by unwitting members of business staff. This is why it’s critical for business owners to provide the right cybersecurity education for employees and encourage a cyber secure workplace culture. Employee cybersecurity training is ultimately the number one strategy to ensure that the risk of human error can be significantly reduced.
With this in mind, it’s important to create and/or review company policies to include mandatory requirements for employees to follow. These policies could include clauses around forbidding the use of removable hardware like USB files and adopting healthy password habits. Doing this will help to support companies to develop a more cyber-aware focus in their employees when they handle sensitive data.
Backing up sensitive information is another strategy that is crucial in the fight against cybercrime—especially in the event of a ransomware attack. At the end of Q3 last year, the United States experienced a 139% increase in ransomware attacks Ransomware continues to gain popularity amongst attackers for being a simple and effective way to make money.
It’s also essential that your entire IT infrastructure come with the latest firmware versions for your servers, firewalls and routers. Each server needs to have the most recent software upgrades including antivirus software, so ensure you are always keeping your software updated on this front. The idea is that each possible access point into your company’s virtual data needs to be protected with a reliable cybersecurity measure.
Finally, make it a company policy that each employee using the company network utilizes a virtual private network (VPN). A virtual private network not only geoblocks your IP addresses; it also utilizes secure encryption measures such as L2TP or SSTP to frustrate even the more experienced attackers. Even though a VPN will likely slow down your internet speed by a small amount, the trade of greatly improved security makes it well worth it.
Remember: There is no absolute 100% guarantee that your company will never face a breach or attack no matter what measures you put in place. Creating a detailed cybersecurity action plan that provides clearly defined steps that must be taken in the event of a security breach is a vital part of your cybersecurity defenses. It’s good practice to run ‘fire drills’ with teams and employees so you can be assured that they understand their role and that action can be taken quickly in the event of a real attack.
Malicious actors are shifting their focus away from big name companies that can afford high-end security solutions to SMEs that are more likely to have vulnerabilities in their infrastructure.
This is a sad truth that we must prepare for, but thankfully, protecting your IT infrastructures from malicious actors and complying with cybersecurity laws doesn’t have to be expensive or complicated. Implementing simple solutions such as the right software, hosting and cybersecurity education can dramatically lessen your company’s chances of becoming the latest cybercrime victim.
About the Author: Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security with an emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.