Cyber attacks on small and mid-size businesses (SMBs) are here to stay – but many SMBs still face challenges when it comes to building effective defences.
Unfortunately, strong cyber security remains out of reach for many organizations and some may not fully realize they’re a major target.
In fact, a recent study sponsored by the Insurance Bureau of Canada (IBC) found that nearly half of all surveyed SMBs aren’t putting any operating budget into cyber defences. This is great news for hackers but very bad news for organizations looking to protect their bottom line.
The fact of the matter is that businesses of every size need to be aware of cyber security more than ever before. Here are six reasons why your cyber defence should be a top-of-mind concern – plus a few best practices you can put into play immediately to improve your security.
1. Cyber criminals want your data
There’s an assumption among many SMBs that they don’t have any data worth stealing. In fact, one survey found that 82% of small and mid-size business owners reported believing they’re not targets for a cyber attack.
On the contrary, SMBs fall into a sweet spot for cyber criminals. These organizations collect significant amounts of personally identifiable information (PII), financial credentials, and intellectual property (IP). In some cases, the volume of data may even rival large enterprises, but without the defences these organizations typically have.
As such, SMBs are highly valuable targets in the eyes of cyber criminals. They’re often more willing to pay attackers or otherwise meet their demands to get their operations back up and running as soon as possible – paying an attacker may be cheaper than paying recovery costs, in some cases. Unfortunately, an SMB’s relatively limited defences mean that a successful attack will have a far greater impact.
That recent IBC study also found that 41% of SMB cyber attack victims paid costs of at least $100,000. That’s a steep price, especially for smaller organizations.
Best practice: back up and defend your data
Back up your data to an external hard drive, a cloud backup service, or another secure location that is not connected to your network and not reachable by an attacker who gets onto it. Regular backups minimize operational downtime after a cyber attack, helping you and your employees get back on track faster.
2. Digital transactions are a major target for cyber crime
Ongoing digital transformation has enabled SMBs to scale their operations and enter new markets. Digital payment options have been increasing over the past few years, but the global COVID-19 pandemic has accelerated this shift forward.
As payments have gone digital, cyber threats are keeping pace. Businesses that conduct transactions online, whether B2B or B2C, store a wide range of confidential data, highly valuable to attackers.
This data could be used to commit further financial fraud or identity theft, or be sold outright on dark web markets to other criminals.
There are even specific, targeted cyber threats emerging aimed at online stores. E-skimming, for example, occurs when a cyber criminal accesses a store’s web server and begins intercepting financial transactions. These attacks may even focus on a server that supports several businesses – imagine a hacker targeting the provider of a digital storefront solution and compromising several SMBs all at once.
The threat is real and growing – the Canadian Centre for Cyber Security reported that Canadians lost $43 million to cyber crime fraud in 2019 alone, though they suspect the actual total is higher.
Best practice: check and maintain cyber hygiene
SMBs that accept online payments should make ongoing efforts to keep their payment systems and IT network in strong cyber hygiene. This means updating and patching all payment software, using strong passwords backed by multifactor authentication (MFA), and monitoring the network continuously to spot cyber threats early.
3. Cyber security regulations continue to mature
Countries and industries continue to develop cyber security regulations and guidelines to protect confidential data and individual privacy.
For example, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all private-sector organizations in the country that collect, use, or disclose PII for commercial purposes.
But business isn’t bound by borders. SMBs that operate internationally will find themselves in scope of other major regulations. If you have customers in the European Union, for example, then you also need to adhere to the General Data Protection Regulation (GDPR).
These regulations carry certain expectations for how companies protect PII and other data, which in turn sets expectations for cyber security. Noncompliant organizations may be subject to fines or legal action.
Best practice: continuously assess and improve cyber security
Unfortunately, there is no one-size-fits-all approach for regulatory compliance. Meeting the requirements of each law and regulation means reviewing each clause and measuring how your efforts compare. The good news is that by improving your overall security posture, you’ll likely find that your business will be closer to full compliance.
4. The human element
No matter the size of a business, the weakest link is often the end user. Careless or unaware employees and contractors continue to be a major cyber security risk, with one study finding that 39% of respondents consider employee negligence their top vulnerability.
It’s completely understandable: unless you’ve had the right training, it’s hard to spot increasingly sophisticated phishing emails designed to trick even the most diligent employees. Hackers frequently target employees and end users as an access point to the wider IT network.
What’s worse, phishing as a tactic is evolving and becoming harder to detect. Cyber criminals have started using new platforms such as social networking sites, file-sharing services, and instant messaging applications to carry out their phishing scams.
Best practice: train your employees
Investing in regular cyber security awareness training will help employees recognize common cyber security attack techniques while giving them the knowledge they need to respond effectively. Training should ideally cover everything from password management and cyber security best practices to regulatory responsibilities and what to do in the event of an attack.
5. Third-party vendors may introduce cyber risks
SMBs working with third-party vendors may be exposed to cyber risks from those vendors. Even if you’ve taken the time and effort to securely configure your IT infrastructure and deliver awareness training to employees, that doesn’t mean your vendors have done the same thing.
A major data breach impacting thousands of Target department stores started with a malware infection across point-of-sale (POS) systems. Analysis of the breach revealed that attackers were able to access the POS systems by stealing credentials from one of Target’s third-party vendors.
Best practice: assess third-party vendor security
Take the time to determine what your vendors do to maximize security on their end and verify whether they have cyber threat monitoring solutions in place. Ask existing and prospective vendors about the steps they’re taking to educate and train employees on cyber security best practices. Start including data breach notification requirements in your contracts. You may also want to discuss security expectations with your vendors to ensure you’re on the same page.
6. Bring-your-own-device and remote work policies
Many businesses simply don’t have the IT budget to provide new staff with their own devices. As such, many organizations have a de facto bring-your-own-device (BYOD) policy, while others have chosen this approach as standard.
But each new device on your office’s network presents a potential avenue of attack. These devices may be out of date, already compromised, or otherwise vulnerable to attack.
Similarly, hybrid work policies – with a combination of in-office and remote work options – introduce risks of their own. Even a work-approved device on a home network could be exposed to new threats; an attacker looking to compromise corporate data may have a harder time breaching your office’s defences, but a home office won’t necessarily have the same protections in place.
Best practice: continuous threat monitoring
Most businesses today aren’t equipped to detect and defend against cyber threats, and the growing attack surface created by remote workers makes this harder still. In situations like these, holistic monitoring and detection solutions can provide the visibility needed to protect SMBs from cyber threats and help improve the security of your business.