It's been obvious for a while now that the internet is a dangerous place. Individuals are targets for harassment and abuse. Content creators have to deal with stalkers tracking them down offline. Kids have to look out for strangers looking for ways to exploit them. All in all, it's not a pleasant environment.
Those dangers are well known, and most users try to take steps to protect themselves. But there's one group that faces danger online every day and doesn't seem to notice, care, or even attempt to mount a defense. I'm talking, of course, about small businesses.
Every year, small businesses are the top target for cyberattacks. And every year, small businesses seem to go on their merry way without doing much to address the risk. For proof, look no further than a recent survey that indicated that 56% of small business owners weren't concerned with being a victim of a cyberattack in the next 12 months. And 24% of them even reported not having any concern at all!
One wonders if the survey respondents bother to lock their businesses' front doors at night.
And the most frustrating thing about this is the fact that improving small business cybersecurity isn't hard. With just a minimum of effort, the average company could dramatically reduce its risk of being victimized. Here's how.
A chain is only as strong as its weakest link. This is also true of small business cybersecurity, and the bad guys know it, too. That's why they target rank-and-file employees, looking for an easy way into a business's protected systems. According to the 2021 Verizon Data Breach Investigations Report, 85% of data breaches in 2020 involved some kind of human element.
Their weapon of choice when doing this is phishing. This is when an attacker uses a spoofed or otherwise altered email, phone call, or another communication method to trick an employee into divulging sensitive information. And the reason it's so effective is that most businesses don't bother to educate their employees about the threat or define clear policies around security.
All a small business needs to do to fix this is to establish clear rules about what kind of information employees may divulge via email, phone, and other modes of business communication. Then, make a violation of those rules a fireable offense. That alone will lower the risk of anyone carrying out a successful phishing expedition against the business.
For years, security professionals have insisted that complex passwords were the keys to account and device security. But in reality, that's nonsense. The truth is that passwords are a terrible form of security – even when you go out of your way to make them complex. The reason for that is simple: humans don't have good memories.
Everyone's familiar with the typical complex password requirements of most sites and services. Passwords must be at least a certain length, contain a capital letter, a number, and a special character. Researchers at Carnegie Mellon University did a study to see how people tend to satisfy those requirements. They found that most people simply capitalize the first letter of their password, add the number 1, and an exclamation point. Depressing, isn't it?
The real security solution small businesses should turn to is to stop relying on passwords for security at all. At a minimum, they should be using two-factor authentication on every account and device. And even better, they should use hardware keys to secure any account that allows for them.
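The Carnegie Mellon finding above is easy to reproduce in code. The following is an added example, not code from the article: a checker that first applies the classic composition rules and then strips the predictable decoration (leading capital, trailing digits and punctuation, common letter-for-symbol substitutions) to see whether what remains is just a dictionary word. The wordlist and the substitution map are constructed for this example; a real deployment would compare against a large corpus of leaked passwords instead.

```python
import re

# Constructed for this example: a tiny stand-in for a breached-password wordlist.
COMMON_BASE_WORDS = {"password", "welcome", "summer", "letmein", "football", "qwerty"}

# Assumed set of common substitutions that satisfy "needs a digit/symbol" without adding entropy.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def meets_composition_rules(pw: str, min_len: int = 8) -> bool:
    """The classic policy: minimum length, one uppercase, one digit, one special character."""
    return (
        len(pw) >= min_len
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def base_word(pw: str) -> str:
    """Undo the predictable decoration: trailing digits/symbols, capitalisation, leetspeak."""
    stripped = re.sub(r"[^A-Za-z]+$", "", pw)    # drop the "1!" style suffix
    return stripped.lower().translate(LEET_MAP)  # "P@ssw0rd" -> "password"


def is_predictable(pw: str) -> bool:
    """True when the password is a common word dressed up to satisfy the composition rules."""
    base = base_word(pw)
    return base in COMMON_BASE_WORDS or len(base) < 6


def evaluate(pw: str) -> str:
    """Verdict: 'composition' (fails the rules), 'predictable' (passes them but is a known pattern), or 'accepted'."""
    if not meets_composition_rules(pw):
        return "composition"
    if is_predictable(pw):
        return "predictable"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample passwords illustrating the pattern the article describes.
    for sample in ["Password1!", "Welcome2023!", "P@ssw0rd1!", "x7#Lq9!vTz2m", "summer"]:
        print(f"{sample:16} -> {evaluate(sample)}")
```

The point of the second stage is that `Password1!` sails through the composition rules; only the pattern check catches it. Even an "accepted" password here is a single factor, which is why the advice above is to pair every account with a second factor or a hardware key rather than to keep tuning password rules.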
Over the last few years, one of the biggest cyber threats small businesses have had to contend with is ransomware. The idea of it is simple. The bad guys get into a business's systems and encrypt everything, then demand a hefty payment for the keys that unlock it all. A targeted business has few options once it's been hit.
It can either try to recover the data from its backups, or it can pay the attacker the ransom. The former is the right response, but the latter is unfortunately what plenty of small businesses choose to do instead. But that just encourages more attacks. And indeed, there's evidence that plenty of companies get re-victimized after they've already suffered a successful attack. And why wouldn't they be? If they've proven to be an easy target that will cough up a ransom payment once, odds are they'll do it again, right?
To avoid this, all a business has to do is to maintain complete and updated (preferably offline) backups of all of their critical data and systems. Then, create a policy to ensure that all business devices get every security update that becomes available right away. And if they don't already have one, they should add an endpoint security solution to their devices that can spot ransomware before it can do any damage.
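A backup is only worth having if you know it is complete and untouched when you come to restore it. As an added example (not the article's own code), here is a small integrity manifest: record a SHA-256 digest of every file alongside the offline backup, then verify the tree against that manifest later. The same check run against live data reports the mass modification that in-place encryption produces. The directory layout and file contents in `demo()` are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with a stored manifest; any non-empty list is a finding."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a manifest, then simulate one file being rewritten in place."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices").mkdir()
        (root / "invoices" / "2021-q1.csv").write_text("id,amount\n1,100\n")
        (root / "customers.db").write_bytes(b"\x00" * 64)
        manifest = build_manifest(root)

        # Store the manifest with the offline copy; a JSON file is enough.
        (root / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))

        # Simulated damage: one file overwritten with random bytes, one new file appears.
        (root / "customers.db").write_bytes(os.urandom(64))
        (root / "customers.db.locked").write_bytes(b"constructed placeholder")

        findings = verify_manifest(root, manifest)
        # The manifest itself was written after it was built, so it shows up as "added".
        findings["added"] = [f for f in findings["added"] if f != "MANIFEST.json"]
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification after every backup job and before any restore; a clean result means the copy matches what was originally taken, and a long `modified` list on live data is worth an immediate look.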
Believe it or not, the three simple bits of advice above would make the average small business all but immune to most garden-variety cyberattacks. The average attacker isn't going to want to waste their time going after a hardened target, and most will just move on to a more vulnerable one. But there's no way to lower the odds of a cyberattack to zero.
That's why every small business – and especially those with a heavy dependency on data and digital services – should look into cyber insurance. A typical small business cyber insurance policy is cheaper than what you'd pay to insure a car in most states. And the alternative isn't worth considering.
According to the US Securities and Exchange Commission, around half of small businesses that suffer a successful cyberattack are out of business within six months. They just don't have the financial wherewithal to deal with the resulting fallout. But the same doesn't happen after conventional burglaries. Why? It's because most businesses just report the incident to their insurer, replace the missing goods, and reopen for business. There's no reason that a cyberattack should be any different.
At the end of the day, it's unlikely that the internet will ever get much safer. And that means that everyone connected to it – including small businesses – needs to wake up to that reality. The sooner they do, the sooner they'll become part of the solution to the problem, rather than just adding more fuel to the fire. And to those that can't (or won't) do that, I leave you with a question: what's your address, and when do you close for the night? Because I have a feeling that cybersecurity isn't the only kind of security you're neglecting.