Could you afford to lose $117,000? According to one estimate, that's how much a digital data breach can cost a small business. Add to that startling number the fact that it takes an average of three days to stop a cyberattack, and the potential financial and operational damage becomes worryingly real.
"All of a sudden you're bouncing checks because you thought you had a couple thousand dollars in your account," Green Bay Police Department Capt. Jeremy Muraski explained while discussing the fallout for a local business that found itself in a hacker's crosshairs. "All your bills go out, get paid, but there's no money to support it, so then you have a bunch of creditors after you. So it leaves kind of a trail of destruction in its wake, for sure."
Cyberattacks on small businesses are on the rise: In 2017, a shocking 61 percent of U.S. small businesses surveyed said they'd been a target of a cyberattack, compared with 55 percent in 2016. The most common security problem? Phishing and other forms of social engineering, usually involving a criminal posing as a legitimate organization who tries to obtain sensitive information, such as a password, through an email, text, or phone call. For the businesses surveyed, the costs of repairing the damage from a successful attack was high: more than $1 million.
Of course, big companies are at risk, too. But cybersecurity "represents an especially pernicious threat to smaller businesses," a report from the Securities and Exchange Commission states. "The reason is simple: Small and mid-size businesses are not just targets of cybercrime; they are its principal target."
Bigger businesses have their cyber acts together, with security policies and protocols in place, so cybercriminals are turning their attention to smaller, more vulnerable, enterprises. On top of this, smaller operations are less likely to be able to afford full-time cybersecurity staffers. This makes it harder to both diagnose potential weaknesses and find the cause of an attack when there is one.
Without the luxury of a board or teams of lawyers and consultants, startups need to know how to protect corporate information, intellectual property, and confidential data. But it seems small businesses aren't yet taking this issue seriously enough. A loss of $117,000 may not be a big problem if a company has the right insurance in place, but just 21 percent of small businesses say they have insurance, and more than half of those without it said they had no intention of getting any. When asked the same question, just 9 percent of large businesses were as care-free.
To get cyber-smart, small businesses need to focus on the threats that are specific to their size and specialty.
"It seems like this big thing — 'I'm supposed to be doing everything,'" says Michael Kaisser of the National Cyber Security Alliance. "The fact is, you don't have to do everything. You have to do what's important for your business and you have to make cybersecurity relevant for your situation."
Small businesses should start with the basics: All company computers need anti-virus and anti-spyware programs, and this software needs to be regularly updated. Employees are often the weak spot, so if they are using a company Wi-Fi network, make sure it's secure and that their passwords are strong and regularly updated. Adding two-factor authentication, which uses a password and an additional piece of information that only the account holder has, can help block cybercriminals' attempts to gain access. Unfortunately for small firms, some of the things they hope will save them time and money might open them up to cyberattacks. Take computers and cell phones: Asking staff to use their own for work purposes can cut costs and boost productivity, but is riskier in cybersecurity terms.
If you share business or customer data with suppliers or partners, you need to make sure they have the right cybersecurity in place, too.
If you can't afford to keep a cybersecurity expert on staff, think about bringing one in for certain projects or to review your systems and processes on an ad hoc basis. This way you can tap into their specialist knowledge and ensure you're up-to-date with the latest security measures without having to shell out for someone full-time.
Data needs to be regularly and remotely backed up so anything lost in a ransomware attack or breach can be easily recovered. If it's stored somewhere else then there's nothing for cybercriminals to hold ransom. Educate your employees, too — they need to understand just how important that data is and why it needs such sensitive handling.
If it happens to you, act quickly. The affected systems will need to be taken offline, and it's important to inform your customers as soon as possible. This might be part of a larger attack, so you'll want to tell local authorities what's happened.
"When you're in a crisis situation is not the time to develop a plan," Diana Burley, internet security specialist and George Washington University professor, tells CBS. It's best to practice how you might respond to a data disaster and establish what your recovery plan is ahead of time. Thinking this won't happen to you because you're too small is no longer a defense.