Understand your vulnerabilities to select the right tools
In the modern digital environment, it’s important to have a cyber defense strategy in place. This can be a challenge for small businesses that don’t have a dedicated IT department to help defend them and detect new threats.
Research from the UK government found that 78% of small businesses consider cybersecurity a priority, but only 26% of those businesses have formal cybersecurity policies in place. This suggests small businesses are taking cybersecurity more seriously, but they lack the expertise to become more resilient to cyber-attacks.
Seeking advice from a cybersecurity professional to understand the parts of your business that are the most valuable and vulnerable to cybercriminals is an important first step in defending yourself. This advice will also help you to narrow down which cybersecurity tools match the needs of your business.
There is some clear consistency in the types of threats small businesses face. According to Cisco’s cybersecurity report for SMEs, the most common threats to small businesses were targeted attacks on employees like phishing, advanced malware and ransomware.
Ransomware, made famous by the WannaCry attack in 2017, encrypts your data and demands payment (normally in a digital currency like Bitcoin) in exchange for restoring the data. Cybercriminals prefer SMEs as targets for these types of attacks as they are much more likely to pay the ransom than bigger enterprises. Understanding which types of threats you are likely to face can help your business gain the upper hand.
Integrate new technology carefully
For small businesses, technologies like cloud computing, data analytics and mobile have been extremely valuable in simplifying processes and automating time-consuming admin. These benefits are clearly playing an important role in helping small companies to scale, but with new additions to your technology stack come cyber risks that shouldn’t be ignored.
These types of risks are commonly referred to as third-party vendor risks. When external applications, including cybersecurity tools, are connected to your network, they can create gaps that hackers can then exploit to gain access. This type of attack made recent headlines when companies like Airbus and Rolls-Royce were successfully attacked through their supply chains. For small businesses, this basically means that you should be careful in selecting software partners and ensure that the offering is compatible with your current solutions.
Cisco’s report also found that companies that had to manage relationships with many different vendors were less secure as a result. One solution might be to turn to a single Managed Service Provider that can provide tools to combat a wide range of issues and meet your company’s specific needs, with the added benefit of only dealing with one supplier.
Consider cyber insurance
Small businesses typically have insurance policies covering property, stock or other liabilities. Given the damage that a cyberattack can cause a small business (research conducted in the US suggests that 60% of small businesses that experience a cyber-attack close their doors within 6 months), getting cyber insurance for your business could be a smart move.
There are some important considerations here. From a reputational perspective, if there is a data breach and customers and regulators are not informed in a timely manner, this can damage the way the business is perceived and could cause issues with data protection laws like GDPR.
Financially, large enterprises can usually take losing money in a breach or paying a fine in their stride, but for smaller companies this can cripple the business. According to the UK government study cited earlier, the average cost of a serious data breach for small businesses was between £65,000 and £125,000. It’s often assumed that this money can be recovered, but this isn’t always true, so a cyber insurance policy can help safeguard your business against such breaches.
Educate your people and develop a cyber policy
It may come as a surprise, but arguably the biggest risk for small businesses when it comes to cybersecurity comes from within the business itself. These ‘insider threats’ are intentional or accidental risks caused by former or current employees, contractors or other business associates who have access to your networks and data.
According to McAfee’s Grand Theft Data survey, internal sources were responsible for 43% of incidents of data loss, half of which were intentional and half accidental. While it can be challenging to prevent human error, two approaches for dealing with insider threats are educating people within the organization and limiting access to sensitive data for people who don’t need that access to carry out their job functions.
Education is also key for helping employees of small businesses to understand how they will be targeted and some common best practices for avoiding scams like phishing or invoice fraud. There are many free cybersecurity courses available online, and if your business operates in an industry like financial services or healthcare, which are heavily targeted by cybercriminals, you may want to consider bringing in some external training.
A final suggestion is to develop and clearly communicate a cybersecurity policy that can serve as a resource for people within the company if they feel unsure of what to do when situations seem suspicious. This is particularly valuable for onboarding as the business continues to grow. The new digital age has provided huge opportunities for small businesses and being cyber resilient will continue to be beneficial in scaling your business.