Small businesses are swiftly adjusting to our new world of work-from-anywhere opportunities. But with more adaptability also comes more cybersecurity risk. Over half of small firms had data breaches just in the previous year. Fortunately, there are actions your small, expanding firm may take to significantly improve security while spending minimal time or money.
Even though it may be unpleasant to consider, cybercrime poses a serious threat to small businesses.
The Australian Cyber Security Centre (ACSC) found that during the 2020-2021 financial year, small businesses on average lost $8,899 due to cybercrime. They also made more cybercrime reports than in the previous financial year.
Fortunately, there are straightforward and cost-effective ways small business owners can help protect themselves from breaches.
What Are The Primary Cyber Attacks Types That Small Businesses Often Face?
Every small firm, regardless of industry, must be aware of the risks posed by cyber attacks. Criminals' tactics are always evolving, making it more important than ever to establish a cybersecurity plan, especially now that remote work has moved company data onto home networks and personal devices that sit outside the office perimeter and its defences.
Malware (malicious software) is any program that "executes unauthorized actions on the victim's system". It usually arrives through a phishing email, a malicious download, or an unpatched piece of software, and ransomware is its most damaging form today. Three classic categories are the trojan horse, the virus, and the worm.
- Trojan Horse: Malware disguised as, or hidden inside, a legitimate-looking application such as a game or a free download; the user installs it willingly.
- Virus: Malicious code that attaches itself to programs, files, or parts of the operating system and spreads when those files are opened or copied. We'll explain more about viruses in the next section.
- Worm: Malware that replicates itself across a network without any user action, infecting other systems and the programs on them.
Although there are different types of viruses, all are written to damage the software and data on your machines rather than the hardware itself. A virus can corrupt programs, damage or delete files, or slow a computer to a crawl. You can pick one up by sharing files, opening infected email attachments, visiting a malicious site, or downloading a harmful application. Signs that a computer is infected include an increase in pop-up windows, account passwords changed without your knowledge, missing files, and a sudden slowdown in network speed.
Ransomware, as the name suggests, holds a company's data for ransom: it encrypts files, databases, and applications and demands payment for the decryption key. Most groups now also copy the data out first (passwords, credit card and other personal information, customer records) and threaten to publish it if the ransom is not paid, so restoring from backup alone does not end the incident. The ransom note sets a deadline, commonly a day or two, after which the price rises, the files are lost, or the stolen personal data is leaked.
Ransomware most often gets in through phishing email, exposed remote-access services, or unpatched software, and it frequently targets small businesses. In July 2021 the REvil ransomware gang compromised Kaseya's VSA remote-management product, which managed service providers use to administer their small and medium-sized customers, and used it to push ransomware to those customers. Between 800 and 1,500 businesses were affected; although Kaseya acted quickly to contain the situation, many small businesses still suffered. Each one faced the cost of an investigation and, where personal information was stolen, the obligation to notify customers.
In a phishing attack, a criminal tries to trick the recipient into handing over credentials, card or bank details, social security numbers, or other personal information, or into opening a malicious attachment. The lure is usually an email or text message that appears to come from a bank, a supplier, a colleague, or a well-known service. Business email compromise (BEC) is the costliest variant: the attacker impersonates an executive or a trusted supplier, often from a lookalike domain or a hijacked mailbox, and asks for an invoice to be paid to "updated" bank details or for a payment to be made through a fraudulent portal. The loss falls on the business and its customers alike, which is why every employee who handles money or data needs to know what these messages look like and how to verify a payment request through a known phone number rather than by replying to the email.
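The indicators described above can be checked mechanically before a message reaches the bookkeeper. The script below is an added example, not code from the original article: it is a small triage script that parses a raw email with Python's standard library and flags a display name pretending to be an address at another domain, a Reply-To that diverts replies elsewhere, a sender domain that imitates a trusted supplier (confusable characters or a one-character typo), and payment or urgency wording in the body. The trusted-domain list, the `example`/`.example` addresses and both sample messages are constructed for the example.

```python
"""Flag common phishing and BEC indicators in a raw email.

Added example, not from the original article. The checks are heuristics a
mail gateway or a helpdesk triage script might apply. The trusted-domain
list and both sample messages are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Assumed allow-list: the suppliers and banks this business actually deals with.
TRUSTED_DOMAINS = {"acme-supplies.com", "example-bank.com"}

# Substitutions attackers use so a domain reads like a trusted one; separators are dropped.
_CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "-": None, ".": None}
)

_PAYMENT_WORDS = re.compile(
    r"wire transfer|new bank details|updated (?:bank|account) details|payment portal|urgent",
    re.IGNORECASE,
)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if _edit_distance(domain.translate(_CONFUSABLES), trusted.translate(_CONFUSABLES)) <= 1:
            return trusted
    return None


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list:
    """Return the list of indicators found; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name that looks like an email address at a different domain.
    spoofed = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if spoofed and spoofed.group(1).lower() != from_domain:
        findings.append("display-name-spoof")

    # 2. Replies silently diverted to a mailbox the attacker controls.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 3. Sender domain imitating a known supplier or bank.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike-domain:{imitated}")

    # 4. Classic BEC wording: change of bank details, wire transfer, urgency.
    body = msg.get_payload()
    if isinstance(body, str) and _PAYMENT_WORDS.search(body):
        findings.append("payment-request-language")
    return findings


# Constructed sample messages.
BEC_SAMPLE = """\
From: "Acme Supplies Accounts" <accounts@acme-suppl1es.com>
Reply-To: accounts.acme@mail-relay.example
To: bookkeeper@smallbiz.example
Subject: Invoice 4471 - updated bank details

Please use our updated bank details (attached) for Friday's wire transfer.
"""

LEGIT_SAMPLE = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies.com>
To: bookkeeper@smallbiz.example
Subject: Invoice 4471

Invoice attached as usual. Our bank details have not changed.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(f"{label}: {phishing_indicators(sample) or 'no indicators'}")
```

None of these signals is proof on its own (a supplier may legitimately use a separate Reply-To), which is why the function returns every indicator found rather than a verdict; the action that matters is the one the text describes, calling the supplier on a number you already hold before changing any bank details.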
Password Hacking
You may be aware that "123456" and "password" are among the most common passwords, and you shouldn't use them. But did you know that 59% of people use the same password for all their accounts?
Password theft is an ongoing problem, and it's important to protect your accounts with smart password choices. Criminals use automated tools that try thousands of guesses per second, and they succeed fastest when the victim has chosen a common password or something guessable from public information such as a birthday or a pet's name. A second route does not involve the login page at all: when a service is breached, attackers obtain its stored password hashes. A hash is the output of a one-way function, so it cannot be reversed directly, but if the service used a fast, unsalted algorithm the attackers can simply hash a wordlist and match the results against the stolen table offline, recovering every weak password in seconds. Only a slow, salted hashing scheme makes that work expensive. Because of password reuse, a password recovered from one breach is then tried against the victim's other accounts, a technique known as credential stuffing.
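The difference between a fast, unsalted hash and a slow, salted one is easiest to see from the attacker's side. The following is an added example, not code from the original article: it simulates a criminal who has obtained a leaked credential table and runs a dictionary attack against it, first against unsalted SHA-256, then against per-user salts with PBKDF2-HMAC-SHA256 from Python's standard library. The user names, passwords and wordlist are constructed, and the 100,000-iteration work factor is an illustrative setting. A password that is on the wordlist falls either way; what the salt and the slow function change is the cost, from one hash per candidate word for the whole table to a full wordlist run per user at a fraction of the speed.

```python
"""Dictionary attack on stolen password hashes: fast unsalted vs slow salted.

Added example, not from the original article. Users, passwords and the
wordlist are constructed; the iteration count is an illustrative setting.
"""
import hashlib
import os
import time

# Constructed wordlist standing in for the multi-million-entry lists attackers use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2021",
            "fluffy1999", "correct horse battery staple"]
ITERATIONS = 100_000  # assumed PBKDF2 work factor


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: what a naive application might store."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256: deliberately expensive per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_unsalted(table: dict, wordlist) -> dict:
    """One hash per word cracks every user at once (a precomputed lookup)."""
    lookup = {fast_hash(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in table.items() if digest in lookup}


def crack_salted(table: dict, wordlist, iterations: int = ITERATIONS) -> dict:
    """Salts defeat shared precomputation: users x words x iterations of work."""
    cracked = {}
    for user, (salt, digest) in table.items():
        for word in wordlist:
            if slow_hash(word, salt, iterations) == digest:
                cracked[user] = word
                break
    return cracked


def make_tables(users: dict):
    """Build the two 'leaked' tables for the same users."""
    unsalted = {user: fast_hash(pw) for user, pw in users.items()}
    salted = {}
    for user, pw in users.items():
        salt = os.urandom(16)              # unique per user, stored beside the hash
        salted[user] = (salt, slow_hash(pw, salt))
    return unsalted, salted


def guesses_per_second(hash_fn, samples: int = 20) -> float:
    """Rough single-core throughput of a scheme, for comparison only."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}")
    return samples / max(time.perf_counter() - start, 1e-9)


# Constructed leaked credential set: two weak passwords, one strong one.
USERS = {"alice": "fluffy1999", "bob": "Summer2021", "carol": "Tr0ub4dor&3!x9"}
UNSALTED_TABLE, SALTED_TABLE = make_tables(USERS)

if __name__ == "__main__":
    print("unsalted SHA-256 cracked:", crack_unsalted(UNSALTED_TABLE, WORDLIST))
    print("salted PBKDF2 cracked:   ", crack_salted(SALTED_TABLE, WORDLIST))
    fast = guesses_per_second(fast_hash)
    slow = guesses_per_second(lambda pw: slow_hash(pw, b"fixed-salt"))
    print(f"guesses/s: sha256 {fast:,.0f} vs pbkdf2 {slow:,.0f} ({fast / slow:,.0f}x slower)")
```

Carol's password survives both attacks only because it is not on the wordlist, which is the user-side lesson; the service-side lesson is that the unsalted table is cracked with seven hash computations in total, while the salted one needs a separate PBKDF2 run per user and per guess.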
Recent Examples of Cyber Attacks Against Small Businesses
As attackers automate their operations, it's easy for them to hit hundreds or thousands of small businesses at once. Small businesses typically have weaker technical defences, less awareness of threats, and less time and money to put into cybersecurity, which makes them an easier target than larger organisations.
At the same time, they are no less lucrative targets. Even the very smallest businesses handle large sums of money or hold substantial amounts of customer data, which regulations such as GDPR oblige them to protect. Small businesses also supply larger companies, so attackers use them as a stepping stone into those companies' networks.
Cyber risk is rising for business leaders: 68% believe their risks are increasing, and 54% of businesses admit that their IT departments lack the experience to manage complex cyber attacks.
In the post-COVID era the risk picture has changed. More businesses are moving to a bring-your-own-device model, and a large number of applications are in use across the company as well as on personal devices.
Too many people hold access they do not need, and many remain signed into applications they haven't used in months. Every unused account and unnecessary permission is an extra way in, and together they make small and mid-size businesses easy prey.
43% of all data breaches are caused by insiders, whether on purpose or not. A staggering 42% of companies are experiencing cyber fatigue or a sense of apathy toward proactively defending against digital attacks.
The cost of cyber security assessment is just one of the many reasons why necessary steps are often ignored by small businesses. The security plans stay put in the pipeline for months while the companies try to mitigate the burgeoning risk with antiviruses and other inexpensive modes of cyber defense.
In 2021, personal data was stolen in 45% of all breaches. In 2021, the average cost of a data breach was an unprecedented $4.24 million.
In 2021, the average time it took to identify a data breach was 212 days. In 2021, the average organization took 286 days to identify and contain a breach.
Companies that suffer data breaches see a sharp decrease in repeat customers, with 55% of people in the U.S. saying they would take their business elsewhere.
A recent report found that 50% of small businesses needed more than 24 hours to recover from an attack, and over 51% said their website had been inaccessible for 8 to 24 hours.
If your small business falls victim to ransomware, there is a 51% chance you will pay. Worse, three-quarters (75%) of small businesses say they could not survive a ransomware attack, so for most of those hit, bankruptcy would soon follow.
A staggeringly low 17% of small businesses have cyber insurance. 48% of all companies waited until they experienced an attack before buying insurance. 64% of small businesses are unfamiliar with cyber insurance.
How to Implement a Risk Management Framework
A risk management framework (RMF) is a structured method for identifying possible threats to an organisation and defining a strategy for eliminating or reducing the impact of these risks, as well as tools for effectively monitoring and evaluating this approach.
RMFs allow a company to acquire a comprehensive picture of its total risk level. RMFs are frequently used by corporations to establish risk management strategies because they give a suitable starting point for analyzing obstacles, defining actions, and evaluating the outcomes of a plan. A good RMF attempts to protect the organization’s capital base and earnings while not impeding expansion. Furthermore, investors are more willing to invest in companies with good risk management practices and this generally results in lower borrowing costs, easier access to capital for the business and improved long-term performance.
The steps to establishing a risk management program include:
- Implement a Risk Management Framework based on the Risk Policy
When developing the firm’s risk management framework, consideration should be given to the services offered, marketing and communication, staff and human resources issues, information and resource management, regulatory obligations, IT issues and security, succession planning, acceptance and continuance of clients and cash flow management.
- Establish the Context
Consider the goals and objectives of the firm and the environment in which it operates (e.g. cultural, legal and operational). Identify internal and external stakeholders (e.g. clients, personnel, consultants, agents, internal systems, third parties, suppliers, etc.).
- Identify Risks
Identify existing and potential risks as well as existing controls. The potential risks can be categorized as services performed, contract risk, acceptance or continuance risk and performance risk.
- Analyze and Evaluate Risks
Analyze and evaluate the risks on a continuing basis. This involves a comparison of exposure levels against a predetermined tolerance level, the degree of control, potential or actual losses and benefits and opportunities presented by the risk. One of the simplest models to identify the cost of the controls and their adequacy is to consider the likelihood of occurrence of an event and the consequences of that event e.g. Risk = Likelihood x Consequence.
In assessing the level of the risk and identifying high and low risks, the process should include the firm’s existing and anticipated areas of practice; the composition, experience and expertise of the firm; the management and internal control procedures; the likelihood of being sued and the process to assess new and existing clients.
When assessing the kind of risks the firm is exposed to, it is important to consider both the internal risks and the external risks. Internal risks may include staff, the business premises and location, threats to goodwill and reputation and information technology. External risks may include clients and both current and potential competitors.
- Treat and Manage Risks
Develop strategies to manage the identified risk. Options can include accepting, avoiding, transfer (in part or full), reducing the likelihood and/or consequence and retaining the risk. Action plans can be developed based on the current levels of risk exposure, benefits from actions/ controls, the duration of time to implement actions and the available budget.
In areas identified as high risk, actions may include reconsidering that area and its development, retraining staff and reviewing the engagement with clients. Risk management procedures can include:
- Clarity on the terms of the engagement;
- Obtaining adequate insurance and controlling claims once they have occurred;
- Maintaining accurate documentation;
- Ensuring timeliness of action and diary systems;
- Only practicing in those areas where there is sufficient expertise; and
- Implementing strict selection criteria for clients and consultants or agents used.
Role of Cybersecurity Training Programs to Spread Awareness
Cybersecurity awareness training is an integral part of any company’s cybersecurity strategy. It helps employees understand the risks of working in a digital environment and how they can mitigate those risks.
Security awareness training is the process of educating people to understand, identify, and avoid cyber threats. The ultimate goal is to prevent or mitigate harm—to both the organization and its stakeholders—and reduce human cyber risk.
The importance of cybersecurity awareness training for your employees and organization are:
- It helps keep your organization’s data safe by ensuring all your employees are aware of some basic security practices.
- It teaches employees how to identify, avoid and report common cyber threats.
- It helps them understand how attackers use social engineering, such as phishing emails that harvest credentials or deliver ransomware, to steal personal information or compromise company systems.
- Improves productivity by reducing downtime from malware infections caused by poor computer hygiene practices, which can cause significant problems for businesses with multiple employees who share computers.
- Last but not least, it helps organizations save time and money instead of reeling under the aftermath of a malicious cyberattack.
Introduction to Cybersecurity Regulations And Standards (GDPR and HIPAA)
A growing number of cyber security regulations are creating a complex web of compliance requirements for organizations around the world. In analyzing the massive and escalating volume of regulation, a couple of themes emerge loud and clear.
Many elements of cybersecurity regulations are directed at establishing accountability and responsibility to ensure that senior leadership in companies are treating security and risk issues seriously and strategically. Many regulations stipulate information security requirements and controls that organizations must have in place to safeguard customers’ personal data from risk of misuse, unauthorized access, and theft.
Additionally, under many cyber security regulations, organizations are now liable for the actions or failings of their vendors and third parties. These regulations recognize the risk within supply chains and the importance of having effective risk management processes to support privacy obligations and information passed on to third parties.
While both HIPAA and GDPR govern how personal information is used, their scopes are vastly different.
HIPAA applies to healthcare organisations and their handling of protected health information in the United States. GDPR is a much broader law: it governs any organisation, in any sector and wherever it is based, that processes the personal data of people located in the EU (and, through the near-identical UK GDPR, the UK).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US law that limits the use of protected health information (PHI) by healthcare organizations, which it refers to as covered entities.
A covered entity can be any of the following:
- Health plans: Includes health insurance companies, company health plans, etc.
- Healthcare clearinghouses: Any entity that processes nonstandard health information received from another entity into a standard format
- Healthcare providers: Includes doctors, dentists, clinics, pharmacies, etc.
HIPAA defines PHI as individually identifiable health information: anything that relates to a person's health, their care, or payment for that care and can be tied to the person, such as billing records, insurance account details, medical histories, mental health diagnoses, or laboratory results.
While HIPAA doesn’t have a certifying body or official certification, it’s enforced by the US Department of Health and Human Services’ Office for Civil Rights (OCR). Cases of non-compliance or violations can result in fines and penalties, as well as a damaged reputation.
Any covered entity or business associate of a covered entity is legally required to be HIPAA compliant. The process involves performing routine technical and nontechnical evaluations to ensure compliance against HIPAA’s three main rules:
- Privacy rule
- Security rule
- Breach notification rule
The General Data Protection Regulation, or GDPR, became enforceable on May 25, 2018, and is one of the most stringent data privacy and security laws in the world.
It applies to any organisation that offers goods or services to, or monitors the behaviour of, people in the EU or the UK, regardless of whether it physically operates in those jurisdictions. The law's own term is "personal data", defined as any information relating to an identified or identifiable person; this article uses the broadly equivalent term personally identifiable information (PII).
Under the GDPR, organizations are required to safeguard and provide documentation of the protocols used to protect PII. The documented steps should cover the following:
- Consent: Where consent is the lawful basis for processing, it must be freely given, specific and informed, and it must be requested afresh whenever the data is used for a new purpose. The GDPR prohibits burying consent in confusing terms and conditions, and withdrawing consent must be as easy as giving it.
- Breach notifications: Organisations must report a personal data breach to their supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay (Article 34).
- Right to access: Individuals can ask what personal data an organisation holds about them, why it is processed and with whom it is shared, and obtain a copy, normally within one month.
- Right to be forgotten: Unless there is a legal reason for retaining it, organisations must erase an individual's personal data without undue delay on request and pass the request on to any third parties with whom the data was shared.
- Privacy by design and data minimisation: Systems must be built with data protection designed in from the start, and organisations may collect and process only the personal data needed for the stated purpose.
- Data protection officers: Certain organisations must appoint a data protection officer (DPO) to oversee GDPR compliance. The DPO advises on obligations, monitors compliance and acts as the contact point for the supervisory authority.
Regardless of size, an organization must appoint a DPO if:
- It is a public authority or body
- Its core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale
- Its core activities consist of large-scale processing of special categories of data and/or personal data relating to criminal convictions and offenses
Controlled access to sensitive information, organisational accountability for privacy, and detecting unauthorised changes to personal information are among the requirements HIPAA and GDPR share. Their differences matter more in practice.
Below are three key differences that may help you work out which regime applies to you and what it demands.
1. Consent
One primary difference is that HIPAA allows PHI to be disclosed without the patient's consent in defined circumstances, whereas GDPR requires a lawful basis for every use of personal data and, for health data, an additional condition such as the individual's explicit consent.
Under HIPAA, healthcare providers may share PHI with other providers and with business associates for treatment, payment, and healthcare operations without the patient's authorisation.
Under GDPR, any processing beyond what is necessary to deliver the service the individual asked for must rest on a separate lawful basis, and for health data that usually means the individual's explicit consent or a specific medical or public-health exemption.
2. RBF – right to be forgotten
Another key difference is the right to be forgotten. GDPR gives data subjects the right to have their personal data erased; HIPAA has no equivalent provision. Patients can ask for their records to be amended, but not deleted.
3. Data breaches
Breach handling is the third key difference, and the one healthcare providers trying to keep patient care running worry about most.
Under the HIPAA Breach Notification Rule, covered entities and business associates must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. If 500 or more people are affected, the Office for Civil Rights (OCR) and prominent media outlets must be notified within the same 60-day window; smaller breaches are logged and reported to OCR within 60 days of the end of the calendar year in which they were discovered.
Under GDPR the clock is much shorter. Article 33 requires a breach to be reported to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and Article 34 requires the affected individuals to be told without undue delay when the risk to them is high.
Cybersecurity Best Practices For Small Businesses
According to the FBI, 10,000 small businesses across America are targeted by hackers every day. This may be because they have not set up their security properly or because the hackers are trying to use them as a back door to get into other, bigger businesses.
Let’s look at why this can be dangerous for you.
Protection Of Sensitive Information
As a business, you will most likely be storing sensitive information about your customers and your employees. Hackers can get hold of this information and sell it or use it against the victims.
You also risk breaking data protection and GDPR rules if hacked. These can result in big fines for you and your business.
Potential Money Loss
86% of hacks on small businesses were financially motivated in 2020. The hackers may be looking for banking information (of your business or your customers) to steal money that way.
Or they may install malware and demand a ransom. They target small businesses with this technique because it is often cheaper for small businesses to pay the ransom than deal with the consequences of not doing so.
How can your business avoid being a victim of a cyber-attack? Here are 8 cybersecurity best practices for the business you can begin to implement today.
1. Use a firewall
One of the first lines of defence against a cyber attack is a firewall. The Federal Communications Commission (FCC) recommends that all SMBs set up a firewall to provide a barrier between their data and criminals. The useful default is to block all inbound connections and allow only the services you deliberately expose. In addition to the perimeter firewall, many companies now add internal firewalls to segment their networks so that one compromised machine cannot reach everything else. Employees working from home should run a firewall on their home network too; consider providing firewall software and support for home networks to ensure compliance.
2. Document your cybersecurity policies
While small businesses often operate by word of mouth and institutional knowledge, cybersecurity is one area where it is essential to document your protocols. The Small Business Administration (SBA)'s Cybersecurity portal provides online training, checklists, and information specific to protecting online businesses. The FCC's Cyberplanner 2.0 provides a starting point for your security document. Consider also participating in the C3 Voluntary Program for Small Businesses, which contains a detailed toolkit for determining and documenting cybersecurity best practices and policies.
3. Plan for mobile devices
With 59 percent of businesses allowing BYOD, according to the Tech Pro Research 2016 report "BYOD, Wearables and IoT: Strategies, Security and Satisfaction", it is essential that companies have a documented BYOD policy that focuses on security precautions. With the increasing popularity of wearables such as smartwatches and fitness trackers with wireless capability, it is essential to include these devices in the policy. Norton by Symantec also recommends that small businesses require employees to set up automatic security updates and apply the company's password policy to all mobile devices accessing the network.
4. Educate all employees
Employees often wear many hats at SMBs, making it essential that all employees accessing the network be trained on your company’s network cyber security best practices and security policies.
Since the policies are evolving as cybercriminals become savvier, it’s essential to have regular updates on new protocols. To hold employees accountable, have each employee sign a document stating that they have been informed of the policies and understand that actions may be taken if they do not follow security policies.
5. Enforce safe password practices
Yes, employees find changing passwords to be a pain. However, the Verizon 2016 Data Breach Investigations Report found that 63 percent of data breaches happened due to lost, stolen or weak passwords. According to the Keeper Security and Ponemon Institute Report, 65 percent of SMBs with password policies do not enforce it. In today’s BYOD world, it’s essential that all employee devices accessing the company network be password protected.
In the Business Daily article “Cybersecurity: A Small Business Guide,” Bill Carey, vice president of marketing and business development at Siber Systems, recommended that employees be required to use passwords with upper- and lowercase letters, numbers and symbols. He says that SMBs should require all passwords to be changed every 60 to 90 days.
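A policy is only enforced if the system that sets passwords actually checks them. The check below is an added example, not code from the original article: it implements the advice given earlier on this page (reject common passwords, anything guessable from personal details such as a birthday or pet's name, and reuse of a previous password) together with a minimum length. The 12-character threshold and the tiny common-password list are assumptions; in production the list should be a full breached-password corpus, which is what NIST SP 800-63B recommends screening against, alongside favouring length over forced character classes. The names, dates and passwords are constructed.

```python
"""Password acceptance check for a small-business account system.

Added example, not from the original article. MIN_LENGTH and
COMMON_PASSWORDS are assumed stand-ins for a real policy and breach list.
"""
import hashlib
from datetime import date
from typing import Iterable, List, Optional

MIN_LENGTH = 12  # assumed policy threshold

# Constructed stand-in for a breached/common password list (lower-case).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein", "welcome", "iloveyou"}

_TRAILING = "0123456789!@#$%^&*._-"  # 'password1!' should still count as 'password'


def fingerprint(password: str) -> str:
    """Digest used only to compare against previous passwords.
    A real system would use the same salted slow hash it stores logins with."""
    return hashlib.sha256(password.encode()).hexdigest()


def _personal_tokens(username: str, full_name: str, birthday: Optional[date], pet: Optional[str]) -> set:
    """Strings an attacker could learn from social media or the company website."""
    tokens = {part.lower() for part in [username, pet, *full_name.split()] if part and len(part) >= 3}
    if birthday:
        tokens.update({birthday.strftime(fmt) for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%Y%m%d")})
    return tokens


def check_password(candidate: str, username: str, full_name: str,
                   birthday: Optional[date] = None, pet: Optional[str] = None,
                   previous_fingerprints: Iterable[str] = ()) -> List[str]:
    """Return the policy failures for `candidate`; an empty list means it is accepted."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or lowered.rstrip(_TRAILING) in COMMON_PASSWORDS:
        problems.append("on the common/breached password list")
    for token in sorted(_personal_tokens(username, full_name, birthday, pet)):
        if token in lowered:
            problems.append(f"contains personal information ({token})")
            break
    if len(set(lowered)) < 5:
        problems.append("too repetitive")
    if fingerprint(candidate) in set(previous_fingerprints):
        problems.append("reused from a previous password")
    return problems


if __name__ == "__main__":
    history = [fingerprint("Winter2020-Bookkeeping")]
    for pw in ["password1!", "Fluffy-loves-walks", "Winter2020-Bookkeeping",
               "correct horse battery staple"]:
        verdict = check_password(pw, "jsmith", "Jane Smith", date(1990, 5, 17), "Fluffy", history)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The function returns every failure rather than the first so the user sees the whole reason a choice was rejected; the personal-information tokens come from data the business already holds in its HR system, which is exactly the data an attacker harvests from social media before guessing.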
6. Regularly back up all data
While it's important to prevent as many attacks as possible, you can still be breached regardless of your precautions. The SBA recommends backing up word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Be sure to also back up data stored in the cloud. Store backups in a separate location in case of fire or flood, and keep at least one copy offline or on storage that the backup process cannot overwrite: ransomware routinely encrypts or deletes any backup it can reach over the network. To be sure you will have a usable backup when you need it, test it regularly by restoring from it and checking that the restored files are complete and intact, not just that the backup job reported success.
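Testing a backup means restoring it and comparing the result with what was backed up, not just watching the backup job finish. The script below is an added example, not code from the original article or the SBA: it backs a folder up to a compressed archive alongside a manifest of SHA-256 hashes, then proves the archive restores correctly by extracting it to scratch space and re-hashing every file. Everything runs inside temporary directories the script creates, and the "company files" (an invoice CSV and a payroll placeholder) are constructed. The second half of `demo` shows the same check used against a later backup: comparing a new archive with the previous, trusted manifest is how you notice that files which should never change (last year's invoices) have been rewritten overnight.

```python
"""Back up a folder with a SHA-256 manifest and verify it by restoring.

Added example, not from the original article. All paths are temporary
directories created here; the sample files are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, dest: Path) -> Path:
    """Write dest/backup.tar.gz and dest/manifest.json; return the archive path."""
    manifest = build_manifest(source)
    archive = dest / "backup.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname="data")
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return archive


def verify_backup(archive: Path, manifest_path: Path) -> List[str]:
    """Restore the archive to scratch space and compare it with a trusted manifest.
    Returns a list of problems; an empty list means the backup restores intact."""
    expected = json.loads(manifest_path.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive)) as tar:
            try:
                tar.extractall(scratch, filter="data")   # refuses path traversal (3.12+, backported)
            except TypeError:                             # older Python without the filter argument
                tar.extractall(scratch)
        actual = build_manifest(Path(scratch) / "data")
    for name, digest in expected.items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"corrupted: {name}")
    problems.extend(f"unexpected: {name}" for name in sorted(actual.keys() - expected.keys()))
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Back up constructed files, verify, then show the check catching a rewritten file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "company"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2021-07.csv").write_text("invoice,amount\n4471,1200.00\n")
        (source / "payroll.xlsx").write_bytes(b"PK\x03\x04 constructed placeholder")

        monday = root / "backup_monday"
        monday.mkdir()
        clean_result = verify_backup(create_backup(source, monday), monday / "manifest.json")

        # Simulate ransomware rewriting an archived invoice before the next backup run.
        # Checking Tuesday's archive against Monday's trusted manifest exposes it.
        (source / "invoices" / "2021-07.csv").write_text("ENCRYPTED-BY-RANSOMWARE")
        tuesday = root / "backup_tuesday"
        tuesday.mkdir()
        tampered_result = verify_backup(create_backup(source, tuesday), monday / "manifest.json")
    return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = demo()
    print("Monday backup:", clean or "restores intact")
    print("Tuesday backup vs Monday manifest:", tampered)
```

Keep the manifest with the offline copy rather than only next to the archive: if both live on the same network share, the ransomware that encrypts the archive can rewrite the manifest to match.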
7. Install anti-malware software
It's easy to assume that your employees know never to open phishing emails. However, the Verizon 2016 Data Breach Investigations Report found that 30 percent of phishing messages were opened, a 7 percent increase from 2015. Since many phishing attacks drop malware on the employee's computer when the link or attachment is opened, it's essential to have anti-malware software installed on all devices and on the network, though it is a backstop for the inevitable click rather than a substitute for training and patching.
8. Use multifactor authentication
Regardless of your preparation, an employee will likely make a security mistake that can compromise your data. In the PC Week article “10 Cyber Security Steps Your Small Business Should Take Right Now,” Matt Littleton, East Regional Director of Cybersecurity and Azure Infrastructure Services at Microsoft, says using the multi-factor identification settings on most major network and email products is simple to do and provides an extra layer of protection. He recommends using employees’ cell numbers as a second form since it is unlikely a thief will have both the PIN and the password.
Security is a moving target. Cybercriminals get more advanced every day. In order to protect your data as much as possible, it’s essential that each and every employee make cyber security a top priority. And most importantly, you stay on top of the latest trends for attacks and the newest prevention technology. Your business depends on it.