The cyberattacks that generate the most headlines are often the ones that target large, prominent corporations like T-Mobile, Sony and American Airlines.
But hackers don’t spend all of their energy going after those big, shiny targets. Small businesses are becoming the primary victims of cyberattacks, and they often aren’t equipped to ward them off.
In the past year, small businesses experienced a 28 percentage point increase in cyberattacks, according to the Identity Theft Resource Center’s “2023 Business Impact Report.” Yet just 50 percent of the small businesses surveyed reported that they had taken steps to prevent future attacks.
Part of the reason for the lack of cybersecurity initiative may be that these businesses don’t feel they have the resources to launch a full-scale defense. Many small businesses often can’t afford compliance, legal or even HR departments, much less a strong IT team that works relentlessly to repel cyberattacks.
The data on the types of businesses surveyed by the ITRC illustrates why this might be so. The survey included businesses with up to 500 employees, but many were much smaller than that. Some of the businesses were solo entrepreneurs and nearly one-fourth had just one to five employees.
4 Cybersecurity Measures That Don’t Break the Budget
- Train all employees in cybersecurity best practices.
- Keep everything updated.
- Limit the data your business collects.
- Prepare to accept reusable, verifiable digital IDs in the future.
Another reason that many of the small business owners might not have taken any added security measures is that, despite the uptick in attacks on small businesses, they “continue to project an air of extreme confidence about their ability to respond to the threats they face and the options for recovery when an attack is successful,” the ITRC report says.
Unfortunately, most businesses aren’t equipped to serve as a fortress against cyber criminals. Those criminals are relentless, so the defenses need to be relentless as well. One slip-up and the bad guys are in, wreaking havoc, stealing data and potentially taking the company’s systems hostage.
Still, just because small businesses have limited resources doesn’t mean they should surrender. There are steps they can take to improve their defenses that don’t require a fully dedicated cybersecurity team.
4 Steps SMBs Can Take to Improve Cybersecurity
1. Train All Employees in Cybersecurity Best Practices
Cybersecurity is everyone’s responsibility, and cybercriminals are adept at targeting random employees by email or text message in hopes of tricking them into letting down the company’s defenses. Employees need to be alert to such phishing efforts and other tactics that give hackers a way to circumvent antivirus software and other protections.
Make sure employees understand that they shouldn’t click on attachments they didn’t expect, even if the email or text appears to be coming from a trusted source. And don’t provide this lesson just once and think the mission is accomplished. People forget.
Set regular reminders for employees to be on the lookout for these phishing expeditions and let them know to report anything suspicious. It may seem simple, but it works. According to the ITRC survey, of the 50 percent of businesses that took steps to prevent future breaches, 65 percent said they had provided new training for employees.
2. Update Everything
Make sure any antivirus software you use has the latest updates. Also, remind employees that their passwords should not be something a hacker can easily guess. Longer passwords with a mixture of letters, numbers and symbols are best. One option is to adopt verification systems that require "genuine presence" similar to facial ID in your smartphones.
Small businesses also need to understand that the perpetrators aren’t always external attackers launching a virtual assault from some far-flung locale. Thirty percent of cyberattacks in the ITRC report were caused by malicious insiders. Other breaches came from third-party vendors being attacked. Consider implementing continuous evaluation of your workforce post-hire.
3. Limit the Data You Collect
Cybercriminals can’t steal what’s not there. Businesses often collect and store all types of personal identifiable information from their customers that becomes a target for cyber thieves. The less data that you collect and store, the less you are putting customers at risk of identity theft, and the less your company is at risk of liability.
Businesses should review what it is they collect and decide whether some of that information is unnecessary. Do you really need a customer’s Social Security number? Is there another way to verify their identity? By limiting the data they collect and store, small businesses can make themselves less attractive to cyberattacks, and incur less damage if an attack does happen.
4. Prepare to Accept Reusable, Verified Digital IDs in the Future
With a reusable digital ID, small businesses wouldn’t be responsible for storing their customers’ personal data. People would only need to supply their personal data once, at the time the ID verification is performed by an independent issuer.
They would then use that reusable ID for all interactions when any business needs to verify their identity. This would eliminate the need for re-entering Social Security numbers, date of birth, driver’s license or other information into online or paper forms. Consumers and employees would have fewer worries that their information would be stolen, and businesses would have the ID verification they need without the added responsibility and liability of collecting, storing, and protecting that data from the seemingly endless efforts of cybercriminals.
Yes, small businesses often have limited resources for warding off the evil intent of cybercriminals. But with a few proactive efforts, they can at least make those criminals’ jobs a lot more challenging and a lot less successful.
